Analysis Date: 2014-12-19 17:59:59
MD5: 04d1af0c3d6975704e86a358a1a08f2d
SHA1: 5cdf945d549e1aa25d60337edeebd476ed3b834f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: b787d2fe524d3a13b07304e63d92a55f sha1: 488b73f1d7caf5e419cbb96b17b1bb5e4a80b44f size: 28672
Section .rdata md5: 31003ee723ca06933ecd374b9c185d77 sha1: 01026fa46ea3643c17a5e36edad935f56ef6211b size: 9728
Section .data md5: 1bce409e1f57163cbc36b587b897d4ee sha1: d5a47a8e16f789a0fba70e98707f00169e4050b2 size: 102400
Section .edata md5: cf7e6376b7ecdef80fbde8ab17d350bb sha1: b51cad8e42752a6e1c7fe57a3e112cb08b912444 size: 2560
Section .badata md5: 46bfeb5537621e709fa09755f9f1f5c1 sha1: 974f4f4152f5fb212e90a3ff79b53ccb14ea55b2 size: 512
Section .rsrc md5: 08fadcd04656fef32275de90d9622b65 sha1: bc9f684eb3ddeaa99155fea4ec4fb89775bcc80b size: 8704
Timestamp: 2009-06-09 04:55:34
Version
LegalCopyright: Copyright © 2009 gSimon TathamCm All rights reserved.aB
InternalName: cZnozerrAR.exe
FileVersion: 2.0.0.122
CompanyName: Simon Tatham
LegalTrademarks:
Comments:
ProductName: l bA
ProductVersion: 2.0.0.122
FileDescription: Codec Setup Ne
OriginalFilename: cZnozerrAR.exe
Packer: Borland Delphi 4.0
PEhash: a68532f047181d0161a84ea083a714b749630626
IMPhash: 99761be8713284066aae761d7d84304d
AV 360 Safe: Gen:Variant.Kazy.24373
AV Ad-Aware: Gen:Variant.Kazy.24373
AV Alwil (avast): MalOb-EM [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.24373
AV Authentium: W32/Downloader.CO.gen!Eldorado
AV Avira (antivir): TR/Dldr.Renos.PU.10
AV BullGuard: Gen:Variant.Kazy.24373
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Win.Trojan.Agent-37543
AV Dr. Web: Trojan.DownLoader2.25030
AV Emsisoft: Gen:Variant.Kazy.24373
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/PackZbot.D!tr
AV Frisk (f-prot): W32/Downloader.CO.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.24373
AV Grisoft (avg): Citem.DSB
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Backdoor ( 04c501231 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader.VCP
AV Mcafee: Downloader-CEW.au
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.24373
AV Rising: Trojan.Win32.Generic.12882F73
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Downloader
AV Trend Micro: TROJ_RENOS.SM10
AV VirusBlokAda (vba32): BScope.Trojan.MTA.0129

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\J40NOZ44HU\OhuD ➝ 5
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org (Type: A) ➝ 95.211.113.131
DNS: wikileaks.org (Type: A) ➝ 95.211.113.154
DNS: wikileaks.org (Type: A) ➝ 195.35.109.44
DNS: wikileaks.org (Type: A) ➝ 195.35.109.53
DNS: wikileaks.org (Type: A) ➝ 91.218.114.210
DNS: wikileaks.org (Type: A) ➝ 91.218.244.151
DNS: articlesbase.com (Type: A) ➝ 216.146.46.10
DNS: articlesbase.com (Type: A) ➝ 216.146.46.11
DNS: 10086.cn (Type: A) ➝ 117.136.139.2
DNS: hawfruit.com (Type: A)
DNS: musichalll.com (Type: A)
DNS: topjer.com (Type: A)

Strings