Trojan.Siggen18.50437

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'pyxojenixsfcraxudm' = '%WINDIR%\SysWOW64\srv426.exe'

Sets the following service settings

[<HKLM>\SYSTEM\CurrentControlSet\Services\clclajuoxlSv\Parameters] 'ServiceDll' = '%WINDIR%\SysWOW64\svcclclaju.dll'
[<HKLM>\System\CurrentControlSet\Services\clclajuoxlSv] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\clclajuoxlSv] 'ImagePath' = '<SYSTEM32>\svchost.exe -k DcomSec'

Creates the following services

'clclajuoxlSv' <SYSTEM32>\svchost.exe -k DcomSec

Modifies file system

Creates the following files

C:\logbot.txt
%WINDIR%\temp\lspae85.exe
%WINDIR%\temp\lspba97.exe
%WINDIR%\temp\lspc67a.exe
%WINDIR%\temp\lspd28c.exe
%WINDIR%\temp\lspde7e.exe
%WINDIR%\temp\lspeabf.exe
%WINDIR%\temp\lsp2a4.exe
%WINDIR%\temp\lsp5859.exe
%WINDIR%\temp\lspe87.exe
%WINDIR%\temp\lsp1a6a.exe
%WINDIR%\temp\lsp263e.exe
%WINDIR%\temp\lsp3211.exe
%WINDIR%\temp\lsp3df4.exe
%WINDIR%\temp\lsp4c76.exe
%WINDIR%\temp\lspa2a2.exe
%WINDIR%\temp\lspf6b2.exe
%WINDIR%\temp\lsp96bf.exe
%WINDIR%\temp\lsp1dbf.exe
%TEMP%\lisa92a.tmp
%WINDIR%\syswow64\srv426.exe
%WINDIR%\syswow64\svcclclaju.dll
%WINDIR%\temp\lspac93.exe
%TEMP%\lseaf04.tmp
%WINDIR%\temp\lsp11cc.exe
%WINDIR%\temp\lsp29e0.exe
%WINDIR%\temp\lsp7ee9.exe
%WINDIR%\temp\lsp35d3.exe
%WINDIR%\temp\lsp431d.exe
%WINDIR%\temp\lsp4f5d.exe
%WINDIR%\temp\lsp5b50.exe
%WINDIR%\temp\lsp6733.exe
%WINDIR%\temp\lsp7316.exe
%WINDIR%\temp\lsp8acc.exe
%WINDIR%\temp\lsp644c.exe

Deletes the following files

%WINDIR%\temp\lspac93.exe
%WINDIR%\temp\lsp3df4.exe
%WINDIR%\temp\lsp3211.exe
%WINDIR%\temp\lsp263e.exe
%WINDIR%\temp\lsp1a6a.exe
%WINDIR%\temp\lspe87.exe
%WINDIR%\temp\lsp2a4.exe
%WINDIR%\temp\lspf6b2.exe
%WINDIR%\temp\lspeabf.exe
%WINDIR%\temp\lspde7e.exe
%WINDIR%\temp\lspd28c.exe
%WINDIR%\temp\lspc67a.exe
%WINDIR%\temp\lspba97.exe
%WINDIR%\temp\lsp4c76.exe
%WINDIR%\temp\lspae85.exe
%WINDIR%\temp\lsp96bf.exe
%WINDIR%\temp\lsp8acc.exe
%WINDIR%\temp\lsp7ee9.exe
%WINDIR%\temp\lsp7316.exe
%WINDIR%\temp\lsp6733.exe
%WINDIR%\temp\lsp5b50.exe
%WINDIR%\temp\lsp4f5d.exe
%WINDIR%\temp\lsp431d.exe
%WINDIR%\temp\lsp35d3.exe
%WINDIR%\temp\lsp29e0.exe
%WINDIR%\temp\lsp1dbf.exe
%WINDIR%\temp\lsp11cc.exe
%WINDIR%\temp\lspa2a2.exe
%WINDIR%\temp\lsp5859.exe

Miscellaneous

Creates and executes the following

'%WINDIR%\temp\lsp644c.exe'
'%WINDIR%\temp\lspa2a2.exe'
'%WINDIR%\temp\lsp7ee9.exe'
'%WINDIR%\temp\lsp1a6a.exe'
'%WINDIR%\temp\lsp8acc.exe'
'%WINDIR%\temp\lsp96bf.exe'
'%WINDIR%\temp\lspe87.exe'
'%WINDIR%\temp\lspd28c.exe'
'%WINDIR%\temp\lsp2a4.exe'
'%WINDIR%\temp\lspba97.exe'
'%WINDIR%\temp\lspc67a.exe'
'%WINDIR%\temp\lspf6b2.exe'
'%WINDIR%\temp\lsp263e.exe'
'%WINDIR%\temp\lspde7e.exe'
'%WINDIR%\temp\lspae85.exe'
'%WINDIR%\temp\lsp6733.exe'
'%WINDIR%\temp\lsp4c76.exe'
'%WINDIR%\temp\lsp3211.exe'
'%WINDIR%\temp\lsp4f5d.exe'
'%WINDIR%\temp\lsp431d.exe'
'%WINDIR%\temp\lspeabf.exe'
'%WINDIR%\temp\lsp35d3.exe'
'%WINDIR%\temp\lsp3df4.exe'
'%WINDIR%\temp\lsp1dbf.exe'
'%WINDIR%\temp\lsp11cc.exe'
'%WINDIR%\temp\lsp5859.exe'
'%WINDIR%\temp\lsp5b50.exe'
'%WINDIR%\temp\lsp7316.exe'
'%WINDIR%\temp\lsp29e0.exe'
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp1DBF.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp11CC.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspDE7E.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspBA97.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspE87.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspF6B2.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp3DF4.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp5859.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp2A4.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp3211.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp4C76.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspEABF.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp263E.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp1A6A.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp431D.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp8ACC.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspD28C.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspC67A.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp644C.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspA2A2.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp96BF.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspAE85.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp7EE9.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp7316.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp6733.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp5B50.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp4F5D.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp29E0.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp35D3.exe"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspAC93.exe"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\svchost.exe' -k DcomSec
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp4C76.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp3DF4.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp3211.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp263E.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp1A6A.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspE87.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp2A4.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspF6B2.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspEABF.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspDE7E.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspD28C.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspC67A.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspBA97.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp5859.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspAE85.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp96BF.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp8ACC.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp7EE9.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp7316.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp6733.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp5B50.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp4F5D.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp431D.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp35D3.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp29E0.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp1DBF.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp11CC.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspAC93.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lspA2A2.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%WINDIR%\TEMP\lsp644C.exe"

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней