Trojan.Siggen18.7018

Техническая информация

Для обеспечения автозапуска и распространения

Устанавливает следующие настройки сервисов

[<HKLM>\System\CurrentControlSet\Services\SUsvcStaged2] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\SUsvcStaged2] 'ImagePath' = '%ProgramFiles(x86)%\SoftComputer\SoftUpdate\2\SUAgent.exe'

Создает следующие сервисы

'SUsvcStaged2' %ProgramFiles(x86)%\SoftComputer\SoftUpdate\2\SUAgent.exe

Вредоносные функции

Запускает на исполнение

'%WINDIR%\syswow64\net.exe' stop "SUsvcStaged1"
'%WINDIR%\syswow64\net.exe' stop "SUsvcStaged2"

Изменения в файловой системе

Создает следующие файлы

%TEMP%\7zsc178e841\del_old_lock.vbs
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\gzip.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\head.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\id.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\join.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\less.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\lesskey.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\logname.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\ls.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\makemsg.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\gsar.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\gunzip.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\md5sum.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\mvdir.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\nl.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\od.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\paste.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\pathchk.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\pr.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\printenv.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\printf.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\pwd.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\mkdir.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\mv.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\grep.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\gawk.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\fsplit.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\cat.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\cksum.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\cmp.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\comm.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\compress.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\cp.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\cut.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\date.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\dc.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\diff.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\bzip2recover.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\dirname.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\echo.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\egrep.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\env.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\expand.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\expr.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\factor.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\fgrep.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\find.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\flex.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\fold.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\du.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\rm.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\rmdir.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\sdiff.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\sed.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\zcat.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\zip.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\what.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\handle32.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\handle64.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\handle.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\svc.log
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\782d7e2bfb036a849a99ffa65c652d39
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\782d7e2bfb036a849a99ffa65c652d39
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\42b9a473b4daf01285a36b4d3c7b1662_178c086b699fd6c56b804af3ef759cb5
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\42b9a473b4daf01285a36b4d3c7b1662_178c086b699fd6c56b804af3ef759cb5
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\616ad1ab067cfd351d6c0ef6f3e12f40
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\616ad1ab067cfd351d6c0ef6f3e12f40
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\66ae3bfdf94a732b262342ad2154b86e_1700c8664a2848974fbd6e8f1fd8382f
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\66ae3bfdf94a732b262342ad2154b86e_1700c8664a2848974fbd6e8f1fd8382f
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\0e506cebbc8b162cfb2d72db4891dcae
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\0e506cebbc8b162cfb2d72db4891dcae
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\f4ea555947766f67c3bb52dedfd509c5
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\f4ea555947766f67c3bb52dedfd509c5
%WINDIR%\temp\cabdb51.tmp
%WINDIR%\temp\tardb52.tmp
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\yes.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\which.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\xargs.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\wget.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\seq.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\sleep.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\sort.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\split.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\stego.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\sum.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\tac.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\tail.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\tar.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\tee.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\test.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\touch.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\tr.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\type.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\uname.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\unexpand.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\uniq.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\unrar.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\unshar.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\unzip.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\uudecode.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\uuencode.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\wc.exe
%WINDIR%\temp\cabf23c.tmp
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\bzip2.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\bunzip2.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\bison.exe
%TEMP%\7zsc178e841\sccapps.exe
%TEMP%\7zsc178e841\sessionagent.exe
%TEMP%\7zsc178e841\suagent.exe
%TEMP%\7zsc178e841\webupdate.dll
%TEMP%\7zsc178e841\webupdate.xmlserializers.dll
%TEMP%\7zsc178e841\winrun.exe
%TEMP%\7zsc178e841\netfx20sp2_x86.exe
nul
%WINDIR%\temp\suinst\applauncher.exe
%TEMP%\7zsc178e841\wbin.7z.exe
%TEMP%\7zsc178e841\applauncher.exe
%WINDIR%\temp\suinst\del_old_lock.vbs
%WINDIR%\temp\suinst\functions.su
%WINDIR%\temp\suinst\gen_inst_cmd.su
%WINDIR%\temp\suinst\install.cmd
%WINDIR%\temp\suinst\install.su
%WINDIR%\temp\suinst\netfx20sp2_x86.exe
%WINDIR%\temp\suinst\sccapps.exe
%WINDIR%\temp\suinst\sccapps.exe.config.model
%WINDIR%\temp\suinst\sessionagent.exe
%WINDIR%\temp\suinst\softupdate.reg
%WINDIR%\temp\suinst\environments.ini
%WINDIR%\temp\suinst\environments.ini.model
%TEMP%\7zsc178e841\environments.ini
%TEMP%\7zsc178e841\version.txt.build
%TEMP%\7zsc178e841\version.txt
%TEMP%\7zsc178e841\docs\all.hlp4su
%TEMP%\7zsc178e841\docs\cleanup.man4su
%TEMP%\7zsc178e841\docs\combosync.man4su
%TEMP%\7zsc178e841\docs\cp.man4su
%TEMP%\7zsc178e841\docs\probe.man4su
%TEMP%\7zsc178e841\docs\reg.man4su
%TEMP%\7zsc178e841\docs\remove.man4su
%TEMP%\7zsc178e841\docs\script.man4su
%TEMP%\7zsc178e841\docs\set.man4su
%TEMP%\7zsc178e841\docs\short.hlp4su
%TEMP%\7zsc178e841\docs\admin.hlp4su
%TEMP%\7zsc178e841\docs\undeploy.man4su
%TEMP%\7zsc178e841\functions.su
%TEMP%\7zsc178e841\gen_inst_cmd.su
%TEMP%\7zsc178e841\ico\sccapp.ico
%TEMP%\7zsc178e841\ico\scchf.ico
%TEMP%\7zsc178e841\install.cmd
%TEMP%\7zsc178e841\install.su
%TEMP%\7zsc178e841\sccapps.exe.config.model
%TEMP%\7zsc178e841\softupdate.reg
%TEMP%\7zsc178e841\uninstall.reg
%TEMP%\7zsc178e841\uninstall.su
%TEMP%\7zsc178e841\environments.ini.model
%WINDIR%\temp\suinst\suagent.exe
%WINDIR%\temp\suinst\uninstall.reg
%WINDIR%\temp\suinst\uninstall.su
%WINDIR%\temp\suinst\version.txt
%ProgramFiles(x86)%\softcomputer\softupdate\2\sccapps.exe.config.model
%ProgramFiles(x86)%\softcomputer\softupdate\2\sessionagent.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\suagent.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\webupdate.dll
%ProgramFiles(x86)%\softcomputer\softupdate\2\webupdate.xmlserializers.dll
%ProgramFiles(x86)%\softcomputer\softupdate\2\winrun.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\admin.hlp4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\all.hlp4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\short.hlp4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\cleanup.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\combosync.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\cp.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\probe.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\reg.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\remove.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\script.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\set.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\docs\undeploy.man4su
%ProgramFiles(x86)%\softcomputer\softupdate\2\sccapps.exe.config
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\ps.bat
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\agrep.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\ansi2knr.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\basename.exe
%ProgramFiles(x86)%\softcomputer\softupdate\2\sccapps.exe
%TEMP%\uninstall.reg.63326a3e6335793e7831693e6d326f5f
%ProgramFiles(x86)%\softcomputer\softupdate\2\applauncher.exe
%TEMP%\environments.ini.62387a2a6a3967216e30633e6c366f2d
%WINDIR%\temp\suinst\version.txt.build
%WINDIR%\temp\suinst\wbin.7z.exe
%WINDIR%\temp\suinst\webupdate.dll
%WINDIR%\temp\suinst\webupdate.xmlserializers.dll
%WINDIR%\temp\suinst\winrun.exe
%WINDIR%\temp\suinst\docs\admin.hlp4su
%WINDIR%\temp\suinst\docs\all.hlp4su
%WINDIR%\temp\suinst\docs\cleanup.man4su
%WINDIR%\temp\suinst\docs\combosync.man4su
%WINDIR%\temp\suinst\docs\cp.man4su
%WINDIR%\temp\suinst\docs\probe.man4su
%WINDIR%\temp\suinst\docs\reg.man4su
%WINDIR%\temp\suinst\docs\remove.man4su
%WINDIR%\temp\suinst\docs\script.man4su
%WINDIR%\temp\suinst\docs\set.man4su
%WINDIR%\temp\suinst\docs\short.hlp4su
%WINDIR%\temp\suinst\docs\undeploy.man4su
%WINDIR%\temp\suinst\ico\sccapp.ico
%WINDIR%\temp\suinst\ico\scchf.ico
%WINDIR%\temp\suinst\install.log
%WINDIR%\temp\suinst\sysinfo_before.log
%WINDIR%\temp\suinst\uninstall.log
%WINDIR%\temp\suinst\silent_update.log
%ProgramFiles(x86)%\softcomputer\softupdate\2\wbin\bc.exe
%WINDIR%\temp\tarf24d.tmp

Удаляет следующие файлы

%WINDIR%\temp\suinst\install.log
%TEMP%\environments.ini.62387a2a6a3967216e30633e6c366f2d
%TEMP%\uninstall.reg.63326a3e6335793e7831693e6d326f5f
%WINDIR%\temp\cabdb51.tmp
%WINDIR%\temp\tardb52.tmp
%WINDIR%\temp\cabf23c.tmp
%WINDIR%\temp\tarf24d.tmp

Подменяет следующие файлы

%WINDIR%\temp\suinst\install.log

Сетевая активность

Подключается к

'localhost':0
'localhost':5522
'microsoft.com':80

TCP

Запросы HTTP GET

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

UDP

DNS ASK microsoft.com

Другое

Ищет следующие окна

ClassName: 'RegEdit_RegEdit' WindowName: ''

Создает и запускает на исполнение

'%WINDIR%\syswow64\cscript.exe' "%TEMP%\7zSC178E841\del_old_lock.vbs" "%WINDIR%\Temp\SUINST\install.lock"
'%WINDIR%\temp\suinst\winrun.exe' -script "%WINDIR%\Temp\SUINST\uninstall.su" -label SYSINFO
'%WINDIR%\temp\suinst\winrun.exe' -script %WINDIR%\Temp\SUINST\gen_inst_cmd.su
'%WINDIR%\temp\suinst\winrun.exe' -script "%WINDIR%\Temp\SUINST\uninstall.su"
'%WINDIR%\temp\suinst\winrun.exe' -script "%WINDIR%\Temp\SUINST\install.su"
'%WINDIR%\temp\suinst\wbin.7z.exe' -y -o"%ProgramFiles(x86)%\SoftComputer\SoftUpdate\2"
'%ProgramFiles(x86)%\softcomputer\softupdate\2\suagent.exe' install 2
'%ProgramFiles(x86)%\softcomputer\softupdate\2\suagent.exe' start 2
'%ProgramFiles(x86)%\softcomputer\softupdate\2\suagent.exe'

Запускает на исполнение

'%WINDIR%\syswow64\cmd.exe' /c .\install.cmd
'%WINDIR%\syswow64\cmd.exe' /c copy /Y "%ProgramFiles(x86)%\SoftComputer\SoftUpdate\2\SCCApps.exe.config.model" "%ProgramFiles(x86)%\SoftComputer\SoftUpdate\2\SCCApps.exe.config"
'%WINDIR%\syswow64\regedit.exe' /s "%TEMP%\uninstall.reg.63326A3E6335793E7831693E6D326F5F"
'%WINDIR%\syswow64\regedit.exe' /s "%TEMP%\environments.ini.62387A2A6A3967216E30633E6C366F2D"
'%WINDIR%\syswow64\sc.exe' delete "SUsvcStaged2"
'%WINDIR%\syswow64\net1.exe' stop "SUsvcStaged2"
'%WINDIR%\syswow64\sc.exe' delete "SUsvcStaged1"
'%WINDIR%\syswow64\net1.exe' stop "SUsvcStaged1"
'%WINDIR%\syswow64\cmd.exe' /c %WINDIR%\Temp\SUINST\winrun.exe -script %WINDIR%\Temp\SUINST\gen_inst_cmd.su
'%WINDIR%\syswow64\findstr.exe' "2"
'%WINDIR%\syswow64\cmd.exe' /c copy /Y "%ProgramFiles(x86)%\SoftComputer\SoftUpdate\2\wbin\handle64.exe" "%ProgramFiles(x86)%\SoftComputer\SoftUpdate\2\wbin\handle.exe"
'%WINDIR%\syswow64\findstr.exe' "SP"
'%WINDIR%\syswow64\findstr.exe' "1"
'%WINDIR%\syswow64\findstr.exe' "Install"
'%WINDIR%\syswow64\reg.exe' QUERY "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727" /v "Install"
'%WINDIR%\syswow64\xcopy.exe' "%TEMP%\7zSC178E841\*" "%WINDIR%\Temp\SUINST\" /S /R /Y
'%WINDIR%\syswow64\findstr.exe' 64
'%WINDIR%\syswow64\reg.exe' QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
'%WINDIR%\syswow64\findstr.exe' REG_SZ
'%WINDIR%\syswow64\reg.exe' QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
'%WINDIR%\syswow64\cmd.exe' /c <SYSTEM32>\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion 2>nul | <SYSTEM32>\findstr.exe REG_SZ
'%WINDIR%\syswow64\reg.exe' QUERY "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727" /v "SP"
'%WINDIR%\syswow64\regedit.exe' /s "%TEMP%\environments.ini.70367340673261607333673E6D38777C"

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней