Analysis Date: 2014-11-23 05:33:58
MD5: c3bb0c04b35039af180fca0dfb8c761d
SHA1: 681344d79a2a7e3dea04c993f97dc0f42f2f8401

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: 90dd1ad8f61833121646b7a1dc5bdac3 sha1: 6fb04c05005696a25a9eb27866f54625080bd963 size: 11776
Section .data: md5: 32814f4ab9427f7d25b0e16371b13e97 sha1: 400efa400fd251b6aa32fc0b5c5eafaa438f4985 size: 9728
Section .ihdata: md5: 1245d44520f5b32c770618e2b19f0050 sha1: f72252eb6f9c147dbe8f135ce2170174e9fe62d5 size: 104448
Section .idata: md5: c9bacc8cc35c3840bdc0441cf602a025 sha1: 28ea356d92580815272595e9234d14363e293a7f size: 512
Section .thdata: md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc: md5: 34f945f4795fca3caff1242eb908cb21 sha1: bc0b57621209183e3d53d1c4bc8e3341265ef2c8 size: 1536
Timestamp: 2009-12-15 06:15:53
Version:
  LegalCopyright: Copyright © 2009 FSimon TathameZ All rights reserved.Hn
  InternalName: jorik1c.exe
  FileVersion: 4.0.0.351
  CompanyName: Simon Tatham
  LegalTrademarks:
  Comments:
  ProductName: q 1Q
  ProductVersion: 4.0.0.351
  FileDescription: systemv Setup
  OriginalFilename: jorik1c.exe
PEhash: 39f32a376dce2533eda5c83a584dd34176b5d147
IMPhash: bb617b0cddb9c8fd604883942de36654
AV 360 Safe: Gen:Variant.Kazy.26784
AV Ad-Aware: Gen:Variant.Kazy.26784
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Downloader.CO.gen!Eldorado
AV Avira (antivir): TR/Winwebsec.ezym
AV BullGuard: Gen:Variant.Kazy.26784
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Agent-299982
AV Dr. Web: Trojan.DownLoader3.32057
AV Emsisoft: Gen:Variant.Kazy.26784
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/PackZbot.D!tr
AV Frisk (f-prot): W32/Downloader.CO.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.26784
AV Grisoft (avg): Downloader.Generic11.ASDD
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan ( 0037efca1 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.au
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.26784
AV Rising: Trojan.Win32.Generic.12890848
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen62
AV Trend Micro: TROJ_RENOS.SMIE
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org (Type: A) ➝ 95.211.113.154
DNS: wikileaks.org (Type: A) ➝ 195.35.109.44
DNS: wikileaks.org (Type: A) ➝ 195.35.109.53
DNS: wikileaks.org (Type: A) ➝ 91.218.114.210
DNS: wikileaks.org (Type: A) ➝ 91.218.244.151
DNS: wikileaks.org (Type: A) ➝ 95.211.113.131
DNS: articlesbase.com (Type: A) ➝ 216.146.46.11
DNS: articlesbase.com (Type: A) ➝ 216.146.46.10
DNS: 10086.cn (Type: A) ➝ 117.136.139.2

Strings
040904E4
 2009 FSimon TathameZ All rights reserved.Hn
4.0.0.351
Comments
CompanyName
Copyright 
DVCLAL
FileDescription
FileVersion
InternalName
jorik1c.exe
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
q 1Q
Simon Tatham
StringFileInfo
systemv Setup 
TFORM1
Translation
VarFileInfo
VS_VERSION_INFO
Caption
clBtnFace
ClientHeight
ClientWidth
clWindowText
comctl32.dll
`.data
DEFAULT_CHARSET
ExitProcess
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
GDI32.dll
GetBkMode
GetMenu
GetTextAlign
GetVersion
GetVersionExA
.idata
@.ihdata
ImageList_Add
ImageList_Read
IsCharLowerA
IsZoomed
jorik1c.exe
Jun 13
KERNEL32.dll
KillTimer
LoadBitmapA
LoadLibraryA
main.cpl
OldCreateOrder
OpenIcon
PixelsPerInch
`.rdat
@.rsrc
Tahoma
TextHeight
TForm1
@.thdata
!This program cannot be run in DOS mode.
USER32.dll
VirtualAllocEx