Trojan.PWS.Siggen5.33761

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '"<Full path to file>"'

Malicious functions

Injects code into

the following user processes:

msedge.exe

Terminates or attempts to terminate

the following user processes:

firefox.exe

Reads files which store third party applications passwords

%APPDATA%\mozilla\firefox\profiles.ini
%HOMEPATH%\desktop\garden.htm
%HOMEPATH%\desktop\trivial-merge.htm
%APPDATA%\thunderbird\profiles.ini

Modifies file system

Creates the following files

<Current directory>\output\securesettingsmigration\thunderbird\crash reports\installtime20210406220621
<Current directory>\output\securesettingsmigration\thunderbird\installs.ini
<Current directory>\output\securesettingsmigration\thunderbird\profiles\b376zl1q.default\times.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\abook.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\addons.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\addonstartup.json.lz4
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\blist.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\cert9.db
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\compatibility.ini
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\cookies.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\crashes\store.json.mozlz4
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\datareporting\archived\2024-08\1723427186027.740f65ac-6c92-4860-a433-5c4acb1df428.new-profile.js...
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\datareporting\archived\2024-08\1723427186364.ea3bd3ee-1392-479f-ab3c-37fb050509c4.main.jsonlz4
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\datareporting\archived\2024-08\1723427186367.5fb935d8-7cd4-40ee-aeeb-ffd7037d7c83.first-shutdown...
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\datareporting\session-state.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\datareporting\state.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\directorytree.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\enigmail.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\extension-preferences.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\extensions.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\favicons.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\formhistory.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\global-messages-db.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\history.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\key4.db
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\mailviews.dat
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\openpgp.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\permissions.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\pkcs11.txt
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\places.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\prefs.js
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\saved-telemetry-pings\5fb935d8-7cd4-40ee-aeeb-ffd7037d7c83
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\saved-telemetry-pings\740f65ac-6c92-4860-a433-5c4acb1df428
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\saved-telemetry-pings\ea3bd3ee-1392-479f-ab3c-37fb050509c4
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\search.json.mozlz4
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\sessioncheckpoints.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\storage\permanent\chrome\.metadata-v2
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\storage.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\times.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\webappsstore.sqlite
<Current directory>\output\securesettingsmigration\thunderbird\profiles\gbmwccb6.default-release\xulstore.json
<Current directory>\output\securesettingsmigration\thunderbird\profiles.ini
<Current directory>\output\postextractionreports\readme.txt
<Current directory>\output\postextractionreports\99_server_zip_paths.txt
<Current directory>\output\postextractionreports\00_system_information.txt
<Current directory>\output\postextractionreports\01_openssh.txt
<Current directory>\output\postextractionreports\02_aws_style_credentials.txt
<Current directory>\output\postextractionreports\03_gcp_service_accounts.txt
<Current directory>\output\postextractionreports\04_azure_credentials.txt
<Current directory>\output\postextractionreports\05_dotenv_harvest.txt
<Current directory>\output\postextractionreports\06_bip39_mnemonic_scan.txt