Win32/Caphaw [Threat Name] go to Threat

Win32/Caphaw.K [Threat Variant Name]

Category trojan
Size 335872 B
Aliases Trojan.Win32.Bublik.aapp (Kaspersky)
  Win32:Caphaw-R (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan hides its presence in the system.


When executed, the trojan copies itself into the following location:

  • %appdata%\­%variable%\­%variable%.exe

A string with variable content is used instead of %variable% .

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable%" = "%appdata%\­%variable%\­%variable%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Lockdown_Zones\­3]
    • "1406" = 3
    • "1609" = 3
    • "2500" = 3
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "DisableCachingOfSSLPages" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "NoProtectedModeBanner" = 1

The trojan creates the following files:

  • %appdata%\­Mozilla\­Firefox\­Profiles\­%profile%\­user.js (392 B)

The trojan creates and runs a new thread with its own program code in all running processes.

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Caphaw.K is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • CPU information
  • memory status
  • list of disk devices and their type
  • computer name
  • information about the operating system and system settings
  • installed software
  • Internet Explorer version
  • Mozilla Firefox version
  • antivirus software detected on the affected machine
  • installed firewall application
  • list of running processes
  • installed program components under  [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall] Registry subkeys
  • cookies

The trojan collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTPS protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send files to a remote computer
  • remove itself from the infected computer
  • monitor network traffic
  • modify network traffic
  • capture video of user's desktop
  • delete cookies

The trojan hooks the following Windows APIs:

  • NtQueryDirectoryFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • ExitWindowsEx (user32.dll)
  • GetMessageW (user32.dll)
  • InitiateSystemShutdownExW (advapi32.dll)
  • HeapDestroy (kernel32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetSetStatusCallback (wininet.dll)
  • send (ws2_32.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • PR_Close (nspr4.dll)
  • CERT_VerifyCertName (nss3.dll)
  • CERT_VerifyCertNow (nss3.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.