Trojan.Win32.Swrort_4263fa00c0

by malwarelabrobot on May 2nd, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Symmi.25089 (B) (Emsisoft), Gen:Variant.Symmi.25089 (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4263fa00c06df9dec6b15a2f9ceac5f5
SHA1: f33d084472feaf2e82d846120b9255ea917bc2d0
SHA256: c3d326668f156155fb24c49ff2e32b938fd70da13dbe56cbadbd8f7eed98951e
SSDeep: 24576:a20rgUGwCjbM2/NmFogebaO yk1klUkqcuzhZS9UL0:L0rgjJZ8klUed9
Size: 865792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-16 01:59:12
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

kkpfzycjdf.exe:3948
%original file name%.exe:1136
ddjkuocysk.exe:3152
ddjkuocysk.exe:4812
ayfzta4lsrvb.exe:2896
ayfzta37y1vb.exe:5576
ayfzta36ujvbuo8oqayx.exe:2388

The Trojan injects its code into the following process(es):

No code injection into other processes was observed.

File activity

The process kkpfzycjdf.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\aicjinva\tst (10 bytes)

The process %original file name%.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (6306 bytes)
%System%\aicjinva\tst (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (0 bytes)

The process ddjkuocysk.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\ayfzta37y1vb.exe (35 bytes)
%System%\aicjinva\rng (8 bytes)
%System%\drivers\etc\hosts (48 bytes)
%WinDir%\Temp\ayfzta4lsrvb.exe (35 bytes)
%System%\aicjinva\run (10 bytes)
%System%\aicjinva\ihst (82 bytes)
%System%\kkpfzycjdf.exe (6841 bytes)
%System%\aicjinva\cfg (512 bytes)
%System%\aicjinva\tst (10 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\ayfzta37y1vb.exe (0 bytes)

The process ddjkuocysk.exe:4812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\aicjinva\tst (10 bytes)

The process ayfzta36ujvbuo8oqayx.exe:2388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\aicjinva\etc (10 bytes)
%System%\ddjkuocysk.exe (6841 bytes)
%System%\aicjinva\tst (10 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

Registry activity

The process ddjkuocysk.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (grouped here by key and purpose; the automated report lists them in the order they were observed):

Windows Security Center monitoring is suppressed. With all four of these values set to 1, Windows XP stops warning the user that antivirus or firewall protection is missing or turned off:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

Proxy settings are disabled and the connection settings are rewritten; the flag byte (01) in both blobs denotes a direct connection with automatic proxy detection turned off. The existing proxy values are deleted as well (see below):

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

The following entries belong to the LocalService profile (HKU\.DEFAULT and LocalService's Shell Folders), which is consistent with the process running in the LocalService account. They are what WinINet writes when it initialises the Internet cache for an account that has not used it before, not deliberate changes by the Trojan:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

The CryptoAPI seed is rewritten by Windows whenever a process requests random bytes from the cryptographic service provider; on its own it is not an indicator:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F7 42 B2 4E FF B3 B1 7A DD BA BA D0 1C E1 38"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The processes ayfzta4lsrvb.exe:2896, ayfzta37y1vb.exe:5576 and ayfzta36ujvbuo8oqayx.exe:2388 each write a new CryptoAPI seed. Windows rewrites this value whenever a process asks the cryptographic service provider for random bytes, so these entries only record that the components used CryptoAPI; they are not changes the Trojan made on purpose and should not be used as indicators.

The process ayfzta4lsrvb.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 73 2D F9 47 D7 43 35 4C 3C 86 69 CC F3 02 9E"

The process ayfzta37y1vb.exe:5576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 20 2A 6B 9C DE AC 94 D0 77 C6 C7 6A D1 5A 53"

The process ayfzta36ujvbuo8oqayx.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 5D 7A 55 57 24 65 00 A0 F5 7A 79 A5 39 2B FC"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Foundation Window Input TP" = "%System%\ddjkuocysk.exe"
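The registry listing above mixes two deliberate changes (the Security Center suppression and the Run key) with a lot of sandbox noise. The following Python is an added example, not part of the Lavasoft report: it parses the report's own [KEY] / "Name" = "Value" listing format, sets aside writes that are side effects of normal API use (WinINet cache set-up, Shell Folders, the CryptoAPI seed) and isolates the changes that matter. SAMPLE_LISTING is a constructed excerpt of the values shown above; the NOISE_KEYS list is an assumption tuned to this report and would need extending for other samples.

```python
"""Triage registry writes listed in an automated sandbox report.

Added example, not part of the Lavasoft report. Parses the report's own
[KEY] / "Name" = "Value" listing, separates sandbox noise (WinINet cache
set-up, Shell Folders, the CryptoAPI RNG seed) from the Security Center
suppression and the Run key. SAMPLE_LISTING is a constructed excerpt of the
report's values; NOISE_KEYS is an assumption tuned to this report.
"""
import re
from typing import Dict, List, Tuple

Triple = Tuple[str, str, str]  # (key, value name, data)

# Constructed excerpt, in the report's verbatim listing format.
SAMPLE_LISTING = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F7 42 B2 4E FF B3 B1 7A DD BA BA D0 1C E1 38"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Foundation Window Input TP" = "%System%\ddjkuocysk.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

# Key substrings (lower-cased) whose writes are side effects of normal API use.
NOISE_KEYS = (
    r'\microsoft\windows\currentversion\internet settings\cache\paths',
    r'\microsoft\windows\currentversion\explorer\shell folders',
    r'\microsoft\cryptography\rng',
)

# Windows XP Security Center switches; all four at "1" silence AV/firewall warnings.
SECURITY_CENTER_KEY = r'hklm\software\microsoft\security center'
SECURITY_CENTER_VALUES = {'antivirusoverride', 'antivirusdisablenotify',
                          'firewalloverride', 'firewalldisablenotify'}
RUN_KEY_SUFFIX = r'\microsoft\windows\currentversion\run'


def parse_registry_listing(text: str) -> List[Triple]:
    """Turn the report's listing into (key, name, data) triples."""
    triples: List[Triple] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            triples.append((current_key, value_match.group(1), value_match.group(2)))
    return triples


def triage(triples: List[Triple]) -> Dict[str, List[Triple]]:
    """Bucket each write as security_center, autorun, noise or other."""
    buckets: Dict[str, List[Triple]] = {'security_center': [], 'autorun': [], 'noise': [], 'other': []}
    for key, name, data in triples:
        k, n = key.lower(), name.lower()
        if k == SECURITY_CENTER_KEY and n in SECURITY_CENTER_VALUES and data == '1':
            bucket = 'security_center'
        elif k.endswith(RUN_KEY_SUFFIX):
            bucket = 'autorun'
        elif any(noise in k for noise in NOISE_KEYS):
            bucket = 'noise'
        else:
            bucket = 'other'
        buckets[bucket].append((key, name, data))
    return buckets


def security_center_fully_suppressed(buckets: Dict[str, List[Triple]]) -> bool:
    """True when every override/notify switch was set, i.e. Security Center is muted."""
    return {name.lower() for _, name, _ in buckets['security_center']} == SECURITY_CENTER_VALUES


if __name__ == '__main__':
    result = triage(parse_registry_listing(SAMPLE_LISTING))
    for bucket, items in result.items():
        print(f'{bucket}: {len(items)}')
        if bucket != 'noise':
            for key, name, data in items:
                print(f'  {key}\\{name} = {data}')
    print('Security Center muted:', security_center_fully_suppressed(result))
```

Anything that lands in the other bucket is what deserves a manual look; for this report it is empty once the proxy and connection-settings keys are added to the rules, which is left to the reader.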

Dropped PE files

The automated check reports no dropped PE files, but the file activity above contradicts it: %System%\ddjkuocysk.exe and %System%\kkpfzycjdf.exe (6841 bytes each), %Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (6306 bytes, deleted after it ran) and the two files %WinDir%\Temp\ayfzta37y1vb.exe and %WinDir%\Temp\ayfzta4lsrvb.exe were all written by the sample and then executed. The 35-byte figures given for the two %WinDir%\Temp files cannot be their full sizes: ayfzta4lsrvb.exe ran, and its memory dump (below) is that of a complete UPnP client. Treat all five as dropped components when hunting.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts", the file Windows consults before DNS when resolving a hostname. A first 22-byte version written by ayfzta36ujvbuo8oqayx.exe:2388 was deleted; the final file, written by ddjkuocysk.exe:3152, is 48 bytes and contains the following added entry, which blackholes Yahoo Mail by sending the name to the local machine:

127.0.0.1 mail.yahoo.com
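A check for this class of tampering, written here as an added example and not taken from the report: it parses a hosts file and flags any non-local name mapped to a loopback or unspecified address (blackholing, as in this sample) or to any other address (redirection). SAMPLE_HOSTS is constructed to contain the entry described above; the page does not give the full 48-byte file, and the example.test names used in the second sample are made up.

```python
"""Flag hosts-file entries that blackhole or redirect non-local names.

Added example, not part of the Lavasoft report. SAMPLE_HOSTS is constructed
to contain the entry the report describes; the page does not give the full
48-byte file.
"""
import ipaddress
from typing import List, Tuple

# Names a stock hosts file legitimately points at loopback or link-local multicast.
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost',
               'ip6-localhost', 'ip6-loopback', 'ip6-localnet',
               'ip6-mcastprefix', 'ip6-allnodes', 'ip6-allrouters'}

# Constructed sample reflecting the report: localhost plus the added Yahoo Mail entry.
SAMPLE_HOSTS = '127.0.0.1\tlocalhost\r\n127.0.0.1 mail.yahoo.com\r\n'


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()                  # any run of spaces/tabs separates fields
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address: ignore rather than fail
        for host in fields[1:]:                # one address may carry several names
            pairs.append((str(addr), host.lower()))
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (address, hostname, reason) for entries an analyst should look at.

    'blackholed': a non-local name sent to loopback or 0.0.0.0/::, which makes
    the host unreachable (the report's mail.yahoo.com case).
    'redirected': a non-local name sent anywhere else, i.e. a possible
    phishing or command-and-control redirect. Legitimate intranet entries
    show up here too, so compare against a known-good baseline.
    """
    findings: List[Tuple[str, str, str]] = []
    for addr_str, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(addr_str)
        reason = 'blackholed' if (addr.is_loopback or addr.is_unspecified) else 'redirected'
        findings.append((addr_str, host, reason))
    return findings


if __name__ == '__main__':
    for addr, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f'{reason}: {host} -> {addr}')
```

Run against the live file (%System%\drivers\etc\hosts on Windows, /etc/hosts elsewhere) the same function gives the analyst a short list instead of a full file to eyeball; the Windows default file contains only comments and loopback entries, so any finding on a stock XP box is worth following up.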


Rootkit activity

No anomalies have been detected.

Propagation

No information is available.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             686310        686592    4.71367  38e5920e2339c3600744a106a141ea30
.rdata  692224           52298         52736     3.64597  0d15730896c8ecf0697e9bce1b1a7784
.data   745472           159360        125440    5.50186  afbd11377fd125d8534114610ea2ba55

None of the sections shows the near-maximal entropy (above roughly 7 bits per byte) that compressed or encrypted data produces, so the "Entropy: Packed" verdict and the UPolyXv05_v6 PEiD match in the summary above should be treated as weak evidence of packing.

Dropped from: none recorded
Downloaded by: none recorded
Similar by SSDeep: none recorded
Similar by Lavasoft Polymorphic Checker: none recorded

URLs

URL IP
tablefruit.net (no IP recorded)
stickmarch.net (no IP recorded)

A third domain, gentlefriend.net, appears in the ddjkuocysk.exe memory dump (see the strings below) but no contact with it was recorded during the run.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

No alerts recorded.

Traffic

No traffic capture is included in the report.

Strings from Dumps

The two 6841-byte components, ddjkuocysk.exe and kkpfzycjdf.exe, yield near-identical string sets; the ddjkuocysk.exe dump additionally contains the command line WATCHDOGPROC "c:\windows\system32\ddjkuocysk.exe" and the domain gentlefriend.net, which suggests one copy is started to watch over and restart the other. The phrase "IP Awareness Device Keying Accounts Protocol" has the shape of a generated display name. Lines that look like junk are code bytes that happen to print as text.

ddjkuocysk.exe_3152:

.text
`.rdata
@.data
SRSSSh
~ESSSh
D^!%f
SSSh ~D
t
~)SSSh
tUSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ddjkuocysk.exe
vb.exe
IP Awareness Device Keying Accounts Protocol
kkpfzycjdf.exe
>-.Fl
k.zrb
N.jm,
pZ*%uuk
P%uU(
BjMpD.tR
}%3Sy
l8.Nt
cx%CwI
6&.VI.
zcÁ
%Documents and Settings%\LocalService
|%System%\kkpfzycjdf.exe
|gentlefriend.net
WATCHDOGPROC "c:\windows\system32\ddjkuocysk.exe"
%System%\ddjkuocysk.exe
mscoree.dll
KERNEL32.DLL

kkpfzycjdf.exe_3948:

.text
`.rdata
@.data
SRSSSh
~ESSSh
D^!%f
SSSh ~D
t
~)SSSh
tUSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ddjkuocysk.exe
vb.exe
IP Awareness Device Keying Accounts Protocol
kkpfzycjdf.exe
>-.Fl
k.zrb
N.jm,
pZ*%uuk
P%uU(
BjMpD.tR
}%3Sy
l8.Nt
cx%CwI
6&.VI.
zcÁ
%Documents and Settings%\LocalService
%System%\kkpfzycjdf.exe
mscoree.dll
KERNEL32.DLL

ayfzta4lsrvb.exe_3132 (listed with PID 2896 under Process activity above; the PID given here differs):

The strings that follow are those of upnpc, the command-line client shipped with the open-source MiniUPnPc library, version 1.6 (see the User-Agent line and the http://miniupnp.free.fr/ reference), built with MinGW gcc 3.4.5 (the w32-shared-ptr.c path). The sample therefore carries a stock UPnP IGD client, the tool one would use from behind a NAT gateway to discover the router (M-SEARCH to 239.255.255.250:1900) and add an inbound port mapping (AddPortMapping). No such traffic is recorded in this report.

.text
`.data
.rdata
@.bss
.idata
Connection Type : %s
Status : %s, uptime=%us, LastConnectionError : %s
Time started : %s
MaxBitRateDown : %u bps
(%u.%u Mbps)
(%u Kbps)
MaxBitRateUp %u bps
GetExternalIPAddress() returned %d
ExternalIPAddress = %s
AddPortMapping(%s, %s, %s) failed with code %d (%s)
GetSpecificPortMappingEntry() failed with code %d (%s)
InternalIP:Port = %s:%s
external %s:%s %s is redirected to internal %s:%s (duration=%s)
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
option '%s' invalid
%s [options] -a ip port external_port protocol [duration]
Add port redirection
%s [options] -d external_port protocol [port2 protocol2] [...]
Delete port redirection
%s [options] -s
%s [options] -l
%s [options] -L
List redirections (using GetListOfPortMappings, IGD v2)
%s [options] -r port1 protocol1 [port2 protocol2] [...]
%s [options] -A remote_ip remote_port internal_ip internal_port protocol lease_time
%s [options] -U uniqueID new_lease_time
%s [options] -C uniqueID
%s [options] -K uniqueID
%s [options] -D uniqueID
%s [options] -S
%s [options] -G remote_ip remote_port internal_ip internal_port protocol
%s [options] -P
Get Presentation url
protocol is UDP or TCP
-u url : bypass discovery process by providing the XML root description url.
desc: %s
st: %s
upnpDiscover() error code=%d
Found valid IGD : %s
Found a (not connected?) IGD : %s
UPnP device found. Is it an IGD ? : %s
Found device (igd ?) : %s
Local LAN ip address : %s
- %s %5s->%s:%-5s '%s' '%s' %s
GetGenericPortMappingEntry() returned %d (%s)
- %s %5hu->%s:%-5hu '%s' '%s' %u
GetListOfPortMappings() returned %d (%s)
UPNP_DeletePortMapping() returned : %d
Bytes: Sent: %8u
Recv: %8u
Packets: Sent: %8u
AddPinhole([%s]:%s -> [%s]:%s) failed with code %d (%s)
AddPinhole: ([%s]:%s -> [%s]:%s) / Pinhole ID = %s
CheckPinholeWorking: Pinhole ID = %s / IsWorking = %s
CheckPinholeWorking() failed with code %d (%s)
UpdatePinhole: Pinhole ID = %s with Lease Time: %s
UpdatePinhole: ID (%s) failed with code %d (%s)
GetPinholePackets() failed with code %d (%s)
GetPinholePackets: Pinhole ID = %s / PinholePackets = %d
UPNP_DeletePinhole() returned : %d
FirewallEnabled: %d & Inbound Pinhole Allowed: %d
Firewall Enabled: %s
Inbound Pinhole Allowed: %s
GetOutboundPinholeTimeout([%s]:%s -> [%s]:%s) failed with code %d (%s)
GetOutboundPinholeTimeout: ([%s]:%s -> [%s]:%s) / Timeout = %d
Presentation URL found:
Unknown switch -%c
%s#%s
M-SEARCH * HTTP/1.1
HOST: %s:1900
ST: %s
MX: %u
223.255.255.255
Socket error: %s, %d
239.255.255.250
getaddrinfo() failed: %d
NewExternalPort
NewInternalPort
NewPortMappingDescription
AddPortMapping
DeletePortMapping
NewPortMappingIndex
GetGenericPortMappingEntry
GetPortMappingNumberOfEntries
NewPortMappingNumberOfEntries
GetSpecificPortMappingEntry
NewStartPort
NewEndPort
NewNumberOfPorts
GetListOfPortMappings
RemotePort
InternalPort
PortMappingEntry
ProtocolNotSupported
InternalPortWildcardingNotAllowed
SamePortValuesRequired
WildCardNotPermittedInExtPort
RemoteHostOnlySupportsWildcard
ExternalPortOnlySupportsWildcard
OnlyPermanentLeasesSupported
getnameinfo() failed : %d
GET %s HTTP/%s
Host: %s:%d
User-Agent: MSWindows/5.1.2600, UPnP/1.0, MiniUPnPc/1.6
POST %s HTTP/%s
Host: %s%s
Content-Length: %d
SOAPAction: "%s"
getaddrinfo() error : %d
URLBase
presentationURL
controlURL
eventSubURL
SCPDURL
urlbase = '%s'
serviceType = '%s'
controlURL = '%s'
eventSubURL = '%s'
SCPDURL = '%s'
servicetype = '%s'
NewPortListing
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
WS2_32.DLL
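Because the dropped ayfzta4lsrvb.exe is the upnpc client, the network artefacts to watch for are an SSDP M-SEARCH to 239.255.255.250:1900 followed by a SOAP AddPortMapping call to the gateway's control URL. The Python below is an added example, not code from the report or from the MiniUPnP project: it parses both messages from captured text and summarises the mapping being requested. The capture is constructed following the UPnP WANIPConnection:1 service definition; the addresses (192.0.2.x), port 41527, the control URL /ctl/IPConn and the 'libminiupnpc' description are assumptions, not values taken from this sample, while the User-Agent and SOAPAction strings mirror those in the dump.

```python
"""Parse UPnP IGD discovery and AddPortMapping requests from captured text.

Added example, not part of the Lavasoft report or of MiniUPnP. The capture
below is constructed after the UPnP WANIPConnection:1 service definition;
addresses, port, control URL and description are made-up values.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SOAP_ENV = 'http://schemas.xmlsoap.org/soap/envelope/'

# Constructed SSDP discovery datagram, matching the M-SEARCH/HOST/ST/MX strings in the dump.
SAMPLE_MSEARCH = (
    'M-SEARCH * HTTP/1.1\r\n'
    'HOST: 239.255.255.250:1900\r\n'
    'ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n'
    'MAN: "ssdp:discover"\r\n'
    'MX: 2\r\n\r\n'
)

# Constructed SOAP body: the arguments AddPortMapping takes in WANIPConnection:1.
_BODY = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>41527</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>41527</NewInternalPort>'
    '<NewInternalClient>192.0.2.23</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>libminiupnpc</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>'
)

# Constructed control request; User-Agent and SOAPAction values mirror the strings in the dump.
SAMPLE_REQUEST = (
    'POST /ctl/IPConn HTTP/1.1\r\n'
    'Host: 192.0.2.1:5000\r\n'
    'User-Agent: MSWindows/5.1.2600, UPnP/1.0, MiniUPnPc/1.6\r\n'
    f'Content-Length: {len(_BODY)}\r\n'
    'Content-Type: text/xml\r\n'
    'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n'
    '\r\n' + _BODY
)


def split_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split an HTTP message into request line, lower-cased header map and body."""
    head, _, body = raw.partition('\r\n\r\n')
    lines = head.split('\r\n')
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')  # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_msearch(raw: str) -> Optional[str]:
    """Return the search target (ST) of an SSDP M-SEARCH, or None for other messages."""
    request_line, headers, _ = split_http(raw)
    if not request_line.startswith('M-SEARCH * '):
        return None
    return headers.get('st')


def parse_port_mapping(raw: str) -> Optional[Dict[str, str]]:
    """Return the AddPortMapping arguments plus the client's User-Agent, or None."""
    request_line, headers, body = split_http(raw)
    action = headers.get('soapaction', '').strip('"')
    if not request_line.startswith('POST ') or not action.endswith('#AddPortMapping'):
        return None
    service_type = action.rsplit('#', 1)[0]
    try:
        envelope = ET.fromstring(body)
    except ET.ParseError:
        return None
    call = envelope.find(f'{{{SOAP_ENV}}}Body/{{{service_type}}}AddPortMapping')
    if call is None:
        return None
    # Argument elements carry no namespace, so their tags are the bare names.
    args = {child.tag: (child.text or '') for child in call}
    args['user_agent'] = headers.get('user-agent', '')
    return args


def describe(args: Dict[str, str]) -> str:
    """One-line summary of what the mapping exposes, for an alert or log entry."""
    lease = args.get('NewLeaseDuration', '0')
    lease_text = 'permanent' if lease == '0' else f'{lease}s lease'
    return (f"inbound {args['NewProtocol']}/{args['NewExternalPort']} -> "
            f"{args['NewInternalClient']}:{args['NewInternalPort']} "
            f"({lease_text}, '{args['NewPortMappingDescription']}')")


if __name__ == '__main__':
    print('discovery target:', parse_msearch(SAMPLE_MSEARCH))
    mapping = parse_port_mapping(SAMPLE_REQUEST)
    print(describe(mapping), 'by', mapping['user_agent'])
```

A workstation that issues AddPortMapping for a permanent lease on an arbitrary high port, with a MiniUPnPc User-Agent and no browser or game client to account for it, is the signal to alert on; the gateway's own port-mapping table (GetGenericPortMappingEntry, also present in the strings) is the place to confirm it after the fact.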


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    kkpfzycjdf.exe:3948
    %original file name%.exe:1136
    ddjkuocysk.exe:3152
    ddjkuocysk.exe:4812
    ayfzta4lsrvb.exe:2896
    ayfzta37y1vb.exe:5576
    ayfzta36ujvbuo8oqayx.exe:2388

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\aicjinva\tst (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (6306 bytes)
    %WinDir%\Temp\ayfzta37y1vb.exe (35 bytes)
    %System%\aicjinva\rng (8 bytes)
    %System%\drivers\etc\hosts (48 bytes)
    %WinDir%\Temp\ayfzta4lsrvb.exe (35 bytes)
    %System%\aicjinva\run (10 bytes)
    %System%\aicjinva\ihst (82 bytes)
    %System%\kkpfzycjdf.exe (6841 bytes)
    %System%\aicjinva\cfg (512 bytes)
    %System%\aicjinva\etc (10 bytes)
    %System%\ddjkuocysk.exe (6841 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Diagnostic Foundation Window Input TP" = "%System%\ddjkuocysk.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
