Win32/Cadelspy [Threat Name]

Win32/Cadelspy.A [Threat Variant Name]

Category trojan
Size 636416 B
Detection created Dec 09, 2015
Detection database version 12695
Aliases Trojan-Spy.Win32.Cadelspy.a (Kaspersky)
  Trojan:Win32/Skeeyah.A!bit (Microsoft)
  Backdoor.Cadelspy!g1 (Symantec)
  DLOADER.Trojan (Dr.Web)

Win32/Cadelspy.A is a trojan that steals sensitive information. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %installfolder%\ldr32_x64.exe (91648 B, Win64/Cadelspy.A)
  • %installfolder%\ldr32_x86.exe (75264 B, Win32/Cadelspy.A)
  • %installfolder%\_tmp001\work.path
  • %installfolder%\_tmp001\x64\2093101001.cfg (1006 B)
  • %installfolder%\_tmp001\x64\2093101001.rou (85 B)
  • %installfolder%\_tmp001\x64\ntsvc32.dll (518144 B, Win64/Cadelspy.A)
  • %installfolder%\_tmp001\x64\ntsvcst32.dll (90624 B, Win64/Cadelspy.A)
  • %installfolder%\_tmp001\x86\ntsvc32.dll (415232 B, Win32/Cadelspy.A)
  • %installfolder%\_tmp001\x86\ntsvcst32.dll (79360 B, Win32/Cadelspy.A)
  • %installfolder%\_tmp001\x86\2093101001.cfg (1006 B)
  • %installfolder%\_tmp001\x86\2093101001.rou (85 B)

The %installfolder% is one of the following strings:

  • %systemvolume%\Documents and Settings\%username%\Local Settings\Temp\
  • C:\users\%username%\AppData\Local\Temp\

The trojan moves the following files (source, destination):

  • %installfolder%\_tmp001\x86\ntsvc32.dll, %system%\ntsvc32\ntsvc32.dll
  • %installfolder%\_tmp001\x86\ntsvcst32.dll, %system%\ntsvc32\ntsvcst32.dll
  • %installfolder%\_tmp001\x86\2093101001.cfg, %system%\ntsvc32\2093101001.cfg
  • %installfolder%\_tmp001\x86\2093101001.rou, %system%\ntsvc32\2093101001.rou

The trojan may delete the following folders:

  • %installfolder%\_tmp001\x86\
  • %installfolder%\_tmp001\x64\

The trojan executes the following files:

  • %installfolder%\ldr32_x64.exe "%malwarefilepath%" (x64)
  • %installfolder%\ldr32_x86.exe "%malwarefilepath%" (x86)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\ntsvc32\ntsvcst32.dll"
    • "LoadAppInit_DLLs" = 1

In this way the trojan ensures that the following library is injected into all running processes:

  • %system%\ntsvc32\ntsvcst32.dll

Information stealing

The trojan collects the following information:

  • MAC address
  • computer name
  • list of disk devices and their type
  • list of files/folders on a specific drive
  • operating system version
  • screenshots
  • data from the clipboard
  • logged keystrokes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send requested files
  • run executable files
  • stop itself for a certain time period

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\DWN]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\FLS]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\HDD]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\HLT]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\HST]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\PAP]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\ROU]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\UPL]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\CDT]
  • [HKEY_CURRENT_USER\SOFTWARE\ntsvc32\ROUSHDDWN]

The trojan keeps various information in the following files:

  • %windir%\fonts\ntpath\%variable%

A string with variable content is used instead of %variable%.
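A defender-side sweep for the locations this write-up lists, added here as an example; it is not part of the ESET description. It reads the AppInit_DLLs persistence value from the Installation section, looks for the HKCU\SOFTWARE\ntsvc32 storage keys and the dropped-file paths, and compares file sizes against the ones given above. Assumptions beyond the page: %system% is taken to mean the System32 folder (the SysWOW64 copy is also checked because the x86 components may land there through file-system redirection), HKEY_USERS is walked so every loaded profile is covered rather than only the current user, and the size comparison is only a hint, not a verdict.

```powershell
# Added example, not from the ESET write-up: read-only audit of the
# Win32/Cadelspy.A persistence and storage locations named on this page.
# Run from an elevated 64-bit PowerShell so System32 is not redirected.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. AppInit_DLLs persistence. Both registry views are read: on x64 Windows a
#    32-bit DLL is registered under WOW6432Node, a 64-bit one under the native key.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $p    = Get-ItemProperty -Path $key
    $dlls = [string]$p.AppInit_DLLs
    $load = [int]$p.LoadAppInit_DLLs
    $detail = "AppInit_DLLs='$dlls' LoadAppInit_DLLs=$load"
    if ($dlls -match 'ntsvcst32\.dll') {
        Add-Finding 'AppInit_DLLs (name from write-up)' $key $detail
    } elseif ($dlls.Trim() -ne '' -and $load -eq 1) {
        # Any populated AppInit_DLLs value deserves review; the name alone is not proof.
        Add-Finding 'AppInit_DLLs (review)' $key $detail
    }
}

# 2. Per-user storage keys (HKCU\SOFTWARE\ntsvc32\{DWN,FLS,...}), checked for
#    every hive loaded under HKEY_USERS. The HKU drive is an assumption of this
#    script, created here because PowerShell does not define it by default.
$subKeys = 'DWN','FLS','HDD','HLT','HST','PAP','ROU','UPL','CDT','ROUSHDDWN'
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    $base = "HKU:\$($hive.PSChildName)\SOFTWARE\ntsvc32"
    if (Test-Path $base) {
        $present = $subKeys | Where-Object { Test-Path "$base\$_" }
        Add-Finding 'Registry storage' $base ('subkeys present: ' + ($present -join ', '))
    }
}

# 3. Dropped files. Sizes are the ones listed on this page (x86, x64 builds);
#    a match is a hint only, the scanner's verdict is authoritative.
$sizes = @{
    'ntsvc32.dll'   = @(415232, 518144)
    'ntsvcst32.dll' = @(79360, 90624)
    'ldr32_x86.exe' = @(75264)
    'ldr32_x64.exe' = @(91648)
}
# Folders whose mere existence is an indicator according to the write-up.
$dropDirs = @(
    "$env:windir\System32\ntsvc32",
    "$env:windir\SysWOW64\ntsvc32",
    "$env:windir\Fonts\ntpath",
    "$env:TEMP\_tmp001"
)
foreach ($dir in $dropDirs) {
    if (-not (Test-Path $dir)) { continue }
    Add-Finding 'Folder' $dir 'exists'
    foreach ($f in Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue) {
        $want = $sizes[$f.Name]
        $note = if ($want -and $want -contains $f.Length) { "size $($f.Length) matches write-up" }
                else { "size $($f.Length)" }
        Add-Finding 'File' $f.FullName $note
    }
}
# The two loaders are dropped directly into the user's Temp folder.
foreach ($name in 'ldr32_x86.exe', 'ldr32_x64.exe') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path $path) {
        $len  = (Get-Item $path).Length
        $note = if ($sizes[$name] -contains $len) { "size $len matches write-up" } else { "size $len" }
        Add-Finding 'File' $path $note
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Cadelspy.A indicators from this write-up were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script changes nothing on the host; it only reports. A populated AppInit_DLLs value with LoadAppInit_DLLs set to 1 is reported even when the DLL name differs, because that registry mechanism loads the named library into every process that loads user32.dll and is worth reviewing regardless of which family set it. Profiles that are not currently loaded under HKEY_USERS are not covered; their NTUSER.DAT hives would have to be mounted separately.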
