Win32/Caphaw [Threat Name]
Win32/Caphaw.K [Threat Variant Name]
Category: trojan
Size: 335872 B
Detection created: Nov 12, 2012
Detection database version: 7789
Aliases: Trojan.Win32.Bublik.aapp (Kaspersky), Win32:Caphaw-R (Avast)
Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan hides its presence in the system.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\%variable%\%variable%.exe
A string with variable content is used in place of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%appdata%\%variable%\%variable%.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 3
- "1609" = 3
- "2500" = 3
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "DisableCachingOfSSLPages" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "NoProtectedModeBanner" = 1
The trojan creates the following files:
- %appdata%\Mozilla\Firefox\Profiles\%profile%\user.js (392 B)
The trojan injects its own program code into all running processes and runs it there in a newly created thread.
After the installation is complete, the trojan deletes the original executable file.
Information stealing
Win32/Caphaw.K is a trojan that steals sensitive information.
The trojan collects the following information:
- operating system version
- CPU information
- memory status
- list of disk devices and their type
- computer name
- information about the operating system and system settings
- installed software
- Internet Explorer version
- Mozilla Firefox version
- antivirus software detected on the affected machine
- installed firewall application
- list of running processes
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
- cookies
The trojan collects sensitive information when the user browses certain web sites.
The following programs are affected:
- Internet Explorer
- Mozilla Firefox
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs. The HTTPS protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- send files to a remote computer
- remove itself from the infected computer
- monitor network traffic
- modify network traffic
- capture video of the user's desktop
- delete cookies
The trojan hooks the following Windows APIs:
- NtQueryDirectoryFile (ntdll.dll)
- NtEnumerateValueKey (ntdll.dll)
- NtCreateUserProcess (ntdll.dll)
- NtCreateThread (ntdll.dll)
- ExitWindowsEx (user32.dll)
- GetMessageW (user32.dll)
- InitiateSystemShutdownExW (advapi32.dll)
- HeapDestroy (kernel32.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetSetStatusCallback (wininet.dll)
- send (ws2_32.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- PR_Close (nspr4.dll)
- CERT_VerifyCertName (nss3.dll)
- CERT_VerifyCertNow (nss3.dll)