Analysis Date: 2014-12-12 22:41:13
MD5: c4f270c31d66b00f39a9bce7ac6e092a
SHA1: 76f4ca9b5da975da832c1096b5f5f367ac03d7a4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 5a4aa784f7d1bbcb81546c4d7a56ae5b  sha1: 066aff407b82409fa3d43246e8d05b2f985d93c2  size: 12800
Section .rdata  md5: c99a74c555371a433d121f551d6c6398  sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e  size: 2048
Section .data   md5: 66e5238180ed3752735fc032fbeb0a92  sha1: 10cdb7c13428e2795bc43f24d6924be4a64c5b87  size: 104960
Section .rsrc   md5: 97aac478275a5bfe67343c76af87820e  sha1: 2c78e793e5b4158bdae2b9cfafd98859e886797d  size: 5120
Timestamp: 2009-04-29 02:50:36
Version:
LegalCopyright: Copyright © 2010 W PC Tools. 6X All rights reserved.
InternalName: Bdamas
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: H A
ProductVersion: 7.0.0.61
FileDescription: nESpyware Doctor ComponentBX
OriginalFilename: Bdamas
PEhash: 903e1a8b4cd4becd1a12e38af4edaa8686e9b1b9
IMPhash: 9d45645cf2d354cb13e69a1b2038811d
AV 360 Safe: Gen:Heur.IPZ.7
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Heur.IPZ.7
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Agent-247483
AV Dr. Web: Trojan.DownLoader2.37373
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/Kryptik.AJNC
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Generic_s.AJA
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan ( 0024d1131 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.1285FD93
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: google.se
Type: A
173.194.125.56
DNS: google.se
Type: A
173.194.125.63
DNS: google.se
Type: A
173.194.125.55
DNS: ups.com
Type: A
153.2.228.50
DNS: ups.com
Type: A
153.2.224.50
DNS: cj.com
Type: A
64.156.167.85

Strings
040904E4
 2010 W PC Tools. 6X All rights reserved. 
7.0.0.61
BBABORT
Bdamas
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
ldxoB
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
nESpyware Doctor ComponentBX
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
Oz6h
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
Bdamas
CharUpperA
CreatePopupMenu
@.data
DrawAnimatedRects
ExitProcess
GetActiveWindow
GetCommandLineA
GetCurrentThreadId
GetMenu
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetWindowDC
IsCharLowerA
IsCharUpperA
KERNEL32.dll
LoadLibraryA
OpenIcon
`.rdata
SVCP60
This program must be run under Win32
user32.dll
VirtualAlloc
VirtualAllocEx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>