Trojan.Siggen25.48546

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'CSRSS' = '"%ALLUSERSPROFILE%\Drivers\csrss.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\firefox default browser agent 21db8207075b4391

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\IMAP List Mailboxes 65] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\IMAP List Mailboxes 65] 'ImagePath' = '%ALLUSERSPROFILE%\IMAP List Mailboxes 65\IMAP List Mailboxes 65.exe'

Creates the following services

'IMAP List Mailboxes 65' %ALLUSERSPROFILE%\IMAP List Mailboxes 65\IMAP List Mailboxes 65.exe

Modifies master boot record (MBR).

Malicious functions

Injects code into

the following user processes:

8584.exe

Modifies file system

Creates the following files

%APPDATA%\gvfbwga
%LOCALAPPDATA%\burnaware extension\is-hdceg.tmp
%LOCALAPPDATA%\burnaware extension\is-ar64n.tmp
%LOCALAPPDATA%\burnaware extension\is-25icv.tmp
%LOCALAPPDATA%\burnaware extension\is-8likj.tmp
%LOCALAPPDATA%\burnaware extension\is-7oahs.tmp
%LOCALAPPDATA%\burnaware extension\is-u2roj.tmp
%LOCALAPPDATA%\burnaware extension\is-nddrg.tmp
%LOCALAPPDATA%\burnaware extension\is-ou124.tmp
%LOCALAPPDATA%\burnaware extension\is-63pve.tmp
%LOCALAPPDATA%\burnaware extension\is-a3bjk.tmp
%LOCALAPPDATA%\burnaware extension\languages\is-php5j.tmp
%LOCALAPPDATA%\burnaware extension\is-uhdlj.tmp
%LOCALAPPDATA%\burnaware extension\unins000.dat
%LOCALAPPDATA%\burnaware extension\burnawareext.exe
%ALLUSERSPROFILE%\imap list mailboxes 65\imap list mailboxes 65.exe
%LOCALAPPDATA%\burnaware extension\is-9j1rr.tmp
%LOCALAPPDATA%\burnaware extension\is-im5d3.tmp
%LOCALAPPDATA%\burnaware extension\is-1fuk7.tmp
%LOCALAPPDATA%\burnaware extension\is-me727.tmp
%TEMP%\4kpv6a~1\cached-microdescs.new
%TEMP%\89c9.exe
%ALLUSERSPROFILE%\drivers\csrss.exe
%TEMP%\9cfc.exe
%TEMP%\4kpv6a~1\state.tmp
%TEMP%\d24f.exe
%TEMP%\4kpv6a~1\unverified-microdesc-consensus.tmp
%TEMP%\4kpv6a~1\cached-certs.tmp
%TEMP%\8584.exe
%TEMP%\4kpv6a~1\cached-microdesc-consensus.tmp
%TEMP%\is-rr47b.tmp\_isetup\_regdll.tmp
%TEMP%\is-rr47b.tmp\_isetup\_setup64.tmp
%TEMP%\is-rr47b.tmp\_isetup\_shfoldr.dll
%TEMP%\is-rr47b.tmp\_isetup\_isdecmp.dll
%TEMP%\is-rr47b.tmp\_isetup\_iscrypt.dll
%LOCALAPPDATA%\burnaware extension\is-a5fc6.tmp
%LOCALAPPDATA%\burnaware extension\is-884al.tmp
%TEMP%\is-jvtd1.tmp\d24f.tmp
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\cookies.sqlite-shm
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\places.sqlite-shm

Sets the 'hidden' attribute to the following files

%APPDATA%\gvfbwga
%ALLUSERSPROFILE%\drivers\csrss.exe

Deletes the following files

%TEMP%\4kpv6a~1\unverified-microdesc-consensus
%TEMP%\4kpv6a~1\cached-certs
%LOCALAPPDATA%\burnaware extension\libgcc_s_dw2-1.dll
%TEMP%\4kpv6a~1\state
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\cookies.sqlite-shm
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\places.sqlite-shm

Moves the following files

from %TEMP%\4kpv6a~1\state.tmp to %TEMP%\4kpv6a~1\state
from %LOCALAPPDATA%\burnaware extension\is-a3bjk.tmp to %LOCALAPPDATA%\burnaware extension\setting.ini
from %LOCALAPPDATA%\burnaware extension\is-im5d3.tmp to %LOCALAPPDATA%\burnaware extension\sdl2.dll
from %LOCALAPPDATA%\burnaware extension\is-9j1rr.tmp to %LOCALAPPDATA%\burnaware extension\swresample-3.dll
from %LOCALAPPDATA%\burnaware extension\is-63pve.tmp to %LOCALAPPDATA%\burnaware extension\zlib1.dll
from %LOCALAPPDATA%\burnaware extension\is-u2roj.tmp to %LOCALAPPDATA%\burnaware extension\libbz2-1.dll
from %LOCALAPPDATA%\burnaware extension\is-7oahs.tmp to %LOCALAPPDATA%\burnaware extension\libwinpthread-1.dll
from %LOCALAPPDATA%\burnaware extension\is-8likj.tmp to %LOCALAPPDATA%\burnaware extension\libvorbisenc-2.dll
from %LOCALAPPDATA%\burnaware extension\is-25icv.tmp to %LOCALAPPDATA%\burnaware extension\libvorbis-0.dll
from %LOCALAPPDATA%\burnaware extension\languages\is-php5j.tmp to %LOCALAPPDATA%\burnaware extension\languages\turkish.ini
from %LOCALAPPDATA%\burnaware extension\is-ar64n.tmp to %LOCALAPPDATA%\burnaware extension\libogg-0.dll
from %LOCALAPPDATA%\burnaware extension\is-nddrg.tmp to %LOCALAPPDATA%\burnaware extension\avutil-56.dll
from %LOCALAPPDATA%\burnaware extension\is-1fuk7.tmp to %LOCALAPPDATA%\burnaware extension\libgcc_s_dw2-1.dll
from %LOCALAPPDATA%\burnaware extension\is-me727.tmp to %LOCALAPPDATA%\burnaware extension\avformat-58.dll
from %LOCALAPPDATA%\burnaware extension\is-884al.tmp to %LOCALAPPDATA%\burnaware extension\avcodec-58.dll
from %LOCALAPPDATA%\burnaware extension\is-a5fc6.tmp to %LOCALAPPDATA%\burnaware extension\unins000.exe
from %TEMP%\4kpv6a~1\cached-microdesc-consensus.tmp to %TEMP%\4kpv6a~1\cached-microdesc-consensus
from %TEMP%\4kpv6a~1\cached-certs.tmp to %TEMP%\4kpv6a~1\cached-certs
from %TEMP%\4kpv6a~1\unverified-microdesc-consensus.tmp to %TEMP%\4kpv6a~1\unverified-microdesc-consensus
from %LOCALAPPDATA%\burnaware extension\is-hdceg.tmp to %LOCALAPPDATA%\burnaware extension\libiconv-2.dll
from %LOCALAPPDATA%\burnaware extension\is-uhdlj.tmp to %LOCALAPPDATA%\burnaware extension\burnawareext.exe

Modifies the following files

Substitutes the following files

%TEMP%\4kpv6a~1\cached-certs.tmp
%TEMP%\4kpv6a~1\cached-certs
%LOCALAPPDATA%\burnaware extension\libgcc_s_dw2-1.dll
%TEMP%\4kpv6a~1\state.tmp
%TEMP%\4kpv6a~1\state

Deletes itself.

Network activity

Connects to

'se####ation17io.io':80
'localhost':49819
'localhost':49817
'localhost':49815
'localhost':49813
'localhost':49810
'localhost':49808
'localhost':49806
'localhost':49800
'localhost':49803
'localhost':49801
'localhost':49798
'localhost':49796
'localhost':49792
'localhost':49823
'localhost':49790
'localhost':49788
'localhost':49786
'localhost':49784
'localhost':49782
'localhost':49780
'localhost':49778
'localhost':49776
'localhost':49774
'localhost':49772
'localhost':49770
'localhost':49794
'localhost':49883
'localhost':49825
'localhost':49879
'localhost':49877
'localhost':49875
'localhost':49873
'localhost':49871
'localhost':49869
'localhost':49867
'localhost':49865
'localhost':49863
'localhost':49861
'localhost':49859
'localhost':49849
'localhost':49768
'localhost':49821
'localhost':49852
'localhost':49850
'localhost':49847
'localhost':49845
'localhost':49843
'localhost':49841
'localhost':49839
'localhost':49837
'localhost':49835
'localhost':49833
'localhost':49831
'localhost':49829
'localhost':49854
'localhost':49827
'localhost':49856
'localhost':49881
'localhost':49762
'localhost':49707
'localhost':49701
'localhost':49699
'localhost':49697
'localhost':49695
'localhost':49693
'localhost':49691
'localhost':49689
'localhost':49687
'localhost':49685
'localhost':49683
'localhost':49681
'localhost':49679
'localhost':49677
'localhost':49675
'localhost':49673
'localhost':49671
'localhost':49669
'localhost':49667
'localhost':49665
'localhost':49663
'localhost':49661
'localhost':49659
'localhost':49657
'localhost':49655
'localhost':49709
'localhost':49711
'localhost':49760
'localhost':49732
'localhost':49736
'localhost':49758
'localhost':49756
'localhost':49754
'localhost':49752
'localhost':49750
'localhost':49748
'localhost':49746
'localhost':49744
'localhost':49742
'localhost':49740
'localhost':49738
'localhost':49766
'localhost':49764
'localhost':49703
'localhost':49730
'localhost':49728
'localhost':49726
'localhost':49548
'localhost':49723
'localhost':49721
'localhost':49565
'localhost':49719
'localhost':49717
'localhost':49715
'localhost':49713
'localhost':49733
'localhost':49498
'localhost':49885
'localhost':50057
'localhost':50055
'localhost':50053
'localhost':50051
'localhost':50049
'localhost':50047
'localhost':50045
'localhost':50043
'localhost':50041
'localhost':50039
'localhost':50037
'localhost':50035
'localhost':50033
'localhost':50029
'localhost':50063
'localhost':50027
'localhost':50025
'localhost':50023
'localhost':50021
'localhost':50019
'localhost':50017
'localhost':50015
'localhost':50013
'localhost':50011
'localhost':50009
'localhost':50059
'localhost':50031
'localhost':49887
'localhost':50065
'localhost':50116
'localhost':50114
'localhost':50112
'localhost':50110
'localhost':50108
'localhost':50106
'localhost':50098
'localhost':50104
'localhost':50102
'localhost':50100
'localhost':50094
'localhost':50007
'localhost':50095
'localhost':50061
'localhost':50088
'localhost':50085
'localhost':50083
'localhost':50081
'localhost':50079
'localhost':50077
'localhost':50075
'localhost':50073
'localhost':50071
'localhost':50069
'localhost':50067
'localhost':50092
'localhost':50005
'localhost':50118
'localhost':50003
'localhost':50001
'localhost':49938
'localhost':49653
'localhost':49934
'localhost':49932
'localhost':49930
'localhost':49928
'localhost':49924
'localhost':49925
'localhost':49922
'localhost':49920
'localhost':49918
'localhost':49916
'localhost':49940
'localhost':49942
'localhost':49914
'localhost':49908
'localhost':49906
'localhost':49904
'localhost':49902
'localhost':49900
'localhost':49898
'localhost':49896
'localhost':49894
'localhost':49812
'localhost':49891
'localhost':49889
'localhost':49912
'localhost':49910
'localhost':49705
'localhost':49946
'localhost':49971
'localhost':49975
'localhost':49997
'localhost':49995
'localhost':49993
'localhost':49991
'localhost':49989
'localhost':49987
'localhost':49985
'localhost':49983
'localhost':49981
'localhost':49979
'localhost':49977
'localhost':49999
'localhost':49944
'localhost':49936
'localhost':49969
'localhost':49967
'localhost':49959
'localhost':49965
'localhost':49963
'localhost':49961
'localhost':49957
'localhost':49955
'localhost':49952
'localhost':49950
'localhost':49948
'localhost':49973
'localhost':49651
'localhost':49649
'localhost':49647
'localhost':49348
'localhost':49342
'localhost':49340
'localhost':49338
'localhost':49336
'localhost':49334
'localhost':49332
'localhost':49330
'localhost':49328
'localhost':49326
'localhost':49324
'localhost':49322
'localhost':49320
'localhost':49318
'localhost':49316
'localhost':49314
'localhost':49311
'localhost':49308
'localhost':49309
'localhost':49306
'localhost':49304
'localhost':49302
'localhost':49300
'localhost':49292
'localhost':49297
'localhost':49350
'localhost':49352
'localhost':49404
'localhost':49374
'localhost':49380
'localhost':49402
'localhost':49400
'localhost':49398
'localhost':49396
'localhost':49394
'localhost':49392
'localhost':49390
'localhost':49388
'localhost':49386
'localhost':49384
'localhost':49382
'localhost':49346
'localhost':49295
'localhost':49290
'localhost':49375
'localhost':49372
'localhost':49370
'localhost':49368
'localhost':49366
'localhost':49364
'localhost':49362
'localhost':49360
'localhost':49358
'localhost':49356
'localhost':49354
'localhost':49377
'localhost':49293
'localhost':49286
'localhost':49260
'localhost':49200
'localhost':49224
'localhost':49222
'localhost':49220
'localhost':49218
'localhost':49216
'localhost':49214
'localhost':49212
'localhost':49210
'localhost':49208
'localhost':49206
'localhost':49204
'localhost':49406
'localhost':49228
'45.##8.77.29':9700
'localhost':21694
'18#.#72.128.19':80
'17#.#2.136.221':9001
'51.##.57.125':9001
'13#.#88.40.189':443
'10#.#7.25.148':443
'10#.#0.100.29':443
'14#.#6.170.20':443
'38.##5.200.61':443
'in##.#unaviat.com':80
'localhost':49183
'localhost':49202
'localhost':50120
'localhost':49230
'localhost':49236
'localhost':49232
'localhost':49287
'localhost':49284
'localhost':49282
'localhost':49280
'localhost':49278
'localhost':49276
'localhost':49274
'localhost':49272
'localhost':49270
'localhost':49268
'localhost':49266
'localhost':49234
'localhost':49264
'localhost':49226
'localhost':49256
'localhost':49257
'localhost':49254
'localhost':49248
'localhost':49251
'localhost':49249
'localhost':49246
'localhost':49244
'localhost':49242
'localhost':49240
'localhost':49238
'localhost':49262
'localhost':50090
'localhost':49408
'localhost':49414
'localhost':49559
'localhost':49583
'localhost':49584
'localhost':49581
'localhost':49579
'localhost':49577
'localhost':49574
'localhost':49569
'localhost':49572
'localhost':49570
'localhost':49567
'localhost':49563
'localhost':49561
'localhost':49557
'localhost':49589
'localhost':49555
'localhost':49553
'localhost':49549
'localhost':49550
'localhost':49546
'localhost':49544
'localhost':49542
'localhost':49540
'localhost':49538
'localhost':49534
'localhost':49344
'localhost':49591
'localhost':49643
'localhost':49619
'localhost':49621
'localhost':49644
'localhost':49641
'localhost':49639
'localhost':49637
'localhost':49635
'localhost':49633
'localhost':49631
'localhost':49629
'localhost':49627
'localhost':49625
'localhost':49623
'localhost':49535
'localhost':49532
'localhost':49593
'localhost':49615
'localhost':49613
'localhost':49611
'localhost':49609
'localhost':49607
'localhost':49605
'localhost':49603
'localhost':49601
'localhost':49599
'localhost':49595
'localhost':49596
'localhost':49617
'localhost':49587
'localhost':49530
'localhost':49528
'localhost':49410
'localhost':49438
'localhost':49463
'localhost':49460
'localhost':49458
'localhost':49456
'localhost':49454
'localhost':49452
'localhost':49450
'localhost':49448
'localhost':49446
'localhost':49444
'localhost':49468
'localhost':49442
'localhost':49440
'localhost':49436
'localhost':49434
'localhost':49432
'localhost':49430
'localhost':49428
'localhost':49426
'localhost':49424
'localhost':49422
'localhost':49420
'localhost':49418
'localhost':49416
'localhost':49462
'localhost':49412
'localhost':49472
'localhost':49476
'localhost':49526
'localhost':49470
'localhost':49524
'localhost':49514
'localhost':49521
'localhost':49519
'localhost':49517
'localhost':49515
'localhost':49512
'localhost':49510
'localhost':49508
'localhost':49506
'localhost':49474
'localhost':49504
'localhost':49500
'localhost':49465
'localhost':49496
'localhost':49494
'localhost':49490
'localhost':49491
'localhost':49488
'localhost':49486
'localhost':49484
'localhost':49482
'localhost':49480
'localhost':49478
'localhost':49502
'localhost':50122

TCP

HTTP GET requests

http://in##.#unaviat.com/data/pdf/may.exe
http://18#.#72.128.19/288c47bbc1871b439df19ff4df68f0776.exe
http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/upd.php?n=#################################################################################################################...
http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/task.php?n=################################################################################################################...
http://x5###############dj2m6eq4amkkpndbqyvmvaz6yl4mmfco6oqxsqd.onion/hb.php?n=##############################

HTTP POST requests

http://se####ation17io.io/index.php

Other

'13#.#88.40.189':443
'10#.#7.25.148':443
'17#.#2.136.221':9001
'51.##.57.125':9001
'localhost':21694
'localhost':49195
'localhost':49197
'localhost':49198
'45.##8.77.29':9700
'localhost':49564

UDP

DNS ASK se####ation17io.io
DNS ASK ry#####up.toppr.school
DNS ASK jo##.#econdlife.com
DNS ASK ac#####pp.pearson.com
DNS ASK ch###tempo.com
DNS ASK ia#.#earson.com
DNS ASK li##.#hessbase.com
DNS ASK al####online.com
DNS ASK ec##.##urceinfosys.com
DNS ASK ss#.#arena.com
DNS ASK st#####.allendigital.in
DNS ASK ac#####.protonvpn.com
DNS ASK di##ord.com
DNS ASK te####n.taleo.net
DNS ASK cl###.mongodb.com
DNS ASK lo###.##crosoftonline.com
DNS ASK re######ng360.avature.net
DNS ASK gm##rix.net
DNS ASK re###post.com
DNS ASK ac######.myherbalife.com
DNS ASK my######gs.easemytrip.com
DNS ASK na.####unt.amazon.com
DNS ASK po####.###ometaxindiaefiling.gov.in
DNS ASK my####ingpoint.in
DNS ASK tn####net.gov.in
DNS ASK hu#.#sf.gov.in
DNS ASK my.##ndirect.in
DNS ASK te###wifi.com
DNS ASK m.###iamart.com
DNS ASK ze##.com
DNS ASK mo######i.moneycontrol.com
DNS ASK po##er.in
DNS ASK se####.booking.com
DNS ASK co####er-pdf.com
DNS ASK bs###elhi.com
DNS ASK to##ily.net
DNS ASK fo######nsing.fssai.gov.in
DNS ASK tn###outreg.in
DNS ASK ca##oda.com
DNS ASK an##l.co
DNS ASK in.#######ontract.myherbalife.com
DNS ASK ac####ts.paytm.com
DNS ASK fi###.#00webhost.com
DNS ASK vi#########.centralindia.cloudapp.azure.com
DNS ASK sh####minsight.in
DNS ASK ma###gif.com
DNS ASK te###atta.com
DNS ASK ss#.nic.in
DNS ASK hi##eap.com
DNS ASK id#.#penccc.net
DNS ASK op##ccc.net
DNS ASK wi###cribe.com
DNS ASK re##ine.com
DNS ASK in.###webhost.com
DNS ASK ma#####p.zendesk.com
DNS ASK lo###.aol.com
DNS ASK ap#.#ools.surf
DNS ASK co####e.xrcloud.com
DNS ASK ud###rmuda.com
DNS ASK in##.#unaviat.com
DNS ASK ap#.#urbo.net
DNS ASK un########tal-mem.epfindia.gov.in
DNS ASK ac####t.xiaomi.com
DNS ASK ax#.#aleo.net
DNS ASK pr#####-infinity.cloud
DNS ASK in####tycheats.com
DNS ASK st###.#teampowered.com
DNS ASK st####ommunity.com
DNS ASK myaccount.google.com
DNS ASK mh.###lwire.co.in
DNS ASK sh##nkme.io
DNS ASK sh###kearn.com
DNS ASK ac####t.battle.net
DNS ASK kr.##ttle.net
DNS ASK ta######itsuisse.taleo.net
DNS ASK pi##ux.com
DNS ASK dh###gurc.com
DNS ASK pa######.epfindia.gov.in
DNS ASK am#######us.aspiringminds.com
DNS ASK sw######enid.b2clogin.com
DNS ASK co###hef.com
DNS ASK as####.cocubes.com
DNS ASK mx###.##stedmxserver.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: 'f38285_BAE262FlashFixClass_f38285'

Creates and executes the following

'%TEMP%\8584.exe'
'%TEMP%\89c9.exe'
'%TEMP%\9cfc.exe'
'%TEMP%\d24f.exe'
'%TEMP%\is-jvtd1.tmp\d24f.tmp' /SL5="$1025A,7139316,54272,%TEMP%\D24F.exe"
'%LOCALAPPDATA%\burnaware extension\burnawareext.exe' -i
'%LOCALAPPDATA%\burnaware extension\burnawareext.exe' -s
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\Temp\Task.bat" "' (with hidden window)

Executes the following

'<SYSTEM32>\regsvr32.exe' /s %TEMP%\BC9.dll
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\Temp\Task.bat" "
'%WINDIR%\syswow64\chcp.com' 1251

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней