Trojan.Siggen21.38382

Malicious functions

Executes the following

'%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "<Full path to file>" "YRCserver" ENABLE
'%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "<Current directory>\Check.exe" "YCheck" ENABLE
'%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "<Current directory>\vpn.exe" "YVPN" ENABLE

Searches for windows to

detect analytical utilities:

Modifies file system

Creates the following files

%TEMP%\auteee0.tmp
%TEMP%\904vtvhelf
%TEMP%\autd078.tmp
<Current directory>\config.ini
<Current directory>\vpn.exe
%TEMP%\aut8153.tmp
<Current directory>\check.exe
%TEMP%\aut7207.tmp
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\s2s0prdb\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\z3vq5rdd\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\h6fkeize\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7xxixurb\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%TEMP%\modern.bmp
%TEMP%\aut6bce.tmp
%WINDIR%\syswow64\show.dll
%TEMP%\aut6b51.tmp
%TEMP%\1004bhqtcmf
%TEMP%\aut37c2.tmp
%TEMP%\1396emazdoi
%WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
%WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7xxixurb\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\h6fkeize\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\z3vq5rdd\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\s2s0prdb\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini

Deletes the following files

Network activity

Connects to

TCP

HTTP GET requests

Other

UDP

Miscellaneous

Searches for the following windows

Creates and executes the following

'<Current directory>\check.exe' /ErrorStdOut 1004
'%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "<Full path to file>" "YRCserver" ENABLE' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "<Current directory>\Check.exe" "YCheck" ENABLE' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "<Current directory>\vpn.exe" "YVPN" ENABLE' (with hidden window)

Restarts the analyzed sample

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "<Full path to file>" "YRCserver" ENABLE
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
'%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "<Current directory>\Check.exe" "YCheck" ENABLE
'%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "<Current directory>\vpn.exe" "YVPN" ENABLE