Trojan.PWS.Siggen1.63425

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'rallyerallye' = '"%ProgramFiles%\Possession\palpably.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'crisscross' = '"%ProgramFiles%\Paroxysmal\palpably.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'crisscrosscrisscross' = '"%ProgramFiles%\Possession\palpably.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'hsu' = '"%ProgramFiles%\Paroxysmal\palpably.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'havers' = '"%ProgramFiles%\puede\havers.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'affiliation' = '"%ProgramFiles%\Paroxysmal\palpably.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'potluck' = '"%ProgramFiles%\Paroxysmal\palpably.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'potluckpotluck' = '"%ProgramFiles%\Possession\palpably.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'rallye' = '"%ProgramFiles%\Paroxysmal\palpably.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'affiliationaffiliation' = '"%ProgramFiles%\Possession\palpably.exe"'

Creates or modifies the following files:

%HOMEPATH%\Start Menu\Programs\Startup\perspicacious.lnk

Malicious functions:

Executes the following:

'<LS_APPDATA>\90601.exe'
'<LS_APPDATA>\57987.exe'
'%ProgramFiles%\puede\havers.exe'
'<SYSTEM32>\taskkill.exe' /im chrome.exe
'<SYSTEM32>\find.exe' /I "palpably.exe"
'<SYSTEM32>\tasklist.exe' /NH /FI "IMAGENAME eq palpably.exe"
'<SYSTEM32>\cmd.exe' /C <SYSTEM32>\tasklist /NH /FI "IMAGENAME eq palpably.exe" | <SYSTEM32>\find /I "palpably.exe"
'<LS_APPDATA>\prettily.exe' "%ProgramFiles%\kull\kull.exe" "k34914958"
'%ProgramFiles%\Paroxysmal\palpably.exe'
'<LS_APPDATA>\prettily.exe' "%ProgramFiles%\Paroxysmal\palpably.exe" "5866774"
'<LS_APPDATA>\85579.exe'
'<LS_APPDATA>\30669.exe'
'<LS_APPDATA>\prettily.exe' "%ProgramFiles%\Possession\palpably.exe" "34914958"
'%ProgramFiles%\Possession\palpably.exe'
'<LS_APPDATA>\prettily.exe' "<LS_APPDATA>\palpably.exe" "62209052"

Searches for registry branches where third party applications store passwords:

[<HKLM>\SOFTWARE\Microsoft\Internet Account Manager]

Modifies file system:

Creates the following files:

%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[23].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[24].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[21].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[22].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[27].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[28].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[25].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[26].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[15].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[16].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[13].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[14].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[19].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[20].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[17].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[18].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[39].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[40].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[37].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[38].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[43].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[44].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[41].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[42].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[31].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[32].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[29].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[30].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[35].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[36].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[33].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[34].php
%ProgramFiles%\Possession\settings.dll
%ProgramFiles%\kull\kull.exe
<LS_APPDATA>\palpably.exe
%ProgramFiles%\Possession\palpably.exe
%WINDIR%\palpably.exe
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\homepage[1].php
%TEMP%\nsl5.tmp\SimpleFC.dll
%ProgramFiles%\puede\havers.exe
<LS_APPDATA>\30669.exe
<LS_APPDATA>\57987.exe
%TEMP%\nsm2.tmp\AccessControl.dll
<LS_APPDATA>\21650.exe
<LS_APPDATA>\prettily.exe
%ProgramFiles%\Paroxysmal\palpably.exe
<LS_APPDATA>\85579.exe
<LS_APPDATA>\90601.exe
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[7].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[8].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[5].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[6].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[11].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[12].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[9].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[10].php
%TEMP%\nssA.tmp\ExecCmd.dll
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\2VAZY7AN\homepage[1].php
%TEMP%\nsl9.tmp\ShellLink.dll
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\homepage[1].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[3].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[4].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[1].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\YPORKZYZ\homepage[2].php

Deletes the following files:

%TEMP%\nsl9.tmp\ShellLink.dll
%TEMP%\nsl5.tmp\SimpleFC.dll

Moves the following files:

from %WINDIR%\palpably.exe to %WINDIR%\vouching.exe

Modifies the HOSTS file.

Network activity:

Connects to:

'www.ex###rochure.pw':80
'www.ne###know.pw':80
'localhost':1037
'localhost':1038

TCP:

HTTP GET requests:

http://www.ne###know.pw/homepage.php?id###########################################################
http://www.ex###rochure.pw/homepage.php?id###########################################################

UDP:

DNS ASK www.ne###know.pw
DNS ASK www.ex###rochure.pw

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Chrome_WidgetWin_0' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней