Analysis Date: 2014-12-14 15:06:46
MD5: a6b9691fb2d4bd5c4f8933c2c5c0ed5d
SHA1: 3c01dea99e516a7a801ef2bdfb41935cd3c7d809

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5be190b835a13dafc02407af89c7fec1 sha1: 990ac1f6f653a8b110d4e6c80223be69e9c204d4 size: 13824
Section .rdata: md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data: md5: 501e771d18ba8848268b6169b49540c2 sha1: 65ece592b1c2bf5cbae8f0d5efb5ef29f1c3d6b9 size: 105472
Section .rsrc: md5: 023ba7fcba9721a052b1c91d9d760252 sha1: 2387f7b033666507af64bee9861bf2c6b323f568 size: 5120
Timestamp: 2009-03-21 17:53:55
Version:
LegalCopyright: Copyright © 2010 PC Tools. c All rights reserved. WM
InternalName: 5BvertuVVm
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName:
ProductVersion: 7.0.0.61
FileDescription: fsSpyware Doctor Componentgn
OriginalFilename: 5BvertuVVm
PEhash: 194802d0e3761bd8cede667ab2424282fcf217ea
IMPhash: 2fbf283320bd2315de3e6bf475b7d766
AV 360 Safe: Gen:Heur.IPZ.7
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): Renosator [Cryp]
AV Arcabit (arcavir): Gen:Heur.IPZ.7
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Agent-246841
AV Dr. Web: Trojan.DownLoader2.38999
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan-Downloader ( 001359961 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.12871493
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan Horse
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: google.se (Type: A) 173.194.125.55
DNS: google.se (Type: A) 173.194.125.56
DNS: google.se (Type: A) 173.194.125.63
DNS: ups.com (Type: A) 153.2.228.50
DNS: ups.com (Type: A) 153.2.224.50
DNS: cj.com (Type: A) 64.156.167.85

Strings