Exploit.Siggen3.9542

Technical Information

Malicious functions

Executes the following (exploit)

'<SYSTEM32>\rundll32.exe' C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer

Modifies file system

Creates the following files

C:\fyjh\zglgy\lckhvmn.drhdh
<Current directory>\ff380000
%LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012021020820210209\index.dat
%TEMP%\fv9cjjrm.0.cs
%TEMP%\fv9cjjrm.cmdline
%TEMP%\fv9cjjrm.out
%TEMP%\csc8a54.tmp
%TEMP%\res8a65.tmp
%TEMP%\fv9cjjrm.dll
%TEMP%\gj-f9e3a.0.cs
%TEMP%\gj-f9e3a.cmdline
%TEMP%\gj-f9e3a.out
%TEMP%\csc8d22.tmp
%TEMP%\res8d23.tmp
%TEMP%\gj-f9e3a.dll

Deletes the following files

%TEMP%\res8a65.tmp
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\jquery-1.9.1.min[1].js
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\googlelogo_color_150x54dp[1].png
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\override[1].css
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\robot[1].png
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\favicon[3].ico
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\17-f90ef1[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\yytr[1].png
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\re1mu3b[1].png
%TEMP%\gj-f9e3a.out
%TEMP%\gj-f9e3a.cmdline
%TEMP%\gj-f9e3a.0.cs
%TEMP%\gj-f9e3a.dll
%TEMP%\gj-f9e3a.pdb
%TEMP%\csc8d22.tmp
%TEMP%\res8d23.tmp
%TEMP%\fv9cjjrm.out
%TEMP%\fv9cjjrm.cmdline
%TEMP%\fv9cjjrm.pdb
%TEMP%\fv9cjjrm.0.cs
%TEMP%\fv9cjjrm.dll
%TEMP%\csc8a54.tmp
%APPDATA%\microsoft\windows\cookies\user@microsoft[2].txt
%APPDATA%\microsoft\windows\cookies\user@pronpepsipirpyamvioerd[1].txt

Modifies the following files

Substitutes the following files

<PATH_SAMPLE>.xls

Deletes itself.

Network activity

Connects to

'on#####docu-sign-st.com':80
'as####.onestore.ms':443
'aj##.#spnetcdn.com':443
'st############ingsites-wcus-ms-com.akamaized.net':443
'im##########-rt-microsoft-com.akamaized.net':443
'fi########moteconfig.googleapis.com':80
'pr######ipirpyamvioerd.com':80

TCP

HTTP GET requests

http://pr######ipirpyamvioerd.com/favicon.ico

'as####.onestore.ms':443

'aj##.#spnetcdn.com':443

'st############ingsites-wcus-ms-com.akamaized.net':443

'im##########-rt-microsoft-com.akamaized.net':443

UDP

DNS ASK on#####docu-sign-st.com
DNS ASK as####.onestore.ms
DNS ASK st############ingsites-wcus-ms-com.akamaized.net
DNS ASK aj##.#spnetcdn.com
DNS ASK im##########-rt-microsoft-com.akamaized.net
DNS ASK fi########moteconfig.googleapis.com
DNS ASK pr######ipirpyamvioerd.com

Miscellaneous

Searches for the following windows

ClassName: 'Static' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Creates and executes the following

'<SYSTEM32>\rundll32.exe' C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer' (with hidden window)
'<SYSTEM32>\mshta.exe' "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\294256E3-74A5-4392-C66D-E8275AF19C4B\\\BthsxRes'...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\294256E3-74A5-4392-C66D-E8275AF19C4B").AUDI9_29))' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fv9cjjrm.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8A65.tmp" "%TEMP%\CSC8A54.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gj-f9e3a.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8D23.tmp" "%TEMP%\CSC8D22.tmp"' (with hidden window)
'<SYSTEM32>\rundll32.exe' Shell32.dll,Control_RunDLL -h' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C pause dll mail, ,' (with hidden window)

Executes the following

'<SYSTEM32>\mshta.exe' "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\294256E3-74A5-4392-C66D-E8275AF19C4B\\\BthsxRes'...
'<SYSTEM32>\ipconfig.exe' /all
'<SYSTEM32>\systeminfo.exe'
'<SYSTEM32>\makecab.exe' /F "%TEMP%\AB7A.bin"
'<SYSTEM32>\cmd.exe' /C "ipconfig /all >> %TEMP%\4861.bin1"
'<SYSTEM32>\cmd.exe' /C "systeminfo.exe > %TEMP%\D49C.bin1"
'<SYSTEM32>\cmd.exe' /C "echo -------- >> %TEMP%\E044.bi1"
'<SYSTEM32>\nslookup.exe' myip.opendns.com resolver1.opendns.com
'<SYSTEM32>\cmd.exe' /C "nslookup myip.opendns.com resolver1.opendns.com > %TEMP%\E044.bi1"
'<SYSTEM32>\rundll32.exe' Shell32.dll,Control_RunDLL -h
'<SYSTEM32>\control.exe' -h
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8D23.tmp" "%TEMP%\CSC8D22.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gj-f9e3a.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8A65.tmp" "%TEMP%\CSC8A54.tmp"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fv9cjjrm.cmdline"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\294256E3-74A5-4392-C66D-E8275AF19C4B").AUDI9_29))
'%WINDIR%\syswow64\cmd.exe' /C pause dll mail, ,
'<SYSTEM32>\cmd.exe' /C "echo -------- >> %TEMP%\4861.bin1"

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial