Analysis Date: 2015-01-17 23:42:48
MD5: ae2a250874e6ed4b79d4080870c1fbb8
SHA1: 0ea7d534e3e4b60aff37ff5a0155b678c373d430

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Sections (name, md5, sha1, raw size):
  CODE    md5: cd62a8cebe59203e6a52bc39eb73bc0c sha1: 357d504b0d35029ecaf91c665b2061c794272f85 size: 116736
  DATA    md5: 8a75795602f232a9217ac10201f6397c sha1: f8e9321acefe02d4255b7296d8532e73699cfd59 size: 97280
  BSS     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0  (no raw data; these are the hashes of empty input)
  .idata  md5: f13dd5ac693e57d6807988a3b484ec64 sha1: a6a6c7b2ab14de5f11791efc9dc9c0b3fbc115a9 size: 1024
  .reloc  md5: c07dbb740610045bcb0773a42b98d453 sha1: ddbc27b30e155d2a7cd53ace077feba504f4f96e size: 512
  .rsrc   md5: 01c9ebe6665ef1662738bf258c6db2cf sha1: 930590b49fba456cccf1ffe01e5e94bdb4aadfc8 size: 10752

Timestamp: 1992-06-19 22:22:17 (the fixed link time 0x2A425E19 that the Borland/Delphi linker writes into every binary; not the real build date)
PEhash: 385e2aebb8b69adbb3054eeb970ae9b51ad4d6ee
IMPhash: f47458d9214a379eea5a24ed3d4c5fe6
AV detections (vendor: verdict):
  360 Safe: no_virus
  Ad-Aware: Gen:Trojan.Heur.Renos.nyW@cGeb9Hbc
  Alwil (avast): MalOb-GP [Cryp]
  Arcabit (arcavir): Gen:Trojan.Heur.Renos.nyW@cGeb9Hbc
  Authentium: W32/FakeAlert.NZ.gen!Eldorado
  Avira (antivir): TR/Crypt.ZPACK.Gen
  BullGuard: Gen:Trojan.Heur.Renos.nyW@cGeb9Hbc
  CA (E-Trust Ino): Win32/FakeCodec.I!generic
  CAT (quickheal): Trojan.Renos.PG
  ClamAV: Trojan.Renos-2095
  Dr. Web: Trojan.DownLoader2.25030
  Emsisoft: Gen:Trojan.Heur.Renos.nyW@cGeb9Hbc
  Eset (nod32): Win32/Kryptik.OJP
  Fortinet: W32/Delf.AR!tr
  Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
  F-Secure: Gen:Trojan.Heur.Renos.nyW@cGeb9Hbc
  Grisoft (avg): Downloader.Generic11.AEQK
  Ikarus: Gen.Variant.Renos
  K7: no_virus
  Kaspersky: Hoax.Win32.FlashApp.gen
  MalwareBytes: Trojan.Downloader
  Mcafee: Downloader-CEW.ba
  Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
  MicroWorld (escan): Gen:Trojan.Heur.Renos.nyW@cGeb9Hbc
  Rising: no_virus
  Sophos: Mal/FakeAV-NJ
  Symantec: Trojan.Gen.2
  Trend Micro: TROJ_KRYPTK.SMCZ
  VirusBlokAda (vba32): no_virus
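The static fields above (section names, per-section md5/sha1, the 1992 timestamp) can be reproduced from the PE header alone. The following is an added example, not code from the report or from the sample; it is a stdlib-only PE32 header reader that hashes each section's raw bytes and flags the two things an analyst reads off this header: the fixed Delphi link time (which Fortinet's "Delf" verdict and the Borland-style CODE/DATA/BSS section names corroborate) and a BSS section with no raw data, whose hashes are simply those of empty input. The PE it parses is constructed inside the block (build_sample_pe) and is an assumption for demonstration; swap in open(path, "rb").read() for a real file.

```python
import hashlib
import struct

# Link time the Borland/Delphi linker writes into every PE it produces
# (0x2A425E19 == 1992-06-19 22:22:17 UTC), whatever the real build date.
DELPHI_LINK_TIME = 0x2A425E19


def parse_pe(data: bytes) -> dict:
    """Read the COFF TimeDateStamp and hash each section's raw bytes (stdlib only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def triage(info: dict) -> list:
    """Turn the parsed header into the remarks an analyst would make about the report above."""
    findings = []
    if info["timestamp"] == DELPHI_LINK_TIME:
        findings.append("TimeDateStamp is the fixed Delphi link time, not a build date")
    names = {s["name"] for s in info["sections"]}
    if {"CODE", "DATA"} <= names:
        findings.append("Borland-style section names (CODE/DATA)")
    for s in info["sections"]:
        if s["size"] == 0:
            findings.append(f"section {s['name']} has no raw data; its hashes are those of empty input")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with the report's section layout; it is not the real sample."""
    sections = [(b"CODE", b"\x55\x8b\xec" * 100), (b"DATA", b"D" * 64),
                (b"BSS", b""), (b".idata", b"I" * 16)]
    opt_size, align = 224, 0x200
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-headers // align) * align            # round headers up to FileAlignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), DELPHI_LINK_TIME, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    table, body, va = b"", b"", 0x1000
    for name, raw in sections:
        ptr = first_raw + len(body) if raw else 0       # no raw pointer for an empty section
        table += struct.pack("<8sIIII", name, max(len(raw), 1), va, len(raw), ptr) + b"\0" * 16
        body += raw.ljust(-(-len(raw) // align) * align, b"\0")
        va += 0x1000
    head = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0")
    return head + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(hex(info["timestamp"]))
    for s in info["sections"]:
        print(f"{s['name']:<8} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    print(*triage(info), sep="\n")
```

The per-section hashes are what lets two repacked Delphi droppers be tied together when the file hash differs: the .rsrc and .idata sections of a crypter-wrapped build often survive unchanged between samples while CODE and DATA do not.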

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\J40NOZ44HU\OhuD ➝ 5
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS wikileaks.org (A): 91.218.114.210
DNS wikileaks.org (A): 91.218.244.151
DNS wikileaks.org (A): 95.211.113.131
DNS wikileaks.org (A): 95.211.113.154
DNS wikileaks.org (A): 195.35.109.44
DNS wikileaks.org (A): 195.35.109.53
DNS articlesbase.com (A): 216.146.46.10
DNS articlesbase.com (A): 216.146.46.11
DNS 10086.cn (A): 117.136.139.2
DNS hawfruit.com (A): no address returned
DNS musichalll.com (A): no address returned
DNS topjer.com (A): no address returned

Raw Pcap

Strings
..
.
.
3D Light
Abort
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
BBABORT
BBALL
BBNO
BBOK
BBRETRY(
Bitmaps
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form	Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRightE%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
kernel32.dll
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'"Variant method calls not supported
No help keyword specified.&Cannot change the size of a JPEG image
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
&Retry
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
untfs 
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
wegwe\ehfwehetr
Window Background
Window Frame
Window Text
Write$Error creating variant or safe array!'%s' is not a valid integer value
&Yes
Yes to &All
^ ),^_#
0"0*020:0B0V0^0f0n0v0~0
0E;'aVmV
'0mYjd%
<0`/to
'0z9]+
,1%/;@
1-a,<X
1c+bJnp
[;1cTi<
?"?'?1?;?E?O?Y?c?m?
1lgK6]
{1~u6V
21(j	5
2""333:"C8
2""#33:DC8
27a554fd
2">a	2
2$B""""C38
2C4"""D338
2Jd.@A
2M2.Sn/
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
3333333
$3333333
#3333333
33333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
3$3,333?3F3L3V3\3d3j3q3z3
333338
33333833
:*3:"$3338
#33338
:*"*"$3338
333838
333DDD33333?
$334B"$3
334C33333338
33B$3333333
34""C33333833
3B""$33333
3EzRU@1
3KFQL,
-3L\W$
/'/3{(M$TZ
3qvx]|
3R17Wv!
="=(=.=4=:=
4[}1P 5
4*4]4d4m4
4b81Dyv
4"*""C3338
4	<]c4
4ck6+zE=
4s;-b6
4!x'2M
4YH_WB
5`2iOl
53nO!@K
|54E_A*
{.5]8l
59Z\mIe
]5A=ip
5e%?i^Z
5@g)p2,
*5"!)gZ
5Jy0OA
5	o}p'P
5*yz)F
62=2P2
699d9i:
}=}&}7
75'J:~Izq$
7:iNwj
7J"@!{9
7mm>:V
7P;i:]
%7Qp\z@_
7@XL6?
; ;$;(;8;<;@;
8)]16Ru
&:8nXboA
8:^vpq
8W>~nJ
95;1>	W
9~8(Otj
9J+\$A:
9tWzfYS'
a04SCoJ
(!.A7m
a!#7N(@8*B!
AddJobA
AddPortW
AD<|ns
A*mllPH
a,oC%;
  </application> 
  <application> 
a<}$ Q
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
avCwi}u0
AvuMci
A W!I5T
b;0l>>W~
]bBG_yx
BdzkzXd
bG@}yy
B~,hlv
b`i7y~
%bL-fyz
bM|uyv
bOgCar
B:@OIi
b:.(>v;
!b Zl<
!-&C``
:"C333
"C333333
"C3338
"C8338
cb0+W6
cBOC	-r
CCCj9:T
[CeJH`
^c[IEBf
CIf)Ht
cMe=2]
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
ctMLR=
,CyA]0
;D:0>[
d9="\$
(dB,dw;;
:DC33:""$8
"DDB""$3
DeletePortA
D@GiEd
+dg%nn
D!iOsC
D;[K}F
D&N,sD
	'dO4*
/Dop~!
dpv]/7
'Dq_jhH
DrawTextExW
#"-Du"T
E^5_355
e(	f\!
Efnv@-
Ek:2:k/
E/L8@"R'?m
Eq/2x|%1
eqRcmpH
Etq&@cr
ev)4) 
 EY)mG{
_e%ZdY
_f0PBYv
f1-(I)`)
f?bYMg
f$f q5Iv`
f|i LK
F=i#x&
fNeyd_[f@
fo& R,m
f:R:oq
ftGUiJ
g9/2*A!	
GetFirmwareEnvironmentVariableA
GetProcAddress
GetProfileIntA
GetWindowLongA
gi4=(Az
GlobalAlloc
GlobalFree
GM}+ `
gP\(#4
@+/g&<s7
g,`^w;
gYRN[0
h[11do
H|]6Cpx
;Hdf9~u
hiDNU8
h[iuo?
HJt?>q
*[h$loGg
hof8g|
{HrI"JI
,	Hva\
HXDW4R
hY0\ )N`k
hz,OGE
i?1G+?g
>$=I$2B
iaUg,=q
Ic,Gti:
.idata
ieUT#G
iG U46
i"|)h9
I]I1Mf
^IN9Ep
i}QDzu
Isf"u"
]It%T|
+I`wjS
!j%1Eo
"J333333
J97()f:U;]qOW
&JAXmP
"J"C3333
j<d^Qo
JL2b	5}
JNamHh#
jnKYfL
#j/PFS
+j:&q+D
~,jRMW
JU^h*V
j_ZTmR
k2-xNy!
K	~)!4
	k6A&@
]k7c9|
-KDW7&
kernel32.dll
K)FYB2
Kgxt]z4
~Khi'bq"6t
\K$~>L
kO3/2r
,K*pM 
)k*SK]
>,k:y;
]l)2\{
]L4%x.
-l7:4{AQ
L?$mDb^
;LmRuD
LoadLibraryExW
LoadLibraryW
LoadMenuIndirectA
LookupIconIdFromDirectoryEx
LqX}_SXX
lZG,{H
MapWindowPoints
MiPn0Q
mJ::H!(>
mMEOzOM
MNUPYu
m>SOa1v
m;SU) v
MUhU2IG
&MV L5
m(w_Jjz
My-	:*
N4	.j2@
NB)d}y
NcD.CR
#?nI)=
NLncuJx
NO%o94^i
NP!gnT
NU7>Kg
$nv>>U}t?h
;}O|,+
O0d9rB
o|36jfE=}`U
OcnQ@5
O?#dG	H
O^D$MEo
oe*o?$
OM*}ER=4p5
OMET"[@
Omq#iH\t
OMq&r;
	OO}42'i
)|oovK
OuRIrCmpI
O*xB@o
OX%>rJ#}ImK
oY*6=#
|p{cLm
_P'fB;
&p:N.?2
PrinterMessageBoxA
Process32FirstW
P.rsrc
*q23 |
q9_#-*
Q9|N0dK9tB
qD6~g>o@
qeaO}?
Qeu%%i
*&q[Jz|al
;qlp>dZ%
_qMu.|+
`qOLfu:t
qWV%|-eTK
r"?_D.
R]D:l/~Vi1
*Rd<q#*
ReadConsoleA
.reloc
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
RES$)@
rfMI.Z
rKW{Z41gG
R,K\yV
rld{_@
rPii ;
r	 Y<4
s2"i(f	
{ s8<{
s9&Mr+
Saihvg
      </security>
      <security>
SetForegroundWindow
@sgP?J9
Sl5%9j
&s/L}I
s*n)J|
"}S(oB
sr.CaI
SRS,vd\
S!*RZY5/IAY
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
'S	='v
&S?&*v-
t)9un) 9%
T_AxCv
T+>CHk\1
tEqo|6|e
TermsrvAppInstallMode
TFwWCq
{_TH~-.
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
T$(NA@
T$(NA@j
tOhx,L
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TV}]CA
T`vpCC
<{=U=&
?\Uhe?T
UnionRect
UnregisterClassA
UP8Er\>6
user32.dll
U s@kkp
Ut2#.H	
u"%vx:
+,*v2^
;v<gG}
,\v[?H
>vHdO}vE
VirtualAlloc
VirtualProtectEx
v{iu&~/3
vO	N%R
vP57A|
vtn7Q*
V@W!G?
VXGEz]
`[^@v@y
vY+]@D
>vy.q^
w2OLz:
=W7UO4:
{Wc~Lmf6
W,c%n1
winspool.drv
_wLHVv
WL<yb*
wUkUx.
_ww@!z;
`*w>x1
)w)z0%O
w	.ZC<
X1B"wC
X1Q)~g
XE?>wGT\z
x:I-)tt+8
XLrnAf
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xS4<i0(-F
x%Sg^>
xs+%`V
,y|5wC
y6\[EN
YDPl@b6R
YIA/D$
YqvQS>}
YsM$AW9
ywgv:K
Z	`;|4
'<"Z8C
Z8pO1w
ZB9bvo
 zDc[ks
z&Ds-ds
z!h.?l
Zli4g@
zuF4%h
&~.ZxM
_^z&YE