SpyTool.Win32.Ardamax_b212ec71b1

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The SpyTool creates the following process(es):

sal.exe:224
%original file name%.exe:860
%original file name%.exe:1756
attrib.exe:1308

The SpyTool injects its code into the following process(es):

RSV.exe:1340

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process sal.exe:224 makes changes in the file system.

The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ztmp\tmp12293.bat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ztmp\tmp93643.exe (15 bytes)

The process %original file name%.exe:860 makes changes in the file system.

The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (17237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\img9.jpg (15116 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.

The SpyTool creates and/or writes to the following file(s):

C:\sal.exe (97 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.02 (56 bytes)

Registry activity

The process RSV.exe:1340 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 2E 02 39 0E DB C9 36 67 41 68 EA FC 3A 44 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSV Start" = "%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.exe"

The process %original file name%.exe:860 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED A4 E8 ED 7B 6F C5 C5 12 FE 73 F6 83 4A 04 0A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1756 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 03 54 8F A1 B8 76 FE F6 63 49 4F 17 1E 2D DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"sal.exe" = "sal"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\HSBQDH]
"RSV.exe" = "RSV"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process attrib.exe:1308 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 17 01 B5 CE A6 05 50 FF 22 CB 43 28 CC 97 93"

Dropped PE files

MD5	File path
7059cdba57a398f80a9afd3de0ffbd07	c:\Documents and Settings\All Users\Application Data\HSBQDH\RSV.01
def249d7a5f5aa0ae0caf1d3b9700171	c:\Documents and Settings\All Users\Application Data\HSBQDH\RSV.02
3d09e558be6c81f8e5fdde46888944d6	c:\Documents and Settings\All Users\Application Data\HSBQDH\RSV.exe
41d036fa50ec185b664e18f3ab5ae708	c:\sal.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 3, 3, 8, 1File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	525852	526336	4.63347	61ffce4768976fa0dd2a8f6a97b1417a
.rdata	532480	57280	57344	3.32693	0354bc5f2376b5e9a4a3ba38b682dff1
.data	589824	108376	26624	1.49032	8033f5a38941b4685bc2299e78f31221
.rsrc	700416	79736	79872	3.00788	ab202bb49cc61e8c9ffa54d52680b44b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
7bb034e6bc40fb66af4d2386a73ee693
8787c6cc950dfdf0e11e456c8fccb16f
d4a31af72d07c107d7477c2bc56caeac
4f0406247d30943d185e3f34cef53655
dcdefc01bd63d0df51270230d85e2313

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

RSV.exe_1340:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

udPh

udPh

PSSSSSSh

PSSSSSSh

PSSSSSSh!

PSSSSSSh!

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

.EKSWU

.EKSWU

FTPG

FTPG

FTPj

FTPj

FtPS

FtPS

H%x\U

H%x\U

H%x]U

H%x]U

=KNILw.tT=RCNEw

=KNILw.tT=RCNEw

_0 _8 _4;_,

_0 _8 _4;_,

SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>

6-9'6-9'

6-9'6-9'

$6.:$6.:

$6.:$6.:

*?#1*?#1

*?#1*?#1

>8$4,8$4,

>8$4,8$4,

AES for x86, CRYPTOGAMS by <appro></appro>

AES for x86, CRYPTOGAMS by <appro></appro>

Camellia for x86 by <appro></appro>

Camellia for x86 by <appro></appro>

RC4 for x86, CRYPTOGAMS by <appro></appro>

RC4 for x86, CRYPTOGAMS by <appro></appro>

FRegDeleteKeyExW

FRegDeleteKeyExW

MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}