Analysis Date: 2014-11-04 09:18:42
MD5: 2bd495df86f96274ccdb2dd49d025e99
SHA1: 378aa7589c8dcff3c49c2f99ebe0c95486254d8a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 67125af68e68c67e05cbe83227c00c74 sha1: e7eeee4bf5d3202cd8fd8ce74f20d50f70299766 size: 120832
Section DATA md5: e397231cf62b4dccd8bd7fb41adf2eef sha1: 2ee1528e2f0a076b0912032411bc9cb9137cfdf0 size: 100352
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 488e8791d1b5a72c5df136b6f576b70c sha1: c2a74124918ca810b7531b11cd4ad23df454389f size: 1024
Section .reroc md5: 352cf58b2454ab76aa60e786dbb6eba6 sha1: d7afacb18b8bfeded7241d014b82cdbc0da1c8d7 size: 512
Section .rsrc md5: 3252a51a48d112647d74a481d4a4e4ed sha1: b306702bae730c5f2451eab6d0404e84c6565344 size: 10752
Timestamp: 1992-06-19 22:22:17
PEhash: e40afc0f456aa17964ac95548433fb6db16feb5e
IMPhash: 1acc480719ee52208d721cf78a98834f
AV 360 Safe: Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV Ad-Aware: Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV Alwil (avast): MalOb-GP [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.NZ.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Agent-246419
AV Dr. Web: Trojan.DownLoad2.30241
AV Emsisoft: Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV Eset (nod32): Win32/Kryptik.QYI
AV Fortinet: W32/Delf.AT!tr
AV Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV Grisoft (avg): Generic23.LAO
AV Ikarus: Trojan.Win32.Arto
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ba
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV Norman: Gen:Trojan.Heur.Renos.oyW@c0yHD8pc
AV Rising: Packer.Win32.Undef.j
AV Sophos: Mal/Delf-AR
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_KRYPTK.SMDH
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS wikileaks.org (Type: A) ➝ 91.218.244.152
DNS wikileaks.org (Type: A) ➝ 95.211.113.131
DNS wikileaks.org (Type: A) ➝ 95.211.113.154
DNS wikileaks.org (Type: A) ➝ 195.35.109.44
DNS wikileaks.org (Type: A) ➝ 195.35.109.53
DNS wikileaks.org (Type: A) ➝ 91.218.114.210
DNS articlesbase.com (Type: A) ➝ 216.146.46.11
DNS articlesbase.com (Type: A) ➝ 216.146.46.10
DNS 10086.cn (Type: A) ➝ 117.136.139.2

Raw Pcap

Strings
h.
Q'
"
".
...
[.*0
2
.
Y..
P
-
..
.
..

3D Light
Abort
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
appwiz.cpl 
April
Assertion failed
August	September
BBABORT
BBALL
BBNO
BBOK
BBRETRY(
Bitmaps
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form	Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRightE%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'"Variant method calls not supported
No help keyword specified.&Cannot change the size of a JPEG image
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
&Retry
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
Window Background
Window Frame
Window Text
Write$Error creating variant or safe array!'%s' is not a valid integer value
&Yes
Yes to &All
;,?%>#
0&0.060>0F0N0V0^0f0n0v0~0
0(*2e{
|09>K3
0)*Fo{
#0qO~p
0:>	U.w
><*0W[&
}1"Aw	
1Eh{AyG
1"kG:i=
1@{pv?
1v4z4~4
+1Y8 g
1/]^ZF =Hwd
2""333:"C8
2""#33:DC8
27E`yI@_
2$B""""C38
2C4"""D338
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
3333333
$3333333
#3333333
33333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
:*"*"$3338
333838
333DDD33333?
$334B"$3
334C33333338
33B$3333333
34""C33333833
*37pO2
3B""$33333
3biMay
3:d2Ie#
3_M\<Y"
3nU|q'
3*	|P6
 3"Rwj
+@42k:^
4a74c0cd
4"*""C3338
4J-RT[
{4kCkz2
4("#TT
4ty&V}c>
4v%ik}o2
5a`:FK
5ivT(/"
5Ns6ph
5qv2a@w
5*v~Pl
5wV<TJU
6(8/8p:w:
6FQ]Y@{x
6iO}kPB0
#6L&B=wXe
-;6>N>%
6N'Rkq
6{T"f~^
7a[=$hj
:%:7:C:
7F8[8l8
{>7nk)
7*Z+0O-
(<7Zj,eDD"
.8+0bi
&=&8\2a
82)I0]"{m
+@8~B?
8Il{`$
-8}IUP
]|8MFK
&8nE`c
96k%,=J
9$9K9R9_9n9}9
9FlBNc
9g_3dy
'A1Ddzys
a=;&A|.m
.aEmUb
?^Aj}E
Aj;/Ml
A:PBNt
  </application> 
  <application> 
aq[*qY
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
aTd.mCw
a;t%\ur8
aujbf`[
AX'idQG
{A}y~';
:b5)BBp
b:8D|?
"B)..ej
b Gn5/#
bHooyF
bl_+<Y2
<b@N[y
'{bp:6
b-qGP+
brK4KI:
BSSh?v1
BU$P1]l
B*xd.?|
b/&$yA
}c%0VQ
:"C333
"C333333
"C3338
"C8338
C9DXA4
CJm@R|H
c=*lF 
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
\.CvCk
/d1NF:
D5F<sG)k
D7H7L7P7T7X7\7`7p7t7x7
:DC33:""$8
"DDB""$3
~^D`&Eo
@ DFgeH
{dgH~.
@D'Ids
DIe2%S
(D	}j{
djnhF/'
Dross 7z
d'w>q:
e0A~Xo
E9]:JTQ5CC@
^'EN]{@
ENf#,st
EnumPrinterDataA
Eo}e3*
*EwH-@
F3LtVY
f;5lwC
F9:%JT
^fCVM\
(F<G[9"
:FLzuNg1
fUFjUE
FuL_nw
F?zgkr<
=g5M4f
g>=@\A
GetConsoleKeyboardLayoutNameW
GetConsoleNlsMode
GetCurrentThread
GetModuleHandleA
GetProcAddress
getservbyname
getsockname
GetSubMenu
GetWindowLongA
GetWindowModuleFileName
%<}gHZ
GO$-yB
gqI1S2<
?	(:gr
'>gT:]
h/0tG6
H1n;B/	
H;7mam
"h9Szh
*:h<bq
hCnUG:
Heap32First
HF)&dn
:HGc[)
hhO]cr
HjI+!!$ Q
H!Nu|n
^h<SiK
H,S J;z
\ht2Q2
#hvS*d,v\
HW"ZwP
i0q0z0
I/#7H=
IAcm$>eK
.idata
I>E_*)
IFF;E4
I(H1$y
I"IOh+
I,j[\;
,IJK<V
 INb^plM
/ItF&$JR
Ito }@
ivB-eF
iv_;k}
Iw%,RJ
J1Bf~X
"J333333
#j5|(%
_jBVNJd5f
"J"C3333
J@d]Oc
J{fhgs
jgal~Z\rdO
JHH0As("
&JhVCQGq
Jk[pAzs
JlMx8z
;j=)/M{
#Jr4tI
Jr&~=h
>jU;1L
jV&Cu/U
JwGu/,
jYA#<<
JzV{VOh
|{-K|~#
*K6J	K=
K,_{a;
K)aG|[\
<KA/LM
.+K*Bj
kb!ud_
kernel32.dll
KSRX;F
k\v#1S~
`l/\\{
>>$~]l
l2!Q{@
l@3P!H\
ld6Y{J
lI-lK\
Lls~n{MU
]	lLsp5
ln4|]N
LoadLibraryW
LocalAlloc
lo''\U
;l]R"X
*.	l`zV
mI}_S^'
mKrCiCI
]mLd]H
mlG`H[
m;O8,RB)
\,m_Pe
M]r\?Hf
mrh'H)^
MtAD^;
mTcFH#
'N7|:-
NeScY<uF
_N`PRwY
?\>Nr6
?N(	U%
,NU_lf
N|viTT
N>]YarN
nZQdj#
@O2/wB/
,_o+$aD
O,: BS
Oc,*iF
ocVQD1
oc{&w%
^`!oeh<A
o:(HD*&F
oHnRr}
O'i8#:
/o;Q_M
os)e^Q
?)OUE,w
OW	_t,*
@O`X0[ls!
{P{0`	
p<10<"
p+5"[	j
<P`lC=
PQmzdI
P.rsrc
PV^XX;
PWcNL 
=?q2qy
>q4IB,
q6]?:=
Q7Us;t
QADK%8
qc5bm|
q">i#kJ
#|q'K"
q<O&p$B
?{Q@PK
/'?^Qsr
qxFz8SLk<N
QyT1Qc
?>%/r0
r|2?IwF
r(2kI3
R;_^3Pb
-r|<7mK
r7ohI6
"/<R8f
r9~]eg
rd7+2K
R{Ejf7
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
.reroc
ResetWriteWatch
]-rfsJr
rIiv($F
rJ*+NAm'
,@rL;C.K>
R[Oe//
rr(U@D
R%SB./
=S04=v*
%s.&5*
%$s6(#x=
ScreenToClient
sDXT<YwJ
      </security>
      <security>
SetActiveWindow
SetMenu
SetWindowWord
;?S]Fs$Q
Sht@oGw
 `@=Sl
smkf+H
SmyN H
'S:<:.O9q
so`^L57
s$PnhC
S@PvYV
sTj LO
SuKVvk
sU.l	&
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
S>V#'c_
Svfqj}
SX@O"wF
sx`{vfsfkWlS
SY?+e2x
Sy,!X%
S\zJvf/
+S-Z v
T3?FmbN
^~T7D/j
~Tc)5C
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
T.J<C9
TjsZ{1
TMp=O.
tN{]c7tlxW
tNH*}]*
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
)#Tu/vk
Tv_dOU
T;XYP|w&
u:0qYq
u|2]>(CrG
U2,q3	4
&u"_3.9~
U;D80Ql
uDE(Mh@
u}dvZ<
U)=\Eh0~
Uf2?n2	k/
;	u!jZ
UMM(3q
user32.dll
uSxxfwee
UV -h<
'/v3:Z
VcNn-F
`V+CyDn
+"vDr+
VirtualAlloc
VirtualProtect
viSqTx
.V@k4l
Vmi43j
VM|Qj	
vN5l}D
v(&={O
VW1;e1
{w5PWJ
WaCsS$
W&CkS5
W,FzJe
winspool.drv
w~JV7hoP8
w*lmKqd
"wmrEX5'
woZkJZJ
ws2_32.dll
WSAAsyncGetHostByName
WSANtohl
.+wuz4
wvsprintfW
XcQ\wM
'X!J:/
Xj'g.g:2
XKC.l5
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
x&qD|m
\Xr xy
XS{c[j
Y9h(?lG
y\a3G"zk\7
YA8NxZ
^Y'dE@*H@
Y_I$wL$E
&Y~*l0<
yn=[hY3
yq2Hr4
,YUf67
?"Z3_9}
z<\(46
z6pi-=K
`ZDz=6$zJ
ZpF{ux
'zSz:i
ZT=ec*Ej~s"}
&ZTMm oOH
ZW	l8k
zx!Vdg
ZyW{nHVH