Analysis Date: 2015-01-22 19:46:24
MD5: 42d3bf9f4704f242e505bdcfee002a99
SHA1: 3a3db5e8ed4c726b632c2a259b33c440d078f69a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE    md5: 732dc104697e4909c4d13dff37fa1500 sha1: f121f6e9706f4dbc2687ca236951898d650dff7e size: 117248
Section DATA    md5: ee7734d74ae1c1cdab5ad8c48eac7d6c sha1: b5b3f26020dc633cceb0ae6566b34f7890e27843 size: 100352
Section BSS     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata  md5: 69d86fc73aabf9349c87d52a9e04f6be sha1: 840bb64858ec3cb7c5370c49d1750ccc664c7b1f size: 1024
Section .rezoc  md5: d77ba3559253cea8c98f33d4f80d3714 sha1: b54ae9caad92264e933a15fd519c7bdca53d6860 size: 512
Section .rsrc   md5: cee6bfb3989ac0aa2e05fe5d031c9709 sha1: 0077c909d4e684683405c5184a7e98f7330a5a11 size: 10752
Timestamp: 1992-06-19 22:22:17
PEhash: 396b24ce9e07a591ebf76c31dd83e0d5eb33ff85
IMPhash: 1346d14537c3514d7fa63b2e43432652

Reading of the static block: the CODE/DATA/BSS/.idata/.rsrc section names and the 1992-06-19 22:22:17 TimeDateStamp (0x2A425E19) are the fixed values the Borland/Delphi linker writes into every executable, so the timestamp says nothing about when this sample was built; the Delphi VCL messages and the "This program must be run under Win32" stub text in the Strings section confirm the toolchain. BSS has a raw size of 0, so its MD5/SHA1 are simply the hashes of empty input and carry no information. .rezoc is not a name any standard linker emits and is the one section worth treating as a packer or crypter artefact; the crypter-generic verdicts below (Crypt.ZPACK, KRYPTK, MalOb-GP [Cryp]) are consistent with that.
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.Renos.oyW@cmlFlxic
AV Alwil (avast): MalOb-GP [Cryp]
AV Arcabit (arcavir): Gen:Trojan.Heur.Renos.oyW@cmlFlxic
AV Authentium: W32/FakeAlert.NZ.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen2
AV BullGuard: Gen:Trojan.Heur.Renos.oyW@cmlFlxic
AV CA (E-Trust Ino): Win32/FakeCodec.I!generic
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Downloader-112315
AV Dr. Web: Trojan.DownLoader3.14003
AV Emsisoft: Gen:Trojan.Heur.Renos.oyW@cmlFlxic
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Delf.AR!tr
AV Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.Renos.oyW@cmlFlxic
AV Grisoft (avg): FakeAV.PIT
AV Ikarus: Trojan.Fakeav
AV K7: Trojan ( 002a35bc1 )
AV Kaspersky: Trojan-Downloader.Win32.CodecPack.sjt
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ba
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.oyW@cmlFlxic
AV Rising: no_virus
AV Sophos: Mal/FakeAV-NJ
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_KRYPTK.SMCZ
AV VirusBlokAda (vba32): SScope.Trojan.ExpProc.019

Vendor consensus: a Renos/FakeAlert-family downloader (the loader stage of a fake-AV / fake-codec scheme), with the remaining names being crypter-generic or Delphi-generic (W32/Delf). Two of 29 engines report nothing.
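The per-section hashes above can be reproduced, and two checks worth running on any Delphi-looking sample applied, with nothing beyond the Python standard library. This is an added example, not code from the sandbox or the report; the PE it runs on is built inline to mimic the report's layout (the fixed 1992-06-19 linker timestamp, an empty BSS, a non-standard .rezoc section) and is not the analysed file. The KNOWN_SECTIONS allow-list is the author's own.

```python
"""Static triage of a PE section table with only the standard library. Added example,
not sandbox code; build_sample_pe() constructs a stand-in, not the analysed file."""
import hashlib
import struct
from datetime import datetime, timezone

# Borland/Delphi linkers stamp every PE with this fixed TimeDateStamp
# (0x2A425E19 == 1992-06-19 22:22:17 UTC), so it carries no build-date information.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
# Section names Delphi and Microsoft linkers emit (author's list); anything else deserves a look.
KNOWN_SECTIONS = {"CODE", "DATA", "BSS", ".idata", ".edata", ".tls", ".rdata", ".reloc",
                  ".rsrc", ".text", ".data", ".bss", ".CRT"}


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header and section table; hash each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                     # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def triage(data: bytes) -> dict:
    """parse_pe() plus the checks a first look at the static block needs."""
    info = parse_pe(data)
    info["timestamp_utc"] = datetime.fromtimestamp(
        info["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    flags = []
    if info["timestamp"] == DELPHI_FIXED_TIMESTAMP:
        flags.append("TimeDateStamp is the fixed Delphi linker value; ignore it as a build date")
    for s in info["sections"]:
        if s["name"] not in KNOWN_SECTIONS:
            flags.append(f"non-standard section name {s['name']!r} (packer/crypter artefact?)")
        if s["size"] == 0 and s["md5"] == EMPTY_MD5:
            flags.append(f"section {s['name']} has no raw data; its hashes are those of empty input")
    info["flags"] = flags
    return info


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE (not the real sample) carrying just the fields the checks read."""
    sections = [(b"CODE", b"\x55\x8b\xec\xc3" * 12), (b"BSS", b""), (b".rezoc", b"\x00" * 32)]
    header_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), DELPHI_FIXED_TIMESTAMP, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic, remainder zeroed
    table, body, raw_ptr, va = b"", b"", header_len, 0x1000
    for name, content in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), max(len(content), 1), va,
                             len(content), raw_ptr if content else 0, 0, 0, 0, 0, 0x60000020)
        body += content
        raw_ptr += len(content)
        va += 0x1000
    return dos + b"PE\0\0" + coff + optional + table + body


if __name__ == "__main__":
    result = triage(build_sample_pe())
    print("TimeDateStamp:", result["timestamp_utc"])
    for s in result["sections"]:
        print(f"{s['name']:<8} size={s['size']:<6} md5={s['md5']}")
    for f in result["flags"]:
        print("-", f)
```

Run on a real file, `triage(open(path, "rb").read())` reproduces the "Section ... md5/sha1/size" lines of the report; the empty-section check explains the BSS hashes, and the timestamp check stops the 1992 date being read as a build date.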

Runtime Details:

Screenshot: (not preserved in this copy of the report)

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 ➝ NULL
  (the report rendered the zone subkey as "\\\x03\"; it is almost certainly zone 3, the Internet zone, and 1601 is URLACTION_HTML_SUBMIT_FORMS, a policy value urlmon/WinINet reads on the caller's behalf, so this is a read of IE zone policy, not a setting the sample writes)
Registry: HKEY_CURRENT_USER\Software\3XQZ6EO4AP\OhuD ➝ 5
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Reading of the runtime block: the sample writes a copy of itself to C:\WINDOWS\Ojawia.exe and executes it, and both the parent and the copy write a Task Scheduler job file under C:\WINDOWS\Tasks (the on-disk task store on the Windows XP guest, as the Documents and Settings paths show), so persistence here is a scheduled task rather than a Run key; the copy deletes and re-creates the .job, so the file left at the end of the run is the copy's version. Both processes create the same Global\{GUID} mutex, which is the usual single-instance guard and a usable correlation point between the two. HKCU\Software\3XQZ6EO4AP\OhuD = 5 is a random-looking per-install key; most likely installation state, though the report does not show what reads it. The index.dat files, the WinINet path mutexes and WininetConnectionMutex show that the copy drives HTTP through WinINet, which is what produces the DNS traffic below. Opening PIPE\lsarpc is what LSA account/SID lookups commonly produce and is not suspicious on its own.
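A worked example of turning an event listing like the one above into findings. This is added code, not the sandbox's; the EVENTS list is constructed to mirror the report, and the rule thresholds (an executable written straight into the Windows root and then executed, a Task Scheduler .job written, a GUID-named Global mutex shared by parent and child, a random-named key directly under HKCU\Software) are the author's own choices. The IE zone read is included to show that it does not trip the registry rule.

```python
"""Behavioural triage over sandbox events of the kind listed under Runtime Details.
Added example, not sandbox code; EVENTS is constructed to mirror the report."""
import re
from collections import defaultdict

WINDIR = "c:\\windows\\"
TASKS_DIR = WINDIR + "tasks\\"
GUID_MUTEX = re.compile(r"global\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
# A key directly under HKCU\Software whose name is 8+ upper-case letters/digits with at least one digit.
RANDOM_HKCU_KEY = re.compile(r"HKEY_CURRENT_USER\\Software\\(?=[A-Z0-9]*\d)[A-Z0-9]{8,}\\")

EVENTS = [  # (process, action, target); constructed from the report's listing
    ("C:\\malware.exe", "Creates File", "C:\\WINDOWS\\Ojawia.exe"),
    ("C:\\malware.exe", "Creates File", "C:\\WINDOWS\\Tasks\\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job"),
    ("C:\\malware.exe", "Creates File", "PIPE\\lsarpc"),
    ("C:\\malware.exe", "Creates Process", "C:\\WINDOWS\\Ojawia.exe"),
    ("C:\\malware.exe", "Creates Mutex", "Global\\{BC9BACEF-649A-45ff-A468-C000D051F283}"),
    ("C:\\WINDOWS\\Ojawia.exe", "Registry",
     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1601"),
    ("C:\\WINDOWS\\Ojawia.exe", "Registry", "HKEY_CURRENT_USER\\Software\\3XQZ6EO4AP\\OhuD"),
    ("C:\\WINDOWS\\Ojawia.exe", "Creates File", "C:\\WINDOWS\\Tasks\\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job"),
    ("C:\\WINDOWS\\Ojawia.exe", "Creates File", "C:\\Documents and Settings\\Administrator\\Cookies\\index.dat"),
    ("C:\\WINDOWS\\Ojawia.exe", "Creates Mutex", "WininetConnectionMutex"),
    ("C:\\WINDOWS\\Ojawia.exe", "Creates Mutex", "Global\\{BC9BACEF-649A-45ff-A468-C000D051F283}"),
]


def triage(events):
    """Return sorted, de-duplicated (rule, evidence) findings for (process, action, target) triples."""
    findings, dropped, mutex_owners = [], {}, defaultdict(set)
    for proc, action, target in events:
        low = target.lower()
        if action == "Creates File" and low.startswith(WINDIR) and low.endswith(".exe") \
                and "\\" not in low[len(WINDIR):]:
            dropped[low] = proc                      # executable written straight into the Windows root
        elif action == "Creates Process" and low in dropped:
            findings.append(("dropper: executes a copy it wrote into %WINDIR%",
                             f"{dropped[low]} -> {target}"))
        elif action == "Creates File" and low.startswith(TASKS_DIR) and low.endswith(".job"):
            findings.append(("persistence: Task Scheduler .job written", target))
        elif action == "Creates Mutex" and GUID_MUTEX.fullmatch(low):
            mutex_owners[target].add(proc)           # decided after the loop: shared or not?
        elif action == "Registry" and RANDOM_HKCU_KEY.match(target):
            findings.append(("marker: random-named key under HKCU\\Software", target))
    for mutex, owners in mutex_owners.items():
        if len(owners) > 1:                          # parent and dropped copy coordinate on one mutex
            findings.append(("correlation: GUID mutex shared by parent and dropped copy", mutex))
    return sorted(set(findings))


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"{rule}: {evidence}")
```

The same four rules map onto a process-creation / file-write / registry event source such as Sysmon with only the field names changed; the .job rule is XP-specific, since later Windows versions store tasks as XML under System32\Tasks.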

Network Details:

DNS: wikileaks.org (A) ➝ 95.211.113.131, 95.211.113.154, 195.35.109.44, 195.35.109.53
DNS: articlesbase.com (A) ➝ 216.146.46.10, 216.146.46.11
DNS: 10086.cn (A) ➝ 117.136.139.2

The report records only these resolutions and no HTTP or other traffic to the resolved hosts, and all three names are well-known legitimate sites, so they read as Internet-reachability checks rather than command-and-control; that is an inference from the absence of further traffic, not something the capture proves. They should not be promoted to network indicators on this evidence.

Raw Pcap: (download link not preserved in this copy of the report)

Strings

The tool lists extracted strings in sorted order, which scatters multi-line artefacts across the dump and fuses Delphi resource strings that are stored with a one-byte length prefix (the stray "?", "1", "*", "(", "@" and tab characters between messages in the raw dump are those prefixes: "?" is 0x3F = 63, the length of the message that follows it). Below the entries are grouped and split back into their original form. The bulk of the raw dump consists of short printable runs from the packed sections with no recoverable meaning and is not reproduced.

Embedded application manifest (reassembled in document order; the original is split into single lines by the sorter):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!--The ID below indicates application support for Windows 7 -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <!--The ID below indicates application support for Windows Vista -->
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    </application>
  </compatibility>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

requestedExecutionLevel="highestAvailable" means that on Vista/7 an administrator account in Admin Approval Mode gets a UAC consent prompt at launch and the sample then runs elevated, while a standard user runs it unelevated with no prompt. The identity name "Windows (c) Setup UAC" imitates a Windows component, but it is not what the consent dialog displays (that comes from the version resource or file name). The sandbox guest was Windows XP, where the manifest has no effect, so none of this shows in the runtime block above.

Imported or referenced modules and APIs (casing as in the binary):

kernel32.dll
user32.dll
winspool.drv
Untfs.DLl
GetProcAddress
LoadLibraryExA
LoadLibraryW
LocalAlloc
LocalFree
VirtualAlloc
VirtualProtectEx
OpenProcess
SetLastError
DeleteFileA
GetNativeSystemInfo
GetFirmwareEnvironmentVariableW
WTSGetActiveConsoleSessionId
EnumUILanguagesW
EnumDisplaySettingsExW
DeferWindowPos
GetSystemMenu
PostMessageW
OpenPrinterA
DocumentPropertiesW
SetFormA

LoadLibrary/GetProcAddress beside VirtualAlloc/VirtualProtectEx is the usual shape of an unpacking stub that resolves its real imports at run time; on that reading the static import table, and so the IMPhash above, describes the wrapper rather than the payload. The winspool.drv printer calls and GetFirmwareEnvironmentVariableW are out of place in a downloader and the report shows no evidence of them being called; one reading is that they are there to make the import table look like an ordinary application, but that is a guess.

Section names found in the strings:

.idata
.rezoc
P.rsrc   (the .rsrc name preceded by a stray byte)

Delphi/VCL runtime strings (button captions, key names, month and day names, and the RTL/VCL exception messages, split at their length prefixes; their presence together with "This program must be run under Win32" identifies the compiler):

This program must be run under Win32
3D Light
Abort
Abstract Error
Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error
Format '%s' invalid or incompatible with argument
April
Assertion failed
August
September
BBABORT
BBALL
BBNO
BBOK
BBRETRY
Bitmaps
Bits index out of range
Can't write to a read-only resource stream
CheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form
Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control
Failed to delete tab at index %d
Failed to retrieve tab at index %d
Failed to get object at index %d
Failed to set tab "%s" at index %d
Failed to set object at index %d
MultiLine must be True when TabPosition is tpLeft or tpRight
%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow
Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast
Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation
Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'
Variant method calls not supported
No help keyword specified.
Cannot change the size of a JPEG image
Not enough timers available
GroupIndex cannot be less than a previous menu item's GroupIndex
Cannot create form. No MDI forms are currently active
A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction
Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file
Disk full
&Retry
%s
Could not convert variant of type (%s) into type (%s)
Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday
Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
Window Background
Window Frame
Window Text
Write
Error creating variant or safe array
'%s' is not a valid integer value
&Yes
Yes to &All

Other notable strings (meaning not established by the report):

ADVANCEDSETUPDIALOG
DEVICEMODE
r:\sdjhskjbulds
-X.vbs
397f50f1
FCBCIA
PCPE58
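Two small helpers for the artefacts a sorted strings dump like this one garbles: a splitter for Delphi resource strings fused at their one-byte length prefix, and a parser that pulls the execution level, identity name and supported-OS list out of an embedded application manifest. Added example; this is not code from the sandbox or the report. The manifest text embedded in the block is the one reassembled from the dump above; the splitting heuristic is the author's and accepts only exact length matches, so an entry whose final message contained a non-printable byte (Delphi's #10 inside multi-line messages such as "Exception %s in module %s at %p.") was truncated by the extractor and is returned unsplit.

```python
"""Post-processing for a strings dump of a Delphi binary: split length-prefixed
resource strings and summarise the embedded manifest. Added example, not sandbox code."""
import xml.etree.ElementTree as ET

ASM_V1 = "{urn:schemas-microsoft-com:asm.v1}"
ASM_V3 = "{urn:schemas-microsoft-com:asm.v3}"
COMPAT = "{urn:schemas-microsoft-com:compatibility.v1}"
SUPPORTED_OS_IDS = {  # GUIDs documented by Microsoft for the <supportedOS> element
    "{e2011457-1546-43c5-a5fe-008deee3d3f0}": "Windows Vista",
    "{35138b9a-5d96-4fbd-8e2d-a2440225f93a}": "Windows 7",
}

# Manifest reassembled from the report's strings dump (sample input for manifest_summary).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!--The ID below indicates application support for Windows 7 -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <!--The ID below indicates application support for Windows Vista -->
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    </application>
  </compatibility>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def split_delphi_strings(entry: str) -> list:
    """Split a dump line that fused consecutive length-prefixed (ShortString-style) entries,
    e.g. 'Abstract Error?Access violation ...' where '?' (0x3F = 63) is the length of the text
    that follows. Heuristic: the first position whose byte equals the length of the next chunk,
    with every later chunk parsing the same way, is taken as the boundary. A line whose last
    message was truncated by a non-printable byte never parses exactly and is returned whole."""
    def parse_rest(s):
        chunks = []
        while s:
            n = ord(s[0])                     # length prefix of the next string
            if n < 1 or 1 + n > len(s):
                return None                   # declared length does not fit: not a boundary
            chunks.append(s[1:1 + n])
            s = s[1 + n:]
        return chunks

    for i in range(1, len(entry)):
        rest = parse_rest(entry[i:])
        if rest is not None:
            return [entry[:i]] + rest
    return [entry]


def manifest_summary(manifest_xml: str) -> dict:
    """Extract the fields that matter for triage from an application manifest."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    ident = root.find(ASM_V1 + "assemblyIdentity")
    level = root.find(f"{ASM_V3}trustInfo/{ASM_V3}security/"
                      f"{ASM_V3}requestedPrivileges/{ASM_V3}requestedExecutionLevel")
    os_ids = [e.get("Id") for e in root.iter(COMPAT + "supportedOS")]
    summary = {
        "name": ident.get("name") if ident is not None else None,
        "execution_level": level.get("level") if level is not None else None,
        "ui_access": level.get("uiAccess", "false") if level is not None else None,
        "supported_os": [SUPPORTED_OS_IDS.get(i, i) for i in os_ids],
        "flags": [],
    }
    if summary["execution_level"] in ("requireAdministrator", "highestAvailable"):
        summary["flags"].append(f"asks for elevation at launch ({summary['execution_level']})")
    if summary["ui_access"] == "true":
        summary["flags"].append("uiAccess=true (UI automation privilege requested)")
    return summary


if __name__ == "__main__":
    for line in ("August\tSeptember",
                 "Abstract Error?Access violation at address %p in module '%s'. %s of address %p",
                 "Privileged instruction(Exception %s in module %s at %p."):
        print(split_delphi_strings(line))
    print(manifest_summary(SAMPLE_MANIFEST))
```

The splitter deliberately refuses inexact matches rather than guessing: a false split would fabricate two strings that never existed in the binary, which is worse for a report than one fused line.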