Trojan.Win32.Diss.susko (Kaspersky), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fb5bd2133354f5f2f1b2a8784b69d3bc
SHA1: 56346c546f7f003c5e69ceb3bdc937830f785a10
SHA256: 15e85e3657d1a09135d50980594de1c134bb348ed2e3a5ffabff64ef8bc6a36e
SSDeep: 49152:2FN1Z04ewsXx/JHER8HAOGChn0CocgHgWt9qtBB7QtyjiD:2FN1S4e9hS8HAOGChcBHft8C6iD
Size: 2042606 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Video HDV04.10
Created at: 2015-01-31 10:27:21
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1868
_hndguard.exe:2012
The Trojan injects its code into the following process(es):
hndclient.exe:1176
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process hndclient.exe:1176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\handyCafe\Client\default.swf (44 bytes)
%Documents and Settings%\All Users\handyCafe\Client\Banners\shbanner.htm (739 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (391 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (1 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (30278 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (0 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (0 bytes)
The process %original file name%.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
Registry activity
The process hndclient.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\HandyCafe\Client]
"Path" = "D:\hndclient.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\HandyCafe\Client\Settings]
"_clnorm" = "0"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnCloseAdvanced" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\HandyCafe\Client]
"Version" = "3.3.21"
"Path" = "D:\hndclient.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "0"
"NewTabPageShow" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 E8 AF E6 05 8F DF 8E C1 33 F7 91 54 BE 46 4E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "hndclient.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\HandyCafe\Client]
"Version" = "3.3.21"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
"hndclient" = "D:\hndclient.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\D:]
"hndclient.exe" = "D:\hndclient.exe:*:Enabled:handyCafe Client"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"Adobe ARM" = "%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Common Files\Java\Java Update\jusched.exe"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"
"VMware Tools"
"Adobe ARM"
"SunJavaUpdateSched"
"Adobe Reader Speed Launcher"
"hndclient"
The process %original file name%.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 3A FF 2B CF DC DB 25 76 45 25 05 3D C5 B6 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"hndclient.exe" = "HandyCafe Client"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process _hndguard.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 01 37 8B 11 8B 96 79 0D 26 14 DA 80 EA 63 C9"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1868
_hndguard.exe:2012
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\handyCafe\Client\default.swf (44 bytes)
%Documents and Settings%\All Users\handyCafe\Client\Banners\shbanner.htm (739 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp4_list.dat (391 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\%current user%\handyCafe\tmp\hc14096096778.tmp (1 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (30278 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hndclient" = "D:\hndclient.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Common Files\Java\Java Update\jusched.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 165770 | 165888 | 4.6575 | d06d79869523ea3421d1bec81acb4dd3 |
.rdata | 172032 | 20435 | 20480 | 3.73648 | e22329333f8810a163be0adc3018660e |
.data | 192512 | 136232 | 5632 | 2.40214 | 6754819d963e719555064632286f5a0d |
.rsrc | 331776 | 17624 | 17920 | 3.22359 | 2228bf0d08f66c617dd72a81676d6c6b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 41
e00aa5fac6ac532217c355b289b0e89a
826cf2435f5afb5fc966fb473e8d2b8e
1e882c6b3e2534279251c88252f0f628
b4678a329d8286c971dfd2e70d1d4845
884a05bb7947421eb4fe326ee15de0a0
84e276f01e08e29e13bec8efeefe46cc
488a75892901c2712e9eb53a7e387e33
80a993f2093492df18ff7d11fc5e8056
79fec57324cbe4302312b8ad2d64dcd4
3386617b1889f1d72d489371f719ff67
7efafd8d7f804f93387eec1b6bb7c1ac
daf6de8401ce0f21a7c79e6f17241190
0593a4093b848bebd23ca37f01f1ce90
b030c3a9ee1062234d6b737da2e578d8
111d832cc08dc412d6b9bcf75f8b986d
6a6fe9e4673b9ca71207ea8fcf5d7b7f
70a114b46f916359ad20e58ff408c9a3
5fe8ca4ddbc27c75a11c25aba8d8710b
68bbff09c5706e565e4ca40df2936149
b337d41f49871facdc78ab5c2cef5765
e969757a6c88f7ff47e37e471bd6b110
a920ef131a7c9ec746db47c3b34fabcf
bbfc9e517f681bffc36d47babe7c6d7c
17bc21d4b381fd4781f929ad6b3e2904
82b455846c2e167bdf6f65ea439245af
Network Activity
URLs
URL | IP |
---|---|
hxxp://ad.handycafe.com/se/adx.php | 37.58.77.224 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /se/adx.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: AtWebPost
Host: ad.handycafe.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: UTF-8,*
Cache-Control: no-cache
Connection: close
Content-Length: 285
lang=EN&op=get_banner&RndID=1409156&Mac=00-0C-29-AC-63-98&Version=3.3.21&LocalIp=192.168.220.135&ProductKey=&Serial=&Clients=0&ServerMac=&Screen=1916x902&LngID=1033&LngName=&LngCountry=United States&LngLang=ENU&Lng1=&Lng2=&MenuHeight=0&iType=0&Adtry=1&hpass=hcafe&rand_id=42724-1409156
HTTP/1.1 200 OK
Date: Thu, 12 Nov 2015 05:27:56 GMT
Server: Apache/2.4.12 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.4.42
X-Powered-By: PHP/5.4.42
Vary: Accept-Encoding,User-Agent
Content-Length: 1253
Connection: close
Content-Type: text/html
HND_START.PAKET_ID%ENT09156.AD_LANG%ENT%UA.START_PAGE%ENT%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua.POP_UP%ENT%2%ENT%2%ENT%hXXp://search.handycafe.com/?ua%ENT%search.handycafe.com%ENTF8%ENT"0%ENT%0%ENTÃŽNTER%ENT%0%ENT%0%ENT%handycafe.com%ENT%handycafe.com.COOKIE_START%ENT%1%ENT%0%ENT%0%ENT%1%ENT%0%ENT%0%ENT%1.MENU_AD%ENT000%ENT%http://a4.handycafe.com/ad-ua.html%ENT%0%ENT 00%ENT%0%ENT%handycafe.com%ENT%handycafe.com%ENT%0.LOGO_AD%ENT 10%ENT%hXXp://ads.handycafe.com/sr.php?l=ua%ENT%0%ENT%0%ENT%0%ENT%search.php%ENT%search.handycafe.com%ENT%0.URL_1%ENT10%ENT%hXXp://search.handycafe.com/?ua%ENT%Search%ENT%0%ENT%0%ENT