Trojan.Siggen10.31460

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Malwarebytes Anti-Exploit' = '%ProgramFiles(x86)%\Malwarebytes Anti-Exploit\mbae.exe'

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\MbaeSvc] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\MbaeSvc] 'ImagePath' = '"%ProgramFiles(x86)%\Malwarebytes Anti-Exploit\mbae-svc.exe"'
[<HKLM>\System\CurrentControlSet\Services\ESProtectionDriver] 'Start' = '00000001'
[<HKLM>\System\CurrentControlSet\Services\ESProtectionDriver] 'ImagePath' = '%ProgramFiles(x86)%\Malwarebytes Anti-Exploit\mbae64.sys'

Creates the following services

'MbaeSvc' "%ProgramFiles(x86)%\Malwarebytes Anti-Exploit\mbae-svc.exe"
'MbaeSvc' %ProgramFiles(x86)%\Malwarebytes Anti-Exploit\mbae-svc.exe
'ESProtectionDriver' %ProgramFiles(x86)%\Malwarebytes Anti-Exploit\mbae64.sys

Malicious functions

Injects code into

the following system processes:

<SYSTEM32>\cmd.exe

the following user processes:

iexplore.exe

Terminates or attempts to terminate

the following user processes:

firefox.exe
iexplore.exe

Modifies file system

Creates the following files

%TEMP%\autee44.tmp
%ALLUSERSPROFILE%\malwarebytes anti-exploit\mbae-config.dat
%WINDIR%\temp\udd51d7.tmp
%ALLUSERSPROFILE%\malwarebytes anti-exploit\mbae-protector.xpe
%ALLUSERSPROFILE%\malwarebytes anti-exploit\mbae-svc.dat
%ALLUSERSPROFILE%\malwarebytes anti-exploit\mbae-service.log
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\malwarebytes anti-exploit\malwarebytes anti-exploit.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\malwarebytes anti-exploit\uninstall malwarebytes anti-exploit.lnk
%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-uninstall.log
%ALLUSERSPROFILE%\malwarebytes anti-exploit\mbae-default.log
%ProgramFiles(x86)%\malwarebytes anti-exploit\unins000.dat
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\edc238bff48a31d55a97e1e93892934b_c20e0da2d0f89fe526e1490f4a2ee5ab
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\35ddedf268117918d1d277a171d8df7b_02727cd9429a91dc1d2c7be7dfefde99
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\35ddedf268117918d1d277a171d8df7b_02727cd9429a91dc1d2c7be7dfefde99
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\bec6224b02d155a396218a2504f3ee0b
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\bec6224b02d155a396218a2504f3ee0b
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\739f2ff4259cdc6cbe7b90f1a95601ef
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\739f2ff4259cdc6cbe7b90f1a95601ef
%ALLUSERSPROFILE%\malwarebytes anti-exploit\mbae-report.dat
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\edc238bff48a31d55a97e1e93892934b_c20e0da2d0f89fe526e1490f4a2ee5ab
%ProgramFiles(x86)%\malwarebytes anti-exploit\is-rtlst.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\is-bonkp.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\is-hc5bs.tmp
%TEMP%\aut6f3.tmp
%WINDIR%\schemas\eapel\setup.exe
%TEMP%\aut87a.tmp
%WINDIR%\schemas\eapel\reg.reg
%TEMP%\is-n0gjj.tmp\setup.tmp
%TEMP%\is-n21jn.tmp\_isetup\_setup64.tmp
%TEMP%\is-n21jn.tmp\_isetup\_shfoldr.dll
%ProgramFiles(x86)%\malwarebytes anti-exploit\is-m33f3.tmp
%WINDIR%\schemas\eapel\banner.jpg
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-d8ei5.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-hfvhk.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-gj53k.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-sbijp.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-kemjr.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-32l0e.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-lg8sj.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-davrm.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\is-orsib.tmp
%ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-d5n4m.tmp
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\35ddedf268117918d1d277a171d8df7b_745a5d32ec1306e9394282e9e679293d
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\35ddedf268117918d1d277a171d8df7b_745a5d32ec1306e9394282e9e679293d

Deletes the following files

%TEMP%\autee44.tmp
%TEMP%\aut6f3.tmp
%TEMP%\aut87a.tmp
%WINDIR%\temp\udd51d7.tmp
%TEMP%\is-n21jn.tmp\_isetup\_setup64.tmp
%TEMP%\is-n21jn.tmp\_isetup\_shfoldr.dll
%TEMP%\is-n0gjj.tmp\setup.tmp
%WINDIR%\schemas\eapel\banner.jpg
%WINDIR%\schemas\eapel\reg.reg
%WINDIR%\schemas\eapel\setup.exe

Moves the following files

from %ProgramFiles(x86)%\malwarebytes anti-exploit\is-m33f3.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\unins000.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae.exe to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae64.sys to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae64.sys
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae.sys to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae.sys
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae-api-na.dll to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-api-na.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae-api.dll to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-api.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae64.dll to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae64.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae.dll to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\is-rtlst.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\changelog.txt
from %ProgramFiles(x86)%\malwarebytes anti-exploit\is-bonkp.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae.chm
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae64.exe to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae64.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\is-hc5bs.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\license.rtf
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-davrm.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-lg8sj.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae-api-na.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-32l0e.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae-api.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-kemjr.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae.sys
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-sbijp.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae-svc.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-gj53k.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-hfvhk.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae64.dll
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-d5n4m.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae64.sys
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\is-d8ei5.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae64.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\is-orsib.tmp to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-uninstaller.exe
from %ProgramFiles(x86)%\malwarebytes anti-exploit\tmp\mbae-svc.exe to %ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-svc.exe

Network activity

TCP

'si####.mwbsys.com':443
'st###.#bamupdates.com':443

UDP

DNS ASK si####.mwbsys.com
DNS ASK st###.#bamupdates.com

Miscellaneous

Searches for the following windows

ClassName: 'MainGuiAnti-Exploit' WindowName: ''
ClassName: 'RegEdit_RegEdit' WindowName: ''

Creates and executes the following

'%WINDIR%\schemas\eapel\setup.exe' /VERYSILENT
'%TEMP%\is-n0gjj.tmp\setup.tmp' /SL5="$100154,1763115,56832,%WINDIR%\schemas\EAPEl\setup.exe" /VERYSILENT
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-uninstaller.exe' /install
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-svc.exe' -install
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-svc.exe'
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae64.exe' /mbt
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae64.exe' /Start 0 "eqnedt32.exe|winrar.exe|winzip.exe|7z.exe|7zFM.exe|7zG.exe|S7Z.exe|7zextractor.exe|Winzip32.exe|Winzip64.exe|wzdisktools.exe|winzipss.exe|cmd.exe|winhlp32.exe|mshta.exe|wscript.exe|cs...
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae.exe'
'<SYSTEM32>\cmd.exe' /C setup.exe /VERYSILENT' (with hidden window)
'%ProgramFiles(x86)%\malwarebytes anti-exploit\mbae-uninstaller.exe' /install' (with hidden window)
'%WINDIR%\regedit.exe' /S reg.reg' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c netsh interface set interface name="Ethernet" admin=disabled
'<SYSTEM32>\netsh.exe' interface set interface name="Ethernet" admin=disabled
'<SYSTEM32>\cmd.exe' /C setup.exe /VERYSILENT
'%WINDIR%\regedit.exe' /S reg.reg
'<SYSTEM32>\cmd.exe' /c netsh interface set interface name="Ethernet" admin=enabled
'<SYSTEM32>\netsh.exe' interface set interface name="Ethernet" admin=enabled

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial