Trojan.Siggen18.36597

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\BSW_CHOCO_DO_UPDATE] 'ImagePath' = '"%ProgramFiles(x86)%\bit4finance\BSW-ChocoPowerUpdate\services\BSW_CHOCO_DO_UPDATE.exe"'
[<HKLM>\System\CurrentControlSet\Services\BSW_CHOCO_GET_UPDATE] 'ImagePath' = '"%ProgramFiles(x86)%\bit4finance\BSW-ChocoPowerUpdate\services\BSW_CHOCO_GET_UPDATE.exe"'

Creates the following services

'BSW_CHOCO_DO_UPDATE' "%ProgramFiles(x86)%\bit4finance\BSW-ChocoPowerUpdate\services\BSW_CHOCO_DO_UPDATE.exe"
'BSW_CHOCO_DO_UPDATE' %ProgramFiles(x86)%\bit4finance\BSW-ChocoPowerUpdate\services\BSW_CHOCO_DO_UPDATE.exe
'BSW_CHOCO_GET_UPDATE' "%ProgramFiles(x86)%\bit4finance\BSW-ChocoPowerUpdate\services\BSW_CHOCO_GET_UPDATE.exe"
'BSW_CHOCO_GET_UPDATE' %ProgramFiles(x86)%\bit4finance\BSW-ChocoPowerUpdate\services\BSW_CHOCO_GET_UPDATE.exe

Malicious functions

Downloads and executes

https://community.chocolatey.org/install.ps1

Modifies file system

Creates the following files

%TEMP%\autd47d.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\res\building150x150_1.35.gif
%TEMP%\autd810.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\res\loading70x70_1.35.gif
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\bsw-chocopowerupdate\bsw-chocopowerupdate.lnk
C:\users\public\desktop\bsw-chocopowerupdate.lnk
%WINDIR%\temp\bsw_choco_do_update.exe.log
%TEMP%\~uprgdku.tmp
%TEMP%\~pvwsngq.tmp
%TEMP%\~qdsmpmf.tmp
%TEMP%\~drrhqiq.tmp
%TEMP%\~qmsrcbg.tmp
%TEMP%\~ngiottr.tmp
%TEMP%\~dcabpuj.tmp
%TEMP%\~robtsbo.tmp
%TEMP%\autd80f.tmp
%WINDIR%\temp\bsw_choco_get_update.exe.log
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\res\bit4finance_logo.jpg
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\servicesgrantaccess.exe
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bsw-chocopowerupdate.exe
%TEMP%\autd588.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\bsw_choco_do_update.exe
%TEMP%\autd634.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\bsw_choco_get_update.exe
%TEMP%\autd72f.tmp
%TEMP%\autd7ad.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\res\application.ico
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\ps\choco_do-update.ps1
%TEMP%\autd7ae.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\ps\choco_get-update.ps1
%TEMP%\autd7be.tmp
%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe
%TEMP%\autd7ee.tmp
%TEMP%\autd7ff.tmp
%TEMP%\bsw-chocopowerupdate_17_08_2022__45-16.log

Deletes the following files

%TEMP%\autd47d.tmp
%TEMP%\autd588.tmp
%TEMP%\autd634.tmp
%TEMP%\autd72f.tmp
%TEMP%\autd7ad.tmp
%TEMP%\autd7ae.tmp
%TEMP%\autd7be.tmp
%TEMP%\autd7ee.tmp
%TEMP%\autd7ff.tmp
%TEMP%\autd80f.tmp
%TEMP%\autd810.tmp

Network activity

Connects to

'co######y.chocolatey.org':443

TCP

Other

'co######y.chocolatey.org':443

UDP

DNS ASK co######y.chocolatey.org

Miscellaneous

Creates and executes the following

'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\bsw_choco_do_update.exe' -i
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\bsw_choco_get_update.exe' -i
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\servicesgrantaccess.exe'
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~qdsmpmf.tmp /errorlog=%TEMP%\~uprgdku.tmp /service BSW_CHOCO_DO_UPDATE /grant=Benutzer=QSTOP
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~qmsrcbg.tmp /errorlog=%TEMP%\~drrhqiq.tmp /service BSW_CHOCO_DO_UPDATE /grant=Users=QSTOP
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~dcabpuj.tmp /errorlog=%TEMP%\~ngiottr.tmp /service BSW_CHOCO_GET_UPDATE /grant=Benutzer=QSTOP
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~pvwsngq.tmp /errorlog=%TEMP%\~robtsbo.tmp /service BSW_CHOCO_GET_UPDATE /grant=Users=QSTOP
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install microsoft-teams.install -y"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install zoom -y"' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~dcabpuj.tmp /errorlog=%TEMP%\~ngiottr.tmp /service BSW_CHOCO_GET_UPDATE /grant=Benutzer=QSTOP' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor ...' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~pvwsngq.tmp /errorlog=%TEMP%\~robtsbo.tmp /service BSW_CHOCO_GET_UPDATE /grant=Users=QSTOP' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\servicesgrantaccess.exe' ' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install gotomeeting -y"' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~qdsmpmf.tmp /errorlog=%TEMP%\~uprgdku.tmp /service BSW_CHOCO_DO_UPDATE /grant=Benutzer=QSTOP' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\bin\subinacl.exe' /outputlog=%TEMP%\~qmsrcbg.tmp /errorlog=%TEMP%\~drrhqiq.tmp /service BSW_CHOCO_DO_UPDATE /grant=Users=QSTOP' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\bsw_choco_get_update.exe' -i' (with hidden window)
'%ProgramFiles(x86)%\bit4finance\bsw-chocopowerupdate\services\bsw_choco_do_update.exe' -i' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco upgrade chocolatey"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install webex-meetings -y --ignore-checksums"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco upgrade chocolatey"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install zoom -y"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install microsoft-teams.install -y"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install gotomeeting -y"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "choco install webex-meetings -y --ignore-checksums"

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial