SpyTool.Win32.Ardamax_a601709940 – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Gen:Variant.FAkeAlert.105 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, SpyTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a60170994035160438a1a45d6ea6c7d2

SHA1: 4cd697e415511cee789fc631e7599801a6342f7c

SHA256: dc3bd5049bf7f2b61f7f79ad8f7465f5df8a781928695220030ecd7360d99cc6

SSDeep: 49152:/ ohb9F7pUsAKZ1FYN7ABhXo97S4MmNKf4Py1wC:/Fhb9NmoJa7ATo9utmIwPy1

Size: 2126848 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Ke v in S o l w a y

Created at: 2014-06-09 15:04:01

Analyzed on: WindowsXP SP3 32-bit

Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The SpyTool creates the following process(es):

a60170994035160:1276

The SpyTool injects its code into the following process(es):

YEI.exe:580

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process a60170994035160:1276 makes changes in the file system.

The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\DEBCLS\YEI.02 (56 bytes)
%Documents and Settings%\All Users\Application Data\DEBCLS\YEI.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\DEBCLS\YEI.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\DEBCLS\YEI.01 (82 bytes)

Registry activity

The process YEI.exe:580 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 E7 E9 4C 16 E9 08 CA 51 A5 7F 74 E9 9D BA 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YEI Start" = "%Documents and Settings%\All Users\Application Data\DEBCLS\YEI.exe"

The process a60170994035160:1276 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 A8 F7 BD 38 EF 44 F6 BB A7 FC 50 07 BD F8 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\DEBCLS]
"YEI.exe" = "YEI"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
462afb96a7f72c384bcf2298f6c4cca0	c:\Documents and Settings\All Users\Application Data\DEBCLS\YEI.01
0ab9390b7752a5a312788b3ca8260770	c:\Documents and Settings\All Users\Application Data\DEBCLS\YEI.02
4e01d49a3b6a486a413e3428ab22a683	c:\Documents and Settings\All Users\Application Data\DEBCLS\YEI.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	40820	40960	4.81526	e8f77fb9c65812cca65166988ff24e1a
.rdata	45056	9182	9216	3.85367	ff7f3faff04c8d6f2d499233bb8a1364
.data	57344	8032	3584	1.58866	c5201588891eef4e2562e593674d6f74
.rsrc	65536	2066944	2066944	5.3204	ccc5af14efbf63c84ccfafa9d3611dd4
.reloc	2134016	4756	5120	2.51166	28db7a9e1c1804a4e4740e67543b0c09

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

YEI.exe_580:

.text

`.rdata

@.data

.rsrc

SSh0FS

PSSSSSSh

PSSSSSSh!

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

.EKSWU

FTPG

FTPj

FtPS

=KNILw.tT=RCNEw

_0 _8 _4;_,

SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by <appro></appro>

Camellia for x86 by <appro></appro>

RC4 for x86, CRYPTOGAMS by <appro></appro>

FRegDeleteKeyExW

MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}