Analysis Date: 2015-01-06 15:07:00
MD5: 28ec62e616955ff8a8787128d34d242f
SHA1: bb08b3180f2e3ff187986d4c158d41fdd657d962

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: 72d350e25371f3082772a7c328553929 sha1: 5f26f0b8221d085620e2f3d5b806a72c4dfda4dd size: 70144
Section DATA: md5: c3d6177d5b0d95fa28b196dbeb9d6c72 sha1: 8603194e9f8d0c85d96f972cfd854e48d45cce09 size: 1024
Section .rsrc5: md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .rsrc0: md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc8: md5: 208520df7fbaa13d416358dfa90fcc2b sha1: 406621e93c8f93bf7af2067196ca40ac4c50631b size: 135680
Section .rsrc4: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc1: md5: 9a5d27199cb691583d553220bfaad9b7 sha1: f1a564cc1f272a9751394b2f9cb6ebdc08db3315 size: 5120
Section .rsrc: md5: c1d77256b3ef2198436b03e664239748 sha1: c634b699db42703ef5e6d703fa077fe941be7e8b size: 1024
Timestamp: 2009-12-15 13:03:00
Version:
  LegalCopyright: Copyright © MS Extrim Edition 2011
  InternalName: Extrim Edition.exe
  FileVersion: 6.0.7007.17771
  CompanyName: Windows (R) Codename Longhorn DDK provider
  ProductName: Extrim Edition Version 2011
  ProductVersion: 6.0.7007.17771
  FileDescription: Windows Setup API
  OriginalFilename: Extrim Edition.exe
PEhash: 0b8e3cf4459eb980e48b6c99a3827ff4b8a69cf0
IMPhash: a5af1242792a7f2f99e1d569a6e27924
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.866
AV Alwil (avast): MalOb-DP [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.866
AV Authentium: W32/FakeAlert.IV.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Variant.Kazy.866
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LX
AV ClamAV: Trojan.Downloader-99932
AV Dr. Web: Trojan.DownLoader1.42928
AV Emsisoft: Gen:Variant.Kazy.866
AV Eset (nod32): Win32/Kryptik.IYL
AV Fortinet: W32/CodePack.CX!tr
AV Frisk (f-prot): W32/FakeAlert.IV.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.866
AV Grisoft (avg): FakeAV.GMW
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Trojan-Downloader ( 001e160f1 )
AV Kaspersky: Packed.Win32.Krap.ih
AV MalwareBytes: Rootkit.Agent
AV Mcafee: Downloader-CEW.q
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Variant.Kazy.866
AV Rising: Trojan.Win32.Generic.1262E433
AV Sophos: Mal/EncPk-NS
AV Symantec: Downloader
AV Trend Micro: TROJ_FAKEAV.SM2
AV VirusBlokAda (vba32): BScope.Trojan.MTA.01233

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\H3O8CABBPI\OhuD ➝ 5
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{C814BC71-BD20-47f7-8107-9BCB142C6F1C}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: vkontakte.ru, Type: A, 95.213.4.243
DNS: vkontakte.ru, Type: A, 95.213.4.241
DNS: vkontakte.ru, Type: A, 95.213.4.242
DNS: soso.com, Type: A, 220.181.124.154
DNS: soso.com, Type: A, 106.120.151.169
DNS: plusvan.com, Type: A, 174.137.132.100
DNS: newfsite.com, Type: A
DNS: homebuyline.com, Type: A
HTTP POST: http://plusvan.com/1wave.php
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 174.137.132.100:80
