Trojan.Win32.Inject.nnyh (Kaspersky), Gen:Variant.Kazy.65374 (B) (Emsisoft), Gen:Variant.Kazy.65374 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2095e746d9c98f22703229c6ccabb083
SHA1: b9b825cf29e0e0018a70bdb1057dd0c58a0c9f1d
SHA256: b741696afe8691ca7b2d32ca5aaf305aeea5be0ccb9b02255bcdfc811b20b3a9
SSDeep: 49152:CXaU/Lt6a L/LGNvchKwHhx4xEuH/E6OaR6qh:CXrT2LjivcEwBxgE qagqh
Size: 2400256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: A.P.P.
Created at: 2014-06-05 15:55:42
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The SpyTool creates the following process(es):
%original file name%.exe:1768
%original file name%.exe:1040
The SpyTool injects its code into the following process(es):
DHA.exe:2040
File activity
The process %original file name%.exe:1040 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.02 (56 bytes)
C:\10365714_1421191098159363_177857鉉 (37 bytes)
Registry activity
The process DHA.exe:2040 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 53 4C D0 BB A5 96 51 1F B0 29 08 2B 85 E9 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DHA Start" = "%Documents and Settings%\All Users\Application Data\TVYLPM\DHA.exe"
The process %original file name%.exe:1768 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 BF DF E0 49 5E 84 03 63 5E 37 9E A5 97 12 0B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1040 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 DA 55 AB 56 0A 95 F3 22 C2 80 E1 CC 98 95 FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\TVYLPM]
"DHA.exe" = "DHA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"
Dropped PE files
MD5 | File path |
---|---|
41f6f94d4f3d56d236ccbd800a8d3529 | c:\Documents and Settings\All Users\Application Data\TVYLPM\DHA.01 |
a3d7d45bccaba8b2f3ec4d5faf9eaaf2 | c:\Documents and Settings\All Users\Application Data\TVYLPM\DHA.02 |
1f4192a9345379c9caf2c11d775cacd8 | c:\Documents and Settings\All Users\Application Data\TVYLPM\DHA.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: oki.b0.kl0.m0
Legal Copyright: just for them
Legal Trademarks:
Original Filename: gegetubsadertyu.exe
Internal Name: gegetubsadertyu.exe
File Version: oki.b0.kl0.m0
File Description: jokilo
Comments:
Language: English (United States)
Company Name: Product Name: Product Version: oki.b0.kl0.m0Legal Copyright: just for themLegal Trademarks: Original Filename: gegetubsadertyu.exeInternal Name: gegetubsadertyu.exeFile Version: oki.b0.kl0.m0File Description: jokiloComments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 2194372 | 2195456 | 5.48155 | 715071818c8a4d2d83d6f4badd05d7e9 |
.sdata | 2203648 | 98 | 4096 | 0.166125 | b4999f89b3daa9134388dab7f47dbcb7 |
.rsrc | 2211840 | 189768 | 192512 | 3.34223 | 135caade275edb0dffe3c8c05c460906 |
.reloc | 2408448 | 12 | 4096 | 0.011373 | d16d7a3903a13c0cf7d62a1bc2b4bf98 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The SpyTool connects to the servers at the folowing location(s):
Strings from Dumps
DHA.exe_2040:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
PSSSSSSh
PSSSSSSh
PSSSSSSh!
PSSSSSSh!
vSSSh
vSSSh
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
tGHt.Ht&
tGHt.Ht&
.EKSWU
.EKSWU
FTPG
FTPG
FTPj
FTPj
FtPS
FtPS
H%x\U
H%x\U
H%x]U
H%x]U
=KNILw.tT=RCNEw
=KNILw.tT=RCNEw
_0 _8 _4;_,
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA1 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
SHA256 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro></appro>
6-9'6-9'
6-9'6-9'
$6.:$6.:
$6.:$6.:
*?#1*?#1
*?#1*?#1
>8$4,8$4,
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro></appro>
AES for x86, CRYPTOGAMS by <appro></appro>
Camellia for x86 by <appro></appro>
Camellia for x86 by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
RC4 for x86, CRYPTOGAMS by <appro></appro>
FRegDeleteKeyExW
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}