Random stats from 300k malicious samples

June 30, 2012 in Batch Analysis, Malware Analysis

Playing around with strings extracted from 300K unique samples gave me a top 100 strings (as usual with statistics, don’t trust it too much, as my sample set is obviously biased). In any case, as you can see, code snippets (‘SVWU’), Borland strings and a few DLL/API names are highly prevalent:

4521498 SVWU
4008104 Left
3858393 Width
3849138 Height
3651737 SVW3
34282840 ZYYd
2631375 QSVW
1599950 OnClick
1494950 TImage
1470032 ParentFont
1446438 ffffff
1445277 TabOrder
1418101 Font.Color
1418071 Font.Style
1418037 Font.Name
1417970 Font.Height
1416432 Font.Charset
1209103 Z]_^[
1208133 TObject
1110345 SVWUQ
1105144 Sender
1102700 Cursor
1093772 crHandPoint
 975848 SVWQ
 965275 Integer
 913541 Caption
 879263 BorderStyle
 863747 ANSI_CHARSET
 863173 Z_^[
 845681 MaxLength
 838228 TEdit
 830785 clWindowText
 829954 bsNone
 820032 TLabel
 701264 Color
 692145 fsBold
 685461 AutoSize
 682814 OnChange
 637873 Self
 636857 YZ]_^[
 629787 YZ^[
 588869 Transparent
 586796 Boolean
 584700 DEFAULT_CHARSET
 561879 Verdana
 536738 fffffffff
 516176 Controls
 503455 MS Sans Serif
 494892 Graphics
 491681 OnKeyPress
 476489 YZ_^[
 475843 kernel32.dll
 463060 Classes
 443913 Forms
 392601 Visible
 379947 clBlack
 349269 ffffffffffff
 345758 GetProcAddress
 341988 PasswordChar
 323528 bvNone
 320939 GetModuleHandleA
 303360 ParentColor
 301265 OnMouseDown
 299551 clWhite
 295778 Y_^[
 294468 Picture.Data
 288858 JFIF
 287837 BevelOuter
 287467 BevelKind
 287029 LoadLibraryA
 278017 SUVW
 272626 bkFlat
 269891 GWgw
 260838 QQQQSV
 254750 SSSSS
 252854 user32.dll
 249821 ExitProcess
 244095 CloseHandle
 243855 WriteFile
 243140 GetModuleFileNameA
 239566 VVVVV
 236286 rdf:Description>
 231692 Enabled
 231218 Menus
 229567 XYZ
 225944 RegCloseKey
 225145 UUUUUU
 223352 Alignment
 220329 rdf:Description rdf:about=""
 219210 MessageBoxA
 216162 String
 215643 fffffffffffffff
 213682 CreateFileA
 211018 Sleep
 210632 advapi32.dll
 209798 VirtualAlloc
 207239 Arial
 206138 KERNEL32.DLL
 202769 RegQueryValueExA
 200100 Ctl3D
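The pipeline behind a listing like this, as an added example (my code, not the author's): extract printable ASCII strings from every sample, count total occurrences across the corpus (the numbers in the listing above) plus the number of distinct samples each string appears in, and then use that prevalence baseline to drop boilerplate from the strings of a sample under triage. The mini-corpus, the "keylog.txt" string and the 50% cut-off are constructed for the illustration, not taken from the 300K set.

```python
"""Corpus-wide string frequency baseline (added example, not the blog's own code)."""
import re
from collections import Counter
from typing import Iterable

# Same convention as the classic `strings` tool: runs of >= 4 printable ASCII bytes.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> list[str]:
    """Return every printable ASCII run of at least 4 bytes, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def build_baseline(samples: Iterable[bytes]) -> tuple[Counter, Counter, int]:
    """Count strings across a corpus.

    Returns (occurrences, prevalence, n_samples):
      occurrences[s] = total hits of s across all samples (the post's counts),
      prevalence[s]  = number of distinct samples containing s at least once.
    """
    occurrences: Counter = Counter()
    prevalence: Counter = Counter()
    n = 0
    for blob in samples:
        n += 1
        found = extract_strings(blob)
        occurrences.update(found)       # every hit counts
        prevalence.update(set(found))   # one hit per sample
    return occurrences, prevalence, n


def top_strings(occurrences: Counter, n: int = 10) -> list[tuple[int, str]]:
    """Top-n (count, string) pairs, laid out like the listing in the post."""
    return [(c, s) for s, c in occurrences.most_common(n)]


def rare_strings(sample: bytes, prevalence: Counter, n_samples: int,
                 max_ratio: float = 0.5) -> list[str]:
    """Strings of `sample` seen in at most max_ratio of the baseline corpus.

    Anything present in more than half of the corpus (compiler/runtime
    boilerplate such as VCL property names or kernel32 imports) is dropped,
    leaving the strings that actually deserve an analyst's attention.
    """
    keep = []
    for s in dict.fromkeys(extract_strings(sample)):   # de-duplicate, keep order
        if prevalence[s] / n_samples <= max_ratio:
            keep.append(s)
    return keep


# Constructed mini-corpus standing in for the 300K samples: Delphi-style
# boilerplate in every file, plus a few sample-specific strings. NUL bytes
# terminate each string; \x90 and \xcc are non-printable padding.
BOILERPLATE = (b"SVWU\x00Left\x00Width\x00Height\x00TObject\x00"
               b"kernel32.dll\x00GetProcAddress\x00")
CORPUS = [
    BOILERPLATE + b"SVWU\x00OnClick\x00" + b"\x90" * 8,
    BOILERPLATE + b"SVWU\x00TImage\x00" + b"\xcc" * 8,
    BOILERPLATE + b"SVWU\x00PasswordChar\x00",
    BOILERPLATE + b"OnClick\x00user32.dll\x00",
]
# Constructed "new" sample to triage against the baseline.
SUSPECT = BOILERPLATE + b"SVWU\x00PasswordChar\x00keylog.txt\x00"

if __name__ == "__main__":
    occ, prev, n = build_baseline(CORPUS)
    for count, s in top_strings(occ, 5):
        print(f"{count:8d} {s}")
    print("Strings worth a look:", rare_strings(SUSPECT, prev, n))
```

The point for triage and detection engineering is the one the listing makes implicitly: strings that top a corpus-wide count (prologue byte sequences like SVWU, Borland VCL property names, kernel32 import names) appear in benign Delphi binaries just as often, so they are worthless as signatures; keeping the prevalence table around makes that filtering systematic instead of a matter of analyst memory.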

HexDive 0.2

June 21, 2012 in HexDive, Malware Analysis

I just released a new version of HexDive. It adds lots of new strings, so it should be picking up more juice from malicious samples :)

New strings include:

  • pcap (winpcap related strings)
  • libraries
  • mime types
  • charset encodings
  • formatted strings patterns
  • OS file names
  • protocols
  • IPs
  • User agents
  • information-stealing related keywords
  • and more

Note: at this stage HexDive doesn’t search for any regexes (e.g. URLs/emails/etc.), but this is in the making, so stay tuned.

You can download it here.

If your .exe download is blocked, you can try a zip file.

Note1:

If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings for free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job :) just let me know what is missing. Thanks!

Note2:

hdive can be run on static samples (unpacked) as well as on process memory dumps; for benchmark purposes, running it on a 27MB file which is a process memory dump of a simple trojan takes 12-13 seconds:

TimeThis :  Command Line :  hdive malware.DMP
TimeThis :    Start Time :  Fri Jun 22 20:24:02 2012
TimeThis :      End Time :  Fri Jun 22 20:24:15 2012
TimeThis :  Elapsed Time :  00:00:12.683
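To show what a HexDive-style pass over a memory dump looks like, including the URL/IP regex search the post says is still in the making, here is an added example. It is not HexDive's code: the category names, the (deliberately tiny) keyword lists, the IPv4 octet check and the dump bytes are all constructed for the illustration; a real tool ships far larger lists, which is exactly what the author is asking for help with.

```python
"""Keyword-category string hunter over an unpacked sample or a process memory
dump (added example, not HexDive's code)."""
import re
from collections import defaultdict

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed keyword sets, one per category (case-insensitive substring match).
# PasswordChar-style VCL names are left out on purpose: they are in almost every
# Delphi binary, so they carry no signal.
KEYWORDS = {
    "library":       ["kernel32.dll", "user32.dll", "advapi32.dll", "wpcap.dll", "packet.dll"],
    "protocol":      ["http/1.", "smtp", "socks5", "pop3", "imap"],
    "charset":       ["utf-8", "iso-8859-1", "windows-1251"],
    "mime":          ["application/octet-stream", "text/html", "multipart/form-data"],
    "user_agent":    ["mozilla/4.0", "mozilla/5.0", "user-agent:"],
    "info_stealing": ["wallet.dat", "logins.json", "cookies.sqlite", "keylog"],
}

# Regex pass: URLs and dotted quads. The quad regex alone accepts 256.300.1.1,
# so every candidate is also range-checked octet by octet.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def valid_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def classify(s: str) -> set[str]:
    """Return the set of category tags a single string matches (empty if none)."""
    tags = set()
    low = s.lower()
    for cat, words in KEYWORDS.items():
        if any(w in low for w in words):
            tags.add(cat)
    if URL_RE.search(s):
        tags.add("url")
    if any(valid_ipv4(m) for m in IPV4_RE.findall(s)):
        tags.add("ipv4")
    return tags


def hunt(data: bytes) -> dict[str, list[str]]:
    """Map category -> ordered, de-duplicated list of strings that matched it."""
    hits: dict[str, list[str]] = defaultdict(list)
    seen: set[str] = set()
    for m in STRING_RE.finditer(data):
        s = m.group().decode("ascii")
        if s in seen:
            continue
        seen.add(s)
        for tag in sorted(classify(s)):
            hits[tag].append(s)
    return dict(hits)


# Constructed stand-in for a memory dump (198.51.100.0/24 is a documentation
# range). The last two strings are false-positive bait: a Windows build number
# and an out-of-range dotted quad, neither of which should be tagged ipv4.
DUMP = (b"\x00" * 16
        + b"kernel32.dll\x00GetProcAddress\x00"
        + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\x00"
        + b"POST /upload.php HTTP/1.1\x00"
        + b"http://198.51.100.23/upload.php\x00"
        + b"Content-Type: multipart/form-data\x00"
        + b"wallet.dat\x00"
        + b"build 10.0.19041.999\x00"
        + b"256.300.1.1 is not an address\x00"
        + b"\xff" * 8)

if __name__ == "__main__":
    for tag, strings in hunt(DUMP).items():
        for s in strings:
            print(f"[{tag}] {s}")
```

Running it on a real dump is a matter of `hunt(open("malware.DMP", "rb").read())`; the tagging is what turns a 27MB wall of strings into a short list an analyst can actually read, and the octet check is the kind of caveat that matters once regex searches are added, because version strings and dotted build numbers look a lot like addresses.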