ipsrv.exe

HandyCafe - Filtre Server

Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti

The executable ipsrv.exe has been detected as malware by 8 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘HandyCafe Filter Server’. While running, it connects to the Internet address li1424-167.members.linode.com on port 80 using the HTTP protocol.
Product:
HandyCafe - Filtre Server

Version:
4.1.1.0

MD5:
6136e921be110faee81f80d5885fa9a7

SHA-1:
1d8ba7adca3615ec31049191926bbf336b561afa

SHA-256:
d0ba2c0b2b7c43b62fd23558c8c24ece6dfede86f4ed3071d06a9423a31f96b7

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
11/27/2024 1:03:35 PM UTC

Scan engine              Detection                         Engine version
Lavasoft Ad-Aware        Trojan.Generic.12339429           737
Bitdefender              Trojan.Generic.12339429           1.0.20.145
Emsisoft Anti-Malware    Trojan.Generic.12339429           8.15.01.29.06
F-Secure                 Trojan.Generic.12339429           11.2015-29-01_5
G Data                   Trojan.Generic.12339429           15.1.24
MicroWorld eScan         Trojan.Generic.12339429           16.0.0.87
nProtect                 Trojan.Generic.12339429           14.12.16.01
Rising Antivirus         PE:Malware.InstallMonstr!6.38     23.00.65.15127

File size:
7.1 MB (7,496,544 bytes)

Product version:
4.1.10

Copyright:
Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti

Trademarks:
Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti

Original file name:
ipsrv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\handycafe\filter server\ipsrv.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/16/2013 4:00:00 PM

Valid to:
11/17/2015 3:59:59 PM

Subject:
CN="Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Ates Yazilim, Bilgisayar & Internet Teknolojileri Tic Ltd Sti", L=Istanbul, S=TR, C=TR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6E54E478C4B86CD0A3A473682202D107

File PE Metadata
Compilation timestamp:
12/12/2014 1:51:27 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:I6/m+FWxFNCyllkvy5Z/lZojbU8lnq5uLHNjEtBMJT7+wHxibDhvS0Ee:IA7UFoaZ0jbU8lqWV6yxihvS0Ee

Entry address:
0x387158

Entry point:
55, 8B, EC, B9, 05, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 53, 56, 57, B8, D4, 8B, 77, 00, E8, 7C, 8A, C8, FF, 33, C0, 55, 68, B8, 73, 78, 00, 64, FF, 30, 64, 89, 20, 68, C8, 73, 78, 00, 6A, 00, 68, 01, 00, 1F, 00, E8, 25, CB, C8, FF, A3, 0C, 2F, 83, 00, 83, 3D, 0C, 2F, 83, 00, 00, 76, 10, A1, 0C, 2F, 83, 00, 50, E8, 30, C7, C8, FF, E9, EC, 01, 00, 00, 6A, 00, 68, E4, 73, 78, 00, E8, 1B, D2, C8, FF, 85, C0, 0F, 87, D8, 01, 00, 00, 68, C8, 73, 78, 00, 6A, 00, 6A, 00, E8, 61, C7, C8, FF, A3, 0C, 2F, 83, 00...

Entropy:
7.0709

Developed / compiled with:
Microsoft Visual C++

Code size:
3.5 MB (3,692,544 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
HandyCafe Filter Server

Command:
"C:\Program Files\handycafe\filter server\ipsrv.exe" -h

The executable has been observed making the following network connection in live environments.

TCP (HTTP):
Connects to li1424-167.members.linode.com (139.162.157.167:80)

Powered by Reason Core Security