Trojan.Siggen9.59982

Technical Information

Malicious functions

Injects code into

the following user processes:

acasvfc.exe

Searches for registry branches where third party applications store passwords

[<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
[<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions\]

Modifies file system

Creates the following files

%TEMP%\acasvfc.exe
%TEMP%\20de7791\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-multibyte-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-private-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\20de7791\freebl3.dll
%TEMP%\20de7791\mozglue.dll
%TEMP%\20de7791\msvcp140.dll
%TEMP%\20de7791\nss3.dll
%TEMP%\20de7791\nssdbm3.dll
%TEMP%\20de7791\softokn3.dll
%TEMP%\20de7791\ucrtbase.dll
%TEMP%\20de7791\vcruntime140.dll
%TEMP%\20de7791\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-util-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-console-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-file-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-file-l1-2-0.dll
%TEMP%\20de7791\api-ms-win-core-file-l2-1-0.dll
%TEMP%\20de7791\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\sdfvcaq.exe
%TEMP%\20de7791\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\20de7791\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-string-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\20de7791\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\ds1.exe
%TEMP%\ds2.exe

Deletes the following files

%TEMP%\20de7791\api-ms-win-core-console-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-multibyte-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-private-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\20de7791\freebl3.dll
%TEMP%\20de7791\mozglue.dll
%TEMP%\20de7791\msvcp140.dll
%TEMP%\20de7791\nss3.dll
%TEMP%\20de7791\nssdbm3.dll
%TEMP%\20de7791\softokn3.dll
%TEMP%\20de7791\ucrtbase.dll
%TEMP%\20de7791\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\20de7791\vcruntime140.dll
%TEMP%\20de7791\api-ms-win-core-util-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-file-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-file-l1-2-0.dll
%TEMP%\20de7791\api-ms-win-core-file-l2-1-0.dll
%TEMP%\20de7791\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\20de7791\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\20de7791\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-string-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\20de7791\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\20de7791\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\acasvfc.exe

Network activity

TCP

HTTP GET requests

http://ma###kass.ug/az2.exe
http://ma###kass.ug/os2.exe
http://le##tts.ug/ds1.exe
http://le##tts.ug/ds2.exe
http://le##tts.ug/rc.exe

HTTP POST requests

http://le##tts.ug/index.php

UDP

DNS ASK ma###kass.ug
DNS ASK le##tts.ug

Miscellaneous

Creates and executes the following

'%TEMP%\acasvfc.exe'
'%TEMP%\sdfvcaq.exe'
'%TEMP%\ds1.exe'
'%TEMP%\ds2.exe'
'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\timeout.exe 3 & del "acasvfc.exe"' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c <SYSTEM32>\timeout.exe 3 & del "acasvfc.exe"

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial