cafconsetup.exe

caf_2

CAFCON Co.,Ltd.

The application cafconsetup.exe by CAFCON Co.,Ltd. has been detected as a potentially unwanted program by 10 anti-malware scanners. It is a setup and installation application that has been known to bundle potentially unwanted software. The file has been seen being downloaded from cafcon.devone.co.kr.
Publisher:
CAFCON Co.,Ltd.  (signed and verified)

Product:
caf_2

Version:
1.00

MD5:
e9e91dbbd20891eded712467dd44ee59

SHA-1:
2d24fec1cdef03337209cc27d19ad52ee534df66

SHA-256:
34a677d6e9c89db6c0a4c4f04cc3656859f990670926c78f2e3c1cfd68b7c3c1

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
5/7/2024 2:13:39 PM UTC

Scan engine               Detection                                      Engine version
Lavasoft Ad-Aware         Gen:Variant.Wnmu.1                             370
AhnLab V3 Security        PUP/Win32.Cafcon                               2015.01.13
Comodo Security           UnclassifiedMalware                            20692
Dr.Web                    BACKDOOR.Trojan                                9.0.1.030
F-Secure                  Gen:Variant.Wnmu.1                             11.2016-30-01_7
McAfee                    GenericR-CLT!E9E91DBBD208                      5600.6504
MicroWorld eScan          Gen:Variant.Wnmu.1                             17.0.0.90
Rising Antivirus          PE:Trojan.Win32.Generic.14C6EB92!348580754     23.00.65.16128
Trend Micro House Call    ADW_KRADDARE                                   7.2.30
Trend Micro               ADW_KRADDARE                                   10.465.30

File size:
3.2 MB (3,369,528 bytes)

Product version:
1.00

Original file name:
caf_2.exe

File type:
Executable application (Win32 EXE)

Language:
Korean (Korea)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\cafconsetup.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/23/2013 4:00:00 PM

Valid to:
12/24/2014 3:59:59 PM

Subject:
CN="CAFCON Co.,Ltd.", OU=IT Team, O="CAFCON Co.,Ltd.", L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
39C5BD8C073E535063B058AD0A5F35CD

File PE Metadata
Compilation timestamp:
6/1/2014 11:52:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:IiOZ3eTQHNKRAAbv3+0CfUkZMaq4KHiqf+JAsl5RKzUk5D6XvC+Sv+ZN1HX30:ItZ3EQHNKlwUkZ04vqkWIrXNZX30

Entry address:
0x1A54

Entry point:
68, 78, BF, 43, 00, E8, F0, FF, FF, FF, 00, 00, 48, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 38, 00, 00, 00, 32, 06, 3D, 74, 0B, FE, 45, 4C, AC, BD, 27, ED, E5, BF, C2, 34, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, B7, 00, 00, 00, 63, 61, 66, 5F, 32, 00, 61, 5C, 63, 61, 66, 5F, 32, 00, 61, 63, 00, 75, 70, 5C, 77, 6F, 72, 6B, 00, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 02, 00, 00, 00, 01, 00, 00, 00, 69, C1, 84, 29, F4, 24, 6B, 4D, 86, 40, B1, BE, E4, A7, A7, 4E, 01, 00, 00, 00, A0, 00, 00, 00...

Entropy:
7.7965

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
324 KB (331,776 bytes)

The file cafconsetup.exe has been seen being distributed by the following URL.
