Exploit.Siggen.58386

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'newapp' = '%APPDATA%\newapp\newapp.exe'

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\systempropertiesadvanced.url

Malicious functions

Executes the following (exploit)

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function j71536 {param($ybae4)$odaf9ff='q16b7b';$o81551='';for ($i=0; $i -lt $ybae4.length;$i+=2){$qe56d3f=[convert]::ToByte($ybae4.Substring($i,2),16);$o81551+=[char]($qe...

Injects code into

the following system processes:

%WINDIR%\microsoft.net\framework\v2.0.50727\regasm.exe

Reads files which store third party applications passwords

%APPDATA%\thunderbird\profiles.ini

Modifies file system

Creates the following files

%TEMP%\w8qzwe28.0.cs
%TEMP%\vqnpf2wh.dll
%TEMP%\rese32.tmp
%TEMP%\csce21.tmp
%TEMP%\vqnpf2wh.out
%TEMP%\vqnpf2wh.cmdline
%TEMP%\vqnpf2wh.0.cs
%TEMP%\if4kmivr.dll
%TEMP%\resf589.tmp
%TEMP%\cscf579.tmp
%TEMP%\if4kmivr.out
%TEMP%\if4kmivr.cmdline
%TEMP%\if4kmivr.0.cs
%TEMP%\o67rtnnb.dll
%TEMP%\resd35b.tmp
%TEMP%\cscd34b.tmp
%TEMP%\o67rtnnb.out
%TEMP%\o67rtnnb.cmdline
%TEMP%\o67rtnnb.0.cs
%TEMP%\hkq4-ohu.dll
%TEMP%\ndbwrnfx.0.cs
%TEMP%\ndbwrnfx.cmdline
%TEMP%\ndbwrnfx.out
%TEMP%\csc240b.tmp
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
%APPDATA%\newapp\newapp.exe
%HOMEPATH%\systempropertiesadvanced\aepic.exe
%HOMEPATH%\systempropertiesadvanced\systempropertiesadvanced.vbs
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{f6cb022b-e9d3-4e55-a558-07742b88306f}.tmp
%TEMP%\_qyqtxj_.dll
%TEMP%\res552e.tmp
%TEMP%\csc551d.tmp
%TEMP%\_qyqtxj_.cmdline
%TEMP%\_qyqtxj_.out
%TEMP%\_qyqtxj_.0.cs
%TEMP%\p24ec7w9.dll
%TEMP%\res3d7f.tmp
%TEMP%\csc3d6f.tmp
%TEMP%\p24ec7w9.out
%TEMP%\p24ec7w9.cmdline
%TEMP%\p24ec7w9.0.cs
%TEMP%\ndbwrnfx.dll
%TEMP%\res241b.tmp
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
%TEMP%\resbfc4.tmp
%TEMP%\cscbfb3.tmp
%TEMP%\hkq4-ohu.out
%TEMP%\rccrmpal.cmdline
%TEMP%\rccrmpal.0.cs
%TEMP%\uchyd7jz.dll
%TEMP%\res4d05.tmp
%TEMP%\csc4ce4.tmp
%TEMP%\uchyd7jz.out
%TEMP%\uchyd7jz.cmdline
%TEMP%\uchyd7jz.0.cs
%TEMP%\w8qzwe28.dll
%TEMP%\res4341.tmp
%TEMP%\g78jyoei.dll
%TEMP%\res42e3.tmp
%TEMP%\csc4340.tmp
%TEMP%\csc42d2.tmp
%TEMP%\g78jyoei.out
%TEMP%\g78jyoei.cmdline
%TEMP%\g78jyoei.0.cs
%TEMP%\w8qzwe28.out
%TEMP%\w8qzwe28.cmdline
%TEMP%\rccrmpal.out
%TEMP%\csc5fa1.tmp
%TEMP%\res5fb2.tmp
%TEMP%\rccrmpal.dll
%TEMP%\hkq4-ohu.0.cs
%APPDATA%\j1333.exe
%TEMP%\s8gro4jv.dll
%TEMP%\resab03.tmp
%TEMP%\cscaaf3.tmp
%TEMP%\s8gro4jv.out
%TEMP%\s8gro4jv.cmdline
%TEMP%\s8gro4jv.0.cs
%TEMP%\h_9rcxng.dll
%TEMP%\csc8162.tmp
%TEMP%\res8173.tmp
%TEMP%\h_9rcxng.out
%TEMP%\h_9rcxng.cmdline
%TEMP%\h_9rcxng.0.cs
%TEMP%\yuehw1ba.dll
%TEMP%\res730b.tmp
%TEMP%\csc72fa.tmp
%TEMP%\yuehw1ba.out
%TEMP%\yuehw1ba.cmdline
%TEMP%\yuehw1ba.0.cs
%TEMP%\hkq4-ohu.cmdline
%LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol

Sets the 'hidden' attribute to the following files

%APPDATA%\newapp\newapp.exe

Deletes the following files

%TEMP%\res42e3.tmp
%TEMP%\rese32.tmp
%TEMP%\if4kmivr.out
%TEMP%\if4kmivr.pdb
%TEMP%\if4kmivr.0.cs
%TEMP%\if4kmivr.cmdline
%TEMP%\if4kmivr.dll
%TEMP%\cscf579.tmp
%TEMP%\resf589.tmp
%TEMP%\o67rtnnb.out
%TEMP%\vqnpf2wh.0.cs
%TEMP%\csce21.tmp
%TEMP%\o67rtnnb.cmdline
%TEMP%\o67rtnnb.0.cs
%TEMP%\cscd34b.tmp
%TEMP%\resd35b.tmp
%TEMP%\hkq4-ohu.dll
%TEMP%\hkq4-ohu.0.cs
%TEMP%\hkq4-ohu.out
%TEMP%\hkq4-ohu.pdb
%TEMP%\hkq4-ohu.cmdline
%TEMP%\o67rtnnb.dll
%TEMP%\rccrmpal.0.cs
%TEMP%\vqnpf2wh.cmdline
%TEMP%\_qyqtxj_.dll
%TEMP%\_qyqtxj_.pdb
%TEMP%\_qyqtxj_.out
%TEMP%\csc551d.tmp
%TEMP%\res552e.tmp
%TEMP%\p24ec7w9.cmdline
%TEMP%\p24ec7w9.pdb
%TEMP%\p24ec7w9.0.cs
%TEMP%\p24ec7w9.dll
%TEMP%\p24ec7w9.out
%TEMP%\csc3d6f.tmp
%TEMP%\res3d7f.tmp
%TEMP%\ndbwrnfx.dll
%TEMP%\ndbwrnfx.pdb
%TEMP%\ndbwrnfx.cmdline
%TEMP%\ndbwrnfx.0.cs
%TEMP%\ndbwrnfx.out
%TEMP%\csc240b.tmp
%TEMP%\res241b.tmp
%TEMP%\vqnpf2wh.dll
%TEMP%\vqnpf2wh.pdb
%TEMP%\cscbfb3.tmp
%TEMP%\o67rtnnb.pdb
%TEMP%\resbfc4.tmp
%TEMP%\s8gro4jv.dll
%TEMP%\s8gro4jv.pdb
%TEMP%\w8qzwe28.dll
%TEMP%\uchyd7jz.0.cs
%TEMP%\uchyd7jz.pdb
%TEMP%\uchyd7jz.out
%TEMP%\uchyd7jz.dll
%TEMP%\uchyd7jz.cmdline
%TEMP%\csc4ce4.tmp
%TEMP%\res4d05.tmp
%TEMP%\w8qzwe28.cmdline
%TEMP%\w8qzwe28.out
%TEMP%\w8qzwe28.pdb
%TEMP%\csc5fa1.tmp
%TEMP%\w8qzwe28.0.cs
%TEMP%\g78jyoei.out
%TEMP%\g78jyoei.cmdline
%TEMP%\g78jyoei.0.cs
%TEMP%\g78jyoei.dll
%TEMP%\g78jyoei.pdb
%TEMP%\csc4340.tmp
%TEMP%\res4341.tmp
%TEMP%\csc42d2.tmp
%TEMP%\_qyqtxj_.0.cs
%TEMP%\vqnpf2wh.out
%TEMP%\rccrmpal.cmdline
%TEMP%\rccrmpal.dll
%TEMP%\res5fb2.tmp
%TEMP%\s8gro4jv.0.cs
%TEMP%\s8gro4jv.cmdline
%TEMP%\s8gro4jv.out
%TEMP%\cscaaf3.tmp
%TEMP%\resab03.tmp
%TEMP%\h_9rcxng.cmdline
%TEMP%\h_9rcxng.pdb
%TEMP%\h_9rcxng.dll
%TEMP%\h_9rcxng.0.cs
%TEMP%\h_9rcxng.out
%TEMP%\csc8162.tmp
%TEMP%\res8173.tmp
%TEMP%\yuehw1ba.cmdline
%TEMP%\yuehw1ba.0.cs
%TEMP%\yuehw1ba.dll
%TEMP%\yuehw1ba.out
%TEMP%\yuehw1ba.pdb
%TEMP%\csc72fa.tmp
%TEMP%\res730b.tmp
%TEMP%\rccrmpal.out
%TEMP%\rccrmpal.pdb
%TEMP%\_qyqtxj_.cmdline

Network activity

TCP

HTTP GET requests

http://gr######une-2749.ciao.jp/mad/bincrypted.exe

UDP

DNS ASK gr######une-2749.ciao.jp

Miscellaneous

Creates and executes the following

'%APPDATA%\j1333.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function j71536 {param($ybae4)$odaf9ff='q16b7b';$o81551='';for ($i=0; $i -lt $ybae4.length;$i+=2){$qe56d3f=[convert]::ToByte($ybae4.Substring($i,2),16);$o81551+=[char]($qe...' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D7F.tmp" "%TEMP%\CSC3D6F.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\p24ec7w9.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES241B.tmp" "%TEMP%\CSC240B.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ndbwrnfx.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE32.tmp" "%TEMP%\CSCE21.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vqnpf2wh.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF589.tmp" "%TEMP%\CSCF579.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\if4kmivr.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD35B.tmp" "%TEMP%\CSCD34B.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\o67rtnnb.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBFC4.tmp" "%TEMP%\CSCBFB3.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hkq4-ohu.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAB03.tmp" "%TEMP%\CSCAAF3.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s8gro4jv.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8173.tmp" "%TEMP%\CSC8162.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\h_9rcxng.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES730B.tmp" "%TEMP%\CSC72FA.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yuehw1ba.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5FB2.tmp" "%TEMP%\CSC5FA1.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rccrmpal.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4D05.tmp" "%TEMP%\CSC4CE4.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uchyd7jz.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4341.tmp" "%TEMP%\CSC4340.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES42E3.tmp" "%TEMP%\CSC42D2.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\g78jyoei.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\w8qzwe28.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\_qyqtxj_.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES552E.tmp" "%TEMP%\CSC551D.tmp"' (with hidden window)

Executes the following

'%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES552E.tmp" "%TEMP%\CSC551D.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\_qyqtxj_.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D7F.tmp" "%TEMP%\CSC3D6F.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\p24ec7w9.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES241B.tmp" "%TEMP%\CSC240B.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ndbwrnfx.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE32.tmp" "%TEMP%\CSCE21.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\vqnpf2wh.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF589.tmp" "%TEMP%\CSCF579.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\if4kmivr.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD35B.tmp" "%TEMP%\CSCD34B.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\o67rtnnb.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESBFC4.tmp" "%TEMP%\CSCBFB3.tmp"
'%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hkq4-ohu.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s8gro4jv.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8173.tmp" "%TEMP%\CSC8162.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\h_9rcxng.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES730B.tmp" "%TEMP%\CSC72FA.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yuehw1ba.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5FB2.tmp" "%TEMP%\CSC5FA1.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rccrmpal.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4D05.tmp" "%TEMP%\CSC4CE4.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\uchyd7jz.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4341.tmp" "%TEMP%\CSC4340.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES42E3.tmp" "%TEMP%\CSC42D2.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\g78jyoei.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\w8qzwe28.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAB03.tmp" "%TEMP%\CSCAAF3.tmp"
'%WINDIR%\microsoft.net\framework\v2.0.50727\regasm.exe'

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней