Trojan.Generic.11549629 (B) (Emsisoft), Trojan.Generic.11549629 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fe1a3b627859d5458a4ef4ca396f6cea
SHA1: 035a982727bd2f6dfbc4aaacd96110a9eb8c0d49
SHA256: 714db1ea8f57d535407db9112c266ff6992c872dfc5763bbb6f4046fe0af52b3
SSDeep: 49152:mqQP7UjePQSVpKubB6mQuTNTS98eTAHTBNGh6j3zeJjU6bW:mZP7Ub32HTBywyJjJW
Size: 3145080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ACProtect141, UPolyXv05_v6, MicrosoftWindowsShortcutfile
Company: databases
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1744
Mutexes
The following mutexes were created/opened:
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
_handy_clientMutex
NPA_UnitVersioning_1744
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
AMResourceMutex2
File activity
The process %original file name%.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (10422 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\data.dat (210 bytes)
C:\Language\lng.ini (23 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (58 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (0 bytes)
Registry activity
The process %original file name%.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\HandyCafe\Client]
"Path" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\HandyCafe\Client\Settings]
"_clnorm" = "0"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnCloseAdvanced" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\HandyCafe\Client]
"Version" = "3.4.14"
"Path" = "c:\%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 9E FD 29 15 56 60 9F 87 C8 69 41 6E 49 03 70"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\HandyCafe\Client]
"Version" = "3.4.14"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hndclient" = "c:\%original file name%.exe"
The Trojan modifies IE security zone settings so that all local sites with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Adds a rule to the Windows Firewall that allows any network activity for the file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:handyCafe Client"
The Trojan modifies IE security zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\handyCafe\Client\xp8_list.dat (10422 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\sets.ini (117 bytes)
%Documents and Settings%\All Users\handyCafe\Client\data\data.dat (210 bytes)
C:\Language\lng.ini (23 bytes)
%Documents and Settings%\All Users\handyCafe\Client\dump.log (58 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hndclient" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Product Name: HandyCafe Client
Product Version: 3.4.14
Legal Copyright: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Legal Trademarks: Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti
Original Filename: hndclient.exe
Internal Name: HandyClient
File Version: 3.4.1.4
File Description: HandyCafe Client
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 1620596 | 1620992 | 4.55744 | 7eb791ce09604919c9c9e30c24db957c |
DATA | 1626112 | 79836 | 79872 | 4.06234 | 2c8e3a356310691b1168b18ee971290e |
BSS | 1708032 | 30901 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 1740800 | 15140 | 15360 | 3.4921 | f47beb2645ff2fc27f35d9dc12ddfde5 |
.edata | 1757184 | 752 | 1024 | 3.06852 | 42d23f25848261f6c812164c804935b3 |
.tls | 1761280 | 392 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1765376 | 24 | 512 | 0.148841 | 2d64dc4211572e4d954d536cdde942f0 |
.reloc | 1769472 | 100544 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1871872 | 1419776 | 1419776 | 5.08092 | b60e4159a430f26a14161bc725c2e556 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ad.handycafe.com/se/adx.php | 37.58.77.224 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /se/adx.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: AtWebPost
Host: ad.handycafe.com
Content-Length: 403
Connection: Keep-Alive
lang=EN&op=get_banner&RndID=545359&Mac=00-0C-29-5C-94-64&Version=3.4.14&LocalIp=192.168.11.129&ProductKey=&ClientID=33645-86709-55665-47610-90587&Serial=&Clients=0&ServerMac=&Screen=1276x846&LngID=1033&LngName=&LngCountry=United States&LngLang=ENU&Lng1=&Lng2=&MenuHeight=0&DefBrowser="C:Program FilesInternet Exploreriexplore.exe" -nohome&iType=0&Adtry=1&hpass=hcafe&rand_id=100456-545359
HTTP/1.1 200 OK
Date: Thu, 31 Jul 2014 19:23:06 GMT
Server: Apache/2.4.6 (Unix) OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.4.21
X-Powered-By: PHP/5.4.21
Vary: Accept-Encoding,User-Agent
Content-Length: 1348
Connection: close
Content-Type: text/html
HND_START.PAKET_ID%ENTT5359.AD_LANG%ENT%UA.CHROME_START_PAGE%ENT%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua%ENT%4%ENT%.START_PAGE%ENT%1%ENT%1%ENT%hXXp://search.handycafe.com/start?ua.POP_UP%ENT%2%ENT%2%ENT%hXXp://search.handycafe.com/?ua%ENT%search.handycafe.com%ENTF8%ENT"0%ENT%0%ENTÃŽNTER%ENT%0%ENT%0%ENT%handycafe.com%ENT%handycafe.com.COOKIE_START%ENT%1%ENT%0%ENT%0%ENT%1%ENT%0%ENT%0%ENT%1.MENU_AD%ENT%3000%ENT%hXXp://ads.handycafe.com/ads.php?l=ua%ENT0000%ENT 00%ENT%0%ENT%handycafe.com%ENT%handycafe.com%ENT%0.LOGO_AD%ENT 10%ENT%http://ads.handycafe.com/sr.php?l=ua%ENT%0%ENT%0%ENT%0%ENT%search.php%ENT%search.handycafe.com%ENT%0.URL_1%ENT10%ENT%hXXp://search.handycafe.com/?ua%ENT%Search%ENT%0%ENT%0%ENT