Trojan.Generic.11549629_fe1a3b6278

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1744

Mutexes

The following mutexes were created/opened:

RasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!__handy_clientMutexNPA_UnitVersioning_1744ShimCacheMutexZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexAMResourceMutex2

File activity

The process %original file name%.exe:1744 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (10422 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\data.dat (210 bytes)
C:\Language\lng.ini (23 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (0 bytes)

Registry activity

The process %original file name%.exe:1744 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\HandyCafe\Client]
"Path" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\HandyCafe\Client\Settings]
"_clnorm" = "0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnCloseAdvanced" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\HandyCafe\Client]
"Version" = "3.4.14"
"Path" = "c:\%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 9E FD 29 15 56 60 9F 87 C8 69 41 6E 49 03 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\HandyCafe\Client]
"Version" = "3.4.14"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hndclient" = "c:\%original file name%.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:handyCafe Client"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (10422 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\data\data.dat (210 bytes)
   C:\Language\lng.ini (23 bytes)
   %Documents and Settings%\All Users\handyCafe\Client\dump.log (58 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "hndclient" = "c:\%original file name%.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Product Name: HandyCafe Client
Product Version: 3.4.14
Legal Copyright: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Legal Trademarks: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Original Filename: hndclient.exe
Internal Name: HandyClient
File Version: 3.4.1.4
File Description: HandyCafe Client
Comments:
Language: Language Neutral

Company Name: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd StiProduct Name: HandyCafe ClientProduct Version: 3.4.14Legal Copyright: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd StiLegal Trademarks: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd StiOriginal Filename: hndclient.exeInternal Name: HandyClientFile Version: 3.4.1.4File Description: HandyCafe ClientComments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	1620596	1620992	4.55744	7eb791ce09604919c9c9e30c24db957c
DATA	1626112	79836	79872	4.06234	2c8e3a356310691b1168b18ee971290e
BSS	1708032	30901	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	1740800	15140	15360	3.4921	f47beb2645ff2fc27f35d9dc12ddfde5
.edata	1757184	752	1024	3.06852	42d23f25848261f6c812164c804935b3
.tls	1761280	392	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	1765376	24	512	0.148841	2d64dc4211572e4d954d536cdde942f0
.reloc	1769472	100544	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	1871872	1419776	1419776	5.08092	b60e4159a430f26a14161bc725c2e556

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ad.handycafe.com/se/adx.php	37.58.77.224

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /se/adx.php HTTP/1.1

Pragma: no-cache

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

User-Agent: AtWebPost

Host: ad.handycafe.com

Content-Length: 403

Connection: Keep-Alive

lang=EN&op=get_banner&RndID=545359&Mac=00-0C-29-5C-94-64&Version=3.4.14&LocalIp=192.168.11.129&ProductKey=&ClientID=33645-86709-55665-47610-90587&Serial=&Clients=0&ServerMac=&Screen=1276x846&LngID=1033&LngName=&LngCountry=United States&LngLang=ENU&Lng1=&Lng2=&MenuHeight=0&DefBrowser="C:Program FilesInternet Exploreriexplore.exe" -nohome&iType=0&Adtry=1&hpass=hcafe&rand_id=100456-545359

HTTP/1.1 200 OK

Date: Thu, 31 Jul 2014 19:23:06 GMT

Server: Apache/2.4.6 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.4.21

X-Powered-By: PHP/5.4.21

Vary: Accept-Encoding,User-Agent

Content-Length: 1348

Connection: close

Content-Type: text/html

HND_START.PAKET_ID%ENTT5359.AD_LANG%ENT%UA.CHROME_START_PAGE%ENT%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua%ENT%4%ENT%.START_PAGE%ENT%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua.POP_UP%ENT%2%ENT%2%ENT%hXXp://search.handycafe.com/?ua%ENT%search.handycafe.com%ENTF8%ENT"0%ENT%0%ENTÃŽNTER%ENT%0%ENT%0%ENT%handycafe.com%ENT%handycafe.com.COOKIE_START%ENT%1%ENT%0%ENT%0%ENT%1%ENT%0%ENT%0%ENT%1.MENU_AD%ENT%3000%ENT%hXXp://ads.handycafe.com/ads.php?l=ua%ENT0000%ENT 00%ENT%0%ENT%handycafe.com%ENT%handycafe.com%ENT%0.LOGO_AD%ENT 10%ENT%http://ads.handycafe.com/sr.php?l=ua%ENT%0%ENT%0%ENT%0%ENT%search.php%ENT%search.handycafe.com%ENT%0.URL_1%ENT10%ENT%hXXp://search.handycafe.com/?ua%ENT%Search%ENT%0%ENT%0%ENT