Trojan.Win32.Autoit.bbw (Kaspersky), Trojan.GenericKD.1735684 (B) (Emsisoft), Trojan.GenericKD.1735684 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b212ec71b1aca8d6d3f7bbc75e109dad
SHA1: c85e07994c491578f9fcc1d96f1688404d8ed3fc
SHA256: 8f5189fa9bca055fd9fc009e9736662f48566bb5ab2be40af49f43b5cf0d86dd
SSDeep: 49152:mJZoQrbTFZY1ia8UkPBDGirD6DomY4tIkL7JTj9IQjSGTzamt8beJcKLjNPzBrRQ:mtrbTA15MBDGkD6DomY4tXJnZSmt8bSQ
Size: 2865010 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: iWebar
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The SpyTool creates the following process(es):
sal.exe:224
%original file name%.exe:860
%original file name%.exe:1756
attrib.exe:1308
The SpyTool injects its code into the following process(es):
RSV.exe:1340
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process sal.exe:224 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ztmp\tmp12293.bat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ztmp\tmp93643.exe (15 bytes)
The process %original file name%.exe:860 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (17237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\img9.jpg (15116 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
The process %original file name%.exe:1756 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
C:\sal.exe (97 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.02 (56 bytes)
Registry activity
The process RSV.exe:1340 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 2E 02 39 0E DB C9 36 67 41 68 EA FC 3A 44 72"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To run itself automatically each time Windows is booted, the SpyTool adds the following value, pointing to its file, to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSV Start" = "%Documents and Settings%\All Users\Application Data\HSBQDH\RSV.exe"
The process %original file name%.exe:860 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED A4 E8 ED 7B 6F C5 C5 12 FE 73 F6 83 4A 04 0A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1756 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 03 54 8F A1 B8 76 FE F6 63 49 4F 17 1E 2D DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"sal.exe" = "sal"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\HSBQDH]
"RSV.exe" = "RSV"
The SpyTool modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool modifies IE security zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process attrib.exe:1308 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 17 01 B5 CE A6 05 50 FF 22 CB 43 28 CC 97 93"
Dropped PE files
MD5 | File path |
---|---|
7059cdba57a398f80a9afd3de0ffbd07 | c:\Documents and Settings\All Users\Application Data\HSBQDH\RSV.01 |
def249d7a5f5aa0ae0caf1d3b9700171 | c:\Documents and Settings\All Users\Application Data\HSBQDH\RSV.02 |
3d09e558be6c81f8e5fdde46888944d6 | c:\Documents and Settings\All Users\Application Data\HSBQDH\RSV.exe |
41d036fa50ec185b664e18f3ab5ae708 | c:\sal.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 525852 | 526336 | 4.63347 | 61ffce4768976fa0dd2a8f6a97b1417a |
.rdata | 532480 | 57280 | 57344 | 3.32693 | 0354bc5f2376b5e9a4a3ba38b682dff1 |
.data | 589824 | 108376 | 26624 | 1.49032 | 8033f5a38941b4685bc2299e78f31221 |
.rsrc | 700416 | 79736 | 79872 | 3.00788 | ab202bb49cc61e8c9ffa54d52680b44b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5
7bb034e6bc40fb66af4d2386a73ee693
8787c6cc950dfdf0e11e456c8fccb16f
d4a31af72d07c107d7477c2bc56caeac
4f0406247d30943d185e3f34cef53655
dcdefc01bd63d0df51270230d85e2313
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
RSV.exe_1340:
.text
`.rdata
@.data
.rsrc
udPh
PSSSSSSh
PSSSSSSh!
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
.EKSWU
FTPG
FTPj
FtPS
H%x\U
H%x]U
=KNILw.tT=RCNEw
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro>
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro>
Camellia for x86 by <appro>
RC4 for x86, CRYPTOGAMS by <appro>
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}