…and the most popular Windows account for compiling malware is:

May 8, 2013 in Batch Analysis, Malware Analysis

Administrator.

Many malware samples contain debug strings that include paths, often pointing directly to the location where the source code is stored, and that location is often under the USERPROFILE. For the fun of it, I extracted the strings from a large batch of samples and came up with the following statistics (showing top 50):

   3893 Administrator
   2963 JUANJO
   1121 ryanch
    928 Boy
    617 UserXP
    612 user
    519 1337
    502 User
    465 Admin
    435 root
    422 bld4act
    418 Owner
    347 nosferatus
    305 Administrateur
    300 M4x
    296 ismael
    277 goga
    277 Kyle
    255 Mirko
    247 1134
    244 kdglkrkjdfhslej
    241 FEDERIKO
    234 t0fx
    231 rstephens
    219 DarkCoderSc
    218 gcc
    205 icyheart
    200 Dave
    197 michael
    197 Roshan
    197 James
    195 Ben
    182 John
    178 admin
    173 Dev
    161 box1
    157 nonadmin
    153 FELIPE
    152 Familie
    151 Timothy
    137 Dhivin
    133 Vortex
    131 Robert
    130 dabdoub
    129 USER
    127 dr zinou
    125 packar
    122 David
    116 nathu
    116 Daniel

It’s obviously biased.

Other interesting names include:

  • tom age five
  • GANGSTA
  • Krusty the Clown
  • ^_^
  • ItchyFingerz
  • irishboy
  • romantic
  • lol
  • brad pitt
  • Love Bebe
  • LorD^^$$steal3R
  • Cyber-Warrior Ender
  • auchan
  • F-B-I
  • Valued Sony Customer
  • SexyReplay
  • Microsoft
  • Poo
  • Trojan
  • P@wn3d
  • Emperor Zhou Tai Nu

There are over 7000 account names on the list. If you want the full list, please contact me offline.
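
A tally like the one above can be reproduced with a short script. This is an added example, not the author's code: it pulls ASCII and UTF-16LE strings out of each sample, matches paths under C:\Users\<name>\ or C:\Documents and Settings\<name>\, and counts each name once per sample. The sample bytes, the once-per-sample counting and the shared-folder exclusion list are assumptions.

```python
import re
from collections import Counter

# Printable runs of 8+ characters, narrow (ASCII) and wide (UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Profile roots: "Documents and Settings" (XP era) and "Users" (Vista and later).
PROFILE = re.compile(
    r'[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\/:*?"<>|]{1,64})\\',
    re.IGNORECASE)
# Assumption: shared profile folders are not build accounts, so skip them.
SHARED = {"all users", "default", "default user", "public"}

def strings(data):
    """Yield printable strings from raw bytes, like strings(1) with -el added."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode("utf-16-le")

def account_names(data):
    """Return the set of profile names referenced by one sample (case kept)."""
    names = set()
    for s in strings(data):
        for m in PROFILE.finditer(s):
            if m.group(1).lower() not in SHARED:
                names.add(m.group(1))
    return names

def tally(samples):
    """Count names across samples; assumption: one vote per sample per name."""
    counts = Counter()
    for data in samples:
        counts.update(account_names(data))
    return counts

# Constructed sample bytes, not taken from real malware.
SAMPLES = [
    b"MZ\x90\x00C:\\Users\\Administrator\\Desktop\\bot\\Release\\bot.pdb\x00\x01",
    b"\x00\x01" + "C:\\Documents and Settings\\UserXP\\My Documents\\stub.pdb"
    .encode("utf-16-le") + b"\x00\x00",
    b"RSDS" + b"\xff" * 20 + b"c:\\users\\Administrator\\src\\a.pdb\x00"
    b"C:\\Users\\Administrator\\src\\b.obj\x00",
    b"C:\\Users\\Public\\Libraries\\x.dll\x00D:\\build\\out\\tool.pdb\x00",
]

if __name__ == "__main__":
    for name, n in tally(SAMPLES).most_common(50):
        print(f"{n:7d} {name}")
```

Names containing non-ASCII characters are missed by these patterns, which is one more source of bias in any such count.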
