MD5: 5245e5767e585d7538e142a739547c69
SHA1: 6d20b0b8d4a2348307fbf6a7ee7cfaa9b04eb689
SHA256: 5613d8b4d75580b7d9b8040b0eb7bb30697157782cd97f0566c713154759630a
SSDeep: 6144:tmOJP/P792XmCdHXtHVAQPb4hNCXuALGAcFoVF3hmpxfaB41o0PN2lCoJVX:tmM/PB2XZHXtH6QPb47iVGA00FRmpxf0
Size: 308224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1996-03-25 03:42:49

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

5245e5767e585d7538e142a739547c69.exe:2412

The Trojan injects its code into the following process(es):

ctfmon.exe:252

File activity

The process 5245e5767e585d7538e142a739547c69.exe:2412 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)
%WinDir%\AppPatch\nwjaypi.exe (2041 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process 5245e5767e585d7538e142a739547c69.exe:2412 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 14 72 89 A7 DC FA 58 19 DA 97 29 BC AD 6C F5"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\nwjaypi.exe_, \??\%WinDir%\apppatch\nwjaypi.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"d8cc41db" = "CêkæÚ`Ã¥D 5õÔPâ^SÂ¥pa.)Üà”¸a4d‚\yìqA}(Äé¼ü4|Âá@
”°™,¡¤üHrѼ©€©”´D0}éiXª¸|Èy4¡RYÑúièmÑ
©È„IáØð±¼(¤ ádIÚبìd˜ XYâÀeœiü¥AšIi¸r¥(¡A\y 9€éñ$ZÔaxÙ9
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

URL	IP
hxxp://cihunemyror.eu/login.php	50.116.56.144
hxxp://kefuwidijyp.eu/login.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 3) , Malicious)	173.230.133.99
hxxp://galokusemus.eu/login.php	50.116.32.177
hxxp://jewuqyjywyv.eu/login.php (ET TROJAN Known Sinkhole Response Header , Malicious)	166.78.144.80
hxxp://digivehusyd.eu/login.php	96.43.141.186
jefapexytar.eu	50.116.56.144
fokyxazolar.eu	50.116.56.144
xuqohyxeqak.eu	50.116.56.144
lyruxyxaxaw.eu	50.116.56.144
gadufiwabim.eu	50.116.56.144
www.bing.com	65.172.31.50
foxivusozuc.eu	50.116.56.144
ryqecolijet.eu	50.116.56.144
gahihezenal.eu	Unresolvable
puregivytoh.eu	Unresolvable
qegytuvufoq.eu	Unresolvable
vojacikigep.eu	Unresolvable
makagucyraj.eu	Unresolvable
tucyguqaciq.eu	Unresolvable
nozoxucavaq.eu	Unresolvable
puvopalywet.eu	Unresolvable
ciliqikytec.eu	Unresolvable
tunujolavez.eu	Unresolvable
xutekidywyp.eu	Unresolvable
dikoniwudim.eu	Unresolvable
divywysigud.eu	Unresolvable
lyvejujolec.eu	Unresolvable
puzutuqeqij.eu	Unresolvable
fobonobaxog.eu	Unresolvable
rydinivoloh.eu	Unresolvable
lysovidacyx.eu	Unresolvable
qeqinuqypoq.eu	Unresolvable
magofetequb.eu	Unresolvable
tupazivenom.eu	Unresolvable
rytuvepokuv.eu	Unresolvable
qetoqolusex.eu	Unresolvable
masisokemep.eu	Unresolvable
gatedyhavyd.eu	Unresolvable
fodakyhijyv.eu	Unresolvable
cicaratupig.eu	Unresolvable
vocumucokaj.eu	Unresolvable
nofyjikoxex.eu	Unresolvable
tuwikypabud.eu	Unresolvable
kepymexihak.eu	Unresolvable
xuxusujenes.eu	Unresolvable
lymylorozig.eu	Unresolvable
jepororyrih.eu	Unresolvable
xubifaremin.eu	Unresolvable
dimutobihom.eu	Unresolvable
voniqofolyt.eu	Unresolvable
fogeliwokih.eu	Unresolvable
dixemazufel.eu	Unresolvable
qederepuduf.eu	Unresolvable
kemocujufys.eu	Unresolvable
nojuletacuf.eu	Unresolvable
marytymenok.eu	Unresolvable
rynazuqihoj.eu	Unresolvable
jejedudupuc.eu	Unresolvable
volebatijub.eu	Unresolvable
ciqydofudyx.eu	Unresolvable
vofozymufok.eu	Unresolvable
cinepycusaw.eu	Unresolvable
keraborigin.eu	Unresolvable
pumadypyruv.eu	Unresolvable
nopegymozow.eu	Unresolvable

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
InternetReadFile

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   5245e5767e585d7538e142a739547c69.exe:2412
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\config\software (3028 bytes)
   %System%\config\software.LOG (5300 bytes)
   %WinDir%\AppPatch\nwjaypi.exe (2041 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.