Analysis Date: 2014-12-19 16:43:28
MD5: 14aff00375f38227530831bd33587069
SHA1: 8c5a1bcee937c37896cf31f24c5174aa357992a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: 4632fd53aa3259ec246f006e99cfe28c sha1: 6aabc43506128b2b10fd098bb84b1ce32889ce56 size: 117248
Section DATA: md5: 74dd5129bbefa79f2dbe37733823ac5b sha1: dbef207f31de481810b1f2649d044d2347291404 size: 98304
Section BSS: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: 24a3e0d35a954aa33114ef52108a6fd7 sha1: 1d7540e90cdc488cdc168e2ed29b2306e7a0b37f size: 1024
Section .r2loc: md5: cd820e48fbd0d9105640787a016d3487 sha1: b165480906ed2dd353df7d0a2bd08b7a7194e02c size: 512
Section .rsrc: md5: a96fc5bc29806e6a6a52456137af89f4 sha1: 8794544e96bc5a092e8552f5f80b18fd269e9105 size: 10752
Timestamp: 1992-06-19 22:22:17
PEhash: 9b3f02eb7822949806bb5d9f1224b7dce0f9c7c1
IMPhash: 3a13b9862ad5bc5aecf48e77a8564d3b
AV 360 Safe: Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV Ad-Aware: Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV Alwil (avast): MalOb-GP [Cryp]
AV Arcabit (arcavir): Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV Authentium: W32/FakeAlert.NZ.gen!Eldorado
AV Avira (antivir): TR/Fakealert.OP
AV BullGuard: Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV CA (E-Trust Ino): Win32/FakeCodec.I!generic
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Agent-297452
AV Dr. Web: Trojan.Fakealert.21574
AV Emsisoft: Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV Eset (nod32): Win32/Kryptik.OON
AV Fortinet: W32/Delf.AR!tr
AV Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV Grisoft (avg): Generic22.BZNV
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan ( 002a35bc1 )
AV Kaspersky: Hoax.Win32.FlashApp.a
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ba
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.nyW@cWkRx1ic
AV Rising: no_virus
AV Sophos: Mal/FakeAV-NJ
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_KRYPTK.SMCZ
AV VirusBlokAda (vba32): Heur.Trojan.Hlux

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org, Type: A, resolved to 195.35.109.53
DNS: wikileaks.org, Type: A, resolved to 91.218.114.210
DNS: wikileaks.org, Type: A, resolved to 91.218.244.151
DNS: wikileaks.org, Type: A, resolved to 95.211.113.131
DNS: wikileaks.org, Type: A, resolved to 95.211.113.154
DNS: wikileaks.org, Type: A, resolved to 195.35.109.44
DNS: articlesbase.com, Type: A, resolved to 216.146.46.11
DNS: articlesbase.com, Type: A, resolved to 216.146.46.10
DNS: 10086.cn, Type: A, resolved to 117.136.139.2

Strings