Analysis Date: 2014-10-31 15:45:17
MD5: d4e9ce8e741970a1d86a9833217377f7
SHA1: 5d01461f6096f0f97a07207310c17f4456e637fb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 8ce6f7dc87f5bdaada316606760371ec sha1: ae7cf539a7e81a1cb96832f76f19a677d28c073a size: 35840
Section DATA md5: fbf92e3c6d3a35f5d96e7f4dbe22473e sha1: 9e49db03b5ce6f034bf2a9a75b8ccbac2267ca4a size: 100352
Section .ABSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 95603bf259bd1e1dd24052a527ddde3f sha1: 164595f8f581e0b5515516b852c921873a6a1b30 size: 1024
Section .relac md5: 8115b4e31b189d38c2f026b9ecc7fcff sha1: 98ec493558123f80c9d2fad63a5e305f5bf1a7fa size: 1024
Section .rsrc md5: 7c6c7de8738107b0fa81323c4a378a2d sha1: b7eda415ee26c7947cdcda7694ca066ee9b0d659 size: 10752
Timestamp: 1992-06-19 22:22:17
PEhash: 8cd59a9d800eb6755fd3ee4bcbebdf7d6820a467
IMPhash: 45402aae2cf08bd0586b96b8a5dd70cc
AV 360 Safe: Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV Ad-Aware: Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV Alwil (avast): MalOb-GP [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.NZ.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen2
AV BullGuard: Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV CA (E-Trust Ino): Win32/FraudLoad.F!generic
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Downloader-109591
AV Dr. Web: Trojan.DownLoad2.30241
AV Emsisoft: Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV Eset (nod32): Win32/Kryptik.QTN
AV Fortinet: W32/Delf.AT!tr
AV Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV Grisoft (avg): Downloader.Generic11.AWNL
AV Ikarus: Trojan-Downloader.Win32.CodecPack
AV K7: Trojan-Downloader ( 0027e2ae1 )
AV Kaspersky: Trojan-Downloader.Win32.CodecPack.axic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ba
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV Norman: Gen:Trojan.Heur.Renos.jyW@cGjh!poc
AV Rising: no_virus
AV Sophos: Mal/Delf-AR
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_RENOS.SMA1
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org
Type: A
91.218.114.210
DNS: wikileaks.org
Type: A
91.218.244.151
DNS: wikileaks.org
Type: A
95.211.113.131
DNS: wikileaks.org
Type: A
95.211.113.154
DNS: wikileaks.org
Type: A
195.35.109.44
DNS: wikileaks.org
Type: A
195.35.109.53
DNS: articlesbase.com
Type: A
216.146.46.10
DNS: articlesbase.com
Type: A
216.146.46.11
DNS: 10086.cn
Type: A
117.136.139.2

Raw Pcap

Strings
.
M.j
C
T
RT
.^

3D Light
Abort
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
BBABORT
BBALL
BBNO
BBOK
BBRETRY(
Bitmaps
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form	Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRightE%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'"Variant method calls not supported
No help keyword specified.&Cannot change the size of a JPEG image
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
&Retry
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
Window Background
Window Frame
Window Text
Write$Error creating variant or safe array!'%s' is not a valid integer value
&Yes
Yes to &All
0"0*020:0B0J0R0Z0b0j0r0z0
011X1x1
%0:[6'E
0(E:{s
0 Z_oF
1004276340
1027117252
1063616471
110550704
1135529383
1154222168
1173501832
1241559669
1252653999
1267163546
1270381934
1324370334
134581779
1349746065
1369890615
1398894064
1464980624
1475453343
1490685672
1495509943
1564501607
164512996
1675394787
1699950502
1754799688
1771246539
1791271297
1797669536
1798991500
183003097
1857039659
1bdF](W
1BN(iu
1(DYDTP
1L1f2o2
]1tyQiB
2021422140
2102201403
2143803128
2""333:"C8
2""#33:DC8
2.3@3F3L3R3X3^3d3j3p3v3|3
258296531
26at|=H
297292878
2$B""""C38
2C4"""D338
3:"""""
30546844
311411922
329285909
:33:"$
"*"$33
3333:"$
33333?
333333
3333333
$3333333
#3333333
33333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
:*"*"$3338
333838
333DDD33333?
$334B"$3
334C33333338
338840204
33B$3333333
3?3G3$4,4
346833630
34""C33333833
355348362
360X.>R
366733538
381315567
3B""$33333
3qNE*k%C
3tvI3!
462470106
495811814
4"*""C3338
5430418
565486664
573324557
585@5i5
_5[,A`
5d'H	3
5drrJG
|5G9KG
5H6v6~6
%5pdPZ1
5=RowT
5V[5sx
5:vp^;
607575689
642034985
660769923
67&ovF
698414224
;#;/;6;<;F;L;T;Z;a;j;q;x;
6FM]bV
[6ls)@=
6-"P{v$
$6)R$B
<6]RrJ[
6Ys.bS
704291798
722527733
737949533
@74_gh.b
751883271
7!7+757?7I7S7]7&:-:@:
78283148
(7)IpzJ
//7;LT|=
7s:0rB^
7]?<Yb.?'q3
819790065
821224133
836649287
886979437
8972641
-8"dFZpMv
8PRPAG
({8+T]
^"&9E5
9+FZ'b)
9Gh2HJ1
9Qz1}=
?9u*2q
9U#OxH
A*6EY`
a8a404c
)AC.$W
  </application> 
  <application> 
appwiz.cpl
appwiz.cpl 
</assembly>
<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
axTL_E4
	b^0(Ig
B2"'E	
,b3n)0
b|"-	68
bDhG+|
BHHhT2@
<b=l=r=
>-?[?c?
:"C333
"C333333
"C3338
c4|0w+
$ C7mc
"C8338
!c8Fs1Ho
C$8yhC
c"E_j9
C%EVdE
;%C\FP
CgK(,L\
ChangeDisplaySettingsExA
CloseDesktop
'[CNc#7
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
cQ>2sx
CreateDirectoryExW
cY$9eD
:DC33:""$8
"DDB""$3
@De$<8
<description>Process handle and DLL viewer</description>
dG"?J:
[Dope=
Dz@*:[l
DzWA#X
Ekq|"(N
e/kqZd
E\o<%vK~
eR{M?o
ExpungeConsoleCommandHistoryA
\f2Bv|
F4!])c'(
$>F5'r^
![F,{71*
FindWindowExA
Fj?9d;V
)|f@+Kq
fmd[pK
fOib,B,K
:>;F;q;y;
_^]-Ftx
f%<w"$
G25a;w
/~G4ku
G :aG#
G#DnFY
GetModuleHandleA
GetProcAddress
GetThreadPriorityBoost
GetWindowModuleFileNameA
GlobalAlloc
GlRP$H
@_h0tZ
H}a*P1g
Heap32ListFirst
{hF0!2!$
H@UU@`
hWU1*	
.idata
iDj}5	
IsDialogMessageW
itu01f
iu]Yf#?e
<<;+;j
"J333333
J8"Eb%
"J"C3333
JI<Qp,Y5GWi
jjjWfP
j%Q}r 
JweSyJX
jX}D:\
K171ll @YO"
KAbHI"
KDt=+:
kernel32.dll
%k@EZ[oD
K']%FQqNE|"
kJT\n^C
K+l1CP
k)n66L
kpJQ!%
Ks\qTQ
KV<>0@X$
l3>J lz:
L{9kRR*
{L9<Os
lc-5{}
<=leL@
l>LQJe
l,Nago#5
Lnis^UY
LoadLibraryExA
lstrcpy
lTX?Dtwy`
|Lu1Pq
m[/9<5h	*
M9LmR<)
M"Dg_$
M~ikjv
mlS:mYS`
MU v2'xpST
+);`n/
n1<?b!
    name="UAC Setup (c) Windows"
Ndgqlk
>*N*F	
n.I}k,"
NLv&Pp,
n[Mf"T
\NqW7e
;+n%>V
nZC[J)
|O0-)q
{\,O2^
/o2xb*
O6]o9JL
O6og>3
O7yqB"
oF`Qn*L
,]|";|OG>3b
+OkT;z
#pah,p
^PK+YGqVJ
    processorArchitecture="x86"
P.rsrc
PzK3h,
q>5LIwc+!
q~;}|h}!K
q-:mdI
:qo7/	
qu_bZ6
qV\71q
<Q<X<d<|<
R90of_'*
RealGetWindowClassA
recvfrom
.relac
RemoveDirectoryW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
`.*rgi
@RQDAu
)r$>zI
S4Fsv^+
SbW)&H
 sd@,M\7
      </security>
      <security>
SetDeskWallpaper
!S,/Mp
Sn$n~,
s Si@!F6rh
         <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
         <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
=Sw@%5,
T1J'n~
|t:9?!G
ta'lB[
       <!--The ID below indicates application support for Windows 7 --> 
       <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
TileChildWindows
]TMk5hbs
Tp2?.Tbs
    </trustInfo>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
*trwe)Iv
^tTI~W
|tVu>8
>TY-e	
    type="win32"/>
U1G))C
%%U%2s
$U5fU+
=uceN8
uklCZu
UpdateWindow
U{]r3\BwW
user32.dll
uyVc{v
]+v-% ~
V#>2$"
v!<>7&
 V-CsB
v{c~yivinZoV
    version="5.1.0.0"
VirtualAlloc
VirtualProtect
	: vK9$Z
VMP '	-
vq:7-k
vs: iL
vS*m-(
VTWrgnz
w9\a"y
wALy 3y*T
:wHmd[
Wiw,UEJ
WJYd:#B
":WK.>Gh
.wmo&\
WrBW%^
Wrd[7t
ws2_32.dll
WSAAddressToStringW
WSAEnumProtocolsA
WSALookupServiceEnd
WSCEnumProtocols
wuwNJ(xYA
wvsprintfW
x0F,sg
X+:<8n
x<jO8.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X:+_,]N
X?us9w`<
xV{{izhh
xZ7Yl2;=
Y23uiH
Y{,%b~V
ydE]Lf?
YkT]jnR
Y"(m7;Z
yNS@?u
Y'RH\sh
Yw%QJx
_Y+xSG
_;)].z
z|=aMK
ZMEo%I
ZNG<|poa
zounHc
Z,$s"I8