マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話(英語)

+7 (495) 789-45-86

Profile

Trojan.Siggen27.11306

Added to the Dr.Web virus database: 2024-03-04

Virus description added:

  • sha1: 60eaa4fd53b78227760864e6cf27b08bc4bdde72

Description

A Windows trojan written in C. It is a DLL with an encrypted payload.

Operating routine

During initialization, the trojan sequentially creates two threads: one to decrypt the data and the other to execute the payload.

Initially, the payload is encrypted with a key that is the path to the executable. During the first run, the trojan rebuilds the executable and covers it with another layer of encryption. This encryption binds the payload to the infected PC.

The preparation phase consists of the following steps

  • A random salt is generated and stored in a new trojan body at a specific offset
  • BIOS information is obtained
  • This information is hashed using the salt generated in step 1, and the resulting hash is the key to encrypt the payload
  • The payload is encrypted using a “custom” key

After this transformation, the trojan has two decryption stages:

Stage 1: Decryption using constants from the compromised PC

  • The salt stored in the trojan body is taken at a specific offset
  • The salt is used to create a hash of the BIOS information
  • The payload is decrypted

Stage 2: Decryption of the payload encrypted with the default key

  • The ImagePathName value is extracted from the RTL_USER_PROCESS_PARAMETERS struct - this field is a Unicode string whose length must be greater than 0x76 bytes (in our case the filename was %LOCALAPPDATA%\Yandex\YandexBrowser\Application\Wldp.dll)
  • The last 0x76 bytes are read from the above value
  • The hash of this value, which is the key for the symmetric algorithm, is generated
  • The payload is decrypted

Encryption algorithm

A modified ChaCha20 algorithm is used as the symmetric encryption algorithm. The modification consists of an additional layer for key initialization: the input key undergoes 1 round of the algorithm, after which it becomes the key for the regular algorithm.

Hashing algorithm

A modified BLAKE2 algorithm is used as the hash function. The modification is that multiple repetitive hashes of the input data are used.

Payload

The payload is a shellcode generated using https://github.com/TheWover/donut/tree/master. This shellcode decrypts and downloads an MZPE file written in .NET, the main purpose of which is to launch a trojan downloaded from the Internet. The main body of the shellcode can be found at https://github.com/TheWover/donut/blob/master/loader_exe_x64.h.

The shellcode performs the following actions:

  • Checks the flag responsible for executing the load in a separate or main thread
  • Decrypts the MZPE file into a new allocated memory area
  • Loads the ole32.dll, oleaut32.dll, wininet.dll, mscoree.dll, and shell32.dll libraries, using the LoadLibraryA function
  • Loads the WldpQueryDynamicCodeTrust, WldpIsClassInApprovedList, EtwEventWrite and EtwEventUnregister functions, using the GetProcAddress function
  • Initializes the AMSI interface
    • Loads amsi.dll
    • Loads the AmsiInitialize, AmsiScanBuffer and AmsiScanString functions
  • Reads the value of the AMSI bypass flag; this flag is not set in this sample
  • Downloads the .NET application

The .NET stager downloads other malware, saves it under the name “YandexUpdater.exe” and then launches it. At the time of our investigation, the file was no longer available on the server from which the malware was supposed to be downloaded, so we were unable to positively identify the downloaded software; however, we can assume that the file in question could be the same Trojan.Packed2.46324.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android