HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.759 (B) (Emsisoft), Gen:Variant.Barys.759 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR, SpyToolArdamax.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1b881bf3ec195b2de5cc5e72179ab29a
SHA1: b0ea54e80a02a39bd7acc39d6894e7072f193e1b
SHA256: 38ce237ee2e0274f29c44820a12d9c3ebc473c57bbc33368e491f1ee8b24feed
SSDeep: 24576:Y7654dNIZmVOszQgGth/hM00xOsX0X mayKWwkiX 1cy8Z/nEZa6b/RIO5eplWem:eNIZUchwhkXKvkiX y8V8aEr2bJa
Size: 1716224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: applications install
Created at: 2014-06-29 14:49:37
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The SpyTool creates the following process(es):
%original file name%.exe:432
%original file name%.exe:324
The SpyTool injects its code into the following process(es):
DJN.exe:2008
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:324 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\KEONCI\DJN.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\KEONCI\DJN.02 (56 bytes)
%Documents and Settings%\All Users\Application Data\KEONCI\DJN.01 (80 bytes)
%Documents and Settings%\All Users\Application Data\KEONCI\DJN.00 (2 bytes)
Registry activity
The process DJN.exe:2008 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C DD 8B A6 73 1C 5D 78 47 A2 63 03 A5 E6 B5 DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To run itself automatically each time Windows is booted, the SpyTool adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DJN Start" = "%Documents and Settings%\All Users\Application Data\KEONCI\DJN.exe"
The process %original file name%.exe:432 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 91 AE DD 5A 41 6B 45 D7 33 68 C9 86 B4 E2 5D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:324 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 82 98 81 C5 3F F6 56 CA 6F 55 06 49 77 3B B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\KEONCI]
"DJN.exe" = "DJN"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The SpyTool modifies the IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool modifies the IE security-zone settings to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The SpyTool modifies the IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
8942289fe2d65d66fb8bbbd8f5f1bd5b | c:\Documents and Settings\All Users\Application Data\KEONCI\DJN.01 |
dad4d733fbc7bb35c39be08f922a95bd | c:\Documents and Settings\All Users\Application Data\KEONCI\DJN.02 |
3710bdb7e3ba37a6773e2f9920bb0d94 | c:\Documents and Settings\All Users\Application Data\KEONCI\DJN.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name: z75EJ09k
Product Name: F17Mq02oY84QL6
Product Version: 116.236.179.55
Legal Copyright: a07kc15Sn64
Legal Trademarks: t50xw12gc84JQ9
Original Filename: cr5jkeks.exe
Internal Name: cr5jkeks.exe
File Version: 116.236.179.55
File Description: god
Comments: a41Gt68eB79gm2
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 1702388 | 1703936 | 5.53643 | 4338ff2737b300dca0cbdc51e97bafef |
.rsrc | 1712128 | 992 | 4096 | 0.726898 | f923f9c785156a811a0a35e4e7b9c3fe |
.reloc | 1720320 | 12 | 4096 | 0.011373 | 3f7ab1a6eb3b24cfb50a13584bdbaaf2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
DJN.exe_2008:
.text
`.rdata
@.data
.rsrc
PSSSSSSh
YYht%S
t*hl%S
t*hd%S
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
.EKSWU
FTPG
FTPj
FtPS
=KNILw.tT=RCNEw
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro>
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro>
Camellia for x86 by <appro>
RC4 for x86, CRYPTOGAMS by <appro>
FRegDeleteKeyExW