Analysis Date: 2014-09-14 04:46:55
MD5: 3428dbcec8d165778f5e511accda8481
SHA1: 62bee89a65f6a6ff6e24c4f3e25af2fc766e9a6f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 8434846c3630a93cdfdafefe8e5f0903 sha1: 6d8782e9e75643279b00495497110be038be8490 size: 13824
Section DATA md5: 694b5cbeba10ae15256aa68a9e00dcad sha1: 23550e1b8beb63e115bf829da06d0edab353edec size: 10752
Section .lkdata md5: c1139907706ee68f160bc61ef5a24f50 sha1: e174b02584e6bded8029d5f08f178b3099989f7e size: 104448
Section .idata md5: 66b62f5609a406b4bf0c22f0449dc2c8 sha1: 9197b0fc099383ed651a2f2d347809671b408143 size: 1536
Section .jdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .rsrc md5: 85219dcba12acf71a3838e72d2fd29a5 sha1: d84f4ba3172e54c674b70e62139e8751721b58b1 size: 1536
Timestamp: 2010-02-13 05:41:37
Version: LegalCopyright: Copyright © 2009 xiSimon Tathamz All rights reserved.us
InternalName: porikg.exe
FileVersion: 2.0.0.133
CompanyName: Simon Tatham
LegalTrademarks:
Comments:
ProductName: Jb
ProductVersion: 2.0.0.133
FileDescription: pInsideW Setup
OriginalFilename: porikg.exe
Packer: Borland Delphi 4.0
PEhash: 22df0fd0bdc20d5b020f465f289d76e77e35e349
IMPhash: 8fdb0a1e2c79e4ac5e7b24dcb5253b7e

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org
Type: A
195.35.109.44
DNS: wikileaks.org
Type: A
195.35.109.53
DNS: wikileaks.org
Type: A
91.218.114.210
DNS: wikileaks.org
Type: A
91.218.244.152
DNS: wikileaks.org
Type: A
95.211.113.131
DNS: wikileaks.org
Type: A
95.211.113.154
DNS: articlesbase.com
Type: A
216.146.46.10
DNS: articlesbase.com
Type: A
216.146.46.11
DNS: 10086.cn
Type: A
117.136.139.2

Strings