Trojan.Siggen31.7742

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\googleupdatetaskmachinecore{8e3fc4ba-6e26-49c0-adb8-872edbdc3683}
<SYSTEM32>\tasks\googleupdatetaskmachineua{feb79203-afc1-466b-a655-99d146fbe159}

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\gupdate] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\gupdate] 'ImagePath' = '"%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe" /svc'
[HKLM\System\CurrentControlSet\Services\gupdatem] 'ImagePath' = '"%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe" /medsvc'

Creates the following services

'gupdate' "%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe" /svc
'gupdatem' "%ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe" /medsvc

Modifies file system

Creates the following files

%TEMP%\chromesetup\chromesetup.bat
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_fil.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_fr.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_gu.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_hi.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_et.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_hr.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_fi.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_id.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_it.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_iw.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ja.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_kn.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_hu.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ko.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_is.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_fa.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_es-419.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_es.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\googlecrashhandler.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\googlecrashhandler64.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\googleupdatecomregistershell64.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_am.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ar.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdate.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_bg.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ca.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_cs.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_da.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_de.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_el.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_en.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_bn.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_en-gb.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\googleupdate.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\googleupdatecore.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_lt.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ms.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_vi.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_zh-cn.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_zh-tw.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\psuser.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\psuser_64.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_uk.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ur.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\psmachine.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\googleupdatebroker.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\googleupdateondemand.exe
%WINDIR%\temp\cab4fd6.tmp
%WINDIR%\temp\tar4fd7.tmp
%WINDIR%\temp\cab81d0.tmp
%ProgramFiles(x86)%\google\update\1.3.36.372\psmachine_64.dll
%ProgramFiles(x86)%\google\update\googleupdate.exe
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_tr.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_te.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_no.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_nl.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_no.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_pl.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_pt-br.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_pt-pt.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ro.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ru.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_sk.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_sl.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_sr.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_sv.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_sw.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ta.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_lv.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_mr.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_ml.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdatesetup.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_zh-tw.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_zh-cn.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_bn.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ca.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_cs.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_da.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_am.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_de.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_bg.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_en.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_es.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_es-419.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_et.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_fa.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_el.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdatecore.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_en-gb.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googlecrashhandler64.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\psuser_64.dll
%TEMP%\chromesetup\google chrome.bat
%TEMP%\chromesetup\chromesetup.exe
%TEMP%\chromesetup\sfta.exe
%TEMP%\chromesetup\~<File name>.exe-hide~.bat
%ProgramFiles(x86)%\google\temp\gut57e1.tmp
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdate.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googlecrashhandler.exe
%TEMP%\chromesetup\google chrome.lnk
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdate.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdateondemand.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdatecomregistershell64.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\psmachine.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\psmachine_64.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\psuser.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_fi.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdatebroker.exe
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_fil.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ar.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_fr.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_pt-pt.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ru.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_sk.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_sl.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_sr.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_sv.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_sw.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ta.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_te.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_th.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_tr.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_uk.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ur.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_vi.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_pt-br.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_gu.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ro.dll
%ProgramFiles(x86)%\google\update\1.3.36.372\goopdateres_th.dll
%WINDIR%\temp\tar81e1.tmp
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_nl.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_hr.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_hu.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_id.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_is.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_it.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_iw.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_hi.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ja.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ko.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_lt.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_lv.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ml.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_mr.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_ms.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_kn.dll
%ProgramFiles(x86)%\google\temp\gum57d0.tmp\goopdateres_pl.dll
%TEMP%\bita025.tmp

Sets the 'hidden' attribute to the following files

%TEMP%\chromesetup\google chrome.lnk
%TEMP%\chromesetup\~<File name>.exe-hide~.bat
%TEMP%\chromesetup\chromesetup.bat
%TEMP%\chromesetup\chromesetup.exe
%TEMP%\chromesetup\google chrome.bat
%TEMP%\chromesetup\sfta.exe
%TEMP%\bita025.tmp

Deletes the following files

%WINDIR%\temp\cab4fd6.tmp
%WINDIR%\temp\tar4fd7.tmp
%WINDIR%\temp\cab81d0.tmp
%WINDIR%\temp\tar81e1.tmp

Moves the following files

from %TEMP%\bita025.tmp to %TEMP%\{27c927f8-a625-4e09-838f-7a4fc7ed55a2}-109.0.5414.120_chrome_installer.exe

Network activity

Connects to

'dl.google.com':443
'up####.googleapis.com':443
'ed####.me.gvt1.com':80

TCP

HTTP GET requests

http://ed####.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe

Other

'34.##9.100.209':443
'dl.google.com':443
'up####.googleapis.com':443

UDP

DNS ASK dl.google.com
DNS ASK up####.googleapis.com
DNS ASK ed####.me.gvt1.com

Miscellaneous

Creates and executes the following

'%TEMP%\chromesetup\chromesetup.exe'
'%ProgramFiles(x86)%\google\temp\gum57d0.tmp\googleupdate.exe' /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={CBD818AD-B538-47E7-F226-BD17DDE89503}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=...
'%ProgramFiles(x86)%\google\update\googleupdate.exe' /regsvc
'%ProgramFiles(x86)%\google\update\googleupdate.exe' /regserver
'%ProgramFiles(x86)%\google\update\1.3.36.372\googleupdatecomregistershell64.exe'
'%ProgramFiles(x86)%\google\update\googleupdate.exe' /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNzEiIGlzbWFjaGl...
'%ProgramFiles(x86)%\google\update\googleupdate.exe' /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={CBD818AD-B538-47E7-F226-BD17DDE89503}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-st...
'%ProgramFiles(x86)%\google\update\googleupdate.exe' /svc

Executes the following

'<SYSTEM32>\cmd.exe' /c attrib +h "%TEMP%\ChromeSetup"
'<SYSTEM32>\cmd.exe' /c dir /s /b "%TEMP%\ChromeSetup\"
'<SYSTEM32>\cmd.exe' /c @pushd "%TEMP%\ChromeSetup" >nul 2>&1 & CALL "%TEMP%\ChromeSetup\Google Chrome.bat"
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup\SFTA.exe"
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup\Google Chrome.bat"
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup\ChromeSetup.exe"
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup\."
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup\ChromeSetup.bat"
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat" "
'<SYSTEM32>\attrib.exe' -H -R -S "%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat"
'<SYSTEM32>\cmd.exe' /c attrib -H -R -S "%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat"&echo attrib +h "%~dp0." > "%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat"&echo attrib +h "%~f0" >> "%TEMP%\ChromeSetup\~<File ...
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup"
'<SYSTEM32>\xcopy.exe' /H "Google Chrome.lnk" "X:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
'<SYSTEM32>\attrib.exe' +h "%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat"
'<SYSTEM32>\cmd.exe' /c attrib -H -R -S "%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat"&echo attrib +h "%~dp0." > "%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat"&echo attrib +h "%~f0" >> "%TEMP%\ChromeSetup\~<File ...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c attrib +h "%TEMP%\ChromeSetup"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\ChromeSetup\~<File name>.exe-hide~.bat" "' (with hidden window)
'<SYSTEM32>\cmd.exe' /c @pushd "%TEMP%\ChromeSetup" >nul 2>&1 & CALL "%TEMP%\ChromeSetup\Google Chrome.bat"' (with hidden window)

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial