Trojan.Siggen19.47105

Техническая информация

Для обеспечения автозапуска и распространения

Устанавливает следующие настройки сервисов

[<HKLM>\System\CurrentControlSet\Services\sj-app] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\sj-app] 'ImagePath' = '%ProgramFiles%\SJPulse\app\sj-pulse-proxy-server-app.exe'
[<HKLM>\System\CurrentControlSet\Services\sj-watchdog] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\sj-watchdog] 'ImagePath' = '%ProgramFiles%\SJPulse\app\sj-pulse-watchdog.exe'

Создает следующие сервисы

'sj-app' %ProgramFiles%\SJPulse\app\sj-pulse-proxy-server-app.exe
'sj-watchdog' %ProgramFiles%\SJPulse\app\sj-pulse-watchdog.exe

Изменения в файловой системе

Создает следующие файлы

%TEMP%\nsxb0aa.tmp
%ProgramFiles%\sjpulse\app\bz2.dll
%ProgramFiles%\sjpulse\app\date-tz.dll
%ProgramFiles%\sjpulse\app\fmt.dll
%ProgramFiles%\sjpulse\app\jpeg62.dll
%ProgramFiles%\sjpulse\app\libcrypto-3-x64.dll
%ProgramFiles%\sjpulse\app\liblzma.dll
%ProgramFiles%\sjpulse\app\libpng16.dll
%ProgramFiles%\sjpulse\app\libprotobuf.dll
%ProgramFiles%\sjpulse\app\libssl-3-x64.dll
%ProgramFiles%\sjpulse\app\msvcp140.dll
%ProgramFiles%\sjpulse\app\pcre2-16.dll
%ProgramFiles%\sjpulse\app\sentry.dll
%ProgramFiles%\sjpulse\app\spdlog.dll
%ALLUSERSPROFILE%\sjpulse\data\cacerts.pem
%ProgramFiles%\sjpulse\app\tiff.dll
%ProgramFiles%\sjpulse\app\vcruntime140_1.dll
%ProgramFiles%\sjpulse\app\wxbase32u_vc.dll
%ProgramFiles%\sjpulse\app\wxmsw32u_core_vc.dll
%ProgramFiles%\sjpulse\app\zip.dll
%ProgramFiles%\sjpulse\app\zlib1.dll
%ProgramFiles%\sjpulse\app\zstd.dll
%ProgramFiles%\sjpulse\app\sj-pulse-watchdog.exe
%ProgramFiles%\sjpulse\app\sj-pulse-watchdog.json
%ProgramFiles%\sjpulse\app\sj-pulse-proxy-server-app.exe
%ProgramFiles%\sjpulse\app\sj-pulse-proxy-server-app.json
%ProgramFiles%\sjpulse\app\crashpad_handler.exe
%ProgramFiles%\sjpulse\app\sj-pulse-win-driver.sys
%ProgramFiles%\sjpulse\app\sj-pulse-ui.exe
%ProgramFiles%\sjpulse\app\brotlidec.dll
%ProgramFiles%\sjpulse\app\brotlienc.dll
%ProgramFiles%\sjpulse\app\brotlicommon.dll
%ProgramFiles%\sjpulse\app\boost_iostreams-vc143-mt-x64-1_81.dll
%ALLUSERSPROFILE%\sjpulse\data\scripts\production\8ee4ea609a6346c4cf34c2b621ac79ba.js
%LOCALAPPDATA%\sjpulse\logs\installer\app-installer_20230211_214831.log
%TEMP%\nsmb0ba.tmp\nsexec.dll
%TEMP%\nsmb0ba.tmp\nsprocess.dll
%ALLUSERSPROFILE%\sjpulse\data\tzdata\readme
%ALLUSERSPROFILE%\sjpulse\data\tzdata\asia
%ALLUSERSPROFILE%\sjpulse\data\tzdata\backward
%ALLUSERSPROFILE%\sjpulse\data\tzdata\etcetera
%ALLUSERSPROFILE%\sjpulse\data\tzdata\europe
%ALLUSERSPROFILE%\sjpulse\data\tzdata\northamerica
%ALLUSERSPROFILE%\sjpulse\data\tzdata\southamerica
%ALLUSERSPROFILE%\sjpulse\data\tzdata\version
%ALLUSERSPROFILE%\sjpulse\data\tzdata\windowszones.xml
%ALLUSERSPROFILE%\sjpulse\data\public-suffixes.txt
%ProgramFiles%\sjpulse\app\sj-pulse-ui.json
%ProgramFiles%\sjpulse\app\vcruntime140.dll
%ALLUSERSPROFILE%\sjpulse\data\latinizer-mapping.dat
%ALLUSERSPROFILE%\sjpulse\data\settings\ads-manifest.json
%ALLUSERSPROFILE%\sjpulse\data\settings\ads.json
%ALLUSERSPROFILE%\sjpulse\data\settings\alias.json
%ALLUSERSPROFILE%\sjpulse\data\settings\allow-list.json
%ALLUSERSPROFILE%\sjpulse\data\settings\blacklist.json
%ALLUSERSPROFILE%\sjpulse\data\settings\block-list.json
%ALLUSERSPROFILE%\sjpulse\data\settings\constants.json
%ALLUSERSPROFILE%\sjpulse\data\settings\faq.json
%ALLUSERSPROFILE%\sjpulse\data\settings\features-and-splits.json
%ALLUSERSPROFILE%\sjpulse\data\settings\manifest.json
%ALLUSERSPROFILE%\sjpulse\data\settings\manifest_v2.json
%ALLUSERSPROFILE%\sjpulse\data\settings\pixels.json
%ALLUSERSPROFILE%\sjpulse\data\settings\whitelist.json
%TEMP%\nsmb0ba.tmp\system.dll
%ALLUSERSPROFILE%\sjpulse\data\cacerts.mid.pem
%ProgramFiles%\sjpulse\app\app-uninstaller.exe

Удаляет следующие файлы

%TEMP%\nsmb0ba.tmp\nsexec.dll
%TEMP%\nsmb0ba.tmp\nsprocess.dll
%TEMP%\nsmb0ba.tmp\system.dll

Сетевая активность

Подключается к

'localhost':49175

TCP

Другие

'localhost':49175

Другое

Ищет следующие окна

ClassName: '#32770' WindowName: ''
ClassName: 'SysListView32' WindowName: ''

Создает и запускает на исполнение

'%ProgramFiles%\sjpulse\app\sj-pulse-proxy-server-app.exe'
'%ProgramFiles%\sjpulse\app\sj-pulse-watchdog.exe'
'%WINDIR%\syswow64\sc.exe' stop sj-watchdog' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' stop sj-app' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' stop sj-pulse-win-driver' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' query sj-app' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' create sj-app binPath= "%ProgramFiles%\SJPulse\app\sj-pulse-proxy-server-app.exe" start= auto DisplayName= "SJ App"' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' query sj-watchdog' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' create sj-watchdog binPath= "%ProgramFiles%\SJPulse\app\sj-pulse-watchdog.exe" start= auto DisplayName= "SJ Health"' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' start sj-app' (со скрытым окном)
'%WINDIR%\syswow64\sc.exe' start sj-watchdog' (со скрытым окном)

Запускает на исполнение

'%WINDIR%\syswow64\sc.exe' stop sj-watchdog
'%WINDIR%\syswow64\sc.exe' stop sj-app
'%WINDIR%\syswow64\sc.exe' stop sj-pulse-win-driver
'%WINDIR%\syswow64\sc.exe' query sj-app
'%WINDIR%\syswow64\sc.exe' create sj-app binPath= "%ProgramFiles%\SJPulse\app\sj-pulse-proxy-server-app.exe" start= auto DisplayName= "SJ App"
'%WINDIR%\syswow64\sc.exe' query sj-watchdog
'%WINDIR%\syswow64\sc.exe' create sj-watchdog binPath= "%ProgramFiles%\SJPulse\app\sj-pulse-watchdog.exe" start= auto DisplayName= "SJ Health"
'%WINDIR%\syswow64\sc.exe' start sj-app
'%WINDIR%\syswow64\sc.exe' start sj-watchdog