Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'IP RPC Search Tools Acquisition' = '<SYSTEM32>\kiiqhky.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Socket Now Thread Discovery] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\rfphdetu.exe' "<SYSTEM32>\kiiqhky.exe"
- '%WINDIR%\Temp\gbchhtod2py1rhbjx.exe' -r 47267 tcp
- '%TEMP%\gbchhtod2lytrhbjxp7chyl.exe'
- '<SYSTEM32>\kiiqhky.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\gsrtrwk\run
- <SYSTEM32>\gsrtrwk\rng
- %WINDIR%\Temp\gbchhtod2py1rhbjx.exe
- <SYSTEM32>\gsrtrwk\cfg
- <SYSTEM32>\rfphdetu.exe
- %TEMP%\gbchhtod2lytrhbjxp7chyl.exe
- <SYSTEM32>\gsrtrwk\tst
- <SYSTEM32>\kiiqhky.exe
- <SYSTEM32>\gsrtrwk\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\rfphdetu.exe
- <SYSTEM32>\kiiqhky.exe
Deletes the following files:
- %WINDIR%\Temp\gbchhtod2py1rhbjx.exe
- <DRIVERS>\etc\hosts
- %TEMP%\gbchhtod2lytrhbjxp7chyl.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'su###yknew.net':80
- 'mo###new.net':80
- 'su###ydone.net':80
- 'mo###one.net':80
- 'me###ifth.net':80
- 'si###hine.net':80
- 'me###one.net':80
- 'si###ifth.net':80
- 'me###hine.net':80
- 'mo###hine.net':80
- 'qu###done.net':80
- 'th###one.net':80
- 'qu###shine.net':80
- 'th###hine.net':80
- 'qu###knew.net':80
- 'mo###ifth.net':80
- 'su###yshine.net':80
- 'th###new.net':80
- 'su###yfifth.net':80
- 'tr###feet.net':80
- 'mi###ach.net':80
- 'da###new.net':80
- 'mi###eet.net':80
- 'tr###each.net':80
- 'mi###edge.net':80
- 'tr###wedge.net':80
- 'mi####sterday.net':80
- 'tr####esterday.net':80
- 'cl###knew.net':80
- 'si###new.net':80
- 'cl###fifth.net':80
- 'si###one.net':80
- 'me###new.net':80
- 'da###ifth.net':80
- 'cl###done.net':80
- 'da###one.net':80
- 'cl###shine.net':80
- 'da###hine.net':80
- 'th###ifth.net':80
- 'ri###nstorm.net':80
- 'wi###ifth.net':80
- 'ca####nbring.net':80
- 'al###being.net':80
- 'du###ifth.net':80
- 'wi###one.net':80
- 'du###one.net':80
- 'wi###hine.net':80
- 'du###hine.net':80
- 'pr####tbottom.net':80
- 'jo####ymeasure.net':80
- 'cr#####onaraminta.net':80
- 'ef###tbuilt.net':80
- 'th###while.net':80
- 'le###form.net':80
- 'ab###ell.net':80
- 'mo###olor.net':80
- 'mo###ugust.net':80
- 'mi###hown.net':80
- 'ca###hine.net':80
- 'he###hine.net':80
- 'ca###ifth.net':80
- 'he###ifth.net':80
- 'ca###one.net':80
- 'he###new.net':80
- 'qu###fifth.net':80
- 'he###one.net':80
- 'ca###new.net':80
- 'si###knew.net':80
- 'th###fifth.net':80
- 'si###fifth.net':80
- 'wi###new.net':80
- 'du###new.net':80
- 'th###shine.net':80
- 'si###done.net':80
- 'th###knew.net':80
- 'si###shine.net':80
- 'th###done.net':80
TCP:
HTTP GET requests:
- http://su###yknew.net/index.php
- http://mo###new.net/index.php
- http://su###ydone.net/index.php
- http://mo###one.net/index.php
- http://me###ifth.net/index.php
- http://si###hine.net/index.php
- http://me###one.net/index.php
- http://si###ifth.net/index.php
- http://me###hine.net/index.php
- http://mo###hine.net/index.php
- http://qu###done.net/index.php
- http://th###one.net/index.php
- http://qu###shine.net/index.php
- http://th###hine.net/index.php
- http://qu###knew.net/index.php
- http://mo###ifth.net/index.php
- http://su###yshine.net/index.php
- http://th###new.net/index.php
- http://su###yfifth.net/index.php
- http://tr###feet.net/index.php
- http://mi###ach.net/index.php
- http://da###new.net/index.php
- http://mi###eet.net/index.php
- http://tr###each.net/index.php
- http://mi###edge.net/index.php
- http://tr###wedge.net/index.php
- http://mi####sterday.net/index.php
- http://tr####esterday.net/index.php
- http://cl###knew.net/index.php
- http://si###new.net/index.php
- http://cl###fifth.net/index.php
- http://si###one.net/index.php
- http://me###new.net/index.php
- http://da###ifth.net/index.php
- http://cl###done.net/index.php
- http://da###one.net/index.php
- http://cl###shine.net/index.php
- http://da###hine.net/index.php
- http://th###ifth.net/index.php
- http://ri###nstorm.net/index.php
- http://wi###ifth.net/index.php
- http://ca####nbring.net/index.php
- http://al###being.net/index.php
- http://du###ifth.net/index.php
- http://wi###one.net/index.php
- http://du###one.net/index.php
- http://wi###hine.net/index.php
- http://du###hine.net/index.php
- http://pr####tbottom.net/index.php
- http://jo####ymeasure.net/index.php
- http://cr#####onaraminta.net/index.php
- http://ef###tbuilt.net/index.php
- http://th###while.net/index.php
- http://le###form.net/index.php
- http://ab###ell.net/index.php
- http://mo###olor.net/index.php
- http://mo###ugust.net/index.php
- http://mi###hown.net/index.php
- http://ca###hine.net/index.php
- http://he###hine.net/index.php
- http://ca###ifth.net/index.php
- http://he###ifth.net/index.php
- http://ca###one.net/index.php
- http://he###new.net/index.php
- http://qu###fifth.net/index.php
- http://he###one.net/index.php
- http://ca###new.net/index.php
- http://si###knew.net/index.php
- http://th###fifth.net/index.php
- http://si###fifth.net/index.php
- http://wi###new.net/index.php
- http://du###new.net/index.php
- http://th###shine.net/index.php
- http://si###done.net/index.php
- http://th###knew.net/index.php
- http://si###shine.net/index.php
- http://th###done.net/index.php
UDP:
- DNS ASK mo###one.net
- DNS ASK su###yknew.net
- DNS ASK mo###hine.net
- DNS ASK su###ydone.net
- DNS ASK mo###new.net
- DNS ASK me###hine.net
- DNS ASK si###hine.net
- DNS ASK me###ifth.net
- DNS ASK si###ifth.net
- DNS ASK su###yshine.net
- DNS ASK th###hine.net
- DNS ASK qu###done.net
- DNS ASK th###ifth.net
- DNS ASK qu###shine.net
- DNS ASK th###one.net
- DNS ASK su###yfifth.net
- DNS ASK mo###ifth.net
- DNS ASK qu###knew.net
- DNS ASK th###new.net
- DNS ASK me###one.net
- DNS ASK tr###feet.net
- DNS ASK mi###ach.net
- DNS ASK da###new.net
- DNS ASK mi###eet.net
- DNS ASK tr###each.net
- DNS ASK mi###edge.net
- DNS ASK tr###wedge.net
- DNS ASK mi####sterday.net
- DNS ASK tr####esterday.net
- DNS ASK cl###knew.net
- DNS ASK si###new.net
- DNS ASK cl###fifth.net
- DNS ASK si###one.net
- DNS ASK me###new.net
- DNS ASK da###ifth.net
- DNS ASK cl###done.net
- DNS ASK da###one.net
- DNS ASK cl###shine.net
- DNS ASK da###hine.net
- DNS ASK ri###nstorm.net
- DNS ASK wi###ifth.net
- DNS ASK ca####nbring.net
- DNS ASK al###being.net
- DNS ASK du###ifth.net
- DNS ASK wi###one.net
- DNS ASK du###one.net
- DNS ASK wi###hine.net
- DNS ASK du###hine.net
- DNS ASK pr####tbottom.net
- DNS ASK jo####ymeasure.net
- DNS ASK cr#####onaraminta.net
- DNS ASK ef###tbuilt.net
- DNS ASK th###while.net
- DNS ASK le###form.net
- DNS ASK ab###ell.net
- DNS ASK mo###olor.net
- DNS ASK mo###ugust.net
- DNS ASK mi###hown.net
- DNS ASK ca###hine.net
- DNS ASK he###hine.net
- DNS ASK ca###ifth.net
- DNS ASK he###ifth.net
- DNS ASK ca###one.net
- DNS ASK he###new.net
- DNS ASK qu###fifth.net
- DNS ASK he###one.net
- DNS ASK ca###new.net
- DNS ASK si###knew.net
- DNS ASK th###fifth.net
- DNS ASK si###fifth.net
- DNS ASK wi###new.net
- DNS ASK du###new.net
- DNS ASK th###shine.net
- DNS ASK si###done.net
- DNS ASK th###knew.net
- DNS ASK si###shine.net
- DNS ASK th###done.net
- '23#.#55.255.250':1900
