Trojan.Siggen13.11678

Добавлен в вирусную базу Dr.Web: 2021-04-24

Описание добавлено: 2021-04-26

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Executes the following

'<SYSTEM32>\taskkill.exe' /F /IM ROMServer.exe
'<SYSTEM32>\taskkill.exe' /F /IM ROMFUSClient.exe
'<SYSTEM32>\taskkill.exe' /F /IM rfusclient.exe
'<SYSTEM32>\taskkill.exe' /F /IM dllhost.exe
'<SYSTEM32>\taskkill.exe' /F /IM taskhost.exe
'<SYSTEM32>\taskkill.exe' /F /IM wininnit.exe
'<SYSTEM32>\taskkill.exe' /F /IM dInjector.exe
'<SYSTEM32>\taskkill.exe' /F /IM SysTrayRefresh.exe
'<SYSTEM32>\taskkill.exe' /F /IM winvers.exe
'<SYSTEM32>\taskkill.exe' /F /IM wiacmgr.exe
'<SYSTEM32>\taskkill.exe' /F /IM syscrb.exe
'<SYSTEM32>\taskkill.exe' /F /IM sysmxd.exe
'<SYSTEM32>\taskkill.exe' /F /IM WmiMgms.exe
'<SYSTEM32>\netsh.exe' firewall set notifications DISABLE

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\taskhost.exe
<SYSTEM32>\msiexec.exe

Modifies file system

Creates the following files

%WINDIR%\winbiosystem\id.txt
%APPDATA%\wininnit\id.txt
%TEMP%\winautomation\1.txt
%APPDATA%\wininnit\ids2.txt
%APPDATA%\wininnit\ids.txt
%TEMP%\winautomation\all.bat
%TEMP%\winautomation\ccg35uv0q0p.tmp
%TEMP%\winautomation\activated-online-user_611106.txt
%TEMP%\winautomation\activated-online-280-103-688-022.txt
%ALLUSERSPROFILE%\1.reg
%TEMP%\winautomation\temp.bat
%TEMP%\winautomation\hide.vbs

Deletes the following files

%TEMP%\winautomation\1.txt
%TEMP%\winautomation\activated-online-user_611106.txt
%TEMP%\winautomation\activated-online-280-103-688-022.txt
%ALLUSERSPROFILE%\1.reg
%TEMP%\winautomation\all.bat
%TEMP%\winautomation\hide.vbs

Deletes itself.

Network activity

Connects to

'un##hone.gr':21
'un##hone.gr':55503
'un##hone.gr':55511
'un##hone.gr':55956
'un##hone.gr':55014
'un##hone.gr':25

TCP

'un##hone.gr':21
'un##hone.gr':55511
'un##hone.gr':55014
'un##hone.gr':25

UDP

DNS ASK un##hone.gr

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''
ClassName: 'RegEdit_RegEdit' WindowName: ''

Creates and executes the following

'<SYSTEM32>\wscript.exe' "%TEMP%\WinAutomation\hide.vbs"
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\WinAutomation\all.bat" "' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\WinAutomation\temp.bat" "' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c pushd "%LOCALAPPDATA%\Temp" && (rd /s /q "%LOCALAPPDATA%\Temp" 2>nul & popd)
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\systray\SysTrayRefresh.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\winvervts\winverss.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\winversxs\winvers.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\WinBioSystem\ROMServer.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\WinBioSystem\ROMFUSClient.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\winbiossystem\rutserv.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\winbiossystem\rfusclient.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%ProgramFiles%\MicrosoftSystem\ProcessHacker.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%ProgramFiles%\MicrosoftSystem\PowerRun.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%CommonProgramFiles%\MicrosoftSystem\ProcessHacker.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%CommonProgramFiles%\MicrosoftSystem\PowerRun.exe"
'<SYSTEM32>\cmd.exe' /c MsiExec.exe /package "%TEMP%\WinAutomation\service.msi" /quiet
'<SYSTEM32>\msiexec.exe' /package "%TEMP%\WinAutomation\service.msi" /quiet
'<SYSTEM32>\cmd.exe' /c icacls %WINDIR%\WinBioSystem /remove:d users
'<SYSTEM32>\cmd.exe' /c netsh firewall set notifications DISABLE
'<SYSTEM32>\icacls.exe' %WINDIR%\WinBioSystem /deny users:f
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\WinAutomation\all.bat" "
'<SYSTEM32>\cmd.exe' /c sc.exe start RManService
'<SYSTEM32>\sc.exe' start RManService
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters" /v "InternetId" /t REG_BINARY /d "efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d73...
'<SYSTEM32>\cmd.exe' /c TASKLIST /NH /FI "IMAGENAME eq rfusclient.exe" /FI "username eq user"
'<SYSTEM32>\tasklist.exe' /NH /FI "IMAGENAME eq rfusclient.exe" /FI "username eq user"
'<SYSTEM32>\cmd.exe' /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
'<SYSTEM32>\wbem\wmic.exe' /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
'<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet
'<SYSTEM32>\cmd.exe' /c regedit.exe /s %ALLUSERSPROFILE%\1.reg
'%WINDIR%\regedit.exe' /s %ALLUSERSPROFILE%\1.reg
'<SYSTEM32>\cmd.exe' /c start hide.vbs
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\svchost\svchost.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\BootSystem\7za.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wininnit\wininnit.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\taskhost\taskhost.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\dllhost\dllhost.exe"
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM ROMFUSClient.exe
'<SYSTEM32>\cmd.exe' /c sc.exe stop RManService
'<SYSTEM32>\sc.exe' stop RManService
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM rfusclient.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM dllhost.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM taskhost.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM wininnit.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM dInjector.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM SysTrayRefresh.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM winvers.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM wiacmgr.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM syscrb.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM sysmxd.exe
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\WinAutomation\temp.bat" "
'<SYSTEM32>\cmd.exe' /c icacls %WINDIR%\WinBioSystem /deny users:f
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM WmiMgms.exe
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%TEMP%\WinAutomation"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%ALLUSERSPROFILE%\SoftwareDistribution"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\dInject\dInjector.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimser\wimser.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimserp\wimserp.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimsert\wimsert.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimserv\wimserv.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimsern\wimsern.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimser\winver.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimserp\winverp.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimsert\winvert.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimserv\winverv.exe"
'<SYSTEM32>\cmd.exe' /c dInjector.exe /A "%WINDIR%\wimsern\winvern.exe"
'<SYSTEM32>\cmd.exe' /c taskkill /F /IM ROMServer.exe
'<SYSTEM32>\icacls.exe' %WINDIR%\WinBioSystem /remove:d users
'<SYSTEM32>\ping.exe' 127.0.0.1 -n 5

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней