Gen:Variant.FAkeAlert.105 (BitDefender), MonitoringTool:Win32/Ardamax (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Ardamax.nbq (v) (VIPRE), Trojan.KeyLogger.22339 (DrWeb), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Keylog-FAQ!5BBB105F8CA4 (McAfee), Win32.SuspectCrc (Ikarus), Gen:Variant.FAkeAlert.105 (FSecure), Ardamax.BZV (AVG), Win32:Malware-gen (Avast), Gen:Variant.FAkeAlert.105 (AdAware), SpyTool.Win32.Ardamax.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, Monitor, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5bbb105f8ca402be503cd6050e81c38d
SHA1: 24c14ba3c4849d564e2e587358abaea854c873ea
SHA256: 2475ae1c51e27d29771611ef4f4b6dbb3e1527266e78948119784c44d2268c7a
SSDeep: 49152:X6Bg4QexdkDjOu Et8kV/Hvz5a5rpJ5lNx:X6BgYwDjV Qz89J5z
Size: 2167296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Conduit
Created at: 2014-01-12 23:04:25
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The SpyTool creates the following process(es):
%original file name%.exe:864
TGKSrv.exe:1616
The SpyTool injects its code into the following process(es):
TGK.exe:1264
iexplore.exe:192
File activity
The process %original file name%.exe:864 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.00 (1 bytes)
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.02 (56 bytes)
The process TGKSrv.exe:1616 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\Microsoft\DesktopLayer.exe (56 bytes)
The SpyTool deletes the following file(s):
%Program Files%\Microsoft\pxB4.tmp (0 bytes)
The process TGK.exe:1264 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\BDOBUI\TGKSrv.exe (56 bytes)
Registry activity
The process %original file name%.exe:864 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 5D 4A 36 EE 46 2E CF CA BF F6 7F 0D DB AC EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\BDOBUI]
"TGK.exe" = "TGK"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"
The process TGK.exe:1264 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 DC 09 05 3F 4E BD F8 CD B5 9A 1E 32 1F 5E 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TGK Start" = "%Documents and Settings%\All Users\Application Data\BDOBUI\TGK.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 3a0c9f59247090f2643cd597adb4c411 | c:\%original file name%.exe |
| f28ef7b714353ed1d5607b2d3bddb484 | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGK.01 |
| 82eee2254218d9dfa2c2e6a9bf42e386 | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGK.02 |
| 3d3b23bff124821d8cca6e8a78f26255 | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGK.exe |
| 6ca5facebe3d5787dc313f7e69c9cb3b | c:\Documents and Settings\All Users\Application Data\BDOBUI\TGKSrv.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 40340 | 40448 | 4.79593 | 81e45a5c05115536674bbb4173bba1a8 |
| .rdata | 45056 | 9232 | 9728 | 3.72834 | 02fe36e76de5cc9f834ba0e75c9a5052 |
| .data | 57344 | 8032 | 3584 | 1.58991 | d4668da877d58af66239b78e3837253f |
| .rsrc | 65536 | 2106924 | 2107392 | 5.31123 | 895e2aed51123aefd63d96fa2387aa3e |
| .reloc | 2174976 | 4752 | 5120 | 2.51801 | c1c353bf28dd868ed81faaad547dfa87 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The SpyTool connects to the servers at the folowing location(s):
Strings from Dumps
TGK.exe_1264:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.rmnet
@.rmnet
udPh
udPh
PSSSSSSh
PSSSSSSh
PSSSSSSh!
PSSSSSSh!
vSSSh
vSSSh
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
tGHt.Ht&
tGHt.Ht&
.EKSWU
.EKSWU
FTPG
FTPG
FTPj
FTPj
FtPS
FtPS
H%x\U
H%x\U
H%x]U
H%x]U
=KNILw.tT=RCNEw
=KNILw.tT=RCNEw
_0 _8 _4;_,
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
6-9'6-9'
6-9'6-9'
$6.:$6.:
$6.:$6.:
*?#1*?#1
*?#1*?#1
>8$4,8$4,
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro></appro>
AES for x86, CRYPTOGAMS by <appro></appro>
Camellia for x86 by <appro></appro>
Camellia for x86 by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
FRegDeleteKeyExW
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}