Analysis Date: 2015-01-16 04:55:53
MD5: 3e8abd244d679454fcc007c3124bfb8a
SHA1: 8d675881cd4592bbdccc2d5d23fbe3252cf3d635

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE    md5: 01187df5d4334d7e45998c82dec1b8ed  sha1: ed2c99ab96d999e56804aebffd6376ff4f3c0780  size: 119808
Section DATA    md5: 8d3bff42aeaa1cb0e12a694aa7f2a4e1  sha1: 11266f6641ca528a4b53793769784ce636bbd4cf  size: 97280
Section BSS     md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0 (the MD5/SHA1 of empty input: BSS has no raw data in the file)
Section .idata  md5: 2055e965702beed25bd445d5f46af71c  sha1: 4d7f9f3c73d768ef8e5fa005bd257b77a32a12d0  size: 1024
Section .reloc  md5: dd61b4a906505a45227643bd65256898  sha1: 2bcc0138850de72d6925068f59fb75ff3f5666cb  size: 512
Section .rsrc   md5: 6a99009d3b51dd81e0cc4c0c0a984a58  sha1: cefbf88f91a8147026fe7fea8c4acb4125424a2e  size: 10752
Timestamp: 1992-06-19 22:22:17 (this is the fixed value 0x2A425E19 that the Borland/Delphi linker writes into the PE header, not the real build time; the CODE/DATA/BSS section names are the same linker's layout)
PEhash: f2a33ab9bac0f95dce0f4fcf2650b08e4d468015
IMPhash: d27bc50985acb3e11f6228d277de282a
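The two header facts noted above (the Delphi linker timestamp and the CODE/DATA/BSS layout, plus the empty-hash BSS section) can be checked directly from the PE header without third-party tooling. The script below is an added example, not part of the sandbox report or its tooling: it walks MZ -> e_lfanew -> COFF header -> section table, then applies those triage checks. Because the sample itself is not on this page, `build_sample_pe` constructs a synthetic header with the section names, raw sizes and timestamp taken from the Static Details table; it is test scaffolding, not a runnable PE.

```python
import struct
from datetime import datetime, timezone

# 0x2A425E19 = 1992-06-19 22:22:17 UTC: the constant the Borland/Delphi linker stores in
# IMAGE_FILE_HEADER.TimeDateStamp, so it says nothing about when the sample was built.
DELPHI_LINKER_STAMP = 0x2A425E19


def timestamp_utc(ts: int) -> str:
    """Render a COFF TimeDateStamp the way the report prints it."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe_header(data: bytes) -> dict:
    """Minimal PE32 header walk: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Returns machine, TimeDateStamp and (name, SizeOfRawData) per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):              # each IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _vaddr, raw_size = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size))
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def triage(info: dict) -> list:
    """Header observations an analyst wants before trusting the metadata."""
    notes = []
    if info["timestamp"] == DELPHI_LINKER_STAMP:
        notes.append("TimeDateStamp is the fixed Delphi linker value 0x2A425E19, not a build time")
    names = {name for name, _ in info["sections"]}
    if {"CODE", "DATA", "BSS"} <= names:
        notes.append("CODE/DATA/BSS section names: Borland/Delphi linker layout")
    for name, raw in info["sections"]:
        if raw == 0:
            notes.append(f"section {name} has no raw data (its hash is the empty-input hash)")
    return notes


def build_sample_pe(stamp: int, sections: list) -> bytes:
    """Constructed test image: just enough header to exercise the parser (not a runnable PE)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    optional = bytes(0xE0)                                        # PE32 optional header size; unused here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, len(optional), 0x010F)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0, 0, raw, 0, 0, 0, 0, 0, 0)
        for name, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Section names and raw sizes copied from the Static Details table of this report.
REPORT_SECTIONS = [("CODE", 119808), ("DATA", 97280), ("BSS", 0),
                   (".idata", 1024), (".reloc", 512), (".rsrc", 10752)]

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe(DELPHI_LINKER_STAMP, REPORT_SECTIONS))
    print("timestamp:", timestamp_utc(info["timestamp"]))
    for note in triage(info):
        print("-", note)
```

To run it against the real file, replace the constructed bytes with `open(path, "rb").read()`; the parser reads only the headers, so the rest of the image is irrelevant.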
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.Renos.oyW@cGuQGEhc
AV Alwil (avast): MalOb-GP [Cryp]
AV Arcabit (arcavir): Gen:Trojan.Heur.Renos.oyW@cGuQGEhc
AV Authentium: W32/FakeAlert.NZ.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Trojan.Heur.Renos.oyW@cGuQGEhc
AV CA (E-Trust Ino): Win32/FakeCodec.I!generic
AV CAT (quickheal): Trojan.Renos.PG
AV ClamAV: Trojan.Downloader-109457
AV Dr. Web: Trojan.DownLoader2.25030
AV Emsisoft: Gen:Trojan.Heur.Renos.oyW@cGuQGEhc
AV Eset (nod32): Win32/Kryptik.OJP
AV Fortinet: W32/Delf.AR!tr
AV Frisk (f-prot): W32/FakeAlert.NZ.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.Renos.oyW@cGuQGEhc
AV Grisoft (avg): FakeAV.PAK
AV Ikarus: Trojan-Downloader.Win32.CodecPack
AV K7: Trojan-Downloader ( 0026c2921 )
AV Kaspersky: Trojan-Downloader.Win32.CodecPack.aujy
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ba
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PG
AV MicroWorld (escan): Gen:Trojan.Heur.Renos.oyW@cGuQGEhc
AV Rising: no_virus
AV Sophos: Mal/FakeAV-NJ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_FAKEAV.SM86
AV VirusBlokAda (vba32): no_virus

Detected by 26 of the 29 engines listed. The labels converge on a trojan-downloader (Renos, CodecPack) and on FakeAV/FakeAlert/FakeCodec; Delf (Fortinet) marks the Delphi toolchain, and Kryptik, Crypt.ZPACK and MalOb are generic packer/crypter names. Note that the identical Gen:Trojan.Heur.Renos label from Ad-Aware, Arcabit, BullGuard, Emsisoft, F-Secure and MicroWorld is one Bitdefender-based engine reported six times, not six independent opinions.
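Turning a detection table like the one above into a family name is usually done AVClass-style: strip engine suffixes, tokenize each label, discard generic tokens, then vote. The script below is an added example (not part of this report or of AVClass itself) that runs that procedure over the labels listed above, copied into `AV_LABELS`; the `GENERIC` stop-list is a small hand-picked set for this table, not the full AVClass list. It counts votes per vendor and, separately, per distinct label string, because OEM engines repeat one label verbatim and inflate the vendor count.

```python
import re
from collections import defaultdict

# Vendor -> label, copied from the detection table of this report.
AV_LABELS = {
    "360 Safe": "no_virus",
    "Ad-Aware": "Gen:Trojan.Heur.Renos.oyW@cGuQGEhc",
    "Alwil (avast)": "MalOb-GP [Cryp]",
    "Arcabit (arcavir)": "Gen:Trojan.Heur.Renos.oyW@cGuQGEhc",
    "Authentium": "W32/FakeAlert.NZ.gen!Eldorado",
    "Avira (antivir)": "TR/Crypt.ZPACK.Gen",
    "BullGuard": "Gen:Trojan.Heur.Renos.oyW@cGuQGEhc",
    "CA (E-Trust Ino)": "Win32/FakeCodec.I!generic",
    "CAT (quickheal)": "Trojan.Renos.PG",
    "ClamAV": "Trojan.Downloader-109457",
    "Dr. Web": "Trojan.DownLoader2.25030",
    "Emsisoft": "Gen:Trojan.Heur.Renos.oyW@cGuQGEhc",
    "Eset (nod32)": "Win32/Kryptik.OJP",
    "Fortinet": "W32/Delf.AR!tr",
    "Frisk (f-prot)": "W32/FakeAlert.NZ.gen!Eldorado",
    "F-Secure": "Gen:Trojan.Heur.Renos.oyW@cGuQGEhc",
    "Grisoft (avg)": "FakeAV.PAK",
    "Ikarus": "Trojan-Downloader.Win32.CodecPack",
    "K7": "Trojan-Downloader ( 0026c2921 )",
    "Kaspersky": "Trojan-Downloader.Win32.CodecPack.aujy",
    "MalwareBytes": "Trojan.Downloader",
    "Mcafee": "Downloader-CEW.ba",
    "Microsoft Security Essentials": "TrojanDownloader:Win32/Renos.PG",
    "MicroWorld (escan)": "Gen:Trojan.Heur.Renos.oyW@cGuQGEhc",
    "Rising": "no_virus",
    "Sophos": "Mal/FakeAV-NJ",
    "Symantec": "Trojan.FakeAV",
    "Trend Micro": "TROJ_FAKEAV.SM86",
    "VirusBlokAda (vba32)": "no_virus",
}

# Hand-picked stop-list for this table: type, platform, heuristic, packer and toolchain words
# that never name a family (assumption: a real deployment would use a much longer list).
GENERIC = {"gen", "heur", "trojan", "troj", "trojandownloader", "downloader", "win32", "w32",
           "generic", "eldorado", "kryptik", "malob", "cryp", "crypt", "zpack", "mal", "delf"}


def family_tokens(label: str) -> set:
    """Drop the '@hash' / '!flag' engine suffixes, split on punctuation, and keep alphabetic
    tokens of 4+ characters that are not generic. Variant suffixes like 'PG' or 'OJP' fall out."""
    core = re.split(r"[@!]", label, maxsplit=1)[0]
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", core)
            if len(t) >= 4 and t.isalpha() and t.lower() not in GENERIC}


def consensus(av_labels: dict, min_vendors: int = 2) -> list:
    """Rank candidate families by vendor votes, then by distinct label strings backing them."""
    vendors, labels = defaultdict(set), defaultdict(set)
    for vendor, label in av_labels.items():
        if label == "no_virus":
            continue
        for tok in family_tokens(label):
            vendors[tok].add(vendor)
            labels[tok].add(label)
    ranked = sorted(vendors, key=lambda t: (-len(vendors[t]), -len(labels[t]), t))
    return [(t, len(vendors[t]), len(labels[t])) for t in ranked if len(vendors[t]) >= min_vendors]


def detection_rate(av_labels: dict) -> tuple:
    """(engines that flagged the file, engines queried)."""
    return sum(1 for l in av_labels.values() if l != "no_virus"), len(av_labels)


if __name__ == "__main__":
    print("detections: %d/%d" % detection_rate(AV_LABELS))
    for fam, by_vendor, by_label in consensus(AV_LABELS):
        print(f"{fam:<10} vendors={by_vendor:<2} distinct_labels={by_label}")
```

On this table Renos wins on raw vendor count (8) but only three distinct labels back it, while FakeAV has four independent labels from four vendors; the second column is the one to trust when several vendors share an engine.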

Runtime Details:

Summary of the recorded events: C:\malware.exe drops C:\WINDOWS\Ojawia.exe, writes a scheduled-task file named after a GUID under C:\WINDOWS\Tasks\, and starts the dropped copy. Ojawia.exe re-creates and then deletes the same .job file, writes a value under HKEY_CURRENT_USER\Software\J40NOZ44HU, and touches the WinINet history, cookie and cache index.dat files together with WininetConnectionMutex, which is what WinINet-based HTTP activity from the Administrator profile looks like (the DNS traffic is listed under Network Details). Both processes create the same Global\{BC9BACEF-649A-45ff-A468-C000D051F283} mutex, consistent with a single-instance guard shared by dropper and dropped copy (an interpretation, not something the sandbox records). The Internet Settings\Zones key below was captured with a control character in place of the zone number; the trailing 1601 is the per-zone URL action value WinINet reads.

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\J40NOZ44HU\OhuD ➝ 5
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

Only DNS activity is recorded. wikileaks.org, articlesbase.com and 10086.cn resolved; these are well-known sites unrelated to the sample, a pattern consistent with connectivity checks rather than command and control. hawfruit.com, musichalll.com and topjer.com returned no A record during this run, so whatever the sample intended to fetch from them was not observed.

DNS wikileaks.org    A  95.211.113.131
DNS wikileaks.org    A  95.211.113.154
DNS wikileaks.org    A  195.35.109.44
DNS wikileaks.org    A  195.35.109.53
DNS wikileaks.org    A  91.218.114.210
DNS wikileaks.org    A  91.218.244.151
DNS articlesbase.com A  216.146.46.10
DNS articlesbase.com A  216.146.46.11
DNS 10086.cn         A  117.136.139.2
DNS hawfruit.com     A  (no answer recorded)
DNS musichalll.com   A  (no answer recorded)
DNS topjer.com       A  (no answer recorded)

Raw Pcap

Strings

The strings are listed in sorted order, so the embedded application manifest is scattered through the list. Reassembled, it declares assemblyIdentity name="Windows (c) Setup UAC" and requestedExecutionLevel level="highestAvailable", with the supportedOS GUIDs for Windows Vista and Windows 7: a UAC manifest that asks for the highest token the user can supply while presenting itself as Windows Setup. The error, month and day-name strings ("This program must be run under Win32", "Cannot drag a form", the Variant and MDI messages) are the Delphi VCL runtime, matching the CODE/DATA/BSS section layout and the Delphi linker timestamp in Static Details. The few imports visible in cleartext (VirtualAlloc, VirtualProtectEx, LoadLibraryW, LoadLibraryExW, GetProcAddress) are the set a packed stub needs to unpack itself and resolve its real imports at runtime, consistent with the Kryptik, Crypt.ZPACK and MalOb labels above.
[
-..
6o.
..
...
.
..<S..
.
.
.
.
5E
V.

3D Light
Abort
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Access violation
&All
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
BBABORT
BBALL
BBNO
BBOK
BBRETRY(
Bitmaps
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
BkSp
Cancel
Cannot assign a %s to a %s
Cannot drag a form	Metafiles
Canvas does not allow drawing
&Close
Confirm
Control-C hit
December
Division by zero
Enhanced Metafiles
Enter
Error
Exception in safecall method
External exception %x
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRightE%d is an invalid PageIndex value.  PageIndex must be between 0 and %d
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
&Help
Home
Icons
&Ignore
Information
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid filename
Invalid ImageList
Invalid image size
Invalid numeric input
Invalid pointer operation
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant type
Invalid variant type conversion
I/O error %d
January
July
June
kernel32.dll
Left
March
Menu index out of range
Menu inserted twice
Monday
No argument for format '%s'"Variant method calls not supported
No help keyword specified.&Cannot change the size of a JPEG image
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
N&o to All
November
October
Operation not supported
Out of memory
Out of system resources
PgDn
PgUp
Privileged instruction(Exception %s in module %s at %p.
Range check error
Read
Read beyond end of file	Disk full
&Retry
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Saturday
Space
%s property out of range
%s%s
%s (%s, line %d)
Stack overflow
Sub-menu is not in menu
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Unable to Replace Image
Unexpected variant error
Unsupported clipboard format
untfs 
)Variant or safe array index out of bounds
Variant or safe array is locked
Variant overflow
Warning
wegwe\ehfwehetr
Window Background
Window Frame
Window Text
Write$Error creating variant or safe array!'%s' is not a valid integer value
&Yes
Yes to &All
0"0*020:0B0V0^0f0n0v0~0
0o8:z)
(|0?T}eV
0U@{bnP
1293459309
129Y]S+
1365c06e
139209211
13zK<&
,1[CP*
{1G3T3n7r7v7z7~7
+1^\h<
#1pS*Y
^1RSi@p
2^;/	>
2""333:"C8
2""#33:DC8
27p+#3#4
$2 $b	
2$B""""C38
2C4"""D338
&+ *2dO
2^|@}f`
|^2+K	
*2KD9^
2ne@)1
2.}nwR
2&S>	f
2\$Y&)
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
3333333
$3333333
#3333333
33333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
:*"*"$3338
333838
333DDD33333?
$334B"$3
334C33333338
33B$3333333
34""C33333833
3B""$33333
3'c-(%
|3d5	q
3ElO6T
]<-3F<*N
3lEWS{w
3p!m,6l
>3yCF:
3Z]F_6{
{"4_"9
4"*""C3338
"4iPyln
4|,|'^;O
4PX6lD}
\[4Q7t
4z87ws
56)hp0
#~<5$g
||5Y7mxD
6^5Nt^o56%
6)7/7G8
.67Xubfw
6a h+$]
6]KlV}h
6lk2^a
6nw='NJP{,A
6oc	\=
6O?TBB
6Ql8]~P
-6WPWqP:
6yBCWAd
}=}&}7
7	iJ@4
7J^i/=
-7k]$N
7{Q#L$5
7 SW{O
8"949:9@9F9L9R9X9^9d9j9p9v9|9
8 }c28
'&8#SbA
]8(T0aa
	|8x4;h>
8y{As}
98:6q(
9jUfAd
9n0zVLoX?F
9@_.r^
\9ZAw;
{a)^.7
aD0..sF
AdjustWindowRect
A!GiVl
`AHrC}
ak<jsk
AOtRhurp
+]Ao]x_
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows (c) Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
_A=Tfb
\a=Ug{#
=AvAxE
AX:@BDq~
AyUpMo)
a>z(0,
bD;sds
'\$bGw
},BJ%;
b>J!yD
\BM!36I
'=b~O@/B?
{;BO"n=
boXEN%
/bP1ny
BT;u,z
/?C1{;	<
:"C333
"C333333
"C3338
"C8338
c;~h-|9
<C<J<W<f<u<
CKS>vw
cl[0v=
cOl7vD
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
<!c_V"
 cX	yH
:DC33:""$8
"DDB""$3
DdeKeepStringHandle
+DhiMh
Dl"VF{p
DnN,F<u
D%=oswgXF
D\Q8%0
["DQr9
{D&t*bm
d|%\ws;
DxkNlM
DX)Q!{zg
^+(~e~
^"\@E5WI@
E5W^qp
 E5X?*Uwy
.EHy=@'
#EJb6_
EmptyClipboard
eo3Qlg/
e?Qj9J
<*E'\r@
E`V	@_
>EV02_
"F\a9yh
fb	gM0%[
F.bXR,y
F_c)mK
fe]A[Y7
#FF{?7C
FhP(Xc
f%iKoa
^Fjj^)
FPInEiE
^F'~QB.
G8T(j	
g9e=gq
G'^CQm
g!<CzW
GetCursorFrameInfo
GetProcAddress
GetProcessHeap
GetTimeFormatA
GetWindowModuleFileNameW
gL6)V}"
GlobalAlloc
GlobalFree
}GO`I>
g"Q\J-
gyrPy%
h~1K^^\(#z2
^	!hE0
(\h/I_G6
ho*IGv/
?h?S&)
*{\h}T
@h#u@(r
>:Hw(O
I.19VIp
i6\xar097o
{$i|co
.idata
InvertRect
iP!!-2(l
iP^L$p3
Ir>atl
IsBadReadPtr
iS%~oW
@+IsOZ{
-I]@Zt
"J333333
j6EOj	
<`j(8:
jb*.=y@
"J"C3333
`jCJ:2
"jF79M
J	FTy-
JG2,rB`N
. !jG/l
JhuG#:
j>jz/*);@>h
#Jm>F.
JS3IAB
j}tjgS
jXc_45
&jXduHl
(#J ZE
k02x+|	
ka=WK5
kernel32.dll
K~Hxv\
 K/jn/7
kJxQe}
kKk I#'
KOCG8U
"Ko@i>_
@KON4>
ksJRhF
>&Ks)m
{l3A%X
l5(s\Opus9
L7mowM;
|lD7}{
lgoS%-
^lkYEw%9@
LoadCursorW
LoadLibraryExW
LoadLibraryW
$l.Q_$
Lz}ma`
_m5U&Cp
^M>7zf
mB	OWX
MBU*_@
{mcv]fe+HC
!*MDld
Mdu)!2
M|F$yk
~mg5$^z[
mg`sHZ
)m;[*H
	'MNKx
m{!OH^r
MXw](Q$`
(;+|.n
NCI$w&q
+NDe4u
&&-N-m
n&NJ8X
N[{`~.o
NophuQ&
nteMD 
Nuefm$S
NufZl;
*[NX9@u
O^0lB]
O'`6^#
OAo4B$T
ON| _O5
/on#rv
orZVLI=
OT BB[
oxF~a$
@+O~XZ
P0lOO$;
P^0Xvio
!p"2+W
P4;u,z
p`7-XKo
p9h6R-
pA`{v8g
@~,P(c
p?Cc[d
"%P iu
P:j}~FR
pq1fTpJ\|
P.rsrc
_P,s!	
P;T;X;\;`;d;h;l;|;
|`^pw%
p\wX.~gU
#-{PZ>
|pZYPF
^q-]10'
q1Hf-<
qa	k|/T
^Q"duSA
QEj.5i
qQ1EHc
Q!\sS9
&q^t |
QUA(	DR
rB-'7i
.reloc
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
rF!VI9
R-=h<&
RH5kEJp
RJm?_A
RLAESmX
RlXg.r2
RtlZeroMemory
r:TP0I
RV!&Kf
r"&(v/W
{ s8<{
s.axCP
:>;S;d;
SdJjoAA
      </security>
      <security>
seONO{qu
!"Sep9
ShowCaret
Sm[G(hJ=Q
:sn?qU
S NtV*
sNXjAr5
SQ83iJ
[srAHF
"#S\sF
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
sU_!P*Vy
T3!YI>
##)TD6
td NW7
teP	KcyR
-#tgj6B
|Th	CF
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
T~&ICI
ti >tX
TKvaS6*
Tn aCyKO
~T&PCC
(tq/h,P
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
^T[SMe
u5q-)po	
]ub6)t
),}|U;d
\&u>~H
UI`5Lt
ujw"{h=?
user32.dll
U,[TL7
UTnOTf
_u'u.<EcZ
uV00=@
uw7Q<\
_uZ9Gp
V5hQPp
^vDOEA"
/vi4BD
VirtualAlloc
VirtualProtectEx
vj4g+y
VNbZ=G
v;%^`nDi
w6:y/B
w8N<JOj
W ;"8zA
*wbJpO
w"(@h9s4
w	%k&4
wMKYJ 
W+(Nyb
WritePrivateProfileSectionW
W^S(PEr
w;{Vf-
!W|xksK
._w{xO=
@x0>?Kz
|=	x-3
xE*ii]
xh(XKG
X;KfFn2
]XM1Ki6Wg
&	X{mC:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XOM\wI"
X<>`\pt
X`qiH	|
xQKI|/?
XrshwP
X'S4wA
$xT\oz
xwH2NJ
xZ8,t5
ygX<N:
yh;l(vn_
]|}YJb
ynz.L!<
&y&()Vm
\=Yw:-_
YY:`.d
Z	5^Nh\
Z@ktc?
ZMkdA|
zn#;>5a
Z&Wt/7