Analysis Date: 2014-11-22 05:20:39
MD5: 716ee6f8cb19597881bff72b4b014b13
SHA1: 06614b0759617cfb42efc5e739abbdccf6c13181

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: CODE md5: 80fc807ae6925766d510e3c40ac3a1dd sha1: 9d6f93e2e33bd7b52519a1ec7b24d7406d3e93e6 size: 119296
Section: DATA md5: 1e5389a3ad054e7a34daa1813f540bbd sha1: 3df08b3b6fa1ba422d8f485914065eac823d83b0 size: 98816
Section: BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .idata md5: 970505e66a05b2516c92dda48fdc2aeb sha1: 20d199f2a8d033a1102374dcacfba86d2be1bb85 size: 1024
Section: .relac md5: c15cf27d1084386d6fdec878a9cbc576 sha1: 8f65fa807f1ebabf3e476a317e2f2b31feb3654a size: 512
Section: .rsrc md5: 41bebebf8e999cbfeac97d17e00cb854 sha1: a85d2acba57d93cf2bd9c032c185c9d0828d4701 size: 10752
Timestamp: 1992-06-19 22:22:17
PEhash: a3a2cd2cbf2674794abfb21209d38421ae9c93e7
IMPhash: a67302fd52045d425124674252ac087b
AV: 360 Safe: Gen:Heur.Cridex.2
AV: Ad-Aware: Gen:Heur.Cridex.2
AV: Alwil (avast): MalOb-GP [Cryp]
AV: Arcabit (arcavir): Heur.W32
AV: Authentium: W32/FakeAlert.NZ.gen!Eldorado
AV: Avira (antivir): TR/Crypt.ZPACK.Gen2
AV: BullGuard: Gen:Heur.Cridex.2
AV: CA (E-Trust Ino): Win32/FraudLoad.AA!genus
AV: CAT (quickheal): Trojan.Renos.PG
AV: ClamAV: Win.Trojan.Fakeav-1384
AV: Dr. Web: Trojan.DownLoader3.30204
AV: Emsisoft: Gen:Heur.Cridex.2
AV: Eset (nod32): Win32/Kryptik.OZA
AV: Fortinet: W32/Delf.AR!tr
AV: Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
AV: F-Secure: Gen:Heur.Cridex.2
AV: Grisoft (avg): Win32/DH.FF8400F5{Mw}
AV: Ikarus: Trojan-Downloader.Win32.Renos
AV: K7: Riskware ( 0015e4f01 )
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: Trojan.Downloader
AV: Mcafee: Downloader-CEW.ba
AV: Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV: MicroWorld (escan): Gen:Heur.Cridex.2
AV: Rising: no_virus
AV: Sophos: Mal/FakeAV-NJ
AV: Symantec: Trojan.Gen
AV: Trend Micro: TROJ_KRYPTK.SMDH
AV: VirusBlokAda (vba32): Heur.Trojan.Hlux

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org  Type: A  95.211.113.131
DNS: wikileaks.org  Type: A  95.211.113.154
DNS: wikileaks.org  Type: A  195.35.109.44
DNS: wikileaks.org  Type: A  195.35.109.53
DNS: wikileaks.org  Type: A  91.218.114.210
DNS: wikileaks.org  Type: A  91.218.244.151
DNS: articlesbase.com  Type: A  216.146.46.10
DNS: articlesbase.com  Type: A  216.146.46.11
DNS: 10086.cn  Type: A  117.136.139.2

Raw Pcap

Strings
l
.
...C
&.
.
.
.
u
{.
.
e.

3D Light
Abort
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
BBABORT
BBALL
BBNO
BBOK
BBRETRY(
Bitmaps
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form	Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRightE%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
kernel32.dll
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'"Variant method calls not supported
No help keyword specified.&Cannot change the size of a JPEG image
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
&Retry
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
Window Background
Window Frame
Window Text
Write$Error creating variant or safe array!'%s' is not a valid integer value
&Yes
Yes to &All
0"0*020F0N0V0^0f0n0v0~0
^038Ek
060J$=
?=0~DC
0M`e~X
&~0s	c
0)zio{
&15$mK
 *1|5T
1@7lEtr
1hR|JG=
1JwO0`
,1QB;@
[1+	v;
.|1wn?<
2""333:"C8
2""#33:DC8
2@9!@D
2$B""""C38
2C4"""D338
^^2[\E
@2K|>	
~2#lRp
>2Q(PKzD
{2&$Sem
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
3333333
$3333333
#3333333
33333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
:*"*"$3338
333838
333DDD33333?
$334B"$3
334C33333338
33B$3333333
;3__$4
34""C33333833
3B""$33333
$3Py2N1
42}ijW
}4AqZd
4"*""C3338
4E@_W>
-)4GjP"v;
4]H^%}
_4K	C$t
:4mjR(
4X^['<
:5Cqh i
,5GQE 
5`J* b
5N6c6t6
`-5Oyw
5p'jxc
 @/6|?
63=7=rG
6(6.646:6@6F6L6R6X6^6d6j6p6v6|6
6(~6\QIy
6:9W$jq
+6]Avp1
6!lH{?T@U
6Upif@
6W0I=F
6Wrf85
7,7S7Z7g7v7
+79eAZ
{7~AY<
7ef4da54
84s)#I
8 8-8?8K8
8$q999
,8=wkf
^\9'D	
9/EXI{
$	9?J4
[9;	XU>
<a4kS4
{	A5|s
A+$6\j
A%Ajfo
AbL;AL
!AE8	W
ag3#]s
a,H4Z;
^/AP]#^
  </application> 
  <application> 
appwiz.cpl 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
b`5Gy~<
b-F1#n$
bfqayL=
bl*"5,nS
bntA`E
!bT*7A[
;btRbKy
b[xby}
C%*\>/
C0~t;o
.c|0X\
!|^C%2
c2&p(j
:"C333
"C333333
"C3338
c?5]bQr(Zv
"C8338
cGo[F"
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
+CpL~%
*	)cPq
c'`[*q
:cVE!F%
cZu`1p`
D&)-")
"d0-2;
D{{1L 
$D53wo
D9"V{.
'Da0jf
d$bokF
:DC33:""$8
"DDB""$3
DdeEnableCallback
><D%e#
DefineDosDeviceA
DeletePrinterDriverW
DeletePrinterKeyA
DHP.s~
d+&J)0
.D`k!s
'd]N2mh
.DNbm'~y
[DPu*Udr0
dr#<AIW
DrawTextA
;Dv*>[
$'D-VD
,dvql'1
/"`dw9K
Dw*{Ha
@DXbSsN
?D%Y^\
d,y]4A|
dZf8#U
e	2ce 8^
E{2^|N+
[^E*|E<aA
eESC$E
|{EfF1}
Eg96tz
EKv'\G=P4q5
!EM7~!
EPB3&/
\Ew[}4JV!eA
ewZxo/
F;3Ii>
f4v3Q$
@}F8w<*OYI
)\Fd!w
fh>N>G9
f	KNF4
	^f#Qu
FreePrinterNotifyInfo
FxB;RZ
F~ZUY$c
`]g|6(
g6@sSb?J5Qr
gENCz+
GetACP
GetCaretPos
GetModuleHandleW
getpeername
GetPrinterDriverA
GetProcAddress
GetThreadPriority
GG&&G	m|
G"^IH9
g-@	im?h
!gK )h[~c
GM87f Vk
gN[0UB
gnr(R.//
]G!q({P
g:"sz\
g>ve_P
gwj7z5ff
':#\:)h
h,#A|{
+hAeKF
h*CH |
hDG=|s
hH=qG;
h}i80_U
:h	-JG
h{jzcg
h|kM{E
hQ!Skxiviy
HXS lm|!
"I0xmN
{iC#<<
.idata
^I+fKw
]|iLZK
@">I?m
IPYfo!H
#i}QfGprT
IsChild
iwU7@l
iYdcqD
:iz=V<
"J333333
J6$I%=o
J^9A#.X;&
]Jc|("
"J"C3333
J)\Dt/
[J}e'A
JfO#QdB
-jgaT^
Jh?lq|
J=;-kV>
jLK}Kr
jlt:r{
JL/~:u
J/LwTi
j]o*h*
J%/: P
JpE,A{!f
<Jqj~AHk
JRh\Au`
J<sd!6
>jt:999
}J_vJ=
,JW>dAv
<j'xwhm
*]<k1S
|:*=K5v
k$99BI
kernel32.dll
K!;:G$>Yu
/kLQ%X
k[^RS\
kSxTJV
kvH0-1
&`\l53Z
"&l_Dm
l:[fCgc&
listen
|.lLwz^
LMU+^~
ln	Q5[UqH
LoadBitmapA
LoadKeyboardLayoutW
LoadLibraryExA
loAm.Z
LocalAlloc
.=Los5
]LPm(</+
lq$r,|V0
LsR+G<[
lstrcmpiW
l$Y6[EA
LYGx?D
LzoEAE
M	0#jYEK
.:?M1y
ma	aj	4
<\#MDR
M,#ev6
m"E*wVU
MfKvX5
mlvTYlp?P
MRteX1
m&Tc,:]F
}MTHja
:#;m>u>~>
mweLXN
mZ0#-'o
{n	1t[FkVp
n2tB0	
n4sWim
Nc7V}h
NId1.hA
|N\"K9
NKu1NH
n;p!D{
n@QcEp
/-NU^+v
%nVd#w
NZafJ%
|Nz',u|:
(O3+[B
OAR~|W
oCe0!)
'ON6k{
oo'.mm
OPanw>
_oTW}&
&OuL}u
:OuNRB
P1T1X1\1`1d1h1l1|1
P2!.a	e'
PA]gVJ
p/b	W{
P=%	^e
'Pg>2R
pI	S4tW
p?+;l+
p]l+%(
P.rsrc
p{u	4~
%?$!Pw
p!^wkO
p?'_zJ
<q;`[A
qC%#8{
:#: qE
q.i5HT
]q:n:|
qoXm|e
Q*p^D0}Eo
~!|QUG
q]V:%(
Q`Vi@s{
q.+X|X
qy	w|g'
r4'@9I:
@RaL.2k
`/r&d&I
.relac
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
rhO.!=
r->_I4
r-JdzQA
R@"}M8
rOsuIn
rQgpkp
?RtI f
r_	yI>R)t
r	YwuM6
s>4kYO
^]/S6(CU
Sa%Qvgj
      </security>
      <security>
SetCaretPos
SFdYb&
s%)k`'
=ski D
So5$s.
SpoolerPrinterEvent
@sr;Fs
S|s5sK
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
,S`#yd
T2!UCm
T8B6[Mi@
ta->xUV
tFR^> C
TF#XCqR
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
?Ti{B`
tM>TR3
TN8fGuF
T#,oCjs
T|oi"I
@._T?	R
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
ts,&xA
-TtE$\
|{t,U[
TU|yCt{i
TV)^CA
~ $	"U
U'!@2:$%
u, 80q
U%8gW*{z
ubhVOy
;ubSK`
u.!E`;wC
Ufh}g>[^
u+h+Jn
uhsZnt
u]HU0}jQn
Uj!e]s
uo_oRA
user32.dll
@U,*vn
	v+!4m
v4tP}r
v7pF+h
v9Ea}s
>v!-?Es
VirtualAlloc
VirtualProtect
"V<jdq
|{)VKB
vK;!!U.
v^NzYE
VtB+es
vxqUajW
w0fM13
W0rW_VV!
W}3p|O
"&W7(-Xu~
w\9zJ#V
WeS/-k
w+f'+"
winspool.drv
'>wi:]O
w<N;N%
W?R@Rr4
w.RwJM
ws2_32.dll
WSAAccept
WSAEnumProtocolsA
WSAGetOverlappedResult
WSCEnableNSProvider
WwQ7~ 
wWt@J"I
]wyd/a
W!=?Zl
]`'_x(
x3K?!k
X]`4G(@
X--.8w
X:hiwx
XmeBwO"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XOF%i)
X]S v\
X)]tXIG
/;\Y:`]
y1_	TP
&Y3]~!
}%y%a,yP
YC?!]<
Y{$cq~
Yg@,\u
YgyO0]P
!YjhHj
([Y_m^.
yM}!T4@
ySdoAv
Y-s:|,`U
&=Yt5-^
yu(K'`
YV}5k=D
"Y`yXD
YZ5b}/2l`
Z:2Cdb
z6D-ZAC
ZavWeF
{zj"#)8
-zJ>{9
z{NVT~
`=zqJ*
?ZrVzO/
ZTmv+[
&Z$vm 
zvpec}~r