hndclient.exe

HandyCafe Client

Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘hndclient’. This file is installed with the program handyCafe Client.
Product:
HandyCafe Client

Version:
3.4.1.4

MD5:
c199cc7b60b06dca2220a6499777b33d

SHA-1:
a50bc23811d45d77d954e3de0fb98d5211b4402d

SHA-256:
a0f9797d06a913c64d4bac17deb4498ba442a86bd75f09beb665df232a0f07d4

Scanner detections:
1 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
4/26/2024 5:01:53 PM UTC

Scan engine:
Norman

Detection:
Malware

Engine version:
11.20140112

File size:
3 MB (3,145,080 bytes)

Product version:
3.4.14

Copyright:
Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti

Trademarks:
Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti

Original file name:
hndclient.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\Program Files\handycafe\client\hndclient.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/17/2013 8:00:00 AM

Valid to:
11/18/2015 7:59:59 AM

Subject:
CN="Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti", L=Istanbul, S=TR, C=TR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6E54E478C4B86CD0A3A473682202D107

File PE Metadata
Compilation timestamp:
6/20/1992 6:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:mqQP7UjePQSVQKubB6mQuTNTS98eTAHTBNGh6j3zeJjU6bW:mZP7U232HTBywyJjJW

Entry address:
0x18C82C

Entry point:
55, 8B, EC, B9, 05, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 53, B8, 84, BF, 58, 00, E8, 46, AC, E7, FF, 8B, 1D, B0, 03, 5A, 00, 33, C0, 55, 68, 00, CA, 58, 00, 64, FF, 30, 64, 89, 20, 68, 10, CA, 58, 00, 6A, 00, 68, 01, 00, 1F, 00, E8, D5, B2, E7, FF, A3, B0, 88, 5A, 00, 83, 3D, B0, 88, 5A, 00, 00, 76, 10, A1, B0, 88, 5A, 00, 50, E8, D4, AE, E7, FF, E9, 5C, 01, 00, 00, 6A, 00, 68, 20, CA, 58, 00, E8, 8B, B8, E7, FF, 85, C0, 0F, 87, 48, 01, 00, 00, 68, 10, CA, 58, 00, 6A, 00, 6A, 00, E8, FD, AE, E7, FF, A3...
 

Entropy:
7.0518

Developed / compiled with:
Microsoft Visual C++

Code size:
1.5 MB (1,620,992 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
hndclient

Command:
C:\Program Files\handycafe\client\hndclient.exe


The file hndclient.exe has been discovered within the following programs.

handyCafe Client  by Ates Software
This is the ad-supported client for connecting to a handyCafe enabled platform.
www.handycafe.com
About 1% of users remove it
 

The executing file has been seen to make the following network communications in live environments.
