Trojan.Siggen31.1248

Добавлен в вирусную базу Dr.Web: 2025-03-16

Описание добавлено: 2025-03-17

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\s-1-5-21-1042309485-1296873312-1406453725-5030\{5hxyuk96-fh1q-8t1y-28ke-ikh1w9t7nnr4}

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /pid 1392

Modifies file system

Creates the following files

%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a\log.log
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\fwr8bwhx\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2vn9pwx9\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\imwjuvbg\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\18z93g7k\desktop.ini
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat

Sets the 'hidden' attribute to the following files

%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a\log.log
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\fwr8bwhx\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2vn9pwx9\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\imwjuvbg\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\18z93g7k\desktop.ini

Moves itself

from <Full path to file> to %APPDATA%\30

Deletes itself.

Network activity

Connects to

'21#.#82.200.111':21
'2n#.co':443

TCP

Other

'21#.#82.200.111':21
'2n#.co':443

UDP

DNS ASK 2n#.co

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c icacls "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Administrator:(R,REA,RA,RD)" & icacls "%APPDATA%\msil_m...
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Network Configuration Operators:(R,REA,RA,RD)"
'%WINDIR%\syswow64\cmd.exe' /c taskkill /f /pid 1392 & attrib -s -h -r -a "%APPDATA%\30" & del /q /f "%APPDATA%\30"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "everyone:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Все:(R,REA,RA,RD)"
'<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Users:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Replicator:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Remote Desktop Users:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Power Users:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Performance Monitor Users:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Performance Log Users:(R,REA,RA,RD)"
'<SYSTEM32>\taskeng.exe' {D1D23C55-3376-42DE-84A5-4A9B550290EE} S-1-5-21-3691498038-2086406363-2140527554-1000:izslnp\user:Interactive:[1]
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Event Log Readers:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Distributed COM Users:(R,REA,RA,RD)"
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Cryptographic Operators:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Backup Operators:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "user:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Guest:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Administrator:(R,REA,RA,RD)"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "IIS_IUSRS:(R,REA,RA,RD)"
'%WINDIR%\syswow64\attrib.exe' -s -h -r -a "%APPDATA%\30"
'%WINDIR%\syswow64\icacls.exe' "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Guests:(R,REA,RA,RD)"
'%WINDIR%\syswow64\cmd.exe' /c icacls "%APPDATA%\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_1.0.0.0_ru-ru_3afd32e85053fe1a" /inheritance:e /deny "Administrator:(R,REA,RA,RD)" & icacls "%APPDATA%\msil_m...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c taskkill /f /pid 1392 & attrib -s -h -r -a "%APPDATA%\30" & del /q /f "%APPDATA%\30"' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней