Trojan.Siggen32.30555

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\$pwnwhellImageCacheHost.exe'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'AppInit_DLLs' = '%WINDIR%\$pwn.dll'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'LoadAppInit_DLLs' = '00000001'
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '$pwnwhellImageCacheHost' = '<SYSTEM32>\$pwnwhellImageCacheHost.exe'
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '$pwnwhellImageCacheHost' = '<SYSTEM32>\$pwnwhellImageCacheHost.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\microsoft\windows\cloud experience config servicr
<SYSTEM32>\tasks\microsoft\microsoft store licensing config listenec
<SYSTEM32>\tasks\microsoftedgeupdateinstaller
%APPDATA%\microsoft\windows\start menu\programs\startup\$pwnwhellimagecachehost.lnk
<SYSTEM32>\tasks\$pwnwhellimagecachehost

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\Warsaw_PM] 'ImagePath' = '%TEMP%\c2d51e644c644b4ca94018c29ad5528b.sys'

Creates the following services

'Warsaw_PM' %TEMP%\c2d51e644c644b4ca94018c29ad5528b.sys

Malicious functions

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\securityhealthservice.exe
<SYSTEM32>\securityhealthsystray.exe

Modifies file system

Creates the following files

<SYSTEM32>\$pwnwhellimagecachehost.exe
<SYSTEM32>\$pwngmagemetadataextractionhost.exe
%WINDIR%\$pwn.dll
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<File name>.exe.log
%TEMP%\content\1448-3692-$pwnwhellimagecachehost.exe-15-26-01-778.dump
%TEMP%\content\1448-2568-$pwnwhellimagecachehost.exe-15-26-01-778.dump
%TEMP%\content\1448-4656-$pwnwhellimagecachehost.exe-15-26-01-778.dump
%TEMP%\content\1448-800-$pwnwhellimagecachehost.exe-15-26-01-886.dump
%TEMP%\content\1448-3260-$pwnwhellimagecachehost.exe-15-26-01-902.dump
%TEMP%\content\1448-4736-$pwnwhellimagecachehost.exe-15-26-01-902.dump
%TEMP%\content\1448-3036-$pwnwhellimagecachehost.exe-15-26-02-171.dump
%TEMP%\content\1448-2848-$pwnwhellimagecachehost.exe-15-26-02-171.dump
%TEMP%\content\1448-2848-$pwnwhellimagecachehost.exe-15-26-02-325.dump
%TEMP%\content\1448-3036-$pwnwhellimagecachehost.exe-15-26-02-356.dump
%TEMP%\content\1448-4872-$pwnwhellimagecachehost.exe-15-26-02-462.dump
%TEMP%\tmpf7d9.tmp.exe
%TEMP%\tmpf912.tmp.exe
<SYSTEM32>\ikernelq.exe
%TEMP%\content\1448-2568-$pwnwhellimagecachehost.exe-15-26-06-827.dump
%TEMP%\content\1448-4656-$pwnwhellimagecachehost.exe-15-26-06-827.dump
%TEMP%\content\1448-3692-$pwnwhellimagecachehost.exe-15-26-06-827.dump
%TEMP%\content\1448-3260-$pwnwhellimagecachehost.exe-15-26-06-936.dump
%TEMP%\content\1448-4736-$pwnwhellimagecachehost.exe-15-26-06-938.dump
%TEMP%\content\1448-4656-$pwnwhellimagecachehost.exe-15-26-11-861.dump
%TEMP%\content\1448-3692-$pwnwhellimagecachehost.exe-15-26-11-861.dump
%TEMP%\content\1448-2568-$pwnwhellimagecachehost.exe-15-26-11-882.dump
%TEMP%\content\1448-3260-$pwnwhellimagecachehost.exe-15-26-12-008.dump
%TEMP%\content\1448-4736-$pwnwhellimagecachehost.exe-15-26-12-008.dump
%TEMP%\content\1448-3036-$pwnwhellimagecachehost.exe-15-26-40-783.dump
%TEMP%\content\1448-3036-$pwnwhellimagecachehost.exe-15-26-41-137.dump
%TEMP%\tmp90a0.tmp.exe
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\$pwnwhellimagecachehost.exe.log
%LOCALAPPDATA%\microsoft\clr_v4.0_32\usagelogs\tmpf912.tmp.exe.log
%TEMP%\c2d51e644c644b4ca94018c29ad5528b.sys
%TEMP%\9879fab7216c46efb62219814655f6ff.sys
%TEMP%\content\1448-3692-$pwnwhellimagecachehost.exe-15-26-47-158.dump
%TEMP%\content\1448-3260-$pwnwhellimagecachehost.exe-15-26-47-211.dump
%TEMP%\content\1448-2568-$pwnwhellimagecachehost.exe-15-26-47-261.dump
%TEMP%\content\1448-4656-$pwnwhellimagecachehost.exe-15-26-47-335.dump
%TEMP%\content\1448-4736-$pwnwhellimagecachehost.exe-15-26-47-415.dump
%TEMP%\content\1448-3692-$pwnwhellimagecachehost.exe-15-26-52-233.dump
%TEMP%\content\1448-3260-$pwnwhellimagecachehost.exe-15-26-52-318.dump
%TEMP%\content\1448-2568-$pwnwhellimagecachehost.exe-15-26-52-449.dump
%TEMP%\content\1448-4656-$pwnwhellimagecachehost.exe-15-26-52-550.dump
%TEMP%\content\1448-4736-$pwnwhellimagecachehost.exe-15-26-52-711.dump
%TEMP%\content\1448-3692-$pwnwhellimagecachehost.exe-15-26-57-262.dump
%TEMP%\content\1448-3260-$pwnwhellimagecachehost.exe-15-26-57-355.dump
%TEMP%\content\1448-2568-$pwnwhellimagecachehost.exe-15-26-57-477.dump
%TEMP%\content\1448-4656-$pwnwhellimagecachehost.exe-15-26-57-578.dump
%TEMP%\content\1448-4736-$pwnwhellimagecachehost.exe-15-26-57-727.dump

Sets the 'hidden' attribute to the following files

<SYSTEM32>\$pwnwhellimagecachehost.exe
<SYSTEM32>\$pwngmagemetadataextractionhost.exe
%WINDIR%\$pwn.dll

Network activity

Connects to

'ri#############8e20w7sett0g4kp4vqldh6fwb.duckdns.org':9842

TCP

Other

'ri#############8e20w7sett0g4kp4vqldh6fwb.duckdns.org':9842

UDP

DNS ASK ri#############8e20w7sett0g4kp4vqldh6fwb.duckdns.org

Miscellaneous

Creates and executes the following

'<SYSTEM32>\$pwnwhellimagecachehost.exe'
'%TEMP%\tmpf7d9.tmp.exe'
'%TEMP%\tmpf912.tmp.exe'
'%TEMP%\tmp90a0.tmp.exe'

Executes the following

'<SYSTEM32>\cmd.exe' netsh advfirewall firewall add rule name="=5kP2q~,2kYF23" dir=in action=allow program="<SYSTEM32>\$pwnwhellImageCacheHost.exe" enable=yes & exit
'<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\Cloud Experience Config Servicr" /tr "<SYSTEM32>\$pwnwhellImageCacheHost.exe" /RL HIGHEST & exit
'<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 1 /tn "Microsoft\Windows\Cloud Experience Config Servicr" /tr "<SYSTEM32>\$pwnwhellImageCacheHost.exe" /RL HIGHEST
'<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Microsoft Store Licensing Config Listenec" /tr "<SYSTEM32>\$pwngmageMetadataExtractionHost.exe" /RL HIGHEST & exit
'<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 30 /tn "Microsoft\Microsoft Store Licensing Config Listenec" /tr "<SYSTEM32>\$pwngmageMetadataExtractionHost.exe" /RL HIGHEST
'<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /mo 60 /tn "MicrosoftEdgeupdateinstaller" /tr "<SYSTEM32>\ikernelq.exe" /RL HIGHEST && exit
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler "%TEMP%\tmpF912.tmp.exe"
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler "%TEMP%\tmpF7D9.tmp.exe"
'<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 60 /tn "MicrosoftEdgeupdateinstaller" /tr "<SYSTEM32>\ikernelq.exe" /RL HIGHEST
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler "%TEMP%\tmp90A0.tmp.exe"
'<SYSTEM32>\cmd.exe' /c schtasks /create /sc onlogon /tn "$pwnwhellImageCacheHost" /tr "<SYSTEM32>\$pwnwhellImageCacheHost.exe" /rl highest && exit
'<SYSTEM32>\schtasks.exe' /create /sc onlogon /tn "$pwnwhellImageCacheHost" /tr "<SYSTEM32>\$pwnwhellImageCacheHost.exe" /rl highest
'<SYSTEM32>\cmd.exe' /c schtasks /create /sc onlogon /tn "$pwnwhellImageCacheHost" /tr "<SYSTEM32>\$pwnwhellImageCacheHost.exe" && exit
'<SYSTEM32>\schtasks.exe' /create /sc onlogon /tn "$pwnwhellImageCacheHost" /tr "<SYSTEM32>\$pwnwhellImageCacheHost.exe"
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler "%TEMP%\tmpF912.tmp.exe"' (with hidden window)
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler "%TEMP%\tmpF7D9.tmp.exe"' (with hidden window)
'%TEMP%\tmpf7d9.tmp.exe' ' (with hidden window)
'%TEMP%\tmpf912.tmp.exe' ' (with hidden window)
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler "%TEMP%\tmp90A0.tmp.exe"' (with hidden window)
'%TEMP%\tmp90a0.tmp.exe' ' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней