Trojan.Siggen8.53314

Technical Information

To ensure autorun and distribution

Creates the following services

[<HKLM>\SYSTEM\CurrentControlSet\Services\556452577] 'ImagePath' = '%ProgramFiles(x86)%\Mozilla Firefox\556452577.sys'

Malicious functions

Injects code into

the following user processes:

firefox.exe

Modifies file system

Creates the following files

%TEMP%\icon.ico
%ProgramFiles(x86)%\mozilla firefox\556452577.sys

Deletes the following files

<DRIVERS>\etc\hosts
%ProgramFiles(x86)%\mozilla firefox\556452577.sys

Substitutes the HOSTS file.

Network activity

TCP

HTTP GET requests

http://43.###.222.21:8089/hosts.txt
http://43.###.222.21:8080/yyroom/ZZ.key
http://to##u.me//ZZ.key

UDP

DNS ASK vi#.#fxbkj.com
DNS ASK b.###bkj.com
DNS ASK to###.#e.cdn.dnsv1.com
DNS ASK to##u.me

Miscellaneous

Searches for the following windows

ClassName: 'QWidget' WindowName: '3879'
ClassName: 'QWidget' WindowName: '3879-ВЎВѕГ‰Г±В»В°ВЎВїВ»Г°ГЏГџГ—ГЏВЅГ°В№В¤В»ГЎВЈВ¬ВґГіГђГЌГЌГёГ“ГЋВїВЄВєГљВ№В¤В»ГЎВЈВ¬ГЋГ’ГѓГ‡Г’В»Г–В±Г“ГѓГђГ„Г”ГљГ—Г¶ВЈВЎ'

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Administrators:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Remote Desktop Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Remote Desktop Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Replicator:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Replicator:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Event Log Readers:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Debugger Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p HomeUsers:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g HomeUsers:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p IIS_WPG:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g IIS_WPG:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p everyone:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g everyone:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Power Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Power Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Performance Monitor Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Performance Monitor Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Performance Log Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Backup Operators:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Backup Operators:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Cryptographic Operators:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Cryptographic Operators:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Distributed COM Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Distributed COM Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p user:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Debugger Users:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Event Log Readers:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Guests:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p IIS_IUSRS:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g IIS_IUSRS:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Network Configuration Operators:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Network Configuration Operators:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Performance Log Users:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Administrators:r' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Guests:N' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g user:r' (with hidden window)

Executes the following

'%ProgramFiles(x86)%\mozilla firefox\firefox.exe' 100861008671
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Replicator:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Replicator:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Replicator:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Replicator:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Remote Desktop Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Remote Desktop Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Remote Desktop Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Remote Desktop Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Power Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Power Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Power Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Power Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Performance Monitor Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Debugger Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Debugger Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p user:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p user:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g everyone:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g everyone:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p everyone:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p everyone:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g IIS_WPG:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p IIS_WPG:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g IIS_WPG:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p IIS_WPG:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g HomeUsers:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g HomeUsers:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p HomeUsers:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p HomeUsers:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Debugger Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Debugger Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g user:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Performance Monitor Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Performance Monitor Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Performance Monitor Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Distributed COM Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Distributed COM Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Distributed COM Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Cryptographic Operators:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Cryptographic Operators:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Cryptographic Operators:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Cryptographic Operators:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Backup Operators:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Backup Operators:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Backup Operators:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Backup Operators:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Administrators:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Administrators:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Administrators:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Administrators:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Distributed COM Users:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Event Log Readers:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Event Log Readers:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Event Log Readers:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Performance Log Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Performance Log Users:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Performance Log Users:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Network Configuration Operators:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Network Configuration Operators:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Network Configuration Operators:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Network Configuration Operators:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g IIS_IUSRS:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g IIS_IUSRS:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p IIS_IUSRS:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p IIS_IUSRS:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Guests:r
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /g Guests:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p Guests:N
'%WINDIR%\syswow64\cmd.exe' /c cacls.exe <DRIVERS>\etc\hosts /e /t /p Guests:N
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Event Log Readers:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g Performance Log Users:r
'%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /g user:r

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial