
Wow6432Node key stats

April 8, 2015 in Batch Analysis, Forensic Analysis, Malware Analysis

I recently came back to play with strings artifacts extracted from a decently sized sample set. Looking at a normalized, clustered data set is always a good starting point for research. It can be very boring, but every once in a while you will find something interesting.

To kick it off, here are some stats about the Wow6432Node key that I generated overnight.

With 64-bit boxes becoming pretty much the norm, we naturally see more and more samples referring to this Registry key. If there is one reason for us to look at this data, it is to find out whether there are perhaps some keys under Wow6432Node that deserve special attention… Who knows, maybe some new persistence mechanism or some new, interesting artifact is out there waiting for someone to discover it.

Obviously, stats may be misleading, so use them at your own risk. Also, not all the keys are necessarily malicious. It’s just a bunch of keys that specifically refer to Wow6432Node, extracted from a large sample set.

Looking at the data below one thing strikes me immediately – the Run and RunOnce keys are pretty low on the list. Either software authors are not hardcoding them to avoid heuristic detections, or… there is really not that much software that modifies these keys directly.

  179506 software\wow6432node\microsoft\windows\
  42517 software\wow6432node\clients\startmenuinternet
  23631 software\wow6432node\microsoft\windows\currentversion\uninstall\avast
   5074 software\wow6432node\javasoft\java runtime environment
   4859 software\wow6432node\javasoft\java development kit
   3274 software\wow6432node\beattool
   3020 software\wow6432node\avast
   2601 software\wow6432node\sweetim
   1861 software\wow6432node\avira
   1686 software\wow6432node\microsoft\internet explorer\extensions\{ebd24bd3-e272-4fa3-a8ba-c5d709757cab}
   1641 software\wow6432node\sweet-pagesoftware
   1641 software\wow6432node\awesomehpsoftware
   1639 software\wow6432node\webssearchessoftware
   1638 software\wow6432node\qone8software
   1638 software\wow6432node\microsoft\windows\currentversion\uninstall\{c4ed781c-7394-4906-aaff-d6ab64ff7c38}
   1638 software\wow6432node\microsoft\windows\currentversion\uninstall\{889df117-14d1-44ee-9f31-c5fb5d47f68b}
   1638 software\wow6432node\classes\clsid\{4aa46d49-459f-4358-b4d1-169048547c23}
   1637 software\wow6432node\aartemissoftware
   1636 software\wow6432node\avg
   1551 software\wow6432node\microsoft\windows\currentversion\uninstall
   1515 software\wow6432node\avast software
   1465 wow6432node\clsid\
   1399 software\wow6432node\baidu security\antivirus
   1387 software\wow6432node\google\chrome\extensions
   1141 \software\wow6432node\baidu security\pc faster
    913 software\wow6432node\microsoft\windows\currentversion\uninstall\avira
    623 software\wow6432node\omiga-plussoftware\omiga-plushp
    583 software\wow6432node\red gate\
    559 wow6432node\clsid\%s
    502 software\wow6432node
    434 software\wow6432node\microsoft\internet explorer\extensions
    417 software\wow6432node\mozilla\mozilla firefox
    403 software\wow6432node\microsoft\windows\currentversion\uninstall\
    384 software\wow6432node\microsoft\internet explorer\toolbar
    372 software\wow6432node\mozilla\\%s\main
    372 software\wow6432node\mozilla\
    363 software\wow6432node\microsoft\windows\currentversion\run
    356 software\wow6432node\{smartassembly}
    326 software\wow6432node\microsoft\office\outlook\addins
    295 hkey_local_machine\software\wow6432node\vitalwerks\duc
    281 software\wow6432node\babylontoolbar\babylontoolbar
    265 software\wow6432node\brapp
    263 software\wow6432node\microsoft\windows\currentversion\runonce
    253 software\wow6432node\asktoolbar\macro
    215 software\wow6432node\mozilla\mozilla firefox\
    204 software\wow6432node\realnetworks\dlp
    189 software\wow6432node\microsoft\net framework setup\ndp\
    186 software\wow6432node\qone8software\qone8hp
    168 software\wow6432node\v9software
    163 software\wow6432node\qvo6software\qvo6hp
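A small script that produces a histogram of this kind from a strings dump, added here as an example and not the author's own tooling. It assumes a constructed tab-separated "<sample id>\t<string>" dump format, and goes one step beyond the list above by folding hive prefixes and leading/trailing backslashes into a single key and counting each key once per sample.

```python
import re
from collections import Counter

# Constructed strings-dump sample, one "<sample id>\t<extracted string>" per
# line; a stand-in for a real strings run over a malware corpus.
SAMPLE_STRINGS = """\
s1\tSOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run
s1\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Vitalwerks\\DUC
s1\tSOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run
s2\tSoftware\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\
s2\t\\Software\\Wow6432Node\\Baidu Security\\PC Faster
s3\tWow6432Node\\CLSID\\%s
s3\tSOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce
s3\tHKLM\\SOFTWARE\\Wow6432Node\\Vitalwerks\\DUC
"""

# A registry path mentioning Wow6432Node: optional hive prefix, optional
# leading backslash, then everything up to a quote or angle bracket.
KEY_RE = re.compile(
    r"(?:hkey_local_machine\\|hklm\\)?\\?(?:software\\)?wow6432node"
    r"(?:\\[^\"'<>]*)?",
    re.IGNORECASE,
)


def normalize_key(raw: str) -> str:
    """Lower-case, drop the hive prefix and leading/trailing backslashes so
    that spelling variants of one key fall into the same bucket."""
    key = raw.lower().lstrip("\\")
    for hive in ("hkey_local_machine\\", "hklm\\"):
        if key.startswith(hive):
            key = key[len(hive):]
    return key.rstrip("\\ ")


def wow6432node_histogram(strings_dump: str) -> Counter:
    """Number of samples referencing each normalized key. A key repeated
    inside one sample counts once (analyst's choice: a sample with many
    copies of a string should not dominate the stats)."""
    seen = set()
    for line in strings_dump.splitlines():
        if "\t" not in line:
            continue
        sample_id, text = line.split("\t", 1)
        for m in KEY_RE.finditer(text):
            seen.add((sample_id, normalize_key(m.group(0))))
    return Counter(key for _, key in seen)
```

Printing `wow6432node_histogram(SAMPLE_STRINGS).most_common()` gives a count-per-key table in the same shape as the list above.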

3500+ Visual Basic coders cannot be… wait a second

December 10, 2014 in Batch Analysis, Malware Analysis

Originally, this post had an incorrect title :) By mistake I used “3500K”, which is equivalent to 3.5M. The number should be 3500, a.k.a. 3.5K.

Old Post

The number of malware writers is enormous. This is a fact. If someone tells you that there are only 10-100 active people or groups doing so, then maybe they are right. But… they are most likely not.

Clustering a large number of samples allows us to cherry-pick a lot of interesting statistics. I shared quite a lot of them back in 2012-2013. Over the last weekend I crunched my databases again, and this time I focused on Visual Basic ‘goodness’.

Despite being old, this programming platform still has a lot of followers. It ‘helps’ with writing RunPE wrappers, and their authors often leverage VB’s built-in virtual machine, which produces executables that are a big pain to analyze without dedicated tools.

Now, my focus on VB was very specific. If you have ever looked at VB apps before, you know that they often leave traces of the original project path used by the application author inside the file. Yes, the ‘.vbp’ path. Looking through a histogram of all normalized .vbp paths extracted from a decent collection of malware, I was able to find over 3500 user names used in the profiles of the people who code them (focusing only on c:\users\* and c:\documents and settings\*). The number is pretty high, but that is not surprising. If you add it to the 7000 names I extracted in 2013 from debug strings, then we are already crossing 10K profiles (possibly people). Multiply it by 2, since I excluded a lot of non-user-accountish paths, and the same name can belong to many people.

Of course, stats are always biased:

  • I don’t have all samples
  • Some of these paths could be automatically generated/modified/made up
  • Lots of other reasons

but numbers speak for themselves anyway.
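The profile-name extraction the post describes, as an added example rather than the author's own script. The .vbp paths are constructed, and only the c:\users\* and c:\documents and settings\* roots (plus the 8.3 short form c:\docume~1\*) are treated as user profiles; everything else is dropped as a non-user-account path.

```python
import re
from collections import Counter
from typing import Optional

# Constructed .vbp project paths, standing in for the normalized paths that
# the post pulls out of a malware collection.
SAMPLE_VBP_PATHS = [
    r"C:\Users\Administrator\Desktop\crypter\Project1.vbp",
    r"c:\users\administrator\documents\stub\stub.vbp",
    r"C:\Documents and Settings\Administrador\Mis documentos\Proyecto1.vbp",
    r"C:\Users\Pedro\Desktop\RunPE\Project1.vbp",
    r"C:\DOCUME~1\ADMINI~1\Desktop\Project1.vbp",
    r"C:\Program Files\Microsoft Visual Studio\VB98\Project1.vbp",
    r"D:\src\old\Project2.vbp",
]

# Profile name under the two roots the post focuses on, c:\users\<name>\ and
# c:\documents and settings\<name>\, plus the 8.3 short form c:\docume~1\.
PROFILE_RE = re.compile(
    r"^[a-z]:\\(?:users|documents and settings|docume~1)\\([^\\]+)\\",
    re.IGNORECASE,
)


def profile_name(vbp_path: str) -> Optional[str]:
    """Profile folder name from a .vbp path, or None when the path is not
    under a user profile (Program Files, bare drive folders, ...)."""
    m = PROFILE_RE.match(vbp_path.strip())
    return m.group(1) if m else None


def profile_histogram(paths) -> Counter:
    """Count .vbp paths per profile name. Names are folded to lower case so
    'Administrator' and 'administrator' cluster; 8.3 short names such as
    ADMINI~1 are kept as-is because expanding them is ambiguous."""
    return Counter(n.lower() for n in map(profile_name, paths) if n)
```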

Here is a list of top user names – lots of variations of the Admin account in multiple languages top the list:

  • Administrator
  • Administrador
  • Admin
  • Administrateur
  • user
  • Owner
  • ADMINI~1
  • Pedro
  • David
  • Usuario
  • pc
  • 2fast4you
  • IubHost
  • ben
  • box1
  • xp
  • M3
  • Master
  • Tolga
  • o_O
  • M3N3G@TT1_
  • sher soft
  • Jhon
  • Antrax10

Various interesting names are also on the list:

  • Alpacino
  • WHO
  • Metal_Zone
  • MicrosoftCorporation
  • Emperor Zhou Tai Nu
  • mitnick
  • KingOfHackers
  • ^_^
  • AnTiviRus7
  • Compaq_Owner
  • Hacker test Machine
  • KillerMadara
  • x-men
  • ghost prince
  • SkY-NeT SySteMs
  • Administrator.VIRUS
  • Sauvegarde [ Don’t Toutch ]
  • Evil Karma
  • DJ-HacKeR
  • Fuck Yu !
  • H4x0r!
  • o-._.-o
  • Oracle Machine
  • Jesus Cristo
  • oussama
  • $T0N3R
  • DeV-PoInT HaCkEr
  • 0p3nf1r3
  • BaD HackeR
  • PrediatOr
  • PuNkDuDe
  • redC0mmand3r
  • Soda_Da_Pimp
  • British_Intel
  • Saeed_virus
  • wolverine
  • Computer Zimmer
  • E.M.I.N.E.M
  • _M3t4m0rf0siS_
  • -$-BaNdO’s CoRp-$-
  • A__L__I__E__N
  • BrainFart
  • FaTaLCoDeR
  • fucked up
  • FuckYou
  • g0df4th3r