SpyTool.Win32.Ardamax_055b1b27c3

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The SpyTool creates the following process(es):

%original file name%.exe:1936

The SpyTool injects its code into the following process(es):

JWN.exe:1508

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1936 makes changes in the file system.

The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\JTGBUR\JWN.01 (80 bytes)
%Documents and Settings%\All Users\Application Data\JTGBUR\JWN.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\JTGBUR\JWN.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\JTGBUR\JWN.02 (56 bytes)

Registry activity

The process %original file name%.exe:1936 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F A5 E2 09 E0 DF 9E 37 4E B4 07 74 94 06 26 9F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\JTGBUR]
"JWN.exe" = "JWN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process JWN.exe:1508 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 52 2F 7B DE D8 5C 8F 13 0B 51 61 37 2B CB 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JWN Start" = "%Documents and Settings%\All Users\Application Data\JTGBUR\JWN.exe"

Dropped PE files

MD5	File path
8942289fe2d65d66fb8bbbd8f5f1bd5b	c:\Documents and Settings\All Users\Application Data\JTGBUR\JWN.01
dad4d733fbc7bb35c39be08f922a95bd	c:\Documents and Settings\All Users\Application Data\JTGBUR\JWN.02
3710bdb7e3ba37a6773e2f9920bb0d94	c:\Documents and Settings\All Users\Application Data\JTGBUR\JWN.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	40468	40960	4.78678	78f9c43f3b88e633742875f0cceded97
.rdata	45056	9232	9728	3.72695	d2f81dfadfcce0d494b79d2e2d060fe1
.data	57344	7968	3584	1.58728	63b9326f18f0a1ff160ad7cf40aa3066
.rsrc	65536	1651488	1651712	5.47822	3bd301538192a8871a08fff4f41c16f4
.reloc	1720320	4754	5120	2.52776	95435be1bfe3bcb26cc9847484661299

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
2e28d42a05c26a4a62b4f986c4262aea
67a80f4bf63e30cdf9027ad673174cfb

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

JWN.exe_1508:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

PSSSSSSh

PSSSSSSh

YYht%S

YYht%S

t*hl%S

t*hl%S

t*hd%S

t*hd%S

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

.EKSWU

.EKSWU

FTPG

FTPG

FTPj

FTPj

FtPS

FtPS

=KNILw.tT=RCNEw

=KNILw.tT=RCNEw

_0 _8 _4;_,

_0 _8 _4;_,

SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>

6-9'6-9'

6-9'6-9'

$6.:$6.:

$6.:$6.:

*?#1*?#1

*?#1*?#1

>8$4,8$4,

>8$4,8$4,

AES for x86, CRYPTOGAMS by <appro></appro>

AES for x86, CRYPTOGAMS by <appro></appro>

Camellia for x86 by <appro></appro>

Camellia for x86 by <appro></appro>

RC4 for x86, CRYPTOGAMS by <appro></appro>

RC4 for x86, CRYPTOGAMS by <appro></appro>

FRegDeleteKeyExW

FRegDeleteKeyExW

MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}