Trojan.Siggen32.25437

Техническая информация

Для обеспечения автозапуска и распространения

Модифицирует следующие ключи реестра

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdate' = '<Полный путь к файлу>'
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsUpdate' = '<Полный путь к файлу>'
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsUpdate' = '<Полный путь к файлу>'
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsUpdate' = '<Полный путь к файлу>'

Подменяет следующие исполняемые системные файлы

<SYSTEM32>\svchost.exe файлом <Полный путь к файлу>

Вредоносные функции

Для затруднения выявления своего присутствия в системе

блокирует запуск следующих системных утилит:

Интерпретатора командной строки (CMD)
Редактора реестра (RegEdit)

добавляет исключения антивируса:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath '<Полный путь к файлу>'"

Запускает на исполнение

'<SYSTEM32>\taskkill.exe' /F /IM MsMpEng.exe

Запускает большое число процессов

Завершает или пытается завершить

следующие системные процессы:

<SYSTEM32>\windowspowershell\v1.0\powershell.exe

Изменения в файловой системе

Создает следующие файлы

D:\svchost.exe
D:\autorun.inf
nul

Присваивает атрибут 'скрытый' для следующих файлов

D:\svchost.exe
D:\autorun.inf

Сетевая активность

Подключается к

'19#.#68.227.67':4444
'<LOCALNET>..26.254':445
'<LOCALNET>..26.1':445
'<LOCALNET>..26.2':445
'<LOCALNET>..26.3':445
'<LOCALNET>..26.4':445
'<LOCALNET>..26.5':445
'<LOCALNET>..26.130':445
'<LOCALNET>..26.7':445
'<LOCALNET>..26.8':445
'<LOCALNET>..26.9':445
'<LOCALNET>..26.6':445
'<LOCALNET>..26.131':445
'<LOCALNET>..26.193':445
'<LOCALNET>..26.133':445
'<LOCALNET>..26.134':445
'<LOCALNET>..26.10':445
'<LOCALNET>..26.135':445
'<LOCALNET>..26.136':445
'<LOCALNET>..26.137':445
'<LOCALNET>..26.138':445
'<LOCALNET>..26.139':445
'<LOCALNET>..26.140':445
'<LOCALNET>..26.141':445
'<LOCALNET>..26.142':445
'<LOCALNET>..26.143':445
'<LOCALNET>..26.11':445
'<LOCALNET>..26.12':445
'<LOCALNET>..26.13':445
'<LOCALNET>..26.194':445
'<LOCALNET>..26.195':445
'<LOCALNET>..26.196':445
'<LOCALNET>..26.144':445
'<LOCALNET>..26.197':445
'<LOCALNET>..26.145':445
'<LOCALNET>..26.198':445
'<LOCALNET>..26.146':445
'<LOCALNET>..26.147':445
'<LOCALNET>..26.199':445
'<LOCALNET>..26.148':445
'<LOCALNET>..26.200':445
'<LOCALNET>..26.149':445
'<LOCALNET>..26.201':445
'<LOCALNET>..26.150':445
'<LOCALNET>..26.151':445
'<LOCALNET>..26.152':445
'<LOCALNET>..26.202':445
'<LOCALNET>..26.203':445
'<LOCALNET>..26.204':445
'<LOCALNET>..26.205':445
'<LOCALNET>..26.206':445
'<LOCALNET>..26.207':445
'<LOCALNET>..26.153':445
'<LOCALNET>..26.154':445
'<LOCALNET>..26.155':445
'<LOCALNET>..26.156':445
'<LOCALNET>..26.157':445
'<LOCALNET>..26.158':445
'<LOCALNET>..26.159':445
'<LOCALNET>..26.160':445
'<LOCALNET>..26.132':445
'<LOCALNET>..26.161':445
'<LOCALNET>..26.162':445
'<LOCALNET>..26.163':445
'<LOCALNET>..26.164':445
'<LOCALNET>..26.165':445
'<LOCALNET>..26.166':445
'<LOCALNET>..26.167':445
'<LOCALNET>..26.208':445
'<LOCALNET>..26.209':445
'<LOCALNET>..26.210':445
'<LOCALNET>..26.211':445
'<LOCALNET>..26.168':445
'<LOCALNET>..26.169':445
'<LOCALNET>..26.170':445
'<LOCALNET>..26.171':445
'<LOCALNET>..26.14':445
'<LOCALNET>..26.172':445
'<LOCALNET>..26.15':445
'<LOCALNET>..26.16':445
'<LOCALNET>..26.17':445
'<LOCALNET>..26.18':445
'<LOCALNET>..26.19':445
'<LOCALNET>..26.20':445
'<LOCALNET>..26.212':445
'<LOCALNET>..26.213':445
'<LOCALNET>..26.214':445
'<LOCALNET>..26.215':445
'<LOCALNET>..26.216':445
'<LOCALNET>..26.217':445
'<LOCALNET>..26.218':445
'<LOCALNET>..26.219':445
'<LOCALNET>..26.220':445
'<LOCALNET>..26.221':445
'<LOCALNET>..26.173':445
'<LOCALNET>..26.222':445
'<LOCALNET>..26.223':445
'<LOCALNET>..26.174':445
'<LOCALNET>..26.175':445
'<LOCALNET>..26.224':445
'<LOCALNET>..26.176':445
'<LOCALNET>..26.225':445
'<LOCALNET>..26.177':445
'<LOCALNET>..26.178':445
'<LOCALNET>..26.179':445
'<LOCALNET>..26.21':445
'<LOCALNET>..26.22':445
'<LOCALNET>..26.23':445
'<LOCALNET>..26.24':445
'<LOCALNET>..26.25':445
'<LOCALNET>..26.26':445
'<LOCALNET>..26.27':445
'<LOCALNET>..26.226':445
'<LOCALNET>..26.180':445
'<LOCALNET>..26.227':445
'<LOCALNET>..26.181':445
'<LOCALNET>..26.228':445
'<LOCALNET>..26.182':445
'<LOCALNET>..26.229':445
'<LOCALNET>..26.230':445
'<LOCALNET>..26.231':445
'<LOCALNET>..26.183':445
'<LOCALNET>..26.232':445
'<LOCALNET>..26.184':445
'<LOCALNET>..26.185':445
'<LOCALNET>..26.186':445
'<LOCALNET>..26.187':445
'<LOCALNET>..26.233':445
'<LOCALNET>..26.188':445
'<LOCALNET>..26.189':445
'<LOCALNET>..26.234':445
'<LOCALNET>..26.190':445
'<LOCALNET>..26.191':445
'<LOCALNET>..26.28':445
'<LOCALNET>..26.192':445
'<LOCALNET>..26.29':445
'<LOCALNET>..26.30':445
'<LOCALNET>..26.235':445
'<LOCALNET>..26.31':445
'<LOCALNET>..26.32':445
'<LOCALNET>..26.33':445
'<LOCALNET>..26.236':445
'<LOCALNET>..26.34':445
'<LOCALNET>..26.237':445
'<LOCALNET>..26.35':445
'<LOCALNET>..26.238':445
'<LOCALNET>..26.36':445
'<LOCALNET>..26.239':445
'<LOCALNET>..26.37':445
'<LOCALNET>..26.240':445
'<LOCALNET>..26.38':445
'<LOCALNET>..26.241':445
'<LOCALNET>..26.39':445
'<LOCALNET>..26.242':445
'<LOCALNET>..26.40':445
'<LOCALNET>..26.243':445
'<LOCALNET>..26.41':445
'<LOCALNET>..26.244':445
'<LOCALNET>..26.42':445
'<LOCALNET>..26.245':445
'<LOCALNET>..26.43':445
'<LOCALNET>..26.44':445
'<LOCALNET>..26.45':445
'<LOCALNET>..26.250':445
'<LOCALNET>..26.46':445
'<LOCALNET>..26.47':445
'<LOCALNET>..26.251':445
'<LOCALNET>..26.48':445
'<LOCALNET>..26.252':445
'<LOCALNET>..26.49':445
'<LOCALNET>..26.253':445
'<LOCALNET>..26.50':445
'<LOCALNET>..26.247':445
'<LOCALNET>..26.51':445
'<LOCALNET>..26.246':445
'<LOCALNET>..26.52':445
'<LOCALNET>..26.53':445
'<LOCALNET>..26.249':445
'<LOCALNET>..26.54':445
'<LOCALNET>..26.55':445
'<LOCALNET>..26.56':445
'<LOCALNET>..26.248':445
'<LOCALNET>..26.93':445
'<LOCALNET>..26.58':445
'<LOCALNET>..26.59':445
'<LOCALNET>..26.60':445
'<LOCALNET>..26.61':445
'<LOCALNET>..26.62':445
'<LOCALNET>..26.63':445
'<LOCALNET>..26.64':445
'<LOCALNET>..26.65':445
'<LOCALNET>..26.66':445
'<LOCALNET>..26.67':445
'<LOCALNET>..26.68':445
'<LOCALNET>..26.69':445
'<LOCALNET>..26.70':445
'<LOCALNET>..26.71':445
'<LOCALNET>..26.72':445
'<LOCALNET>..26.73':445
'<LOCALNET>..26.74':445
'<LOCALNET>..26.75':445
'<LOCALNET>..26.76':445
'<LOCALNET>..26.77':445
'<LOCALNET>..26.78':445
'<LOCALNET>..26.57':445
'<LOCALNET>..26.94':445
'<LOCALNET>..26.79':445
'<LOCALNET>..26.80':445
'<LOCALNET>..26.81':445
'<LOCALNET>..26.82':445
'<LOCALNET>..26.83':445
'<LOCALNET>..26.84':445
'<LOCALNET>..26.85':445
'<LOCALNET>..26.86':445
'<LOCALNET>..26.87':445
'<LOCALNET>..26.88':445
'<LOCALNET>..26.95':445
'<LOCALNET>..26.96':445
'<LOCALNET>..26.97':445
'<LOCALNET>..26.98':445
'<LOCALNET>..26.99':445
'<LOCALNET>..26.100':445
'<LOCALNET>..26.101':445
'<LOCALNET>..26.102':445
'<LOCALNET>..26.103':445
'<LOCALNET>..26.104':445
'<LOCALNET>..26.89':445
'<LOCALNET>..26.90':445
'<LOCALNET>..26.105':445
'<LOCALNET>..26.91':445
'<LOCALNET>..26.106':445
'<LOCALNET>..26.92':445
'<LOCALNET>..26.107':445
'<LOCALNET>..26.119':445
'<LOCALNET>..26.118':445
'<LOCALNET>..26.120':445
'<LOCALNET>..26.108':445
'<LOCALNET>..26.121':445
'<LOCALNET>..26.109':445
'<LOCALNET>..26.122':445
'<LOCALNET>..26.110':445
'<LOCALNET>..26.123':445
'<LOCALNET>..26.111':445
'<LOCALNET>..26.124':445
'<LOCALNET>..26.112':445
'<LOCALNET>..26.125':445
'<LOCALNET>..26.126':445
'<LOCALNET>..26.127':445
'<LOCALNET>..26.128':445
'<LOCALNET>..26.113':445
'<LOCALNET>..26.114':445
'<LOCALNET>..26.129':445
'<LOCALNET>..26.115':445
'<LOCALNET>..26.116':445
'<LOCALNET>..26.117':445
'<DNS_SERVER>':53

TCP

Другие

'<LOCALNET>..26.17':445

Другое

Ищет следующие окна

ClassName: '' WindowName: ''

Запускает на исполнение

'<SYSTEM32>\reg.exe' add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c "reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
'<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
'<SYSTEM32>\attrib.exe' +h +s D:\svchost.exe
'<SYSTEM32>\cmd.exe' /c "sc start" 3372
'<SYSTEM32>\cmd.exe' /c "netsh advfirewall set allprofiles state off"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled} | ForEach-Object { $ip=$_.IPAddress[0]; $subnet=$ip.Substring(0,$ip.LastIndexOf('.')+1); 1..254 | ...
'<SYSTEM32>\cmd.exe' /c "sc stop wuauserv"
'<SYSTEM32>\cmd.exe' /c "schtasks /create /tn \"MicrosoftUpdate\" /tr \"<Полный путь к файлу>\" /sc minute /mo 1 /f"
'<SYSTEM32>\cmd.exe' /c "sc config wuauserv start= disabled"
'<SYSTEM32>\attrib.exe' +h +s D:\autorun.inf
'<SYSTEM32>\cmd.exe' /c "reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\" /v TamperProtection /t REG_DWORD /d 0 /f"
'<SYSTEM32>\cmd.exe' /c "netsh firewall set opmode disable"
'<SYSTEM32>\cmd.exe' /c "reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\" /v NoAutoUpdate /t REG_DWORD /d 1 /f"
'<SYSTEM32>\cmd.exe' /c "schtasks /create /tn \"WindowsUpdateTask\" /tr \"<Полный путь к файлу>\" /sc onlogon /f"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней