Exploit.Siggen3.11892

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\MsRkNrL] 'ImagePath' = '<SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"'

Creates the following services

'MsRkNrL' <SYSTEM32>\wscript.exe //B "C:\autoexec.vbs"

Malicious functions

Creates and executes the following (exploit)

'<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"

Modifies file system

Creates the following files

%TEMP%\dm6331.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
%WINDIR%\temp\rad2e3c3.tmp
%WINDIR%\temp\rad88ca6.tmp
%WINDIR%\temp\rad6eca1.tmp
%WINDIR%\temp\radfd778.tmp
%WINDIR%\temp\rad456a7.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
%WINDIR%\temp\radd3df3.tmp
%WINDIR%\temp\rad88ab5.tmp
%WINDIR%\temp\rad11e44.tmp
%WINDIR%\temp\radc9585.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
%TEMP%\radfb10b.tmp
%WINDIR%\temp\rad3aed1.tmp
%WINDIR%\temp\rad40060.tmp
%WINDIR%\temp\radf5d10.tmp
%WINDIR%\temp\rad06c31.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\url[1].htm
%TEMP%\rad3e3ec.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[2].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[1].tmp
%TEMP%\rad6e2cf.tmp
%TEMP%\rade3860.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
%TEMP%\radefc4e.tmp
%WINDIR%\temp\radea976.tmp
%WINDIR%\temp\rad43714.tmp
%WINDIR%\temp\rad7cfc0.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[2]
%TEMP%\rad1f7d0.tmp
%TEMP%\rad04a74.tmp
%WINDIR%\temp\rad1c515.tmp
%TEMP%\rad579dc.tmp
%TEMP%\radc15ee.tmp
%WINDIR%\temp\rknrl.vbs
%TEMP%\winstart.vbs
%WINDIR%\temp\winstart.vbs
%WINDIR%\temp\dm6331.tmp
%TEMP%\rknrl.vbs
%TEMP%\rad42a53.tmp
%WINDIR%\temp\rad8cdd7.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
%WINDIR%\temp\radc6633.tmp
%WINDIR%\temp\radff175.tmp
%WINDIR%\temp\rad59626.tmp
%WINDIR%\temp\radfbbd0.tmp
%WINDIR%\temp\radf8508.tmp
%WINDIR%\temp\rada7af5.tmp
%WINDIR%\temp\radabae3.tmp
%WINDIR%\temp\rad00f91.tmp
%WINDIR%\temp\rad55fe2.tmp
%WINDIR%\temp\radbd711.tmp
%WINDIR%\temp\rad94417.tmp
%WINDIR%\temp\rad0f823.tmp
%WINDIR%\temp\radc4a63.tmp
%WINDIR%\temp\rad13f37.tmp
%WINDIR%\temp\radd3432.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
%WINDIR%\temp\raddbab5.tmp
%WINDIR%\temp\radeb38e.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[2].tmp

Deletes the following files

%TEMP%\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\dm6331[2].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\dm6331[1].tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
%WINDIR%\temp\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[2]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\url[1].htm

Moves the following files

from %TEMP%\radc15ee.tmp to %TEMP%\dm6332.tmp
from %WINDIR%\temp\rad1c515.tmp to %WINDIR%\temp\dm6332.tmp

Substitutes the following files

%TEMP%\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\api[1]
%WINDIR%\temp\dm6332.tmp
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\url[1].htm
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\api[1]
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\rknrl[1].vbs
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\playback[1].php
<SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\dm6331[1].tmp

Network activity

Connects to

'ap#.##herscan.io':80
'ai########ill.aigoingtokill.club':80
'm.#####ngtokill.club':80

TCP

HTTP GET requests

http://ap#.##herscan.io/api?mo#############################################################################
http://ai########ill.aigoingtokill.club/ctrl/file/DM6331.TMP
http://ai########ill.aigoingtokill.club/ctrl/file/rknrl.vbs
http://ai########ill.aigoingtokill.club/ctrl/playback.php

UDP

DNS ASK ap#.##herscan.io
DNS ASK ai########ill.aigoingtokill.club
DNS ASK m.#####ngtokill.club

Miscellaneous

Creates and executes the following

'<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\rknrl.vbs"
'<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\winstart.vbs"
'<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.vbs"
'<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"' (with hidden window)

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial