Analysis Date: 2014-09-15 07:47:35
MD5: 437acf090adaa060fb9a153c029831dd
SHA1: 4e29b41b229acf1b7aa3c77c57527b8cd745d1ba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6d9166aa3b4796ac10309b1a9347c256 sha1: 17c334d8d153fd0b9521c0b41e6c5b089ab1fc20 size: 24064
Section .rdata md5: 43333ee8bd22713fad65a0979e24892b sha1: 2ad088f1c7c85893ad6086807357bbea775ec579 size: 11776
Section .data md5: aa080851b6088e42c1b15bafab9ee983 sha1: 54cbe46078799ba011f5c9c8fdeab88f561d8cf5 size: 102912
Section .edata md5: 3c3b2e206f0954c90208e6f03c5885aa sha1: 52043de0bc9fe50585064525ded3fc5ad0a49b39 size: 3072
Section .badata md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc md5: 68506668e794d577bcf7cdd94b44a380 sha1: 829c7bb5a0077f40b5465108dcb1a681c5016123 size: 8704
Timestamp: 2009-09-20 08:49:58
Version:
LegalCopyright: Copyright © 2009 CGSimon TathamC All rights reserved.1q
InternalName: nozer6.exe
FileVersion: 2.0.0.122
CompanyName: Simon Tatham
LegalTrademarks:
Comments:
ProductName: Q Bk
ProductVersion: 2.0.0.122
FileDescription: Codec7T Setup M
OriginalFilename: nozer6.exe
PEhash: e5151d0d576b6fbcbf1a2b7f18791ec75efe29fc
IMPhash: 4d2250cca5ec43c7cee96bcd7a8d04b4
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV F-Secure: Gen:Heur.FKP.6
AV Dr. Web: Trojan.DownLoader3.2839
AV K7: no_virus
AV Fortinet: W32/Krypt.QKV!tr
AV ClamAV: Trojan.Downloader-134589
AV Arcabit (arcavir): Hoax.FlashApp.bsp
AV Symantec: Downloader
AV Grisoft (avg): Downloader.Generic11.ADTS
AV CAT (quickheal): Trojan.Renos.LN
AV VirusBlokAda (vba32): no_virus
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Alwil (avast): MalOb-EM [Cryp]
AV 360 Safe: Gen:Heur.FKP.6
AV Trend Micro: TROJ_RENOS.SM10
AV Ad-Aware: Gen:Heur.FKP.6
AV Zillya!: Trojan.FakeAV.Win32.85534
AV Authentium: W32/Downloader.CO.gen!Eldorado
AV Frisk (f-prot): W32/Downloader.CO.gen!Eldorado
AV Ikarus: Trojan-Downloader.SuspectCRC
AV Norman: doslegacy/Crypt.AVMY
AV Emsisoft: Gen:Heur.FKP.6
AV Avira (antivir): TR/Dldr.Renos.PU.11
AV MalwareBytes: Trojan.Downloader.VCP
AV MicroWorld (escan): Gen:Heur.FKP.6
AV Mcafee: Downloader-CEW.au
AV Rising: Trojan.Win32.Generic.12881E88
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\1BGZDODGYQ\OhuD ➝ 5
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org (Type: A) ➝ 195.35.109.53
DNS: wikileaks.org (Type: A) ➝ 91.218.114.210
DNS: wikileaks.org (Type: A) ➝ 91.218.244.152
DNS: wikileaks.org (Type: A) ➝ 95.211.113.131
DNS: wikileaks.org (Type: A) ➝ 95.211.113.154
DNS: wikileaks.org (Type: A) ➝ 195.35.109.44
DNS: articlesbase.com (Type: A) ➝ 216.146.46.11
DNS: articlesbase.com (Type: A) ➝ 216.146.46.10
DNS: 10086.cn (Type: A) ➝ 117.136.139.2
DNS: topsaj.com (Type: A)
DNS: topjer.com (Type: A)
DNS: hawfruit.com (Type: A)
