Trojan.Siggen18.28350

Техническая информация

Для обеспечения автозапуска и распространения

Модифицирует следующие ключи реестра

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'VfTrayIcon' = '"%ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\x64\vf_host.exe" -trayicon'

Вредоносные функции

Регистрирует BHO

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A87C84E-8C85-4E23-966D-081EF2EE16EE}]
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A87C84E-8C85-4E23-966D-081EF2EE16EE}]

Изменения в файловой системе

Создает следующие файлы

%TEMP%\nsr61fe.tmp\sibuia.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_host.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_elevate.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_elevate.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_bho.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_bho.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\config\vf_agent.txt
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_rem.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.ver
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\support util\procmonconfiguration.pmc
%ProgramFiles%\cyberark\endpoint privilege manager\agent\support util\openprocmonconfiguration.pmc
%ProgramFiles%\cyberark\endpoint privilege manager\agent\support util\log4net.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin2.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\support util\epmsupportutil.exe.config
%ProgramFiles%\cyberark\endpoint privilege manager\agent\support util\dotnetzip.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\kerneltracecontrol.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\event_message_file.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\system.data.sqlite.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\sqlite.interop.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\pasagentintegration.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin9.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin8.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin7.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin6.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin5.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin4.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\support util\epmsupportutil.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin3.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_host.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfdrv.inf
%ProgramFiles%\cyberark\endpoint privilege manager\agent\config\rt.dat
%WINDIR%\installer\{ca791754-880d-4ff4-be07-7d576385fb8d}\arpproducticon.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vftrace.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vftrace.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vftrace.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfpd.sys
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfpd.inf
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfpd.cat
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfnet.sys
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfnet.inf
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfnet.cat
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfdrv.sys
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_inj.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_inj.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_util.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_util.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_util.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_updater.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_tslocal.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_tracelogging.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_shex_proxy.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x64\vf_shex.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_shex_proxy.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_shex.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_rec.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_movie.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\drv\vfdrv.cat
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin12.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin11.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin10.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\manualzerotouchrequest.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\logoff.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\killvideoauditedapps.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\killapp.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\elevateondemand.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\elevatenotification.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\computersleep.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\computershutdown.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\computerreboot.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\computerlock.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\computerhibernate.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\policyautomationuac.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\challengeresponse.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\about.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\bb flashback recorder.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\bblogs.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\bbflashbackeditor.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\defaultpoliciestemplate.xml
%TEMP%\~868d.tmp
%TEMP%\wac8768.tmp
C:\epminstall.log
%TEMP%\sib6318.tmp\0\vfagentsetupx64.msi
%TEMP%\sib6318.tmp\0\cyberarkepmagentsetupwindows.config
%TEMP%\sib6318.tmp\sibclr.dll
%TEMP%\sib6318.tmp\sibca.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\block.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\policypropagate.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\policyautomationnonuac.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\policysuspend.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\plugins\paplugin1.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\cybkerneltracker.sys
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\sip.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\sfdp_detours64.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\sfdp_detours32.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\sfdp.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\pasagentintegration.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\pasagent.ver
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\pasagent.util.dll.config
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\pasagent.util.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\pasagent.exe.config
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\pasagent.exe
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\newtonsoft.json.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\log4net.dll
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\cybkerneltracker.inf
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\restrictedaccess.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\pasagent\cybkerneltracker.cat
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\vfonelevatedone.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\vfonelevatedenied.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\vfonelevate.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\startalert.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\softwaredistribution.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\servicerestartonupgrade.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\screenrecordingnotification.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\screenrecordinglowdisk.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\screenrecordingconfirmation.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\runusingauthorizationcode.htm
%ProgramFiles%\cyberark\endpoint privilege manager\agent\dialogs\rtauthorization.htm
%WINDIR%\help\mdtd\kds kcab
%ProgramFiles%\cyberark\endpoint privilege manager\agent\trace\vf_movie.trace

Удаляет следующие файлы

%TEMP%\wac8768.tmp
%TEMP%\~868d.tmp
%TEMP%\sib6318.tmp\0\cyberarkepmagentsetupwindows.config
%TEMP%\sib6318.tmp\0\vfagentsetupx64.msi
%TEMP%\sib6318.tmp\sibca.dll
%TEMP%\sib6318.tmp\sibclr.dll
%TEMP%\nsr61fe.tmp\sibuia.dll

Сетевая активность

Подключается к

'microsoft.com':80
'oc##.thawte.com':80

TCP

Запросы HTTP GET

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

UDP

DNS ASK microsoft.com
DNS ASK oc##.thawte.com

Другое

Ищет следующие окна

ClassName: 'MS_WINHELP' WindowName: ''

Создает и запускает на исполнение

'%TEMP%\wac8768.tmp' {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DCD55F88-87DF-4562-8FFC-53C35107BEC4}
'%TEMP%\wac8768.tmp' {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E77E9453-4802-4184-A4B0-BD8C1FE6DC10}
'%ProgramFiles%\cyberark\endpoint privilege manager\agent\x32\vf_movie.exe' /regserver
'%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.exe' -InstDrv "%ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\drv\vfdrv.inf"
'%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.exe' -InstDrv "%ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\drv\vfnet.inf"
'%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.exe' -InstDrv "%ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\drv\vfpd.inf"
'%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.exe' -InstDrv "%ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\PASAgent\CybKernelTracker.inf"
'%ProgramFiles%\cyberark\endpoint privilege manager\agent\vf_agent.exe'

Запускает на исполнение

'%WINDIR%\syswow64\msiexec.exe' /i "%TEMP%\sib6318.tmp\0\vfagentsetupx64.msi" INSTALLATIONKEY="PD9qVH5PZCNYc05SeV16SXtoV2Q/YXIrPHBPbW5dOi8=" CONFIGURATION="CyberArkEPMAgentSetupWindows.config" /log "c:\EPMinstall.log" /qn

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней