Trojan.Siggen12.53534

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Sysdiag' = '"%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsTray.exe"'

Sets the following service settings

[<HKLM>\SYSTEM\CurrentControlSet\services\sysdiag] 'Start' = '00000001'
[<HKLM>\SYSTEM\CurrentControlSet\services\sysdiag] 'ImagePath' = 'system32\DRIVERS\sysdiag.sys'
[<HKLM>\SYSTEM\CurrentControlSet\services\hrwfpdrv] 'Start' = '00000002'
[<HKLM>\SYSTEM\CurrentControlSet\services\hrwfpdrv] 'ImagePath' = 'system32\DRIVERS\hrwfpdrv.sys'
[<HKLM>\System\CurrentControlSet\Services\HipsDaemon] 'ImagePath' = '"%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon'
[<HKLM>\System\CurrentControlSet\Services\HipsDaemon] 'Start' = '00000002'

Creates the following services

'HipsDaemon' "%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon

Modifies file system

Creates the following files

%TEMP%\nsr602a.tmp
%ALLUSERSPROFILE%\huorong\sysdiag\virdb\prop.db
%ALLUSERSPROFILE%\huorong\sysdiag\virdb\hwl.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\splock.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\webres.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\wlst.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\tradesafe.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\malurl.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\behav.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\hrfw.db
%ALLUSERSPROFILE%\huorong\sysdiag\db\hips.db
%ProgramFiles(x86)%\huorong\sysdiag\license.libdt
%ProgramFiles(x86)%\huorong\sysdiag\license.libcodecs
%ProgramFiles(x86)%\huorong\sysdiag\license.3rd
%ProgramFiles(x86)%\huorong\sysdiag\bin\libvxf.tdl
%ProgramFiles(x86)%\huorong\sysdiag\bin\libvxf.dat
%ALLUSERSPROFILE%\huorong\sysdiag\virdb\pset.db
%TEMP%\nsg603a.tmp\nsexec.dll
%ALLUSERSPROFILE%\huorong\sysdiag\quarantineex.db
%WINDIR%\temp\udd70bc.tmp
%ALLUSERSPROFILE%\huorong\sysdiag\quarantineex.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\user.db
%ALLUSERSPROFILE%\huorong\sysdiag\user.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\hips.db
%ALLUSERSPROFILE%\huorong\sysdiag\hips.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\wlfile.db
%ALLUSERSPROFILE%\huorong\sysdiag\wlfile.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\log.db
%ALLUSERSPROFILE%\huorong\sysdiag\log.db-journal
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\huorong security lab\sysdiag\uninstall huorong.lnk
%ProgramFiles(x86)%\huorong\sysdiag\uninst.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\huorong security lab\sysdiag\huorong log.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\huorong security lab\sysdiag\huorong network security.lnk
C:\users\public\desktop\huorong network security.lnk
%WINDIR%\temp\udd70ec.tmp
%ProgramFiles(x86)%\huorong\sysdiag\bin\libvxf.vds
%ALLUSERSPROFILE%\huorong\sysdiag\virdb\troj.db
%ProgramFiles(x86)%\huorong\sysdiag\bin\libvxf.vdl
%ProgramFiles(x86)%\huorong\sysdiag\bin\hipsdb.dll
%ProgramFiles(x86)%\huorong\sysdiag\version
<SYSTEM32>\dtrampo.dll
%WINDIR%\syswow64\dtrampo.dll
<DRIVERS>\hrwfpdrv.sys
<DRIVERS>\hrfwdrv.sys
<DRIVERS>\sysdiag.sys
%ProgramFiles(x86)%\huorong\sysdiag\bin\usysdiag.exe
%ProgramFiles(x86)%\huorong\sysdiag\bin\behavior.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\usysdiag.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\uactmon.dll
%TEMP%\nsg603a.tmp\system.dll
%TEMP%\nsg603a.tmp\accesscontrol.dll
%TEMP%\nsg603a.tmp\installer-helper.dll
%TEMP%\nsg603a.tmp\inst.ui
%TEMP%\nsg603a.tmp\duilib.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hipsdaemon.exe
%ProgramFiles(x86)%\huorong\sysdiag\bin\hipstray.exe
%ProgramFiles(x86)%\huorong\sysdiag\bin\libcobra.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hipsmain.exe
%ProgramFiles(x86)%\huorong\sysdiag\bin\libcodecs.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\libxsse.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hrupdate.exe
%ProgramFiles(x86)%\huorong\sysdiag\bin\jansson.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\libcurl.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\upgrade.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hrcomm.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hrshell-x64.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hrshell.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\duilib.dll
%ProgramFiles(x86)%\huorong\sysdiag\bin\hipslog.exe
%ProgramFiles(x86)%\huorong\sysdiag\bin\update.ui
%ProgramFiles(x86)%\huorong\sysdiag\bin\popup.ui
%ProgramFiles(x86)%\huorong\sysdiag\bin\log.ui
%ProgramFiles(x86)%\huorong\sysdiag\bin\main.ui
%ProgramFiles(x86)%\huorong\sysdiag\bin\libxscore.bundle
global\pipe\hips_mon_new

Deletes the following files

%WINDIR%\temp\udd70bc.tmp
%WINDIR%\temp\udd70ec.tmp
%ALLUSERSPROFILE%\huorong\sysdiag\log.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\wlfile.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\hips.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\user.db-journal
%TEMP%\nsg603a.tmp\accesscontrol.dll
%TEMP%\nsg603a.tmp\duilib.dll
%TEMP%\nsg603a.tmp\inst.ui
%TEMP%\nsg603a.tmp\installer-helper.dll
%TEMP%\nsg603a.tmp\nsexec.dll
%TEMP%\nsg603a.tmp\system.dll
%ALLUSERSPROFILE%\huorong\sysdiag\quarantineex.db-journal

Substitutes the following files

%ALLUSERSPROFILE%\huorong\sysdiag\log.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\wlfile.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\hips.db-journal
%ALLUSERSPROFILE%\huorong\sysdiag\user.db-journal

Network activity

Connects to

'up####.huorong.cn':80

UDP

DNS ASK up####.huorong.cn

Miscellaneous

Creates and executes the following

'%ProgramFiles(x86)%\huorong\sysdiag\bin\hipsdaemon.exe' -sHipsDaemon
'%ProgramFiles(x86)%\huorong\sysdiag\bin\usysdiag.exe' 300
'%ProgramFiles(x86)%\huorong\sysdiag\bin\hipstray.exe'
'%ProgramFiles(x86)%\huorong\sysdiag\bin\hrupdate.exe' /inst
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HRShell-x64.dll"' (with hidden window)
'<SYSTEM32>\sc.exe' create HipsDaemon binpath= "\"%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon"' (with hidden window)
'<SYSTEM32>\sc.exe' config HipsDaemon binpath= "\"%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon" type= own type= interact start= auto group= Base DisplayName= "Huorong Network Security Daem...' (with hidden window)
'<SYSTEM32>\sc.exe' description HipsDaemon "Huorong Network Security Daemon"' (with hidden window)
'<SYSTEM32>\net.exe' start HipsDaemon' (with hidden window)
'%ProgramFiles(x86)%\huorong\sysdiag\bin\usysdiag.exe' 300' (with hidden window)

Executes the following

'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HRShell-x64.dll"
'<SYSTEM32>\sc.exe' create HipsDaemon binpath= "\"%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon"
'<SYSTEM32>\sc.exe' config HipsDaemon binpath= "\"%ProgramFiles(x86)%\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon" type= own type= interact start= auto group= Base DisplayName= "Huorong Network Security Daem...
'<SYSTEM32>\sc.exe' description HipsDaemon "Huorong Network Security Daemon"
'<SYSTEM32>\net.exe' start HipsDaemon
'<SYSTEM32>\net1.exe' start HipsDaemon

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial