Analysis Date: 2015-01-09 22:26:51
MD5: ab64543ab0d978bba887d729aa847d33
SHA1: 40a8b3c409094fe029f5cadbb0870ab991e8b1a5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE    md5: c6428e6922ceecba58b08eb676704c0a sha1: 243fd005ad7cd245bf7eb6385cb61eb5ef325494 size: 11264
Section .data   md5: 65983c86925e1f9d748c0cf011dac38f sha1: 240663124d9c8bacfc7bddf99a987abd9a6b5b88 size: 9728
Section .ihdata md5: e594f53ace96a44a299cee29f90e383c sha1: 7814dca28c0958071977963a7ff2262032505b34 size: 106496
Section .idata  md5: a247e958da6d84720f97e07fc3648c34 sha1: 69b6167dc6b93054c00a720f7bc03c3b34d48535 size: 1024
Section .thdata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .rsrc   md5: c33e65591a0f6879611e21c31483ddb2 sha1: 4ddd7b7eb0507a6c323ba5250b2902177edf18b7 size: 1536
Timestamp: 2009-03-29 20:37:47
Version:
  LegalCopyright: Copyright © 2009 Simon TathamJK All rights reserved.r3
  InternalName: EjorikA.exe
  FileVersion: 2.0.0.110
  CompanyName: Simon Tatham
  LegalTrademarks:
  Comments:
  ProductName: sO U
  ProductVersion: 2.0.0.110
  FileDescription: 2systemq Setup 2c
  OriginalFilename: EjorikA.exe
PEhash: 393415e97988d511b32159b9b0fc97fa1ce1dfc2
IMPhash: 86094fc5ae5983068453f54e5dabdd23
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.27026
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.27026
AV Authentium: W32/Downloader.CO.gen!Eldorado
AV Avira (antivir): TR/Dldr.Renos.ptvi
AV BullGuard: Gen:Variant.Kazy.27026
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Renos-2134
AV Dr. Web: Trojan.DownLoader3.33250
AV Emsisoft: Gen:Variant.Kazy.27026
AV Eset (nod32): Win32/Kryptik.PEC
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/Downloader.CO.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.27026
AV Grisoft (avg): Generic23.LGD
AV Ikarus: Gen.Variant.Kazy
AV K7: Trojan ( 0037efca1 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.au
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.27026
AV Rising: Trojan.Win32.Generic.12892676
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen63
AV Trend Micro: TROJ_RENOS.SMIE
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\W1WIWQ1NPG\OhuD ➝ 5
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS wikileaks.org (Type: A) ➝ 195.35.109.44
DNS wikileaks.org (Type: A) ➝ 195.35.109.53
DNS wikileaks.org (Type: A) ➝ 91.218.114.210
DNS wikileaks.org (Type: A) ➝ 91.218.244.151
DNS wikileaks.org (Type: A) ➝ 95.211.113.131
DNS wikileaks.org (Type: A) ➝ 95.211.113.154
DNS articlesbase.com (Type: A) ➝ 216.146.46.10
DNS articlesbase.com (Type: A) ➝ 216.146.46.11
DNS 10086.cn (Type: A) ➝ 117.136.139.2
DNS cardcabaret.com (Type: A) ➝ 54.209.129.218
DNS blogdemand.com (Type: A) ➝ 107.161.23.204
DNS blogdemand.com (Type: A) ➝ 107.191.99.114
DNS blogdemand.com (Type: A) ➝ 142.4.203.239
DNS rochesterresidential.com (Type: A)
HTTP POST: http://cardcabaret.com/getjson
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 54.209.129.218:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6765 746a736f 6e204854   POST /getjson HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a436f6e 74656e74 2d547970   */*..Content-Typ
0x00000030 (00048)   653a2061 70706c69 63617469 6f6e2f78   e: application/x
0x00000040 (00064)   2d777777 2d666f72 6d2d7572 6c656e63   -www-form-urlenc
0x00000050 (00080)   6f646564 0d0a486f 73743a20 63617264   oded..Host: card
0x00000060 (00096)   63616261 7265742e 636f6d0d 0a557365   cabaret.com..Use
0x00000070 (00112)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000080 (00128)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000090 (00144)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x000000a0 (00160)   6f777320 4e542035 2e30290d 0a436f6e   ows NT 5.0)..Con
0x000000b0 (00176)   74656e74 2d4c656e 6774683a 20333235   tent-Length: 325
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000000d0 (00208)   6f73650d 0a436163 68652d43 6f6e7472   ose..Cache-Contr
0x000000e0 (00224)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x000000f0 (00240)   64617461 3d652f65 3672354a 5a523130   data=e/e6r5JZR10
0x00000100 (00256)   4669776f 474c6735 31516743 39686e62   FiwoGLg51QgC9hnb
0x00000110 (00272)   45786f32 31617433 614f5967 73552f48   Exo21at3aOYgsU/H
0x00000120 (00288)   4c6b7a66 33637577 70447452 7379352b   Lkzf3cuwpDtRsy5+
0x00000130 (00304)   65305a5a 5237336c 4558787a 39534467   e0ZZR73lEXxz9SDg
0x00000140 (00320)   4d367833 30656463 7364774d 4a4f6441   M6x30edcsdwMJOdA
0x00000150 (00336)   462f566a 56735748 46304579 377a444a   F/VjVsWHF0Ey7zDJ
0x00000160 (00352)   57392f73 394a4572 4a307066 72383251   W9/s9JErJ0pfr82Q
0x00000170 (00368)   59366238 48436753 754e6155 71696734   Y6b8HCgSuNaUqig4
0x00000180 (00384)   6f563342 42774b32 74327a37 33524765   oV3BBwK2t2z73RGe
0x00000190 (00400)   7955446a 67737548 4670434c 4f696b52   yUDjgsuHFpCLOikR
0x000001a0 (00416)   50534c39 536a7550 31494238 624b706a   PSL9SjuP1IB8bKpj
0x000001b0 (00432)   746d4a30 69673356 6d566346 6d626f4b   tmJ0ig3VmVcFmboK
0x000001c0 (00448)   73445268 596e5975 435a3154 35514f68   sDRhYnYuCZ1T5QOh
0x000001d0 (00464)   726b6838 6f43676a 36424750 65503656   rkh8oCgj6BGPeP6V
0x000001e0 (00480)   48377a70 4f6d4259 47445750 69463763   H7zpOmBYGDWPiF7c
0x000001f0 (00496)   41374138 46456348 6d6e3470 64637847   A7A8FEcHmn4pdcxG
0x00000200 (00512)   3548415a 51354c50 63357869 7833526a   5HAZQ5LPc5xix3Rj
0x00000210 (00528)   494a7769 794e6573 4a653168 75473573   IJwiyNesJe1huG5s
0x00000220 (00544)   4570376a 7670796b 532f5169 445a754c   Ep7jvpykS/QiDZuL
0x00000230 (00560)   72587941 3d                           rXyA=


Strings
....`
.
.
.
).
.
.1
040904E4
2.0.0.110
 2009 Simon TathamJK All rights reserved.r3
2systemq Setup 2c
7gbp
Comments
CompanyName
Copyright 
DVCLAL
EjorikA.exe
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
Simon Tatham
sO U
StringFileInfo
TFORM1
Translation
VarFileInfo
VS_VERSION_INFO
=04d+U
!0\:?5
0l`$% @Nw
{0w#4<8)
(]+0zk
1kYj6wNgnn@4
%(-1N|x-P
2(Jw})
< 2mYg
2shrFVUtyIYY@24
^2Sj!/
3-5a3Y
*3^7cM%h
3BAVni@20
3.C:/e
48}2j^
+-4MB+N
4=QWT;
_4yVi1fSmXiG@24
5'1*m07
5b^j74GJ
5RQS1P
5SUVWPh
6LS7d6
6O?wn$u
%6;THG
7	%].%
`74<vzz
7: %bp
$7]F#Q
7jag5hbHk@8
_7JnrAy4HVpFC
7Pj]h=@9
7Y\>nu=
89JisW
8dnAQN
9*~8|.
_9Aq3ojv177@20
?!9GVC
9._Lvw
9M&@%kQ-
_9whL3mOa20@16
~A$#(,,
A&,0aH
a\7l{T]
,AD,<mP
'=,"aFg
ah	<C4
`-AlWw
|_/ao,@
AxwAeBfc~
A^Y2aE
#B,aTf
_Bc2yhUr
bE;v^N
BLUJcb
BnRPFoc
By/}ToW
Caption
|[c +_b
	clBtnFace
ClientHeight
ClientWidth
clWindowText
-cOlCy
COMCTL32.dll
?!cpy*
$c@"w.
%D@6Y;
D<8d	u
`.data
,d@}CN
DEFAULT_CHARSET
dgVpCa6
	?_</dyv
{e10b%
e4'e5^e
{EBY|oE
e{-e}\
EjorikA.exe
EmptyClipboard
EnableMenuItem
EnableScrollBar
eQxDn6v@24
;euIo	
eVnsaRNQJ
evWC`|
ExitProcess
,	F8;G
_?fac/
F,=a|jy
f`%jd|
,F_N<Y
fNZFm@20
Font.Charset
Font.Color
Font.Height
	Font.Name
Font.Style
F$r,D]
FTh>)adV
g](1Q_k
g35m5WYinhhpQd
#\'G7&
G98/7654
Gaj*xG
GetLastError
GetMenu
GetThreadLocale
Getvur
giHP7w
;glgcT
GlobalAlloc
	_	g.MxQ
gu maP
Gz7XMW20Bc3UiJ
h4qiw{
I]<bF$
.idata
@.ihdata
I+iuH7d&7
ImageList_Add
ImageList_Draw
-it`"a
_IyI2Lfz4l@8
JCD^3)
.j.DWI
j!g`?<
j[N99Z
j@Sdp|(-
K;9yRj
_KEqUvd@8
KERNEL32.dll
_kjL400GGwK0U
Ko]^WS
|kwK:M
_l3kuOPOTwPL
	L5S\5
/L6Gl3)f 
{)l7R"
	L:.BM
l\IAls
li:CojeP
Ll gG"Km
LL[=J`/
LoadBitmapA
LoadLibraryA
lu- c<
M3aH|R
m4KDhmNdK9s
m6Kz~'ia
main.cpl
Mgg?{d
M~I|vg
mlnn3J
_mMp61wP1PrSba@24
=`Mn9[
mNw~P`m
$MSVCP60
Mul<Div1
^mWPB/
MZTyTEyn
N8Seop3kRsi
Nesv&!
n;`lwz
NT@1*$H0
of_-bv
/OKgRT{UA
OldCreateOrder
o%=M-1	=
ooD~@B,&
oWaL3h
+}OY8&u
OYIHF6mPc@8
~P%3|,
<P3'69
`P3)R]
P4T1oA
P}>BA9
%p<hSi
{PiQL`k
PixelsPerInch
_PKWt0lY@20
/%:PL`K?
%pL,Wa`
pnlj&b
_pQIVnuOLmRs
PQ%[yX
pT7TYJ
pTUoli
pZzU3VLD@4
_q2CajogrNej
Q%i5|j
_qKGzT9z2D9_U
qof5z$OLEAUT}I
QOVI4YUx1cs@8
qS*I^lf
QZ^|&`<
#`.rdaWt
}RRRGLv*
@.rsrc
_rv2ACOYv
R#,yCla41
(#$& S
S67Erjrwgn4A@8
{sAEv3
ScL+KERNLL#/.
SetFilePointer
SetLastError
SetThreadLocale
_SFAQpln
SizeofResource
_sMl3N1QJlU
_sMoSUSmNJHR1@24
sQqFb@
s(UdCe
sV`g#2
s="Y9XL
t<|}5EV
T6k#T0
t7YH=-
|.T8g9
_t8sWlkuR@8
Tahoma
TextHeight
TForm1
@.thdata
!This program cannot be run in DOS mode.
tIsm`8a"
t%la!K-
\tSj][
[TSNY|{XAu
tu#A=?
t.UhdR
_ubNHGliX_6sxrb
ucL8RY
$UNIQSTR
uPaidsH~
$|Uqe7
USER32.dll
<)	UtL-
u/,u9u
<U@YEL
UYluS8
V0-yqw;
v5,zftJ
|V|9<N
VerQueryValueA
VERSION.dll
Vg5Bq.jm
VgiDGlWC0f
VirtualAllocEx
=/]VLb
V_)sion9u
<|w)$<
>;=%W@
W4E1*3u
_WBB1S7
_wBQ8qfqku_jRc
w/ Fu.G
_WNEcW2_pM@8
wq`<|d)
$wq%U%
wV+vr_JF
_w_XO_Q@16
XESOsqUVKH
?Xkt5K
xM|49=
/X_Nu 
XpiCq#P?
xs$NP !G
xY3qZj
X[&YZd
;Y3WjX
,+y5.<!
"][Y<c
Y\\dQ3
-Yg~	{
_ykCjOY
)YnDWu1
Y."NkM
YOjpY3XQm1@8
_YOuKuk9RT@16
_Yp47pE0d0oV_f@8
Y'Qg,4
\y%{rV2v
Z8Ayex:
z&AA<o1
=(z i;
zM3y#1
zN4KiLhg@20
|z@"	oY
z:S"+tO