Analysis Date: 2014-01-12 23:59:29
MD5: e359748e1a5d8a68db53d5493a9a9c4c
SHA1: 4f614226e77eb80c1fd4ce4a63084ad3359be53b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections:
  .text   md5: a7c2c0b0bf4257f59129a3499dc41fd4  sha1: 7cc6945796465cbaf8db170f05f9fcde2aca0fb4  size: 12288
  .rdata  md5: 25d2cf3a0676927528da8e1bebe0b9ab  sha1: ef9577fc362a546d809564254957175ff668679c  size: 2560
  .data   md5: 23d387638648a1a7a9112e632263cbd2  sha1: bec3f57dc1e4195eb64077006bb1d71ae2fcdbbc  size: 102912
  .rsrc   md5: 97c035d08782b925f88d8d9752cee0de  sha1: bcafb971856a7801c1aa0543d6324e94c9f6d102  size: 4608
Timestamp: 2009-09-10 05:56:31
Version info:
  LegalCopyright: Copyright © 2010 q3 AVG Technologies CZ, s.r.o.s
  InternalName: SWav_g_amrpv
  FileVersion: 9.0.0.832
  CompanyName: AVG Technologies CZ, s.r.o.
  PrivateBuild: Win32 Release_Unicode
  ProductName: AVG Internet Security 4i
  SpecialBuild: Avg8VC84i_2010_0603_213001(832), SVNRev 132525ER (/branches/release/avg90_sp3)
  ProductVersion: 9.0.0.832
  FileDescription: A AVG Alert Manager
  OriginalFilename: SWav_g_amrpv
PEhash: 1591af960c93ea1d8dfe4efcd6d34f31f858ad23
AV (avg): Win32/Cryptor
AV (mcafee): Downloader-CEW.ai

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Deletes File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Mutex: Global\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}

Network Details:

DNS: ameba.jp   Type: A ➝ 180.233.142.60
DNS: wretch.cc  Type: A ➝ 98.139.102.145
DNS: wretch.cc  Type: A ➝ 106.10.165.51
DNS: wretch.cc  Type: A ➝ 77.238.178.122
DNS: wretch.cc  Type: A ➝ 87.248.120.148
DNS: wretch.cc  Type: A ➝ 68.180.206.184

Strings
040504b0
 2010 q3 AVG Technologies CZ, s.r.o.s
9.0.0.832
A AVG Alert Manager
Avg8VC84i_2010_0603_213001(832), SVNRev 132525ER (/branches/release/avg90_sp3)
AVG Internet Security 4i
AVG Technologies CZ, s.r.o.
BBABORT
biS2
Cannot open file "%s". %s
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PrivateBuild
ProductName
ProductVersion
Property is read-only
Property %s does not exist
PvhN
Resource %s not found
SpecialBuild
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
SWav_g_amrpv
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
Win32 Release_Unicode
XcxS
CopyEnhMetaFileA
DrawMenuBar
EnableWindow
EqualRect
ExitProcess
FillRect
FindWindowA
GDI32.dll
GetCommandLineW
GetCurrentProcess
GetCurrentThread
GetCursor
GetDCOrgEx
GetMenuItemCount
GetModuleHandleW
GetTextColor
GetTopWindow
GetWindow
IsBadReadPtr
kernel32.dll
LoadBitmapA
LoadCursorA
shell32.dll
Shell_NotifyIconW
SHFileOperationA
SHGetDiskFreeSpaceA
SHGetSpecialFolderLocation
SWav_g_amrpv
!This program cannot be run in DOS mode.
UNIQSTR
user32.dll
VirtualAlloc