Backdoor.Win32.Caphaw_QKKBAL_9f61a9b532

by malwarelabrobot on March 8th, 2014 in Malware Descriptions.

Trojan.Win32.Generic!BT (VIPRE), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 9f61a9b532ec5d517f8ec29d1eab88fb
SHA1: 36a6311230dc4745e2c724a50a2880c9b6e4e8b1
SHA256: e60baf782cbdb2872d877b49ea2e0936b7a0173481a5e2489901fb4a544ad058
SSDeep: 6144:Ga Cc25XMZUqcbePWTXgmodOUzNdVyrXXy6w8RuYvP9:GaW0DwWkmow2Ndsny3Yu09
Size: 302440 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-28 18:17:11
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

inbe.exe:1588
inbe.exe:2768
%original file name%.exe:2388
%original file name%.exe:2508

The Backdoor injects its code into the following process(es):

ctfmon.exe:252

File activity

The process inbe.exe:1588 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\debug.txt (12081 bytes)

The process %original file name%.exe:2508 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Bouxb\inbe.exe (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7d2c3fd2.bat (177 bytes)
C:\debug.txt (9523 bytes)

The process ctfmon.exe:252 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\debug.txt (5345 bytes)

Registry activity

The process inbe.exe:1588 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 9E 5F AC 1E 46 74 4F E9 F0 33 E3 3E 21 72 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process inbe.exe:2768 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 5E 68 8A 84 78 CF E4 F9 EC 4A BD C6 A8 76 1A"

The process %original file name%.exe:2388 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 8C 51 79 FF 83 C0 82 8D 22 0D C6 4B 2D 27 DB"

The process %original file name%.exe:2508 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 99 7B 95 CB 93 7E DC 61 04 58 AB D4 1D E5 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process ctfmon.exe:252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 48 2D B2 0B 37 73 B9 02 11 79 C6 07 84 96 DF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Ywox]
"Gaox" = "17 97 F1 EE 65 BB 21 29 1E DD 9B 98 1C 47 D8 D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = "0"

"EnableSPDY3_0" = "0"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

URL IP
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/B1BC968BD4F49D622AA89A81F2150152A41D829C.crt
hxxp://crl.globalsign.net/root.crl
hxxp://crl.alphassl.com/Alpha.crl
hxxp://www.google.com/webhp
hxxp://www.google.ca/webhp?gfe_rd=ctrl&ei=YGEZU9rKMaSC8Qf2tIDIDg&gws_rd=cr
hxxp://e6845.ce.akamaiedge.net/crls/secureca.crl
hxxp://e6845.ce.akamaiedge.net/crls/gtglobal.crl
hxxp://www3.l.google.com/GIAG2.crl


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Backdoor installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Backdoor installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Backdoor installs the following user-mode hooks in ntdll.dll:

NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    inbe.exe:1588
    inbe.exe:2768
    %original file name%.exe:2388
    %original file name%.exe:2508

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    C:\debug.txt (12081 bytes)
    %Documents and Settings%\%current user%\Application Data\Bouxb\inbe.exe (302 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp7d2c3fd2.bat (177 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now