Analysis Date: 2015-05-28 19:26:53
MD5: 00d7ffbbda644ee8aab8a7f6068fde87
SHA1: 6176ab7a18f9115acd733ca2886b16a16017e392

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: 60ed94b0361e4b922f658e6c62e802a7 sha1: 298d75c14fa7a198e30186a07df8096e3c85f15c size: 120832
Section DATA: md5: 1255998be7eb1da78ed7fe869f560203 sha1: 808105818028f0f221a9119566a43773caf30621 size: 100352
Section BSS: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (hashes of empty input, consistent with size 0)
Section .idata: md5: 1810641eaaf59b13695cb42da3319d14 sha1: 17e8a328efb2ca0c344ca6761e650fcaec2cb0f8 size: 1024
Section .zeloc: md5: 9e1430675af953a92501a4dd283a8eab sha1: 18288edec2d3344da2cd8c0fb47661f12cad38e9 size: 512
Section .rsrc: md5: fc9ede2a5f34b73ee24f4987dbb1617e sha1: 1e1e7bef807f6dec2b7adae06660febc907e477d size: 10752
Timestamp: 1992-06-19 22:22:17 (fixed value written by the Borland/Delphi linker, not the real build time)
PEhash: e40afc0f456aa17964ac95548433fb6db16feb5e
IMPhash: f89aecd6d002b7518f4093ce73cc61d2

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org, Type: A, 91.218.244.151
DNS: wikileaks.org, Type: A, 95.211.113.131
DNS: wikileaks.org, Type: A, 95.211.113.154
DNS: wikileaks.org, Type: A, 195.35.109.44
DNS: wikileaks.org, Type: A, 195.35.109.53
DNS: wikileaks.org, Type: A, 91.218.114.210
DNS: articlesbase.com, Type: A, 141.101.127.247
DNS: articlesbase.com, Type: A, 108.162.200.248
DNS: 10086.cn, Type: A, 117.136.139.2

Strings (Borland Delphi VCL runtime messages, imported API names and an embedded application manifest):

3D Light
Abort
Abstract Error
Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error
Format '%s' invalid or incompatible with argument
April
Assertion failed
August
September
BBABORT
BBALL
BBNO
BBOK
BBRETRY(
Bitmaps
Bits index out of range
Can't write to a read-only resource stream
CheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form
Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control
Failed to delete tab at index %d
Failed to retrieve tab at index %d
Failed to get object at index %d
Failed to set tab "%s" at index %d
Failed to set object at index %d
MultiLine must be True when TabPosition is tpLeft or tpRight
%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow
Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast
Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation
Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'
Variant method calls not supported
No help keyword specified.
Cannot change the size of a JPEG image
Not enough timers available
GroupIndex cannot be less than a previous menu item's GroupIndex
Cannot create form. No MDI forms are currently active
A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction
Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file
Disk full
&Retry
%s
Could not convert variant of type (%s) into type (%s)
Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday
Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
Window Background
Window Frame
Window Text
Write
Error creating variant or safe array
'%s' is not a valid integer value
&Yes
Yes to &All
AddPrinterDriverExW
  </application> 
  <application> 
appwiz.cpl 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
DeletePrinterDataW
DocumentPropertiesW
FindWindowExW
GetDlgItemInt
GetDlgItemTextA
GetEnvironmentVariableW
GetKeyboardLayoutList
GetModuleHandleA
getnameinfo
GetProcAddress
GetWindowLongW
GlobalMemoryStatusEx
HeapAlloc
HeapQueryInformation
.idata
kernel32.dll
LoadLibraryA
LocalAlloc
MapWindowPoints
OpenInputDesktop
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
ResetPrinterA
      </security>
      <security>
SetPrinterDataA
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
VirtualAlloc
VirtualProtect
VkKeyScanW
winspool.drv
ws2_32.dll
WSAAddressToStringA
WSAAsyncGetProtoByNumber
WSAConnect
WSAProviderConfigChange
WSASendTo
WSAStartup
WSCGetProviderPath
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
.zeloc