Skip to main content

Trojan.Win32.Delphi_fb5bd21333


Trojan.Win32.Diss.susko (Kaspersky), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: fb5bd2133354f5f2f1b2a8784b69d3bc

SHA1: 56346c546f7f003c5e69ceb3bdc937830f785a10

SHA256: 15e85e3657d1a09135d50980594de1c134bb348ed2e3a5ffabff64ef8bc6a36e

SSDeep: 49152:2FN1Z04ewsXx/JHER8HAOGChn0CocgHgWt9qtBB7QtyjiD:2FN1S4e9hS8HAOGChcBHft8C6iD

Size: 2042606 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Video HDV04.10

Created at: 2015-01-31 10:27:21

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1868
_hndguard.exe:2012

The Trojan injects its code into the following process(es):

hndclient.exe:1176

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process hndclient.exe:1176 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\handyCafe\Client\default.swf (44 bytes)
%Documents and Settings%\All Users\handyCafe\Client\Banners\shbanner.htm (739 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (391 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (1 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (30278 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (0 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (0 bytes)

The process %original file name%.exe:1868 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

Registry activity

The process hndclient.exe:1176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\HandyCafe\Client]
"Path" = "D:\hndclient.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\HandyCafe\Client\Settings]
"_clnorm" = "0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnCloseAdvanced" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\HandyCafe\Client]
"Version" = "3.3.21"
"Path" = "D:\hndclient.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "0"

"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 E8 AF E6 05 8F DF 8E C1 33 F7 91 54 BE 46 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "hndclient.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\HandyCafe\Client]
"Version" = "3.3.21"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

"hndclient" = "D:\hndclient.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\D:]
"hndclient.exe" = "D:\hndclient.exe:*:Enabled:handyCafe Client"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"Adobe ARM" = "%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Common Files\Java\Java Update\jusched.exe"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"

"VMware Tools"

"Adobe ARM"

"SunJavaUpdateSched"

"Adobe Reader Speed Launcher"

"hndclient"

The process %original file name%.exe:1868 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 3A FF 2B CF DC DB 25 76 45 25 05 3D C5 B6 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"hndclient.exe" = "HandyCafe Client"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process _hndguard.exe:2012 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 01 37 8B 11 8B 96 79 0D 26 14 DA 80 EA 63 C9"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1868
    _hndguard.exe:2012

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\handyCafe\Client\default.swf (44 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\Banners\shbanner.htm (739 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (391 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
    %Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (1 bytes)
    %Documents and Settings%\All Users\handyCafe\Client\dump.log (30278 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hndclient" = "D:\hndclient.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM" = "%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched" = "%Program Files%\Common Files\Java\Java Update\jusched.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher" = "%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40961657701658884.6575d06d79869523ea3421d1bec81acb4dd3
.rdata17203220435204803.73648e22329333f8810a163be0adc3018660e
.data19251213623256322.402146754819d963e719555064632286f5a0d
.rsrc33177617624179203.223592228bf0d08f66c617dd72a81676d6c6b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 41
e00aa5fac6ac532217c355b289b0e89a
826cf2435f5afb5fc966fb473e8d2b8e
1e882c6b3e2534279251c88252f0f628
b4678a329d8286c971dfd2e70d1d4845
884a05bb7947421eb4fe326ee15de0a0
84e276f01e08e29e13bec8efeefe46cc
488a75892901c2712e9eb53a7e387e33
80a993f2093492df18ff7d11fc5e8056
79fec57324cbe4302312b8ad2d64dcd4
3386617b1889f1d72d489371f719ff67
7efafd8d7f804f93387eec1b6bb7c1ac
daf6de8401ce0f21a7c79e6f17241190
0593a4093b848bebd23ca37f01f1ce90
b030c3a9ee1062234d6b737da2e578d8
111d832cc08dc412d6b9bcf75f8b986d
6a6fe9e4673b9ca71207ea8fcf5d7b7f
70a114b46f916359ad20e58ff408c9a3
5fe8ca4ddbc27c75a11c25aba8d8710b
68bbff09c5706e565e4ca40df2936149
b337d41f49871facdc78ab5c2cef5765
e969757a6c88f7ff47e37e471bd6b110
a920ef131a7c9ec746db47c3b34fabcf
bbfc9e517f681bffc36d47babe7c6d7c
17bc21d4b381fd4781f929ad6b3e2904
82b455846c2e167bdf6f65ea439245af

Network Activity

URLs

URL IP
hxxp://ad.handycafe.com/se/adx.php37.58.77.224

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /se/adx.php HTTP/1.0

Content-Type: application/x-www-form-urlencoded

User-Agent: AtWebPost

Host: ad.handycafe.com

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Charset: UTF-8,*

Cache-Control: no-cache

Connection: close

Content-Length: 285

lang=EN&op=get_banner&RndID=1409156&Mac=00-0C-29-AC-63-98&Version=3.3.21&LocalIp=192.168.220.135&ProductKey=&Serial=&Clients=0&ServerMac=&Screen=1916x902&LngID=1033&LngName=&LngCountry=United States&LngLang=ENU&Lng1=&Lng2=&MenuHeight=0&iType=0&Adtry=1&hpass=hcafe&rand_id=42724-1409156

HTTP/1.1 200 OK

Date: Thu, 12 Nov 2015 05:27:56 GMT

Server: Apache/2.4.12 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.4.42

X-Powered-By: PHP/5.4.42

Vary: Accept-Encoding,User-Agent

Content-Length: 1253

Connection: close

Content-Type: text/html

HND_START.PAKET_ID%ENT09156.AD_LANG%ENT%UA.START_PAGE%ENT%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua.POP_UP%ENT%2%ENT%2%ENT%hXXp://search.handycafe.com/?ua%ENT%search.handycafe.com%ENTF8%ENT"0%ENT%0%ENTÃŽNTER%ENT%0%ENT%0%ENT%handycafe.com%ENT%handycafe.com.COOKIE_START%ENT%1%ENT%0%ENT%0%ENT%1%ENT%0%ENT%0%ENT%1.MENU_AD%ENT000%ENT%http://a4.handycafe.com/ad-ua.html%ENT%0%ENT 00%ENT%0%ENT%handycafe.com%ENT%handycafe.com%ENT%0.LOGO_AD%ENT 10%ENT%hXXp://ads.handycafe.com/sr.php?l=ua%ENT%0%ENT%0%ENT%0%ENT%search.php%ENT%search.handycafe.com%ENT%0.URL_1%ENT10%ENT%hXXp://search.handycafe.com/?ua%ENT%Search%ENT%0%ENT%0%ENT