SpyTool.Win32.Ardamax_2095e746d9 – Adaware

Trojan.Win32.Inject.nnyh (Kaspersky), Gen:Variant.Kazy.65374 (B) (Emsisoft), Gen:Variant.Kazy.65374 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, SpyTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2095e746d9c98f22703229c6ccabb083

SHA1: b9b825cf29e0e0018a70bdb1057dd0c58a0c9f1d

SHA256: b741696afe8691ca7b2d32ca5aaf305aeea5be0ccb9b02255bcdfc811b20b3a9

SSDeep: 49152:CXaU/Lt6a L/LGNvchKwHhx4xEuH/E6OaR6qh:CXrT2LjivcEwBxgE qagqh

Size: 2400256 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: A.P.P.

Created at: 2014-06-05 15:55:42

Analyzed on: WindowsXP SP3 32-bit

Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The SpyTool creates the following process(es):

%original file name%.exe:1768
%original file name%.exe:1040

The SpyTool injects its code into the following process(es):

DHA.exe:2040

File activity

The process %original file name%.exe:1040 makes changes in the file system.

The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.02 (56 bytes)
C:\10365714_1421191098159363_177857ÃƒÂ©Ã¢â‚¬Â°Ã¢â‚¬Â° (37 bytes)

Registry activity

The process DHA.exe:2040 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 53 4C D0 BB A5 96 51 1F B0 29 08 2B 85 E9 BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DHA Start" = "%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.exe"

The process %original file name%.exe:1768 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 BF DF E0 49 5E 84 03 63 5E 37 9E A5 97 12 0B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1040 makes changes in the system registry.

The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 DA 55 AB 56 0A 95 F3 22 C2 80 E1 CC 98 95 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\TVYLPM]
"DHA.exe" = "DHA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

Dropped PE files

MD5	File path
41f6f94d4f3d56d236ccbd800a8d3529	c:\Documents and Settings\All Users\Application Data\TVYLPM\DHA.01
a3d7d45bccaba8b2f3ec4d5faf9eaaf2	c:\Documents and Settings\All Users\Application Data\TVYLPM\DHA.02
1f4192a9345379c9caf2c11d775cacd8	c:\Documents and Settings\All Users\Application Data\TVYLPM\DHA.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: oki.b0.kl0.m0
Legal Copyright: just for them
Legal Trademarks:
Original Filename: gegetubsadertyu.exe
Internal Name: gegetubsadertyu.exe
File Version: oki.b0.kl0.m0
File Description: jokilo
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: oki.b0.kl0.m0Legal Copyright: just for themLegal Trademarks: Original Filename: gegetubsadertyu.exeInternal Name: gegetubsadertyu.exeFile Version: oki.b0.kl0.m0File Description: jokiloComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	2194372	2195456	5.48155	715071818c8a4d2d83d6f4badd05d7e9
.sdata	2203648	98	4096	0.166125	b4999f89b3daa9134388dab7f47dbcb7
.rsrc	2211840	189768	192512	3.34223	135caade275edb0dffe3c8c05c460906
.reloc	2408448	12	4096	0.011373	d16d7a3903a13c0cf7d62a1bc2b4bf98

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

DHA.exe_2040:

.text

`.rdata

@.data

.rsrc

PSSSSSSh

PSSSSSSh!

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

.EKSWU

FTPG

FTPj

FtPS

H%x\U

H%x]U

=KNILw.tT=RCNEw

_0 _8 _4;_,

SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>

SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by <appro></appro>

Camellia for x86 by <appro></appro>

RC4 for x86, CRYPTOGAMS by <appro></appro>

FRegDeleteKeyExW

MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}