Gen:Variant.FAkeAlert.105 (BitDefender), MonitoringTool:Win32/Ardamax (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Ardamax.nbq (v) (VIPRE), Trojan.KeyLogger.22339 (DrWeb), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Keylog-FAQ!5BBB105F8CA4 (McAfee), Win32.SuspectCrc (Ikarus), Gen:Variant.FAkeAlert.105 (FSecure), Ardamax.BZV (AVG), Win32:Malware-gen (Avast), Gen:Variant.FAkeAlert.105 (AdAware), SpyTool.Win32.Ardamax.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, Monitor, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5bbb105f8ca402be503cd6050e81c38d
SHA1: 24c14ba3c4849d564e2e587358abaea854c873ea
SHA256: 2475ae1c51e27d29771611ef4f4b6dbb3e1527266e78948119784c44d2268c7a
SSDeep: 49152:X6Bg4QexdkDjOu Et8kV/Hvz5a5rpJ5lNx:X6BgYwDjV Qz89J5z
Size: 2167296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Conduit
Created at: 2014-01-12 23:04:25
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The SpyTool creates the following process(es):
%original file name%.exe:864
TGKSrv.exe:1616
The SpyTool injects its code into the following process(es):
TGK.exe:1264
iexplore.exe:192
File activity
The process %original file name%.exe:864 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.00 (1 bytes)
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.02 (56 bytes)
The process TGKSrv.exe:1616 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\Microsoft\DesktopLayer.exe (56 bytes)
The SpyTool deletes the following file(s):
%Program Files%\Microsoft\pxB4.tmp (0 bytes)
The process TGK.exe:1264 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\BDOBUI\TGKSrv.exe (56 bytes)
Registry activity
The process %original file name%.exe:864 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 5D 4A 36 EE 46 2E CF CA BF F6 7F 0D DB AC EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\BDOBUI]
"TGK.exe" = "TGK"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"
The process TGK.exe:1264 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 DC 09 05 3F 4E BD F8 CD B5 9A 1E 32 1F 5E 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TGK Start" = "%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.exe"
Dropped PE files
MD5 | File path |
---|---|
3a0c9f59247090f2643cd597adb4c411 | c:\%original file name%.exe |
f28ef7b714353ed1d5607b2d3bddb484 | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGK.01 |
82eee2254218d9dfa2c2e6a9bf42e386 | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGK.02 |
3d3b23bff124821d8cca6e8a78f26255 | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGK.exe |
6ca5facebe3d5787dc313f7e69c9cb3b | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGKSrv.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 40340 | 40448 | 4.79593 | 81e45a5c05115536674bbb4173bba1a8 |
.rdata | 45056 | 9232 | 9728 | 3.72834 | 02fe36e76de5cc9f834ba0e75c9a5052 |
.data | 57344 | 8032 | 3584 | 1.58991 | d4668da877d58af66239b78e3837253f |
.rsrc | 65536 | 2106924 | 2107392 | 5.31123 | 895e2aed51123aefd63d96fa2387aa3e |
.reloc | 2174976 | 4752 | 5120 | 2.51801 | c1c353bf28dd868ed81faaad547dfa87 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The SpyTool connects to the servers at the folowing location(s):
Strings from Dumps
TGK.exe_1264:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.rmnet
@.rmnet
udPh
udPh
PSSSSSSh
PSSSSSSh
PSSSSSSh!
PSSSSSSh!
vSSSh
vSSSh
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
tGHt.Ht&
tGHt.Ht&
.EKSWU
.EKSWU
FTPG
FTPG
FTPj
FTPj
FtPS
FtPS
H%x\U
H%x\U
H%x]U
H%x]U
=KNILw.tT=RCNEw
=KNILw.tT=RCNEw
_0 _8 _4;_,
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
6-9'6-9'
6-9'6-9'
$6.:$6.:
$6.:$6.:
*?#1*?#1
*?#1*?#1
>8$4,8$4,
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro></appro>
AES for x86, CRYPTOGAMS by <appro></appro>
Camellia for x86 by <appro></appro>
Camellia for x86 by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
FRegDeleteKeyExW
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}