Windows
Analysis Report
SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe
Overview
General Information
Detection
Score: | 69 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 33 |
Range: | 0 - 100 |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Installs a global keyboard hook
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Writes a notice file (html or txt) to demand a ransom
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe (PID: 1164, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.29401.13949.1657.exe", MD5: F02AAAF0D308CF00B19CD2EE4F389AC5)
- unpack200.exe (PID: 2296, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\crs-agent.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 4148, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\charsets.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 3628, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\jsse.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 5832, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\jaccess.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 5428, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunpkcs11.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 3288, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 6516, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge-32.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\access-bridge-32.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 5952, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\openjsse.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 1216, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\legacy8ujsse.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 1848, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\cldrdata.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 1268, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\ext\sunmscapi.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- unpack200.exe (PID: 5428, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\lib\rt.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- windowslauncher.exe (PID: 5060, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608892-0-app\bin\windowslauncher.exe" "-Xshare:dump", MD5: D56527919A78D6AC6CEF8A9CB3D0B922)
- unpack200.exe (PID: 5496, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\customer-jar-with-dependencies.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1713608830-0-app\customer-jar-with-dependencies.jar", MD5: 14A39388617FC5B75646EC85FC9FF9FD)
- Remote Support.exe (PID: 6224, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Dsun.awt.fontconfig=fontconfig.properties jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\unrestricted\JWLaunchProperties-1713608944217-1", MD5: D56527919A78D6AC6CEF8A9CB3D0B922)
- windowslauncher.exe (PID: 744, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\windowslauncher.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49722 127.0.0.1 49723 restricted, MD5: D56527919A78D6AC6CEF8A9CB3D0B922)
- Session Elevation Helper (PID: 5324, cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows32JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete\customer-jar-with-dependencies.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00102236241-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 49726 127.0.0.1 49727 restricted_backup, MD5: D56527919A78D6AC6CEF8A9CB3D0B922)
- cleanup
No configs have been found
No yara matches
Source: | Author: Max Altgelt (Nextron Systems) |