{
	"id": "a7ac1fc1-0dad-48e0-a349-b13ceb6ce38e",
	"created_at": "2026-04-06T00:07:12.329335Z",
	"updated_at": "2026-04-10T03:21:53.704643Z",
	"deleted_at": null,
	"sha1_hash": "7ceab9c75a1e80dd228fe524c610c5f939ede78b",
	"title": "Elusive HanJuan EK Drops New Tinba Version (updated)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 947045,
	"plain_text": "Elusive HanJuan EK Drops New Tinba Version (updated)\r\nBy Jérôme Segura\r\nPublished: 2015-06-23 · Archived: 2026-04-05 23:42:04 UTC\r\nUpdate 07/03/15: AdFly contacted us and we are publishing their statement below:\r\nWe are sorry for the inconvenience but this is something AdFly is obviously not letting happen on purpose. We have several methods to prevent fraudulent advertising; unfortunately (and very occasionally), if a fraudulent advertiser changes the redirection of a campaign after it has been reviewed by us, this is a possibility.\r\nThis specific campaign has been located now and cancelled.\r\nWe normally ask our users to report malicious ads to the email abuse@adf.ly, providing the IP address that has seen it at least in the last 48 hours. This should allow us to track it and in most cases suspend the advertiser’s account.\r\nAdFly Support\r\nUpdate: Dutch security firm Fox-IT has identified the payload as an evolution of Tinba v2, a well-known banking trojan.\r\nIn this post, we describe a malvertising attack spread via a URL shortener and leading to HanJuan EK, a rather elusive exploit kit which in the past was used to deliver a Flash Player zero-day.\r\nOftentimes cyber-criminals use URL shorteners to disguise malicious links. 
However, in this particular case it is an advertisement embedded within the URL shortener service itself that leads to the malicious site.\r\nIt all begins with Adf.ly, which uses interstitial advertising, a technique where adverts are displayed on the page for a few seconds before the user is taken to the actual content.\r\nhttps://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/\r\nPage 1 of 20\r\nFollowing a complex malvertising redirection chain, the HanJuan EK is loaded and fires Flash Player and Internet Explorer exploits before dropping a payload onto disk.\r\nThe payload we collected uses several layers of encryption, within the binary itself and also in its communications with its command and control server.\r\nThe purpose of this Trojan is information stealing: it hooks the browser to act as a man-in-the-middle and grabs passwords and other sensitive data.\r\nTechnical details\r\nMalvertising chain\r\nThe first four sessions load the interstitial ad via an encoded JavaScript blurb:\r\nGoogle Chrome’s JavaScript console can help us quickly identify the redirection call without going through a painful decoding process:\r\nSubsequent redirections:\r\nThe next three sessions were somewhat different from the rest, and an actual connection between them could not be established right away. A deeper look revealed that the intended URL was loaded via Cross-Origin Resource Sharing (CORS).\r\nCross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) 
on a web page to be requested from another domain outside the domain from which the resource originated. (Wikipedia)\r\nContent is retrieved from the adk2.com ad network via a cross-origin request; it is the ad network’s response, carrying the Access-Control-Allow-Origin header, that lets the browser hand the content to the page.\r\nThis takes us to the actual malvertising, brought by youradexchange.com:\r\nThe inserted URL may look benign, and it is indeed a genuine Joomla website, but it has one caveat: it has been compromised and is used as the gate to the exploit kit.\r\nExploit kit\r\nThe exploit kit pushed here looked different from what we are used to seeing (Angler EK, Fiesta EK, Magnitude EK, etc.). After some analysis and comparisons, we believe it is the HanJuan EK.\r\nWe have talked about HanJuan EK only a very few times before because little is known about it. What we once described as the Unknown exploit kit was in fact HanJuan, and it has been extremely stealthy and evasive ever since.\r\nAnd yet, here we found HanJuan EK hosted on a compromised website, with an easy way to trigger it on demand.\r\nThe landing page is divided into two main parts:\r\nCode to launch a Flash exploit\r\nCode to launch an Internet Explorer exploit\r\nThe filename for the Flash exploit is randomly generated each time, following patterns close to those of the original HanJuan we observed before.\r\nHowever, a new GET request session containing the Flash version used is inserted right after the exploit is delivered.\r\nFinally, the payload is delivered via another randomly generated URL and filename with a .dat extension.\r\nContrary to previous versions of HanJuan, where the payload was fileless, this 
one drops an actual binary to disk.\r\nFiddler traffic:\r\nLanding page (raw):\r\nFlash exploit (affects versions up to 17.0.0.134 -> CVE-2015-0359):\r\nThe exploit performs a stack pivot, detected at the pivoted chain’s call into the VirtualAllocEx API.\r\nInternet Explorer exploit (CVE-2014-1776):\r\nThis one also performs a stack pivot, this time detected on a call into the undocumented NtProtectVirtualMemory API.\r\nMalwarebytes Anti-Exploit users were already protected against both these exploits:\r\nMalware payload\r\nThe malware payload delivered has been identified by our research team as Trojan.Agent.Fobber.\r\nThis name was derived from a folder called “Fobber” that is used to store the malware along with its associated files.\r\nUnlike a normal Windows program, Fobber makes it a habit to “hop” between different programs. The flow of execution for Fobber looks something like that seen below:\r\nFrom what we have observed in our research, the purpose of the Fobber malware appears to be stealing user credentials for various accounts. While we have not confirmed any ties between Fobber and other known malware as of yet, we suspect it may be related to other information-stealing Trojans, like Carberp or Tinba.\r\nFobber.exe\r\nThis is the original file dropped by the exploit kit in the user’s temporary directory. The file itself has a random name, but will be referred to as fobber.exe in this article.\r\nFobber.exe is a mildly obfuscated program. 
The samples we have observed always attempt to open random registry keys, and then the malware performs a long sequence of jumps in an effort to create something like a “rabbit hole” for analysts to follow, slowing down analysis.\r\nAt the end of the jumps, the program decodes additional shellcode and creates a suspended instance of verclsid.exe. Verclsid.exe is a legitimate Microsoft program that is part of Windows, used to verify shell extension Class IDs before Explorer loads them. The shellcode is injected into verclsid.exe, and fobber.exe then resumes execution of verclsid.exe. Below is an API trace of this behavior.\r\nAt this point fobber.exe terminates and the malware execution continues in verclsid.exe.\r\nVerclsid.exe (Fobber shellcode)\r\nThe main purpose of the Fobber shellcode inside this process is to retrieve the process ID (PID) of Windows Explorer (explorer.exe) and inject a thread into that process. 
Injecting code into Windows Explorer is a very common stealth technique that has been used in malware for many years.\r\nIt is also worth noting that, starting with the Fobber shellcode inside the verclsid process, the malware begins using an interesting unpacking technique designed to slow analysis, which is exhibited throughout the remainder of the Fobber malware’s operation.\r\nBefore a function can be executed, its code is first decrypted, as seen in the image below (notice the junk instructions following “decode_more”).\r\nAnd then, after the call, the instructions become clear.\r\nEventually, when the function wants to return, it calls a special procedure that uses a ROP gadget.\r\nInside the call seen above (“return_caller”), the return address is overwritten with the return address of the parent function (in this case, sub_41B21A). In addition, all the bytes of the function that was just executed have been re-encrypted, as seen below.\r\nSuch techniques can make the Fobber malware more difficult to analyze than traditional malware that unpacks the entire binary image: only the function currently executing is ever in the clear. Similar functionality is also seen in many commercial protectors, like Themida.\r\nIn order to locate the PID of Explorer, the malware searches for the taskbar window, whose class name is “Shell_TrayWnd” and which belongs to the Explorer process.\r\nThe shellcode uses the undocumented function RtlAdjustPrivilege to grant verclsid.exe the SE_DEBUG_PRIVILEGE. 
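As an added example (not code from the Malwarebytes post, nor from Fobber itself), here is a small Python correlation over Sysmon-style events that flags the chain described so far, a dropper in the user’s temp folder spawning verclsid.exe, which then creates a remote thread in explorer.exe, together with the two follow-on behaviours described in the sections below: a Run key pointing at the nemre.exe copy in the Fobber folder under AppData, and explorer.exe creating a remote thread in a browser. The event field names and the sample events are constructed for this example; process images are matched by name only, so the rules are a starting point for a hunt, not a precise signature.

```python
# Added example, not code from the Malwarebytes post or from Fobber: correlate
# Sysmon-style process-create, remote-thread and registry-set events to flag the
# Fobber chain (temp dropper -> verclsid.exe -> explorer.exe -> browser) and its
# Run-key persistence. Field names and sample events are constructed.
BS = chr(92)                  # a single backslash, the Windows path separator
BROWSERS = {'chrome.exe', 'iexplore.exe', 'firefox.exe'}

def w(*parts):
    # build a Windows path from its components
    return BS.join(parts)

def norm(path):
    # lower-case, forward-slash form so rules ignore case and separator style
    return path.lower().replace(BS, '/')

def basename(path):
    return norm(path).rsplit('/', 1)[-1]

def is_fobber_dropper(image):
    # fobber.exe lands in the user temp folder under a random name; the persisted
    # copy is AppData/Roaming/Fobber/nemre.exe and runs the same chain at logon
    p = norm(image)
    return p.endswith('.exe') and ('/appdata/local/temp/' in p or p.endswith('/appdata/roaming/fobber/nemre.exe'))

def is_fobber_persistence(data):
    return norm(data).endswith('/appdata/roaming/fobber/nemre.exe')

def find_fobber_chain(events):
    # walk events in time order; return [(rule_name, subject), ...]
    procs = {}        # pid -> its process_create event
    staged = set()    # verclsid.exe pids spawned by a dropper or nemre.exe
    carriers = set()  # explorer.exe pids that received a thread from a staged verclsid
    alerts = []
    for ev in events:
        kind = ev['type']
        if kind == 'process_create':
            procs[ev['pid']] = ev
            parent = procs.get(ev['parent_pid'])
            if (basename(ev['image']) == 'verclsid.exe' and parent is not None
                    and is_fobber_dropper(parent['image'])):
                staged.add(ev['pid'])
                alerts.append(('verclsid_spawned_by_dropper', ev['pid']))
        elif kind == 'remote_thread':
            target = procs.get(ev['target_pid'])
            if target is None:
                continue
            tname = basename(target['image'])
            if ev['source_pid'] in staged and tname == 'explorer.exe':
                carriers.add(ev['target_pid'])
                alerts.append(('verclsid_injects_explorer', ev['target_pid']))
            elif ev['source_pid'] in carriers and tname in BROWSERS:
                alerts.append(('explorer_injects_browser', ev['target_pid']))
        elif kind == 'registry_set':
            if norm(ev['key']).endswith('/currentversion/run') and is_fobber_persistence(ev['data']):
                alerts.append(('run_key_points_to_fobber', ev['value']))
    return alerts

# constructed sample timeline: an exploited IE tab drops q8t3k.exe, which stages
# verclsid.exe, which injects explorer.exe; explorer then persists and injects IE
SAMPLE_EVENTS = [
    {'type': 'process_create', 'pid': 1304, 'parent_pid': 900, 'image': w('C:', 'Windows', 'explorer.exe')},
    {'type': 'process_create', 'pid': 5000, 'parent_pid': 1304, 'image': w('C:', 'Program Files', 'Internet Explorer', 'iexplore.exe')},
    {'type': 'process_create', 'pid': 4100, 'parent_pid': 5000, 'image': w('C:', 'Users', 'alice', 'AppData', 'Local', 'Temp', 'q8t3k.exe')},
    {'type': 'process_create', 'pid': 4120, 'parent_pid': 4100, 'image': w('C:', 'Windows', 'System32', 'verclsid.exe')},
    {'type': 'remote_thread', 'source_pid': 4120, 'target_pid': 1304},
    {'type': 'registry_set', 'key': w('HKCU', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run'), 'value': 'nemre', 'data': w('C:', 'Users', 'alice', 'AppData', 'Roaming', 'Fobber', 'nemre.exe')},
    {'type': 'remote_thread', 'source_pid': 1304, 'target_pid': 5000},
    # benign: Explorer itself launching the shell-extension verifier must not fire
    {'type': 'process_create', 'pid': 4300, 'parent_pid': 1304, 'image': w('C:', 'Windows', 'System32', 'verclsid.exe')},
]

def demo():
    return find_fobber_chain(SAMPLE_EVENTS)

if __name__ == '__main__':
    for rule, subject in demo():
        print(rule, subject)
```

The suspended-process creation that the post mentions is not recorded in a standard Sysmon process-create event, so the first rule keys on the parent image instead; an EDR feed that logs creation flags could add that as a further condition. Note that the last sample event, verclsid.exe launched by Explorer itself, is the legitimate use of that binary and produces no alert.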
With SeDebugPrivilege enabled, verclsid.exe can open Windows Explorer and inject code into it without any issues.\r\nFollowing this function, more shellcode is decrypted in memory and a remote thread is created inside Explorer.\r\nFollowing successful injection, verclsid.exe terminates and the malware continues inside of Windows Explorer.\r\nExplorer.exe (Fobber shellcode)\r\nAt this point the Fobber malware begins its main operations, including establishing persistence on the victim computer, contacting the C&C server, and many more actions.\r\nPersistence\r\nFobber keeps a foothold on the victim computer by copying itself (fobber.exe) into an AppData folder called “Fobber” using the name nemre.exe. On a typical computer, this path might look like:\r\nC:\\Users\\<username>\\AppData\\Roaming\\Fobber\\nemre.exe\r\nThe binary is launched when a user logs in, using a traditional “Run” key in the registry.\r\nWhenever nemre.exe is launched at login, it proceeds using the same flow of execution, injecting into verclsid.exe and then into Windows Explorer.\r\nModifying Internet Settings\r\nFobber also makes a few changes to the victim’s Internet settings to ensure everything runs smoothly:\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\Main, value TabProcGrowth: set to 1 (on)\r\nHKCU\\Software\\Microsoft\r\nIn addition, if the Firefox browser is installed, Fobber attempts to modify browser settings by disabling the SPDY protocol, although it does not seem like this function was implemented correctly.\r\nContacting the command server\r\nCommunication with the C&C is encrypted using what is believed to be a custom algorithm. 
On top of that encryption, the content sent by the server is signed with its RSA1 key (“RSA1” being the magic of a Windows CryptoAPI public key blob), to prevent botnet hijacking; the Fobber code has the public key embedded within it and verifies the signature before processing the content.\r\nThe communication is initialized by the infected client’s POST request; the data sent from the client is always prefixed with its ID, which consists of the hard disk volume serial number and the OS install date. Following this is content specific to the request made to the server. Example (initial request: 18 bytes long), raw:\r\n79 3B C3 40 9B AC 80 55 00 05 00 00 00 50 4C 00 00 FF |y;Ă@›¬€U....PL..˙|\r\nafter encoding:\r\n7A 32 53 3C 6E B6 BC 3F 92 27 5C 3F F7 0C 21 0F 0B C8 |z2S.n..?.'?..!...|\r\nDuring the course of communication, the command server may send some notable payloads, e.g.:\r\nUpdated explorer shellcode\r\nList of new command servers\r\nThe payloads are saved in the malware’s directory, in encrypted form, and decrypted by Fobber as needed:\r\nThus far we have observed three particular files the Fobber malware looks for, which are: ktx.sdd, lerp.wpo, and mlc.dfw. As of the time of this writing, we have not ascertained what mlc.dfw is used for, although we believe it is still stored in an encrypted format like the other Fobber files.\r\nUpdating Command Servers\r\nOne file Fobber downloads periodically from the command server is called “lerp.wpo”. This file contains updated command server information to help the malware stay operational should any command servers be taken down. 
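Added example (Python, not code from the post or from the malware): a model of the client side of the update channel just described, with the pieces a practitioner would want to see end to end: the 8-byte client ID, a request framed as ID plus request-specific bytes, a signed server blob that is rejected unless the signature verifies against the embedded public key, and a parser for the decrypted lerp.wpo server list using the domain-then-POST-path layout documented directly below. Every format detail is an assumption made for the example: the ID is taken as two little-endian DWORDs (volume serial, then install date), the blob as a 16-byte big-endian signature followed by the content, lerp.wpo as NUL-terminated domain/path pairs, and the key as a toy textbook RSA pair built from two Mersenne primes standing in for the real RSA1 key. The custom transport cipher is not modelled.

```python
# Added example, not code from the Malwarebytes post or from Fobber: a model of
# the client side of the update channel. All layouts below are assumptions for
# the example (see the lead-in); the custom transport cipher is not modelled.
import hashlib
import struct

NUL = bytes([0])

def client_id(volume_serial, install_date):
    # assumed: two little-endian DWORDs, volume serial then OS install date
    return struct.pack('<II', volume_serial, install_date)

def frame_request(cid, body):
    # every client message is the 8-byte ID followed by request-specific bytes
    if len(cid) != 8:
        raise ValueError('client id must be 8 bytes')
    return cid + body

# Toy textbook RSA pair (two Mersenne primes) standing in for the real RSA1 key.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
TOY_N = _P * _Q
TOY_E = 65537
_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))     # private exponent, C2 side only
EMBEDDED_PUBKEY = (TOY_N, TOY_E)             # what the bot carries

def _digest_int(content):
    # 64-bit truncation of SHA-256 keeps the value below the toy modulus
    return int.from_bytes(hashlib.sha256(content).digest()[:8], 'big')

def server_sign(content):
    # C2 side: prepend a 16-byte big-endian signature over the content
    sig = pow(_digest_int(content), _D, TOY_N)
    return sig.to_bytes(16, 'big') + content

def verify_update(blob, pubkey=EMBEDDED_PUBKEY):
    # bot side: return the content only if the signature verifies, else None;
    # nothing in the content is parsed before this check passes
    n, e = pubkey
    if len(blob) < 16:
        return None
    sig = int.from_bytes(blob[:16], 'big')
    content = blob[16:]
    if sig >= n or pow(sig, e, n) != _digest_int(content):
        return None
    return content

def parse_lerp(decrypted):
    # assumed layout: NUL-terminated domain, NUL-terminated POST path, repeated
    fields = decrypted.split(NUL)
    if fields and fields[-1] == b'':
        fields.pop()                       # drop the trailing terminator
    if len(fields) % 2:
        raise ValueError('odd number of fields in lerp.wpo')
    servers = []
    for i in range(0, len(fields), 2):
        domain = fields[i].decode('ascii')
        path = fields[i + 1].decode('ascii')
        if not domain or not path.startswith('/'):
            raise ValueError('malformed server record')
        servers.append((domain, path))
    return servers

# constructed sample: the ID is the first 8 bytes of the raw request in the post,
# read little-endian (0x40C33B79, 0x5580AC9B); the server list uses TEST-NET addresses
SAMPLE_ID = client_id(0x40C33B79, 0x5580AC9B)
SAMPLE_LERP = NUL.join([b'203.0.113.10', b'/upd', b'198.51.100.7', b'/gate']) + NUL

def demo():
    blob = server_sign(SAMPLE_LERP)                              # what the real C2 would send
    tampered = blob[:16] + blob[16:].replace(b'203', b'204')     # a hijack attempt
    content = verify_update(blob)
    return {
        'id_hex': SAMPLE_ID.hex(' '),
        'servers': parse_lerp(content),
        'tampered_accepted': verify_update(tampered) is not None,
    }

if __name__ == '__main__':
    print(demo())
```

Reading the first eight bytes of the post’s raw request as little-endian gives a volume serial of 0x40C33B79 and an install date of 0x5580AC9B, a Unix time in June 2015, which is why the example uses that byte order; an analyst would confirm it against the sample rather than take it on trust. The design point worth keeping is the order of operations in verify_update: the content is not parsed until the signature has been checked, which is what stops a takeover server from feeding the bot a new server list.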
The format for lerp.wpo is:\r\n[Domain][Post Directory]\r\nBelow is an example of a decrypted lerp.wpo file (the domain is NUL-terminated, followed by the POST path):\r\n003F810C | 35 2E 31 39 36 2E 31 38 39 2E 33 34 00 2F 48 63 | 5.196.189.34./Hc\r\n003F811C | 6D 44 75 6F\r\nWhen the list of new command servers arrives, Fobber switches to the new server:\r\nBrowser injection\r\nFobber also keeps a close eye on the processes running on the victim’s computer. In particular, Fobber checks for the Google Chrome, Internet Explorer and Mozilla Firefox web browsers. Unlike the traditional process enumeration used by malware, however, Fobber first takes each running process name and computes a checksum-like value from it to compare against hard-coded process checksums. By doing this, Fobber does not have to include the name of the actual process it is searching for, only the checksum, which further inhibits analysis. For example, the checksum for Internet Explorer is 0xFC03162D.\r\nOnce Fobber has found a browser running, it injects code into it using the same routine it used for the Windows Explorer injection.\r\nUpdating the malware\r\nOver time, Fobber can update itself by contacting the command server and downloading an additional file called “ktx.sdd”. This file is downloaded into the Fobber directory alongside nemre.exe and loaded into memory if it exists.\r\nBy doing this, the Fobber malware can “refresh” itself, further enabling it to maintain a foothold in the victim system and to look for new or different information to steal.\r\nChrome, Internet Explorer, or Firefox (Fobber shellcode)\r\nFollowing successful browser injection, Fobber looks for the presence of a library used by IBM Security Trusteer Rapport and tries to unload it from memory. 
Rapport offers protection of browser sessions, which would likely interfere with the malware’s operation.\r\nFollowing this check, Fobber checks to see what process it is in and hooks certain functions accordingly.\r\nIn Internet Explorer, two common functions from wininet.dll are hooked: InternetCloseHandle and HttpSendRequest.\r\nWhen a request is made in which a user has to enter credentials for a website, Fobber checks to see if it is something interesting. To do this, it compares the URL in the request to a list of regular expression strings that are decoded in memory. Each item in the list is prefixed with either “P” or “!GP”, the meaning of which is not clear.\r\nWhen Fobber finds a request matching an expression, it packages the request using the same custom algorithm and sends it to the command server. Below is an example of a request to log in to a Google account, where the username and password are intercepted in the clear, before WinINet encrypts the request and sends it to Google’s servers for authentication (username and password filtered).\r\nOnce it has arrived at the command server, the package will be decrypted and likely parsed using a separate program to extract relevant information, like usernames and passwords.\r\nConclusion\r\nEvery encounter with HanJuan EK is interesting because it happens so rarely. As always, the exploit kit only targets the pieces of software that have the highest return on investment (read: most deployed and with available vulnerabilities): Internet Explorer and the Flash Player.\r\nThe malvertising component was a little bit out of place for such a stealthy exploit kit. This is also true for the site hosting the kit, a genuine Joomla! 
website in the Netherlands. We have passed on the information about that server so that a forensic analysis and full investigation can be conducted.\r\nThe dropped binary, which we nicknamed Fobber, has the ability to steal valuable user credentials and is also fairly resistant to removal, since it receives updates to both itself and its command servers. While our research teams have not observed Fobber stealing any banking information, it certainly seems possible considering the flexibility offered by the malware’s update model. We will continue to provide updates on Fobber in our blog as we see any improvements made in the malware.\r\nContributing analysts: @joshcannell @hasherezade\r\nSource: https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/"
	],
	"report_names": [
		"elusive-hanjuan-ek-caught-in-new-malvertising-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ceab9c75a1e80dd228fe524c610c5f939ede78b.pdf",
		"text": "https://archive.orkl.eu/7ceab9c75a1e80dd228fe524c610c5f939ede78b.txt",
		"img": "https://archive.orkl.eu/7ceab9c75a1e80dd228fe524c610c5f939ede78b.jpg"
	}
}