Hexacorn | Blog

You are browsing the archive for Batch Analysis.

UVWATAUAVAWH – Meet The Pushy String

May 16, 2013 in Batch Analysis, Malware Analysis, Silly

The title of this post is not a secret message and I am not intoxicated.

UVWATAUAVAWH happens to be the most popular string extracted from all .exe, .dll and .sys OS files on my 64-bit Windows. The string is so popular and at the same time suspicious that if you google it you will find people theorizing about it having something to do with BSODs / being a part of some internal ZeroAccess secret language.

If you convert the characters into hex:

UVWATAUAVAWH

you will get a string of bytes like these:

55 56 57 41 54 41 55 41 56 41 57 48

and these can be also represented as opcodes:

U  - push    rbp

V  - push    rsi

W  - push    rdi

AT - push    r12

AU - push    r13

AV - push    r14

AW - push    r15

H  - part of sub rsp, xxx opcode

The sequence is a very typical prologue for functions (64-bit code) – so typical that it is all over the place together with its variants (see below); the ‘vowelized’ properties of these strings remind me an interesting paper about shellcodes that look like English text.

UVWATAUAVAWH
WATAUH
WATAUAVAWH
SUVWATAUAVAWH
SUVWATH
VWATAUAVH
SUVWATAUH
ATAUAVH
USVWATAUAVAWH
UVWATAUH
SUVWATAUAVH
SVWATAUAVAWH
USVWATH
USVWATAUH
USVWATAUAVH
VWATAUAVAWH
WAVAWH
ATAUAVAWH
VWATAUAWH
WATAVH
UVWATAUAVH

Comments Off

…and the most popular day for malware compilation is:

May 16, 2013 in Batch Analysis, Malware Analysis

Saturday.

Thursdays, Fridays, Saturdays are the days when the malware is compiled the most often.

It kinda makes sense*.

Who would like to work Sundays and Mondays?**

*remember what they say about statistics (data based on 2.5M samples)
**obviously, the APT guys

Comments Off

…and the most popular windows account for compiling malware is:

May 8, 2013 in Batch Analysis, Malware Analysis

Administrator.

Many malware samples contain debug strings that include paths often directly pointing to a location where the source code is stored and so it happens that often it’s also a location under the USERPROFILE. For the fun of it, I extracted the strings from a large batch of samples and came up with the following statistics (showing top 50):

   3893 Administrator
   2963 JUANJO
   1121 ryanch
    928 Boy
    617 UserXP
    612 user
    519 1337
    502 User
    465 Admin
    435 root
    422 bld4act
    418 Owner
    347 nosferatus
    305 Administrateur
    300 M4x
    296 ismael
    277 goga
    277 Kyle
    255 Mirko
    247 1134
    244 kdglkrkjdfhslej
    241 FEDERIKO
    234 t0fx
    231 rstephens
    219 DarkCoderSc
    218 gcc
    205 icyheart
    200 Dave
    197 michael
    197 Roshan
    197 James
    195 Ben
    182 John
    178 admin
    173 Dev
    161 box1
    157 nonadmin
    153 FELIPE
    152 Familie
    151 Timothy
    137 Dhivin
    133 Vortex
    131 Robert
    130 dabdoub
    129 USER
    127 dr zinou
    125 packar
    122 David
    116 nathu
    116 Daniel

It’s obviously biased.

Other interesting names include:

tom age five
GANGSTA
Krusty the Clown
^_^
ItchyFingerz
irishboy
romantic
lol
brad pitt
Love Bebe
LorD^^$$steal3R
Cyber-Warrior Ender
auchan
F-B-I
Valued Sony Customer
SexyReplay
Microsoft
Poo
Trojan
P@wn3d
Emperor Zhou Tai Nu

There are over 7000 account names on the list. If you want the full list, please contact me offline.

Comments Off

Clustering and Batch Analysis of APT1 sampleset, part 3

March 12, 2013 in Batch Analysis, Malware Analysis

Part 1, Part 2, Part 3

In the last three posts I talked about batch analysis, clustering and applying these techniques to APT sampleset.

Batch processing is a step necessary for retrieving ‘clusterable’ data from samples in an automated fashion.

Clustering is a way of putting these samples into buckets, potentially grouping them into some families.

I want to see if w/o using any assumption/knowledge (retrieved from the white paper or other blogs) it is possible to cluster these samples in a reliable way. It is an interesting experiment and I am curious if I will ever get closer to already known clusters. Quite frankly, I don’t know yet. We shall see.

The clustering I have done so far was focused on dynamic analysis and a little bit on the source code analysis. In this post I will exploit code analysis further – this time focusing on disassembled .asm files generated as usual by the IDA Pro.

The resulting assembly code is quite nice for parsing as each line contains only one line of code – this allows to group the code into blocks on function boundaries and for each call to API or to another subroutine (including calls via registers), we can extract a simplified code of the program procedures e.g.

sub_401000    proc near        ; CODE XREF: _main+20Ap
[...]

lea    ecx, [esp+310h+szLongPath]
push    104h        ; nSize
push    ecx        ; lpFilename
push    0        ; hModule
call    ds:GetModuleFileNameA

lea    edx, [esp+310h+szLongPath]
push    104h        ; cchBuffer
lea    eax, [esp+314h+szLongPath]
push    edx        ; lpszShortPath
push    eax        ; lpszLongPath
call    ds:GetShortPathNameA

lea    ecx, [esp+310h+Parameters]
push    offset String2    ; "/c del "
push    ecx        ; lpString1
call    ds:lstrcpyA

mov    esi, ds:lstrcatA
lea    edx, [esp+310h+szLongPath]
lea    eax, [esp+310h+Parameters]
push    edx        ; lpString2
push    eax        ; lpString1
call    esi ; lstrcatA

lea    ecx, [esp+310h+Parameters]
push    offset s->>>nul    ; " >>NUL"
push    ecx        ; lpString1
call    esi ; lstrcatA

mov    esi, ds:ShellExecuteA
push    0        ; nShowCmd
push    offset Directory ; lpDirectory
lea    edx, [esp+318h+File]
push    offset Parameters ; "/c    del wuauclt.exe"
push    edx        ; lpFile
push    offset Operation ; "open"
push    0        ; hwnd
call    esi ; ShellExecuteA

push    0        ; nShowCmd
push    offset Directory ; lpDirectory
lea    eax, [esp+318h+File]
push    offset s->CDelSvchost_exe ; "/c    del svchost.exe"
push    eax        ; lpFile
push    offset Operation ; "open"
push    0        ; hwnd
call    esi ; ShellExecuteA

[...]
retnsub_401000    endp

becomes

GetModuleFileNameA

GetShortPathNameA

lstrcpyA

lstrcatA

lstrcatA

ShellExecuteA

ShellExecuteA

ShellExecuteA

and can be written as a single line of code

GetModuleFileNameA|GetShortPathNameA|lstrcpyA|lstrcatA|lstrcatA|ShellExecuteA|ShellExecuteA|ShellExecuteA

Applying such methodology on procedure boundaries and to each disassembled program I eventually came up with a shortened and flattened source code of each sample. I then built a histogram of the most common sequences of such code blocks across all the source code from all files and got the following stats:

   5514 |sub
   2507 |sub|sub
   1332 |sub|sub|sub
    860 |sub|sub|sub|sub
    558 |__security_check_cookie(x)
    479 |__security_check_cookie(x)|__security_check_cookie(x)
    475 |sub|sub|sub|sub|sub
    392 |sub|sub|sub|sub|sub|sub
    353 |operator delete(void *)
    276 |sub|operator delete(void *)
    269 |sub|sub|sub|sub|sub|sub|sub
    235 |sub|sub|sub|sub|sub|sub|sub|sub
    185 |sub|sub|sub|sub|sub|sub|sub|sub|sub
    168 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
    165 |__alloca_probe|sub|sub
    137 |eax
    132 |sub|sub|ecx
    132 |__alloca_probe|sub
    130 |_atexit
    123 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
    110 |_chkstk|sub|sub
    108 |strlen|operator delete(void *)|operator new(uint)|strcpy
    106 |nullsub
    106 |__alloca_probe
    101 |_chkstk|sub
     97 |eax|sub
     92 |__alloca_probe|sub|sub|sub|sub
     91 |__alloca_probe|sub|sub|sub
     88 |_chkstk|sub|sub|sub
     88 |__alloca_probe|sub|sub|sub|sub|sub|sub
     85 |__alloca_probe|sub|sub|sub|sub|sub
     80 |exception const &)
     75 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     73 |strlen
     73 |_chkstk|sub|sub|sub|sub|sub
     72 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     71 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     71 |_Tidy(bool,uint)
     69 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     68 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     68 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     68 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     68 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub
     68 |InternetCloseHandle|InternetCloseHandle|InternetCloseHandle
     67 |sub|eax
     63 |_chkstk|sub|sub|sub|sub|sub|sub
     62 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     62 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub
     61 |free
     60 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     60 |allocator<char>>(char const *)|_atexit
     59 |sub|_CxxThrowException(x,x)
     56 |_CxxThrowException
     56 |InternetReadFile
     55 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     55 |_chkstk
     55 |SetUnhandledExceptionFilter
     52 |operator new(uint)|exception(char const * const &)|_CxxThrowException(x,x)
     52 |operator delete(void *)|_CxxThrowException(x,x)
     52 |_flsall
     51 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     51 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub
     50 |_chkstk|sub|sub|sub|sub
     49 |j_free
     48 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     47 |sub|sub|_CxxThrowException(x,x)
     47 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     45 |sub|sub|sub|sub|eax
     44 |strchr|strchr
     44 |malloc|sub|sub|free
     43 |dword ptr [ecx+8]
     42 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     40 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     40 |sub|_Split(void)|_wmemmove|sub|_Eos(uint)|_Split(void)|_Tidy(bool)|sub
     40 |operator delete(void *)|operator delete(void *)
     40 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub
     40 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     40 |ReadFile|_memcpy_0
     39 |sub|_CxxThrowException
     39 |GetModuleFileNameA|GetShortPathNameA|GetEnvironmentVariableA|lstrcpyA|lstrcatA|lstrcatA|GetCurrentProcess|SetPriorityClass|GetCurrentThread|SetThreadPriority|ShellExecuteExA|SetPriorityClass|SetProcessPriorityBoost|SHChangeNotify|GetCurrentProcess|SetPriorityClass|GetCurrentThread|SetThreadPriority
     38 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     38 |_chkstk|sub|sub|sub|sub|sub|sub|sub
     37 |GetCurrentProcess|OpenProcessToken|LookupPrivilegeValueA|AdjustTokenPrivileges|CloseHandle|GetLastError
     36 |sub|sub|dword ptr [eax]|sub|sub|sub
     36 |sub|ecx
     36 |dword ptr [ecx+4]
     36 |_memset|sub|__security_check_cookie(x)
     35 |sub|sub|__security_check_cookie
     35 |sub|operator delete(void *)|operator delete(void *)|operator delete(void *)|operator delete(void *)
     35 |__invalid_parameter_noinfo
     34 |operator new(uint)
     34 |_free
     34 |_LocaleUpdate(localeinfo_struct *)|___strgtold12_l|sub|__security_check_cookie(x)
     33 |sub|sub|eax|sub
     33 |sub|operator delete(void *)|operator delete(void *)
     33 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     33 |__errno|__invalid_parameter
     32 |operator delete(void *)|operator new(uint)
     32 |memset
     31 |operator new(uint)|sub
     31 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     30 |eax|sub|sub|sub|sub
     30 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     30 |__EH_prolog|_Tidy(bool)|_strlen|sub|sub|_CxxThrowException(x,x)
     30 |SetServiceStatus
     28 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     27 |sub|_Split(void)|_memcpy|sub|_Eos(uint)|_Split(void)|_Tidy(bool)|sub
     27 |strlen|sub
     27 |memcpy
     27 |_strcmpi|memset|memset|CreateToolhelp32Snapshot|Process32First|sprintf|strcat|Process32Next|CloseHandle|_strcmpi|OpenSCManagerA|EnumServicesStatusExA|operator new(uint)|CloseServiceHandle|strcat|EnumServicesStatusExA|sprintf|strcat|operator delete(void *)|CloseServiceHandle|_strcmpi|GetLogicalDrives|sprintf|strcat|sprintf|strcat|lstrcatA|GetDriveTypeA|strcat|GetVolumeInformationA|strcat|strcat|sprintf|strcat
     27 |_strcmpi|atoi|OpenProcess|TerminateProcess|CloseHandle|strcat|_strcmpi|OpenSCManagerA|OpenServiceA|GetLastError|strcat|CloseServiceHandle|ControlService|GetLastError|strcat|CloseServiceHandle|CloseServiceHandle
     27 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub
     27 |GetProcAddress
     27 |GetExitCodeProcess|PeekNamedPipe|Sleep|ReadFile|CloseHandle|CloseHandle|memset|strcpy|strlen
     26 |sub|sub|sub|sub|_memcpy_s
     26 |sub|eax|sub|eax|sub
     26 |sub|_Tidy(bool)|_Tidy(bool)|sub
     26 |strstr|strchr|operator new(uint)|strchr|strchr|strchr|strchr|strchr|strchr|strchr|strchr|strchr|operator delete(void *)
     26 |strlen|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     26 |sprintf|HttpAddRequestHeadersA|HttpSendRequestA|GetLastError|InternetQueryOptionA|InternetSetOptionA|sprintf
     26 |__ld12cvt
     26 |___strgtold12|sub
     26 |__EH_prolog3|sub|sub|_CxxThrowException(x,x)
     26 |InternetOpenA|InternetSetOptionA|InternetSetOptionA|InternetSetOptionA|InternetConnectA|HttpOpenRequestA|strlen|HttpAddRequestHeadersA
     26 |$+5
     25 |rand
     25 |malloc|CreatePipe|CreatePipe|CloseHandle|CloseHandle|CloseHandle|CloseHandle|free|sub|CloseHandle|CloseHandle
     25 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     25 |__invalid_parameter_noinfo|__invalid_parameter_noinfo
     25 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     25 |URLDownloadToFileA|strcat
     24 |sub|sub|sub|sub|sub|GetProcAddress|sub|sub|sub
     24 |sub|edx|sub
     24 |sub|_Split(void)|_wmemmove|sub|_Eos(uint)|_Split(void)|sub|sub
     24 |shutdown|closesocket
     24 |send
     24 |fopen|fseek|fread|fseek|ftell|fseek|fread|fclose|fclose|fread|fclose|sub
     24 |edx
     24 |dword ptr [eax+40h]
     24 |_beginthreadex|CloseHandle
     24 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     24 |GetModuleHandleA|GetProcAddress
     23 |unknown_libname_1
     23 |sub|sub|sub|sub|operator delete(void *)
     23 |sub|OpenProcess|TerminateProcess|Sleep|CloseHandle|sub
     23 |strlen|CreateFileA|strlen|operator new(uint)|memset|WriteConsoleInputA|operator delete(void *)|CloseHandle
     23 |strcat|sub|WaitForSingleObject|strcat|strcat|strlen|sub
     23 |j_free|j_free
     23 |j_free|_CxxThrowException
     23 |LoadStringA|sub
     23 |CloseHandle
     22 |~type_info(void)|operator delete(void *)
     22 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     22 |sub|operator new(unsigned __int64)|exception(char const * const &)|_CxxThrowException|sub|sub|j_free
     22 |operator new(uint)|operator new(uint)|sub
     22 |operator new(uint)|operator delete(void *)
     22 |operator delete(void *)|operator delete(void *)|operator delete(void *)
     22 |exception(char const * const &)
     22 |eax|sub|sub|sub
     22 |GetCurrentProcess|GetCurrentProcess|DuplicateHandle|CreateProcessA|CloseHandle
     22 |CompareStringA
     22 |$+5|sub|sub
     21 |sub|_wcslen|sub|sub|sub|sub
     21 |sprintf|sprintf|sub
     21 |malloc|recv|sub|sub|_strnicmp|WriteFile|recv|free|ExitThread|SetEvent|free|ExitThread
     21 |malloc|PeekNamedPipe|ReadFile|sub|sub|_itoa|send|sub|Sleep|PeekNamedPipe|free|ExitThread
     21 |_strcmpi|memset|CreateProcessA|strcat|CloseHandle|_strcmpi|OpenSCManagerA|strcat|OpenServiceA|GetLastError|strcat|CloseServiceHandle|StartServiceA|GetLastError|strcat|CloseServiceHandle|CloseHandle
     21 |__get_sse2_info
     21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub
     21 |GetCurrentProcess|OpenProcess|GetLastError|sprintf|strcat|OpenProcessToken|memset|sprintf|CreateProcessAsUserA|strcat|CloseHandle|CloseHandle|GetLastError|sprintf|strcat|CloseHandle|GetLastError|sprintf|strcat|CloseHandle
     21 |CreateEventA|CreateEventA|sub|WaitForSingleObject|CloseHandle
     21 |$+5|sub

Using these shortened procedures for cluster generations gives some promising results e.g.:

sub
DeleteFileW
DeleteFileA

1328eaceb140a3863951d18661b097af.asm
31e5e58dbdfad05175613e795298ebb5.asm
6f9992c486195edcf0bf2f6ee6c3ec74.asm
c99fa835350aa9e2427ce69323b061a9.asm
e476e4a24f8b4ff4c8a0b260aa35fc9f.asm
ea1b44094ae4d8e2b63a1771a3e61fd5.asm
fc1937c1aa536b3744ebdfb1716fd54d.asm

LoadLibraryA
GetProcAddress
GetProcAddress
GetProcAddress

3f8682ab074a097ebbaadbf26dfff560.asm
4b19a2a6d40a5825e868c6ef25ae445e.asm
54d5d171a482278cc8eacf08d9175fd7.asm
56de2854ef64d869b5df7af5e4effe3e.asm
75dad1ccabae8adeb5bae899d0c630f8.asm
8462a62f13f92c34e4b89a7d13a185ad.asm

htons
socket
connect
closesocket

468ff2c12cffc7e5b2fe0ee6bb3b239e.asm
727a6800991eead454e53e8af164a99c.asm
bd8b082b7711bc980252f988bb0ca936.asm
db05df0498b59b42a8e493cf3c10c578.asm
e1b6940985a23e5639450f8391820655.asm

ecx
eax
dword ptr [esi+10h]
sub
ecx
eax
sub
sub
sub
sub
sub
sub
sub
sub

12f25ce81596aeb19e75cc7ef08f3a38.asm
268eef019bf65b2987e945afaf29643f.asm
468ff2c12cffc7e5b2fe0ee6bb3b239e.asm
4c6bddcca2695d6202df38708e14fc7e.asm
5a728cb9ce56763dccb32b5298d0f050.asm
727a6800991eead454e53e8af164a99c.asm
8e8622c393d7e832d39e620ead5d3b49.asm
bd8b082b7711bc980252f988bb0ca936.asm
c6a4bb1a4e4f69ec71855d70d6960859.asm
db05df0498b59b42a8e493cf3c10c578.asm
e1b6940985a23e5639450f8391820655.asm
ef8e0fb20e7228c7492ccdc59d87c690.asm

LoadLibraryA
GetProcAddress
sub
sub
strstr
strchr
GetSystemDirectoryA
time
srand
malloc
sub
sub
strncmp
Sleep
sub
Sleep
sub
Sleep
CreatePipe
CreatePipe
GetStartupInfoA
CreateProcessA
GetLastError
_snprintf
sub
CreateProcessA
CreateThread
CreateThread
WaitForMultipleObjects
GetExitCodeThread
TerminateThread
GetExitCodeThread
TerminateThread
GetExitCodeProcess
TerminateProcess
sub
sub
GetLastError
_snprintf
sub
CloseHandle
CloseHandle
CloseHandle
CloseHandle
sub
sub
Sleep
PeekNamedPipe
ReadFile
sub

0dd3677594632ce270bcf8af94819caf.asm
270d42f292105951ee81e4085ea45054.asm
523f56515221161579ee6090c962e5b1.asm

Notably, the disassembled code – after some selective processing and normalization – can be treated in a same way as student source code submissions for their assessments at uni and… be checked for plagiarism. The most common technique used for this purpose relies on measuring the cosine similarity. I am currently playing with it and will write more about my findings in another post.

Thanks for reading!

Comments Off

Clustering and Batch Analysis of APT1 sampleset, part 2

March 5, 2013 in Batch Analysis, Malware Analysis

Part 1, Part 2, Part 3

In my last post, I presented results of the batch analysis and clustering attempts of the APT1 sampleset. Today, I will continue on the topic of clustering, this time looking at the problem from a different angle. Again, results are not mind blowing, but it’s an experiment and it’s not about the destination, but about the journey

Typical programs, even if recompiled or rebuilt with different configuration often preserve their internal structure. It is partially a result of ‘if it works, don’t touch’ approach, programmer’s laziness, his/her coding habits, a side effect of the ‘business logic’ implemented in the program and many other factors. One can compare a patched file and immediately spot the changes; or, pick up a a characteristic sequence of code or data and search for similar sequences in the whole sampleset. The fact that it is possible to compare programs on a binary level is well known and pretty much every 0day hunter has at some stage used or is currently using this technique in their bughunting adventures (using tools like BinNavi).

In a context of sample clustering, I think we don’t necessarily need to go as far as in-depth binary code comparison – there are a lot of shortcuts we can take here. The easiest is to pick up these code sequences that refer to strings. And to narrow down the scope for this post, we only look at string comparisons. They are used for parsing of command line arguments, RAT/bot commands, data sent over the protocols and so on and so forth.

There are a few ways compilers implement string comparisons on a machine code level – based on a quick research and already done clustering on the APT1 sampleset, I know that plenty of string comparisons are done using just 5 functions: _strnicmp, memcmp, strcmp, strncmp, strstr.

In order to look at the code sequences of this sort we need to find a better way of extracting strings from the samples, because a typical static analysis tool extracts strings from the file in a ‘dumb’ way and doesn’t provide the necessary programming/algorithmic context. Using a tool like PESectionExtractor doesn’t help either as the context it provides is related only to a physical location of the string, and doesn’t tell us how the string is being used by the program. What we need is a tool that can disassemble the code properly or even better – decompile it. And the obvious choice here is Ida Pro with its Hex-Rays plugin.

The resulting files are a bit too large for the direct copy and paste in this post, so I am providing direct links to text files below:

Comments Off

Clustering and Batch Analysis of APT1 sampleset

March 4, 2013 in Batch Analysis, Compromise Detection, Malware Analysis

Part 1, Part 2, Part 3

As I mentioned in my previous post, I was toying around with various samplesets (e.g. zero access, APT1, etc.) and since the APT1 sampleset is all over the news, I took a stab at it and sandboxed the samples + attempted to cluster the results to see if I any patterns emerge…

The sampleset – batch analysis

Encryption

Some of the samples use DES and the following passwords:

Hello@)!0
!b=z&7?cc,MQ
1b=z7/lx+WK!
!b=z&7?cc,MQ>

File names / locations:

%USERPROFILE%\Application Data\Adobe8.0.0\update.exe
%USERPROFILE%\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe
%USERPROFILE%\Application Data\Adobe\reader_sl.exe
%USERPROFILE%\Application Data\Help\svchost.exe
%USERPROFILE%\Local Settings\Application Data\Microsoft\svchost.exe
%USERPROFILE%\Local Settings\Application Data\Microsoft\wuauclt.exe
%USERPROFILE%\Local Settings\spoolsvr.exe
%USERPROFILE%\Local Settings\Temp\AcroRD32.exe
%USERPROFILE%\Local Settings\Temp\AdobeARM.exe
%USERPROFILE%\LOCALS~1\Temp\17DC75.dmp
%USERPROFILE%\LOCALS~1\Temp\17DC85.dmp
%USERPROFILE%\LOCALS~1\Temp\17DD6F.dmp
%USERPROFILE%\LOCALS~1\Temp\17DD9E.dmp
%USERPROFILE%\LOCALS~1\Temp\17DDEC.dmp
%USERPROFILE%\LOCALS~1\Temp\17E7CF.dmp
%USERPROFILE%\LOCALS~1\Temp\17EE48.dmp
%USERPROFILE%\LOCALS~1\Temp\AdobeUpdate.exe
%USERPROFILE%\LOCALS~1\Temp\AdobeUpdater.exe
%USERPROFILE%\LOCALS~1\Temp\BP Makes Two Gas Discoveries in Egypt’s Nile Delta.doc
%USERPROFILE%\LOCALS~1\Temp\ctfmon.exe
%USERPROFILE%\LOCALS~1\Temp\ctfmon.exe\svchost.exe
%USERPROFILE%\LOCALS~1\Temp\em.exe
%USERPROFILE%\LOCALS~1\Temp\Halliburton to Present at Dahlman Rose & Co. Ultimate Oil Services And E&P Conference.pdf
%USERPROFILE%\LOCALS~1\Temp\iTunesHelper.exe
%USERPROFILE%\LOCALS~1\Temp\Material Type Ore 20160605.pdf
%USERPROFILE%\LOCALS~1\Temp\Open letter of Dow Corning Corp.pdf
%USERPROFILE%\LOCALS~1\Temp\POWER_GEN_2012.pdf
%USERPROFILE%\LOCALS~1\Temp\runinfo.exe
%USERPROFILE%\LOCALS~1\Temp\svchost.exe
%USERPROFILE%\LOCALS~1\Temp\Top Stock Alerts for Day Traders – Facebook, Freeport-McMoRan Copper & Gold, Fastenal, Research In Motion, EnCana, and Dollar General.doc
%USERPROFILE%\LOCALS~1\Temp\US hesitant in condemning North Korean launch.pdf
%USERPROFILE%\LOCALS~1\Temp\WINWORD.EXE
%USERPROFILE%\Start Menu\Programs\Startup\adobe_sl.lnk
%USERPROFILE%\Start Menu\Programs\Startup\AdobeRe.exe
%USERPROFILE%\Start Menu\Programs\Startup\ctfmon.exe
%USERPROFILE%\Templates\adobe_sl.exe
c:\WINDOWS\ntshrui.dll
C:\WINDOWS\ntshrui.dll1
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\Nwsapagent.dll
C:\WINDOWS\system\ersvc.dll
c:\WINDOWS\system\ersvc.dll

Mutexes:

!@ADS@#$
1234
1qaz@WSX
COPYRIGHTMM2011V2
fire
Geman.do
Global\AdobeReaderX
GLOBAL\ADR32
GLOBAL\ADR64
GLOBAL\MSFT64
Globxxxxxxxxssssseeeeeeal\ADReeeerrttyyyy64
hackersuck
ijnrfv
letusgohtppmmv1.0
letusgohtppmmv2.0.0.1

Services:

.Net CLR (Microsoft .Net Framework COM+ Support)
DevFS (Device File System)
DevFS (Device File System)
DevSec (Rpc Device Management)
InfMon (Infrared Monitor)
Nwsapagent (Gateway Service for Netware)
RasAuto (Remote Access Auto Connection Manager)
tcpguard (tcpguard)

Connections (note, may contain clean IPs/URLs):

10.166.1.182
127.0.0.1
140.116.70.8
143.89.35.19
202.105.39.39
202.39.61.136
202.6.235.83
203.200.205.245
204.111.73.150
205.159.83.91
208.239.156.123
209.124.51.194
209.124.51.219
209.151.145.185
209.161.249.125
209.208.114.83
209.233.16.84
209.253.17.229
211.232.57.235
212.130.19.154
216.15.210.68
218.232.105.200
218.232.66.12
218.233.206.2
218.234.17.30
24.73.192.154
60.248.52.95
61.219.67.1
64.80.153.108
65.105.157.228
65.110.1.32
65.114.195.226
65.89.173.68
66.151.16.30
66.155.114.145
66.170.3.43
66.228.132.53
68.17.104.162
68.96.31.136
69.20.5.219
69.25.50.10
69.28.168.10
69.74.43.87
69.90.123.6
69.90.18.22
69.90.18.23
69.90.65.240
70.62.232.98
74.86.197.56
75.145.139.18
admin.datastorage01.org
AdobeFlash.info.tm
cas.ibooks.tk
cas.m-e.org.ru
code.mcafeepaying.com
Colville.com
conference.ddns.us
ctcs.bigdepression.net
ctx.comrepair.net
dev.teamattire.com
documents.downloadsite.me
eclipsecti.infobusinessus.org
exactearth.info.tm
fasa.arrowservice.net
fasa.bigish.net
fasa.newsonet.net
flash.aoldaily.com
flash.aunewsonline.com
flash.cnndaily.com
flash.mcafeepaying.com
flash.usnewssite.com
fni.bigish.net
help.purpledaily.com
hint.happyforever.com
hojutsu.com
japan.yahoodaily.com
jimnaugle.com
johnford985.appspot.com
ks.aoldaily.com
ks.cnndaily.com
ks.jaimeastorga.mx
ks.manguvaljak.ee
ks.petrotdl.com.ar
ks.utworld.ch
media.finanstalk.ru
meeting.toh.info
moto.purpledaily.com
moto1.newsonet.net
moto2.earthsolution.org
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
olmusic100.com
portal.itsaol.com
public.ddns.us
qhun-mons.businessformars.com
report.crabdance.com
safety.canadatvsite.com
share.canoedaily.com
software.myftp.info
sports.canoedaily.com
stratos.aoldaily.com
stratos.mcafeepaying.com
tcw.homier.com
thecrownsgolf.org
time.mediaxsds.net
ttl.tfxdccssl.net
un.linuxd.org
update.dnepr.com
update.sektori.org
update.slowblog.com
us.gnpes.org
vop.earthsolution.org
wikileaks.ddns.us
www.bigish.net
www.bluecoate.com
www.businessformars.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.heliospartners.com
www.jiangmin.com.tw
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.net
www.newsesport.com
www.olmusic100.com
www.omegalogos.org
www.pastorsrest.com
www.pcs157.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.uszzcs.com
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net

URLs and URL-like patterns (from static analysis; may contain errors)

2.earthsolution.org
AdobeFlash.info.tm
www.mevatec.com
Colville.com
americanunfinished.com
aoldaily.com
appspot.com
aunewsonline.com
bigdepression.net
bluecoate.com
businessformars.com
canadatvsite.com
canoedaily.com
cnndaily.com
colville.com
com.tw
competrip.com
crabdance.com
cvba.com
datastorage01.org
ddns.us
deebeedesigns.ca
dnepr.com
doversolutions.co.in
drgeorges.com
dsds.co.kr
earthsolution.org
fbrshop.com
finanstalk.ru
freelanceindy.com
gnpes.org
gobroadreach.com
happyforever.com
hojutsu.com
homier.com
ibooks.tk
info.tm
itsaol.com
jimnaugle.com
kayauto.net
keenathomas.com
lksoftvc.net
mcafeepaying.com
mediaxsds.net
microsoft.com
micyuisyahooapis.com
msnhome.org
mwa.net
newsesport.com
newsonet.net
omegalogos.org
org.ru
pastorsrest.com
pcs157.com
purpledaily.com
rbaparts.com
sektori.org
slowblog.com
smilecare.com
spmiller.org
teamattire.com
tfxdccssl.net
thecrownsgolf.org
toh.info
usnewssite.com
uszzcs.com
vwrm.com
woodagency.com
yahoodaily.com
Hojutsu.com
Colville.com
Hojutsu.com
admin.datastorage01.org
cas.ibooks.tk
conference.ddns.us
ctcs.bigdepression.net
dev.teamattire.com
fasa.arrowservice.net
fasa.newsonet.net
fni.bigish.net
japan.yahoodaily.com
jimnaugle.com
media.finanstalk.ru
meeting.toh.info
moto.purpledaily.com
moto2.earthsolution.org
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
public.ddns.us
safety.canadatvsite.com
share.canoedaily.com
thecrownsgolf.org
time.mediaxsds.net
ttl.tfxdccssl.net
un.linuxd.org
update.dnepr.com
update.sektori.org
update.slowblog.com
us.gnpes.org
wikileaks.ddns.us
www.BusinessForMars.com
www.bigish.net
www.bluecoate.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.net
www.omegalogos.org
www.pastorsrest.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net
K4Pu.ht
Olmusic100.com
Sdv.gf
Sh.sd
americanunfinished.com
aoldaily.com
appspot.com
aunewsonline.com
bigdepression.net
bluecoate.com
businessformars.com
canadatvsite.com
canoedaily.com
cnndaily.com
colville.com
com.tw
competrip.com
crabdance.com
cvba.com
datastorage01.org
ddns.us
deebeedesigns.ca
dnepr.com
doversolutions.co.in
drgeorges.com
dsds.co.kr
earthsolution.org
fbrshop.com
finanstalk.ru
freelanceindy.com
gnpes.org
gobroadreach.com
happyforever.com
hojutsu.com
homier.com
ibooks.tk
info.tm
itsaol.com
jimnaugle.com
kayauto.net
keenathomas.com
lksoftvc.net
mcafeepaying.com
mediaxsds.net
microsoft.com
micyuisyahooapis.com
msnhome.org
mwa.net
newsesport.com
newsonet.net
omegalogos.org
org.ru
pastorsrest.com
pcs157.com
purpledaily.com
rbaparts.com
sektori.org
slowblog.com
smilecare.com
spmiller.org
teamattire.com
tfxdccssl.net
thecrownsgolf.org
toh.info
usnewssite.com
uszzcs.com
vwrm.com
woodagency.com
yahoodaily.com
X:\command.com
admin.datastorage01.org
adobeflash.info.tm
asa.bigish.net
aspjk07@hotmail.com
att.infosupports.com
augle.com
bigdepression.net
bluecoate.com
businessus.org
canadatvsite.com
cas.ibooks.tk
cas.m-e.org.ru
code.mcafeepaying.com
colville.com
command.com
competrip.com
conference.ddns.us
content.ie
crz.dnsweb.org
ctcs.bigdepression.net
ctcs.earthsolution.org
ctx.comrepair.net
deebeedesigns.ca
dev.teamattire.com
dns.progammerli.com
dove.blackcake.net
drgeorges.com
e.canoedaily.com
eclipsecti.infobusinessus.org
eds1.infosupports.com
erence.ddns.us
essformars.com
exactearth.info.tm
fasa.arrowservice.net
fasa.bigish.net
fasa.newsonet.net
fbrshop.com
fetch.py
flash.aoldaily.com
flash.aunewsonline.com
flash.cnndaily.com
flash.mcafeepaying.com
flash.usnewssite.com
fni.bigish.net
freelanceindy.com
gateway.messenger.hotmail.com
gobroadreach.com
gro.sepng.su
h.lk
h:mm:ss.tt
help.purpledaily.com
hint.happyforever.com
hojutsu.co
hojutsu.com
hotmail.com
safety.canadatvsite.com
www.microsoft.com
admin.datastorage01.org
adobeflash.info.tm
cas.ibooks.tk
cas.m-e.org.ru
colville.com
conference.ddns.us
dev.teamattire.com
hint.happyforever.com
hojutsu.com
japan.yahoodaily.com
jimnaugle.com
media.finanstalk.ru
meeting.toh.info
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
portal.itsaol.com
public.ddns.us
report.crabdance.com
safety.canadatvsite.com
share.canoedaily.com
sports.canoedaily.com
tcw.homier.com
thecrownsgolf.org
time.mediaxsds.net
ttl.tfxdccssl.net
update.dnepr.com
update.sektori.org
update.slowblog.com
us.gnpes.org
wikileaks.ddns.us
www.bluecoate.com
www.businessformars.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.jiangmin.com.tw
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.net
www.newsesport.com
www.omegalogos.org
www.pastorsrest.com
www.pcs157.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.uszzcs.com
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net
johnford985.appspot.com/fetch.py
code.mcafeepaying.com
ctcs.bigdepression.net
flash.aoldaily.com
flash.aunewsonline.com
flash.cnndaily.com
flash.mcafeepaying.com
flash.usnewssite.com
johnford985.appspot.com
ks.cnndaily.com
moto.purpledaily.com
moto1.newsonet.net
moto2.earthsolution.org
stratos.aoldaily.com
stratos.mcafeepaying.com
ic.ddns.us
ice.net
ille.com
ily.com
ing.toh.info
japan.yahoodaily.com
jimnaugle.com
johnford985.appspot.com
k.ca
kayauto.net
keenathomas.com
ks.aoldaily.com
ks.cnndaily.com
ks.jaimeastorga.mx
ks.manguvaljak.ee
ks.petrotdl.com.ar
ks.utworld.ch
m.ms
media.finanstalk.ru
meeting.toh.info
messenger.hotmail.com
microsoft.com
micyuisyahooapis.com
moc.yliadnnc.sk
moto.purpledaily.com
moto1.newsonet.net
moto2.earthsolution.org
mountainvalley.americanunfinished.com
msn.com
msnhome.org
mwa.net
n.datastorage01.org
n.linuxd.org
n.yahoodaily.com
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
nexus.passport.com
ni.bigish.net
nic.safalife.com
ntdetect.com
olmusic100.com
omegalogos.org
owservice.ne
pastorsrest.com
portal.itsaol.com
public.ddns.us
purpledaily.com
qhun-mons.businessformars.com
qusc12.infosupports.com
rbaparts.com
report.crabdance.com
rownsgolf.org
s.org
safety.canadatvsite.com
share.canoedaily.com
smilecare.com
sonet.net
sports.canoedaily.com
sra.blackcake.net
sra.infosupports.com
ssus.org
stratos.aoldaily.com
stratos.mcafeepaying.com
tcw.homier.com
te.dnepr.com
teamattire.com
thecrownsgolf.org
time.mediaxsds.net
tsu.com
ttl.tfxdccssl.net
ty.canadatvsite.com
un.linuxd.org
update.dnepr.com
update.mcafeepaying.com
update.sektori.org
update.slowblog.com
us.gnpes.org
usc12.blackcake.net
vop.earthsolution.org
vwrm.com
w.com
us.gn
wikileaks.ddns.us
woodagency.com
ww.bigish.net
www.BusinessForMars.com
www.bigish.net
www.bluecoate.com
www.businessformars.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.heliospartners.com
www.holdent.com.au
www.inkscape.org
www.jiangmin.com.tw
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.ne
www.mwa.net
www.newsesport.com
www.olmusic100.com
www.omegalogos.org
www.pastorsrest.com
www.pcs157.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.uszzcs.com
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net

HTTP Requests:

CONNECT HTTP/1.0
CONNECT /index.asp HTTP/1.1
GET HTTP/1.1
GET /1.asp?rands=FXMJVXGOJJ&acc=&str=select id from tab_online where regcode = ‘FXMJVXGOJJ’ HTTP/1.0
GET /197.1.16.3_7.html HTTP/1.1
GET /2011/n325423.shtml?pvid=fAAAACIkAOyJMGjxiYadwRyN9buY2MAeOtQPGgD7e0CsZAFTwA8txDliAAA= HTTP/1.0
GET /2651.asp HTTP/1.1
GET /3491.asp HTTP/1.1
GET /4823.asp HTTP/1.1
GET /4981.asp HTTP/1.1
GET /5310.asp HTTP/1.1
GET /5712.html HTTP/1.1
GET /6212.html HTTP/1.1
GET /6958.html HTTP/1.1
GET /_borders/top.htm HTTP/1.1
GET /A2/front/lm/mini/noborder/?AQB=1&ndh=1&t=480&lv=VDipXNKF&pageName=About&ss=ipWHkqSl&g=Council&cid=225&v1=c25&hp=N&tal=&AQE=1 HTTP/1.0
GET /aboutus_ohs.html HTTP/1.1
GET /adobe.html HTTP/1.1
GET /api/get_attention_num/adfshow?slot=7cLLvm4e&p=F&may=128&g=4363&n=0&i=Home HTTP/1.0
GET /aspnet_client/system_web/1_0_3705_0/SmartNav.jpg HTTP/1.1
GET /attachments/C262-240.jpg HTTP/1.1
GET /bbs/db/1.asp?rands=KKIJLONGAP&acc=&str=select id from tab_online where regcode = ‘KKIJLONGAP’ order by id asc HTTP/1.0
GET /bbs/db/1.asp?rands=SEXGJLSSXM&acc=&str=select id from tab_online where regcode = ‘SEXGJLSSXM’ order by id asc HTTP/1.0
GET /BerwickFire/rental.html HTTP/1.1
GET /css/about.htm HTTP/1.1
GET /css/style.html HTTP/1.1
GET /Default.aspx?INDEX=CGPEHQURTR HTTP/1.1
GET /Default.aspx?INDEX=EIGHIZHOMM HTTP/1.1
GET /Default.aspx?INDEX=EYZALCJEKE HTTP/1.1
GET /Default.aspx?INDEX=GIOJJREGBY HTTP/1.1
GET /Default.aspx?INDEX=IHPSYRANKA HTTP/1.1
GET /Default.aspx?INDEX=IPESEDUTED HTTP/1.1
GET /Default.aspx?INDEX=JBVUQETDVA HTTP/1.1
GET /Default.aspx?INDEX=MAJVUXJDAQ HTTP/1.1
GET /Default.aspx?INDEX=QFBMPJCWAL HTTP/1.1
GET /Default.aspx?INDEX=XMDOFYNHDY HTTP/1.1
GET /default.htm HTTP/1.1
GET /default.html HTTP/1.1
GET /download.htm HTTP/1.1
GET /download/confere.html HTTP/1.1
GET /download/device_ad.asp?device_t=2928269924&key=dxrqdgct&device_id=ad&cv=dxrqdgctnynmgjjfn HTTP/1.0
GET /downloadsoft.htm HTTP/1.1
GET /fax.html HTTP/1.1
GET /file/yahootemp.html HTTP/1.1
GET /Gallery/Winterfest/2.jpg HTTP/1.1
GET /html/proe_tcp.html HTTP/1.1
GET /images/1.asp?rands=HOWBTFQLOZ&acc=&str=select id from tab_online where regcode = ‘HOWBTFQLOZ’ order by id asc HTTP/1.0
GET /images/_vti_img/index.asp HTTP/1.1
GET /images/bs.gif HTTP/1.1
GET /images/btn_info.jpg HTTP/1.1
GET /images/button.jpg HTTP/1.1
GET /images/colt_defense.jpg HTTP/1.1
GET /images/db/1.asp?rands=BWFIMNAJEE&acc=&str=select id from tab_online where regcode = ‘BWFIMNAJEE’ order by id asc HTTP/1.0
GET /images/device_index.asp?device_t=5962704463&key=odnnmvgr&device_id=index&cv=odnnmvgrmftvujsyg HTTP/1.0
GET /images/error.jpg HTTP/1.1
GET /images/head_left.jpg HTTP/1.1
GET /images/icons/3224?meth=gc&tid=2005614&cqe=3884550&inif=tLu3v8eD3Lu+vqjHy8PI1MvMwtTCytTLycnct7uosceUkZzXgNy1qarHz9TL3LK+qbTHy8+fnw==&syun=250 HTTP/1.1
GET /images/index_0_02.jpg HTTP/1.1
GET /images/leftnav_prog_bg.jpg HTTP/1.1
GET /images/li.gif HTTP/1.1
GET /images/logo.png HTTP/1.1
GET /images/reach1.jpg HTTP/1.1
GET /images/record.asp?device_t=3134688572&key=ywbyftdd&device_id=index&cv=ywbyftddoirafvbak&result=no%20command%0D%0A%0D%0ANext%3ASun%20Feb%2024%2009%3A50%3A15%202013%0Adelay%3A3600%20sec%0D%0A HTTP/1.0
GET /images/title.png HTTP/1.1
GET /index.htm HTTP/1.1
GET /index.html HTTP/1.1
GET /index.html HTTP/1.1
GET /index/default.htm HTTP/1.1
GET /index01.htm HTTP/1.1
GET /info/2013.html?1361695580 HTTP/1.0
GET /info/2013.html?1361695600 HTTP/1.0
GET /info/sh1/search.asp HTTP/1.1
GET /info/sh3/search.asp HTTP/1.1
GET /java/careers.html HTTP/1.1
GET /loa/database3/sun.html?a=1317&b=10043&typ=ntWVDtQM&user=home_page|homepage_2nd_banner_820x90&pagei=/8LfwOjw&border=0&local=yes&psi=170&f=1&form=&h=&i=100 HTTP/1.0
GET /logo.html HTTP/1.1
GET /logs/login.asp HTTP/1.1
GET /M&A_alliances.htm HTTP/1.1
GET /main/1.asp?rands=TGPJQNYBQY&acc=&str=select id from tab_online where regcode = ‘TGPJQNYBQY’ order by id asc HTTP/1.0
GET /marq.htm HTTP/1.1
GET /NET/kappa.jpg HTTP/1.1
GET /order.htm HTTP/1.1
GET /Ouo4f045.asp HTTP/1.1
GET /pop.htm HTTP/1.1
GET /postinfo.html?1361694906 HTTP/1.0
GET /postinfo.html HTTP/1.1
GET /pp/core/cgi/wor.asp?category=qiu&ace=i9t2&newText=&amer=160&eur=&mm=love HTTP/1.0
GET /public.html HTTP/1.1
GET /report/news.html HTTP/1.1
GET /Resource/device_Tr.asp?device_t=1626586307&key=wuagysqk&device_id=Tr&cv=wuagysqkptijnsayv HTTP/1.0
GET /Resource/record.asp?device_t=2620185844&key=majccsyr&device_id=Tr&cv=majccsyrufwyqrdkg&result=no%20command%0D%0A%0D%0ANext%3ASun%20Feb%2024%2009%3A57%3A53%202013%0Adelay%3A3600%20sec%0D%0A HTTP/1.0
GET /Rossini.jpg HTTP/1.1
GET /s/asp?XAAAANoRA_U9K_o8YmGncEcjfW7mNjAHjrUDxoA8sgB_SAA=p=1 HTTP/1.0
GET /safe/1.asp?rands=LYWWLWYPSW&acc=&str=select id from tab_online where regcode = ‘LYWWLWYPSW’ order by id asc HTTP/1.0
GET /saler.gif HTTP/1.1
GET /staff.htm HTTP/1.1
GET /study.htm HTTP/1.1
GET /sun/moto.htm HTTP/1.1
GET /top.htm HTTP/1.1
GET /uc/myshow/blog/misc/gif/show.asp?a=mmRCP0L&p=2Fregion2F&u=n5vh8rmrnlopo1ec&b=vY6HjJ2C&n=0&c=233&x=400&y=4153&e=&wt=30q00dn00ei76hc9 HTTP/1.0
GET /update.jpg HTTP/1.1
GET /update.jpg HTTP/1.1
GET /update.png HTTP/1.1
GET /uwire/index.html HTTP/1.1
GET /windows.html HTTP/1.1
GET /word/display.asp HTTP/1.1
GET /worlda.html HTTP/1.1
GET /worldb.html HTTP/1.1
GET /Y/ HTTP/1.1
GET Default.asp HTTP/1.1
GET Default.asp?uid=86893&do=friend&view=41&_lgmode=pri&from=bkT7i2 HTTP/1.1
GET Default.asp?uid=86893&do=friend&view=toms HTTP/1.1
GET index.html HTTP/1.1
GET HTTP/1.1
POST /fetch.py HTTP/1.1
POST 404error.asp HTTP/1.1
POST aspnet_client/report.asp HTTP/1.1
POST aspnet_client/system_web/1_0_3705_0/addCats.asp HTTP/1.1
POST index.asp HTTP/1.1

User Agents:

08:52:09+[HOSTNAME]
08:52:27+[HOSTNAME]
10:03:44+[HOSTNAME]
10:04:02+[HOSTNAME]
5.1 04:15 [HOSTNAME]\[USERNAME]
5.1 04:19 [HOSTNAME]\[USERNAME]
5.1 04:45 [HOSTNAME]\[USERNAME]
5.1 04:46 [HOSTNAME]\[USERNAME]
5.1 04:47 [HOSTNAME]\[USERNAME]
5.1 07:43 [HOSTNAME]\[USERNAME]
5.1 09:35 [HOSTNAME]\[USERNAME]
5.1 09:36 [HOSTNAME]\[USERNAME]
5.1 09:38 [HOSTNAME]\[USERNAME]
5.1 09:39 [HOSTNAME]\[USERNAME]
Google+page
HTTP 1.1
HTTP Mozilla/5.0(compatible+MSIE
IPHONE8.5(host:[HOSTNAME],ip:[IP]
IPHONE8.5(host:[HOSTNAME],ip:[IP]ct:Sun Feb 24 08:46:20 2013
IPHONE8.5(host:[HOSTNAME],ip:[IP]ct:Sun Feb 24 08:46:40 2013
Internet SurfBear
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer Exelon [HOSTNAME]
Mozilla/4.0 (compatible;
Mozilla/4.0 (compatible; MSIE 6.0; Win32
Mozilla/4.0 (compatible; MSIE 6.0; Win32–[HOSTNAME]
Mozilla/4.0 (compatible; MSIE 6.0; Win32;
Mozilla/4.0 (compatible; MSIE 6.0; Win32;Ali;
Mozilla/4.0 (compatible; MSIE 6.0; Win32;Fly;
Mozilla/4.0 (compatible; MSIE 6.0; Win32;Google;
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14.52 from
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1
Mozilla/4.0 (compatible; MSIE 8.0; Win32
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.BMWCN
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.BMWUS
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.NSF
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.004:48
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:36
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:37
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:47
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:48
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:07
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:13
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:27
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:50
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.010:19
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0
Mozilla/4.0 (compatible; MSIE7.0; Windows NT 5.1
Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0
Mozilla/4.0
Mozilla/5.0 (compatible; MSIE 7.1; Windows NT 5.1; SV1
Mozilla/5.0 (compatible; MSIE 8.0; Win32
Mozilla/5.0
Win32
[HOSTNAME]+Mozilla/4.0 (compatible; MSIE 8.0; Win32
[HOSTNAME]
yahoo html

Delays in ms

100
1000
2000
3000
4000
5000
6000
10000
30000
60000
100000
120000
127000
300000
600000
900000
1500000
1620000
174000
1740000
1800000
2100000

Compilation timestamps:

2001-07-17 00:22:56 Tuesday 995329376
2003-08-06 18:34:23 Wednesday 1060194863
2003-10-16 03:41:02 Thursday 1066275662
2004-01-23 23:39:42 Friday 1074901182
2004-05-15 01:06:23 Saturday 1084583183
2004-07-07 02:17:12 Wednesday 1089166632
2004-08-04 06:02:53 Wednesday 1091599373
2004-08-04 06:10:04 Wednesday 1091599804
2004-08-04 06:14:22 Wednesday 1091600062
2004-08-04 06:14:38 Wednesday 1091600078
2004-08-04 07:56:01 Wednesday 1091606161
2004-08-04 07:56:07 Wednesday 1091606167
2004-08-04 07:56:21 Wednesday 1091606181
2004-08-04 07:56:23 Wednesday 1091606183
2004-08-04 07:56:26 Wednesday 1091606186
2004-08-04 07:56:30 Wednesday 1091606190
2004-08-04 07:56:36 Wednesday 1091606196
2004-08-04 07:56:37 Wednesday 1091606197
2004-08-04 07:56:39 Wednesday 1091606199
2004-08-04 07:56:40 Wednesday 1091606200
2004-08-04 07:56:42 Wednesday 1091606202
2004-08-04 07:56:44 Wednesday 1091606204
2004-08-04 07:56:58 Wednesday 1091606218
2004-08-04 07:57:08 Wednesday 1091606228
2004-08-04 07:57:38 Wednesday 1091606258
2004-08-04 07:59:14 Wednesday 1091606354
2006-08-03 12:45:02 Thursday 1154609102
2006-09-13 18:20:18 Wednesday 1158171618
2006-09-14 02:28:46 Thursday 1158200926
2007-06-29 15:18:22 Friday 1183130302
2007-07-25 17:44:33 Wednesday 1185385473
2007-08-08 03:16:50 Wednesday 1186543010
2007-09-17 09:21:03 Monday 1190020863
2007-11-18 23:50:13 Sunday 1195429813
2008-03-12 12:39:30 Wednesday 1205325570
2008-04-13 19:14:55 Sunday 1208114095
2008-06-17 01:20:04 Tuesday 1213665604
2008-07-30 03:25:13 Wednesday 1217388313
2008-08-22 00:43:16 Friday 1219365796
2008-08-27 08:41:19 Wednesday 1219826479
2008-09-16 08:40:03 Tuesday 1221554403
2008-09-16 08:42:05 Tuesday 1221554525
2008-09-16 09:20:31 Tuesday 1221556831
2008-10-22 00:12:21 Wednesday 1224634341
2008-10-27 02:18:16 Monday 1225073896
2008-10-27 08:31:43 Monday 1225096303
2008-10-27 13:48:37 Monday 1225115317
2008-11-10 08:29:48 Monday 1226305788
2008-11-10 08:30:00 Monday 1226305800
2008-11-21 07:46:32 Friday 1227253592
2009-01-07 08:09:33 Wednesday 1231315773
2009-01-15 03:30:11 Thursday 1231990211
2009-02-05 07:14:01 Thursday 1233818041
2009-02-05 07:16:28 Thursday 1233818188
2009-02-05 07:20:22 Thursday 1233818422
2009-02-17 09:40:38 Tuesday 1234863638
2009-03-02 09:52:20 Monday 1235987540
2009-03-06 14:10:18 Friday 1236348618
2009-03-16 13:30:51 Monday 1237210251
2009-03-17 03:34:24 Tuesday 1237260864
2009-03-17 13:21:25 Tuesday 1237296085
2009-03-25 13:11:56 Wednesday 1237986716
2009-04-12 09:14:38 Sunday 1239527678
2009-05-14 17:12:40 Thursday 1242321160
2009-05-26 07:37:57 Tuesday 1243323477
2009-06-08 10:17:38 Monday 1244456258
2009-07-08 13:30:46 Wednesday 1247059846
2009-07-16 15:04:29 Thursday 1247756669
2009-07-20 08:33:01 Monday 1248078781
2009-07-20 09:02:46 Monday 1248080566
2009-07-25 03:44:04 Saturday 1248493444
2009-07-29 14:34:24 Wednesday 1248878064
2009-07-30 09:20:04 Thursday 1248945604
2009-08-03 08:29:29 Monday 1249288169
2009-08-11 08:38:40 Tuesday 1249979920
2009-08-16 11:05:43 Sunday 1250420743
2009-08-24 13:16:23 Monday 1251119783
2009-08-28 02:17:30 Friday 1251425850
2009-11-11 06:33:02 Wednesday 1257921182
2009-11-17 22:13:19 Tuesday 1258495999
2009-12-01 00:40:09 Tuesday 1259628009
2009-12-21 01:39:02 Monday 1261359542
2010-01-15 17:20:56 Friday 1263576056
2010-02-03 08:22:33 Wednesday 1265185353
2010-02-03 08:22:50 Wednesday 1265185370
2010-02-09 08:29:43 Tuesday 1265704183
2010-02-11 03:27:04 Thursday 1265858824
2010-02-11 06:44:46 Thursday 1265870686
2010-02-25 00:49:53 Thursday 1267058993
2010-03-15 06:27:58 Monday 1268634478
2010-04-12 09:09:29 Monday 1271063369
2010-04-14 17:18:20 Wednesday 1271265500
2010-04-20 03:39:27 Tuesday 1271734767
2010-04-23 07:51:28 Friday 1272009088
2010-05-20 07:01:21 Thursday 1274338881
2010-06-23 01:24:31 Wednesday 1277256271
2010-06-25 09:26:47 Friday 1277458007
2010-06-29 00:31:41 Tuesday 1277771501
2010-08-23 02:17:20 Monday 1282529840
2010-09-19 08:34:11 Sunday 1284885251
2010-09-27 02:06:31 Monday 1285553191
2010-09-28 01:00:25 Tuesday 1285635625
2010-09-28 08:09:41 Tuesday 1285661381
2010-10-19 08:15:54 Tuesday 1287476154
2010-10-21 06:51:09 Thursday 1287643869
2010-10-29 06:50:40 Friday 1288335040
2010-10-29 06:51:08 Friday 1288335068
2010-11-02 08:35:56 Tuesday 1288686956
2010-11-04 06:07:11 Thursday 1288850831
2010-11-06 08:08:37 Saturday 1289030917
2010-11-17 13:37:00 Wednesday 1290001020
2010-11-18 01:54:57 Thursday 1290045297
2010-12-02 08:05:26 Thursday 1291277126
2010-12-16 03:14:07 Thursday 1292469247
2010-12-16 03:16:48 Thursday 1292469408
2010-12-18 08:10:11 Saturday 1292659811
2010-12-22 08:02:25 Wednesday 1293004945
2011-01-11 02:12:48 Tuesday 1294711968
2011-01-11 02:24:30 Tuesday 1294712670
2011-01-11 03:22:02 Tuesday 1294716122
2011-03-02 07:40:24 Wednesday 1299051624
2011-03-03 13:41:14 Thursday 1299159674
2011-03-07 09:42:59 Monday 1299490979
2011-03-08 02:36:50 Tuesday 1299551810
2011-03-16 19:26:23 Wednesday 1300303583
2011-03-22 12:59:55 Tuesday 1300798795
2011-03-23 14:34:10 Wednesday 1300890850
2011-03-23 14:36:19 Wednesday 1300890979
2011-03-28 13:35:35 Monday 1301319335
2011-03-29 08:40:16 Tuesday 1301388016
2011-04-02 09:07:51 Saturday 1301735271
2011-04-08 08:04:50 Friday 1302249890
2011-04-20 13:13:08 Wednesday 1303305188
2011-04-21 07:16:51 Thursday 1303370211
2011-04-21 07:51:21 Thursday 1303372281
2011-04-26 01:53:58 Tuesday 1303782838
2011-04-28 01:22:03 Thursday 1303953723
2011-05-17 07:45:35 Tuesday 1305618335
2011-05-17 12:37:22 Tuesday 1305635842
2011-05-20 01:14:53 Friday 1305854093
2011-05-30 08:29:29 Monday 1306744169
2011-06-28 22:39:19 Tuesday 1309300759
2011-07-11 03:38:22 Monday 1310355502
2011-07-18 03:10:56 Monday 1310958656
2011-07-19 01:55:13 Tuesday 1311040513
2011-07-28 04:50:57 Thursday 1311828657
2011-07-28 14:49:46 Thursday 1311864586
2011-07-29 07:10:31 Friday 1311923431
2011-08-09 08:15:29 Tuesday 1312877729
2011-08-11 13:15:49 Thursday 1313068549
2011-08-19 02:34:16 Friday 1313721256
2011-08-19 03:07:37 Friday 1313723257
2011-09-20 03:40:51 Tuesday 1316490051
2011-09-20 03:50:48 Tuesday 1316490648
2011-09-25 13:42:51 Sunday 1316958171
2011-09-25 13:43:28 Sunday 1316958208
2011-09-27 13:07:55 Tuesday 1317128875
2011-09-27 13:09:16 Tuesday 1317128956
2011-10-10 14:16:57 Monday 1318256217
2011-10-11 13:02:38 Tuesday 1318338158
2011-10-12 01:58:10 Wednesday 1318384690
2011-10-13 08:47:13 Thursday 1318495633
2011-10-14 08:42:16 Friday 1318581736
2011-10-14 11:58:04 Friday 1318593484
2011-10-18 00:58:17 Tuesday 1318899497
2011-10-19 09:16:10 Wednesday 1319015770
2011-10-19 09:17:10 Wednesday 1319015830
2011-10-19 09:19:09 Wednesday 1319015949
2011-10-24 08:19:05 Monday 1319444345
2011-11-01 02:43:26 Tuesday 1320115406
2011-11-05 09:27:34 Saturday 1320485254
2011-11-07 14:59:20 Monday 1320677960
2011-11-17 07:22:44 Thursday 1321514564
2011-11-21 12:36:14 Monday 1321878974
2011-11-21 12:36:51 Monday 1321879011
2011-11-22 01:15:22 Tuesday 1321924522
2011-11-28 12:32:07 Monday 1322483527
2011-12-12 03:28:15 Monday 1323660495
2011-12-20 02:23:38 Tuesday 1324347818
2012-01-19 00:50:11 Thursday 1326934211
2012-01-20 03:14:28 Friday 1327029268
2012-02-09 00:47:28 Thursday 1328748448
2012-02-09 00:47:52 Thursday 1328748472
2012-02-16 08:22:06 Thursday 1329380526
2012-02-17 14:55:21 Friday 1329490521
2012-02-23 07:20:31 Thursday 1329981631
2012-02-28 11:48:43 Tuesday 1330429723
2012-02-28 15:35:51 Tuesday 1330443351
2012-03-02 06:27:21 Friday 1330669641
2012-03-02 07:20:27 Friday 1330672827
2012-03-02 08:45:11 Friday 1330677911
2012-03-07 08:41:30 Wednesday 1331109690
2012-03-12 01:34:56 Monday 1331516096
2012-03-13 02:21:54 Tuesday 1331605314
2012-03-13 03:47:57 Tuesday 1331610477
2012-03-16 07:10:50 Friday 1331881850
2012-03-20 09:24:33 Tuesday 1332235473
2012-03-22 08:45:38 Thursday 1332405938
2012-03-28 15:39:00 Wednesday 1332949140
2012-04-12 15:02:26 Thursday 1334242946
2012-04-17 08:29:00 Tuesday 1334651340
2012-04-17 08:30:01 Tuesday 1334651401
2012-04-17 09:32:54 Tuesday 1334655174
2012-04-24 08:24:45 Tuesday 1335255885
2012-05-07 03:19:17 Monday 1336360757
2012-05-14 14:16:53 Monday 1337005013
2012-05-28 08:12:40 Monday 1338192760
2012-05-29 14:39:47 Tuesday 1338302387
2012-06-04 12:57:35 Monday 1338814655
2012-06-09 13:19:49 Saturday 1339247989
2012-06-09 13:19:53 Saturday 1339247993
2012-06-11 12:37:20 Monday 1339418240
2012-06-26 03:30:05 Tuesday 1340681405
2012-08-08 23:27:53 Wednesday 1344468473
2012-08-10 02:10:53 Friday 1344564653
2012-08-16 07:53:11 Thursday 1345103591
2012-08-20 12:56:12 Monday 1345467372
2012-08-20 12:59:08 Monday 1345467548
2012-08-20 14:06:56 Monday 1345471616
2012-08-20 15:16:12 Monday 1345475772
2012-08-21 13:46:15 Tuesday 1345556775
2012-08-22 15:50:16 Wednesday 1345650616
2012-08-28 07:34:32 Tuesday 1346139272
2012-08-28 13:40:13 Tuesday 1346161213
2012-08-30 13:06:09 Thursday 1346331969
2012-09-06 15:34:30 Thursday 1346945670
2012-09-10 14:25:34 Monday 1347287134
2012-11-07 14:12:48 Wednesday 1352297568
2012-11-13 14:55:39 Tuesday 1352818539
2012-11-14 07:58:27 Wednesday 1352879907
2012-11-16 07:35:22 Friday 1353051322
2012-12-06 13:09:40 Thursday 1354799380
2012-12-25 13:07:50 Tuesday 1356440870

The sampleset – clustering

Quite frankly, there is not so much to write about it here.

I do not find obvious distribution or significant spikes of specific patterns and the results are not very presentable – to provide a few specific examples – out of 285 samples:

The following samples use DES:

0CF9E999C574EC89595263446978DC9F
24259AE8B0018B0CE9992FB1D9B69E2A
468FF2C12CFFC7E5B2FE0EE6BB3B239E
476FEA8761A03BEF16E322996C2F6666
7AECB34616245EB6B2906358151BE55B
7F1A4BC267ACE340A5AA7A0B79CBF349
8E8622C393D7E832D39E620EAD5D3B49
929802A27737CEBC59D19DA724FDF30A
C04C796EF126AD7429BE7D55720FE392
CF9C2D5A8FBDD1C5ADC20CFC5E663C21
D0D5A20C5A6C4FDDAB4D43B85632B6A9
D34E357461C55D90C52309C1FF952B4C
DD21D1EA2146861A4219B1CBDAEFE59B

The following files run runinfo.exe:

09531F851EF74A7238685FD287A395BD
0CA6E2AD69826C8E3287FC8576112814
C3E5603A38E700274D1AB30CE93D08B9

The following samples use mutex !@ADS@#$

6B3D19CC86D82B06F5DB3AE9D5BA8A5F
831A67DC75E2D4505180888747BC8EA9

The following samples connect to 69.28.168.10:443

1F2EB7B090018D975E6D9B40868C94CA
D9FBF759F527AF373E34673DC3ACA462

The conclusion?

Diplomatically speaking – my clustering efforts are far from being actionable at this stage .

Sandboxing samples provides a good data for toying around, but w/o some normalization of this data and w/o ability to establish links between smaller clusters, it’s hard to draw any significant conclusion.

Sad, but watch this space

Comments Off

Clustering and Batch Analysis

March 4, 2013 in Batch Analysis, Malware Analysis

I have recently been toying around with clustering of various malicious sample sets – running files through a sandbox and static analysis tools, and then applying various normalization and histograms to the output. The results are not mind-blowing, but encouraging. They help in grouping various malware families into separate buckets, improve log parsing routines, and in some cases can be also leveraged to quickly discover hidden properties of the malware e.g. encryption keys, User Agents, HTTP verbs, etc. etc. – these may be then used for more in-depth analysis of proxy logs, etc.

Here is a short list of ‘clusterable’ attributes just in case you want to design your own clustering solution and are looking for a quick cheat list; it is certainly far from being complete, but may give you some pointers:

STATIC

File Name
File Extension
File Size
File Type
- This will have a lot of ‘subtypes’ – for MZ files see details here and here
- For executable – sequence of bytes at the entry point, and at the real entry point (for main, wmain, DLLMain, as well as for VB, Delphi code)
- For PE file – for each of these: their names where applicable, sizes, flags, entropy, strings:
  - sections (for list of known sections see here)
  - import tables
  - export tables
- For PE file -
  - PE type
  - Image base
  - Compilation/debug time stamps
  - Resources – number, topology
  - Debug strings
File Entropy
Compiler (PEiD, etc.)
Packer, protector
File hashes (MD5, SHA1, CTPH, …)
Extracted strings
Presence and characteristics of appended data (e.g. installers)
Sequences of code
- Disassembled code
- Decompiled code
- Selected code (e.g. map of calls)
Detection by various AVs
Multimedia properties (e.g. width, height, EXIF data, etc.)

DYNAMIC

Accessed IPs
Accessed URLs
GET and POST Queries
User Agents
Ports used
Created/accessed Mutexes/mutants
Created/accessed Atoms
Created/accessed Window names
Created/accessed Window classes
Created/accessed Windows topology
Windows’ visibility
Windows’ Unicodeness
Windows’ topology
Windows’ titles
Windows’ classes
Crypto used + built-in or API-based
Popular strings used (e.g. copyright banners as seen here)
Execution paths (code, sequences, code blocks, API sequences)
Use of location-independent code
Use of escalation of privileges tricks
Use and type of code injection
Use of kernel drivers (including system DLLs)
Use of stolen certificates
Use of anti-* techniques
Use of 0days
Use of timestomping
Use of dynamically vbuilt strings (run-time)
Use of code to adjust privileges)
Use of keylogging techniques (and what type: hook, API hook, etc.)
Use of external tools (e.g. cmd.exe, reg.exe, net.exe)
Use of autoruns.inf
Use of DKOM
Use of code directly accessing physical drives
Use of code directly accessing physical memory
Use of code directly accessing BIOS
Use of hypervisor
MBR – code modification
MBR – partition table modification
Passwords used for encryption and to access (e.g. FTP/SMTP/IRC)
Dropped file locations, names
Searched path locations, registry names
Targeted applications (e.g. browser, mail, IM and P2P clients, etc.)
Added/modified registry entries
APIs executed and their arguments
- Type of APIs (kernel32 win32 APIs or ntdll Zw/NT APIs)
- Delays used in waiting functions
- APIs/techniques used for memory allocation (heap, virtual*, stack-based, etc.)
- APIs/techniques used for self-deletion
- APIs/techniques used for running other .exes
- APIs/techniques used for network (winsock or wininet/also Rtl functions from ntdll)
- APIs/techniques used for network enumeration (Net*, WNet*, Domain*)
- Process enumeration APis
- …

Let me interrupt you here…

Okay, okay, I get i!!! It is a never ending list!!!

Comments Off

Top 100+ malicious types of 32-bit PE files

November 19, 2012 in Batch Analysis, Malware Analysis

Another round of stats – this time the top 100+ most ‘popular’ PE i386 file formats used by malware from over 1.2M samples.

Legend:

MZ PE i386 = PE 32 bit
DLL = DLL
Corrupted or Tricky = for some reason parser failed (usually some PE file tricks)
APPDATA xxxxxxxx = appended data followed by first 1-4 characters
SIG = contains directory entry pointing to signature (often it’s a random garbage though, not stolen certificates)
DEB = contains debugging information
COM = COM library
.NET = .NET PE
and lots of names related to various installers

 (44.17%)    560067    MZ PE i386
  (6.59%)     83554    MZ PE i386 DLL
  (6.16%)     78149    MZ PE i386 Corrupted Tricky
  (4.84%)     61379    MZ PE i386 DEB
  (3.51%)     44529    MZ PE i386 APPDATA 00000000
  (2.99%)     37871    MZ PE i386 SIG
  (2.81%)     35644    MZ PE i386 Tricky
  (2.01%)     25462    MZ PE i386 DLL COM
  (1.30%)     16478    MZ PE i386 NullSoft 2.46-1 SIG
  (1.28%)     16253    MZ PE i386 DLL DEB
  (1.28%)     16220    MZ PE i386 .NET
  (1.04%)     13128    MZ PE i386 SYS
  (0.98%)     12459    MZ PE i386 Tricky SIG
  (0.92%)     11614    MZ PE i386 NullSoft Unknown
  (0.82%)     10393    MZ PE i386 InnoSetup
  (0.78%)      9831    MZ PE i386  AutoIt or AutoHotKey
  (0.77%)      9709    MZ PE i386 Corrupted Tricky DEB
  (0.65%)      8273    MZ PE i386 .NET APPDATA 00000000
  (0.65%)      8217    MZ PE i386 DEB SIG
  (0.64%)      8166    MZ PE i386 NullSoft 2.46
  (0.61%)      7757    MZ PE i386 DLL APPDATA 00000000
  (0.54%)      6881    MZ PE i386 .NET DEB
  (0.48%)      6131    MZ PE i386 Zip Sfx
  (0.48%)      6054    MZ PE i386 Tricky DEB
  (0.47%)      5938    MZ PE i386 Rar SFX
  (0.46%)      5891    MZ PE i386 NullSoft 2.45
  (0.46%)      5836    MZ PE i386 APPDATA B80E0000
  (0.44%)      5631    MZ PE i386 DLL Corrupted Tricky
  (0.42%)      5318    MZ PE i386 Appended MZ
  (0.42%)      5312    MZ PE i386 APPDATA 01000000
  (0.42%)      5279    MZ PE i386 InstallAware
  (0.41%)      5232    MZ PE i386 Tricky DEB SIG
  (0.40%)      5074    MZ PE i386 NullSoft 2.27
  (0.37%)      4733    MZ PE i386 Trymedia
  (0.36%)      4549    MZ PE i386 APPDATA 00000000 DEB
  (0.36%)      4546    MZ PE i386 APPDATA 3C706172
  (0.34%)      4336    MZ PE i386 SYS DEB
  (0.33%)      4161    MZ PE i386 APPDATA A5B79A82
  (0.29%)      3690    MZ PE i386 NullSoft 2.46 SIG
  (0.23%)      2973    MZ PE i386 Trymedia SIG
  (0.23%)      2925    MZ PE i386 APPDATA 88110000
  (0.23%)      2918    MZ PE i386 .file
  (0.22%)      2799    MZ PE i386 Rar SFX DEB
  (0.22%)      2728    MZ PE i386 APPDATA B00E0000
  (0.19%)      2440    MZ PE i386 .NET Tricky
  (0.19%)      2422    MZ PE i386 DLL Tricky
  (0.19%)      2405    MZ PE i386 APPDATA 31353835
  (0.18%)      2255    MZ PE i386 DLL COM APPDATA 00000000
  (0.18%)      2234    MZ PE i386 APPDATA 56566245
  (0.17%)      2206    MZ PE i386 NullSoft 2.46-5 SIG
  (0.16%)      2078    MZ PE i386 APPDATA 08080000
  (0.16%)      2036    MZ PE i386 DLL COM DEB
  (0.16%)      1990    MZ PE i386 .NET DLL DEB
  (0.14%)      1750    MZ PE i386 APPDATA 001F0023
  (0.14%)      1750    MZ PE i386 APPDATA 5B424547 SIG
  (0.13%)      1706    MZ PE i386 DLL SIG
  (0.13%)      1678    MZ PE i386 NullSoft 2.24
  (0.13%)      1633    MZ PE i386 NullSoft 2.44
  (0.13%)      1597    MZ PE i386 DLL APPDATA 928F8C89
  (0.13%)      1585    MZ PE i386 Wise
  (0.12%)      1582    MZ PE i386 DEB
  (0.12%)      1576    MZ PE i386 DLL APPDATA 861DC8F1
  (0.12%)      1545    MZ PE i386 APPDATA 73676567
  (0.12%)      1537    MZ PE i386 APPDATA 50415443
  (0.12%)      1517    MZ PE i386 APPDATA 5A425245
  (0.11%)      1458    MZ PE i386 APPDATA 60170000 DEB
  (0.11%)      1417    MZ PE i386 DLL Corrupted Tricky DEB
  (0.11%)      1374    MZ PE i386 APPDATA 68480000
  (0.11%)      1367    MZ PE i386 NullSoft 25-Apr-2011.cvs
  (0.11%)      1359    MZ PE i386 APPDATA 3C62696E
  (0.10%)      1288    MZ PE i386 APPDATA 88190000
  (0.10%)      1272    MZ PE i386 APPDATA 980E0000
  (0.10%)      1219    MZ PE i386 APPDATA 6BD6EB2C
  (0.10%)      1213    MZ PE i386 InnoSetup SIG
  (0.09%)      1176    MZ PE i386 InstallShield DEB
  (0.09%)      1174    MZ PE i386 APPDATA 680C0000
  (0.09%)      1159    MZ PE i386 CAB SFX (shifted)
  (0.09%)      1137    MZ PE i386 SYS DLL DEB
  (0.09%)      1122    MZ PE i386 APPDATA 90909090
  (0.09%)      1102    MZ PE i386 APPDATA 00A80000 DEB
  (0.09%)      1091    MZ PE i386 APPDATA 05000000
  (0.09%)      1087    MZ PE i386 .NET DLL
  (0.09%)      1082    MZ PE i386 APPDATA 22A72792
  (0.08%)      1048    MZ PE i386 .NET Corrupted Tricky
  (0.08%)      1043    MZ PE i386 APPDATA C26402DF
  (0.08%)       990    MZ PE i386 Rar SFX (shifted) DEB
  (0.07%)       947    MZ PE i386 APPDATA 3C232440
  (0.07%)       903    MZ PE i386 DLL COM Appended MZ
  (0.07%)       896    MZ PE i386 NullSoft 2.14
  (0.07%)       892    MZ PE i386 Rar SFX (shifted)
  (0.07%)       885    MZ PE i386 APPDATA 0D0A0D0A
  (0.07%)       880    MZ PE i386 SYS DLL
  (0.07%)       877    MZ PE i386 NullSoft 01-Jun-2011.cvs SIG
  (0.07%)       874    MZ PE i386 SmartInstallMaker v.5.02
  (0.06%)       808    MZ PE i386 DLL COM SIG
  (0.06%)       807    MZ PE i386 NullSoft 2.37
  (0.06%)       802    MZ PE i386 ADAEBOOK
  (0.06%)       789    MZ PE i386 APPDATA 78766D00
  (0.06%)       764    MZ PE i386 DLL COM
  (0.06%)       737    MZ PE i386 Install Creator
  (0.06%)       719    MZ PE i386 APPDATA 2A2A2A2A
  (0.06%)       715    MZ PE i386 WebCompiler
  (0.06%)       707    MZ PE i386 APPDATA 00
  (0.05%)       693    MZ PE i386 APPDATA 08001700
  (0.05%)       669    MZ PE i386 APPDATA 00000000 SIG
  (0.05%)       665    MZ PE i386 NullSoft 2.24 SIG
  (0.05%)       656    MZ PE i386 APPDATA 31353836
  (0.05%)       651    MZ PE i386 DLL APPDATA 45474645 DEB
  (0.05%)       628    MZ PE i386 DLL DEB SIG
  (0.05%)       622    MZ PE i386 APPDATA 43434343
  (0.05%)       617    MZ PE i386 APPDATA 34120000

Comments Off

Random Stats from 24k drivers – APIs

November 12, 2012 in Batch Analysis, Malware Analysis

Over last few months I have been publishing various stats pulled out of malware collection that I am batch analyzing. The purpose of analysis is not only just getting interesting numbers and utilizing it as a nice filler for the blog – all this data is being retrieved with a purpose of enhancing HexDive and for my other projects.Until now, I have been presenting data from a superset of all malicious PE files in a collection. It crossed my mind recently that it would be interesting to focus on a subset of PE files as well and for starters I picked up kernel drivers.

Getting all strings and then cherrypicking up system functions out of the samples is relatively quick as there is not so many of them – the result of top 100 most popular APIs sorted by number of occurrence is presented below:

18431    RtlInitUnicodeString
16625    IofCompleteRequest
16214    ExAllocatePoolWithTag
14783    ZwClose
12899    MmGetSystemRoutineAddress
12002    ZwOpenKey
11911    ObfDereferenceObject
11719    IoCreateDevice
11430    IoGetCurrentProcess
11411    ExFreePool
11395    IoDeleteDevice
11198    RtlAnsiStringToUnicodeString
10969    ZwCreateFile
10895    wcslen
10848    strncmp
10672    strncpy
10585    wcscpy
10195    IoCreateSymbolicLink
10141    swprintf
9957    wcscat
9899    PsCreateSystemThread
9495    MmIsAddressValid
9466    ZwSetValueKey
9112    PsLookupProcessByProcessId
9106    ObReferenceObjectByHandle
8971    PsGetVersion
8630    ZwCreateKey
8600    RtlCopyUnicodeString
8334    KeDelayExecutionThread
7925    RtlCompareUnicodeString
7886    wcsncpy
7861    ZwQueryValueKey
7525    KeTickCount
7135    KeQuerySystemTime
7052    IoRegisterDriverReinitialization
6674    PsSetCreateProcessNotifyRoutine
5968    ExFreePoolWithTag
5671    ZwEnumerateKey
5427    ZwQuerySystemInformation
5414    ZwSetInformationFile
5249    ZwDeleteKey
5072    wcsstr
5017    KeWaitForSingleObject
4922    ZwCreateSection
4855    ZwMapViewOfSection
4757    IoDeleteSymbolicLink
4747    PsTerminateSystemThread
4708    wcschr
4605    wcsrchr
4540    KeServiceDescriptorTable
4226    KeQueryTimeIncrement
4218    ZwUnmapViewOfSection
4070    IoDeviceObjectType
3941    ZwReadFile
3740    KeInitializeEvent
3706    KeInitializeTimer
3562    ObQueryNameString
3538    ZwWriteFile
3522    KeSetEvent
3495    DbgPrint
3470    KeGetCurrentIrql
3381    KeBugCheckEx
3313    ZwQueryInformationFile
3286    ZwOpenFile
3232    IoFreeMdl
3171    RtlInitAnsiString
3043    memcpy
3037    IofCallDriver
2897    memset
2892    RtlFreeUnicodeString
2870    IoAllocateMdl
2629    MmProbeAndLockPages
2461    MmUnlockPages
2349    RtlUnicodeStringToAnsiString
2340    ZwAllocateVirtualMemory
2291    IoFreeIrp
2265    MmMapLockedPagesSpecifyCache
2144    KeGetCurrentThread
2134    KfReleaseSpinLock
2090    RtlFreeAnsiString
2031    KeStackAttachProcess
2025    KfRaiseIrql
2022    KfLowerIrql
1997    IoAllocateIrp
1997    ExAllocatePool
1994    RtlCompareMemory
1967    ExGetPreviousMode
1930    RtlTimeToTimeFields
1918    sprintf
1896    KeUnstackDetachProcess
1884    KfAcquireSpinLock
1870    ZwOpenProcess
1808    PsGetCurrentProcessId
1795    KeReleaseMutex
1747    RtlAppendUnicodeToString
1746    KeInitializeSpinLock
1740    IoCreateFile
1729    ProbeForRead
1727    KeClearEvent
1713    RtlUnwind

Comments Off

Random Stats from 1.2M samples – PE Section Names

October 14, 2012 in Batch Analysis, Malware Analysis

update2

updated section list/fixed bugs – thanks to Nicolas Brulez and Tomislav Pericin (ap0x)

update

added one more list – List of popular section names

old post

I continue to batch analyze my malware collection and the latest list I generated contains:

The most popular PE file section names
The packer/protector section names/keywords – I tried to build a separate list of known section names/keywords that belong to known packers/protectors

You can find the lists below – please let me know if you find any mistakes (especially in packer sections’ names/attribution); Thanks!

The most popular PE file section names (top 100)

 658574 .rsrc   
 590338 .text   
 545976 .data   
 442607 .rdata  
 298316 .reloc  
 194273         
 178386 .idata  
 111369 .tls    
 109676 CODE    
 105309 DATA    
 100668 BSS     
  40293 UPX0    
  37838 UPX1    
  35164 .adata  
  35020 .bss    
  31336 .edata  
  28137 .ndata  
  15890 .itext  
  15451 .aspack
  12818 INIT    
   9665 UPX2    
   9376 .Upack  
   7727 PS      
   6786 .CRT    
   6628 .vmp0   
   6602 .nsp1   
   6590 .nsp0   
   6560 .code   
   6542 .sdata  
   6423 .nsp2   
   6270 .pdata  
   5710 tldksods
   5462 .       
   5395 Themida
   4313 .vmp1   
   4054 .MaskPE
   3926 PAGE    
   3721 .text-co
   3721 .data-co
   3314 rdata   
   3249 BitArts
   3035 .didata
   2886 idata   
   2881 .packed
   2803   @   @
   2707 .textbss
   2299 .text1  
   2257 .data1  
   2150 .petite
   2079 .texc   
   1926 Shared  
   1793 pebundle
   1714   u     
   1557 MEW F   
   1536 .UPX0   
   1513     t   
   1450 .data2  
   1434 text    
   1346 .RLPack
   1331 .vmp2   
   1300 .ex_cod
   1286 sdt     
   1280 mdata   
   1267 cdata   
   1263 sdata   
   1240 .pklstb
   1238 .MPRESS1
   1235 .MPRESS2
   1204 .UPX1   
   1201 .rdata p
   1191 .brdata
   1183 .udata  
   1131 .crt    
   1114 .sxdata
   1091 htomaota
   1083 .perplex
   1076 PAGEWMI
   1057 edata   
   1044 .delete
   1038 .relo2  
   1031 pec1    
   1015 .mackt  
   1009 PAGEDRV
    981 .svkp   
    980 .avp    
    969 .ByDwing
    967 .DATA   
    963 .debug  
    943 0 ext   
    899 .xdata  
    876 .ccg    
    865 .data ri
    857 .wqvwbj
    857 .kewyo  
    857 .axlgt  
    852 .spack  
    849     ta  
    839 .exc    
    824 .avc    
    807 PAGESYS

The packer/protector section names/keywords

.aspack – Aspack packer
.adata – Aspack packer/Armadillo packer
ASPack – Aspack packer
.ASPack – ASPAck Protector
.ccg – CCG Packer (Chinese Packer)
BitArts – Crunch 2.0 Packer
DAStub – DAStub Dragon Armor protector
!EPack – Epack packer
FSG! – FSG packer (not a section name, but a good identifier)
kkrunchy – kkrunchy Packer
.mackt – ImpRec-created section
.MaskPE – MaskPE Packer
MEW – MEW packer
.MPRESS1 – Mpress Packer
.MPRESS2 – Mpress Packer
.neolite – Neolite Packer
.neolit – Neolite Packer
.nsp1 – NsPack packer
.nsp0 – NsPack packer
.nsp2 – NsPack packer
nsp1 – NsPack packer
nsp0 – NsPack packer
nsp2 – NsPack packer
.packed – - RLPack Packer (first section)
pebundle – PEBundle Packer
PEBundle – PEBundle Packer
PEC2TO – PECompact packer
PECompact2 – PECompact packer (not a section name, but a good identifier)
PEC2 – PECompact packer
pec1 – PECompact packer
pec2 – PECompact packer
PEC2MO – PECompact packer
PELOCKnt – PELock Protector
.perplex – Perplex PE-Protector
PESHiELD – PEShield Packer
.petite – Petite Packer
ProCrypt – ProCrypt Packer
.RLPack – RLPack Packer (second section)
RCryptor – RPCrypt Packer
.RPCrypt – RPCrypt Packer
.sforce3 – StarForce Protection
.spack – Simple Pack (by bagie)
.svkp – SVKP packer
Themida – Themida Packer
.Themida – Themida Packer
.packed – Unknown Packer
.Upack – Upack packer
.ByDwing – Upack Packer
UPX0 – UPX packer
UPX1 – UPX packer
UPX2 – UPX packer
UPX! – UPX packer
.UPX0 – UPX Packer
.UPX1 – UPX Packer
.UPX2 – UPX Packer
.vmp0 – VMProtect packer
.vmp1 – VMProtect packer
.vmp2 – VMProtect packer
VProtect – Vprotect Packer
WinLicen – WinLicense (Themida) Protector
.WWPACK – WWPACK Packer
.yP – Y0da Protector
.y0da – Y0da Protector

List of popular section names

.arch – Alpha-architecture section
.bss – Uninitialized Data Section
.BSS – Uninitialized Data Section
.code – Code Section
.cormeta – CLR Metadata Section
.CRT – Initialized Data Section (C RunTime)
.data – Data Section
.DATA – Data Section
.data1 – Data Section
.debug – Debug info Section
.debug$F – Debug info Section
.debug$P – Debug info Section
.debug$S – Debug info Section
.debug$T – Debug info Section
.didata – Delay Import Section
.edata – Export Data Section
.fasm – FASM flat Section
.flat – FASM flat Section
.idata – Initialized Data Section (Borland)
.idlsym – IDL Attributes
.itext – Code Section (Borland)
.ndata – Nullsoft Installer section
.pdata – Exception Handling Functions Section (PDATA records)
.rdata – Read-only Data Section (Borland)
.reloc – Relocations Section
.rodata – Read-only Data Section
.rsrc – Resource section
.sbss – GP-relative Uninitialized Data Section
.sdata – GP-relative Initialized Data Section
.srdata – GP-relative Read-only Data Section
.sxdata – Registered Exception Handlers Section
.text – Code Section
.text1 – Code Section
.textbss – Section used by incremental linking
.tls – Thread Local Storage Section
.tls$ – Thread Local Storage Section
.udata – Uninitialized Data Section
.vsdata – GP-relative Initialized Data
.xdata – Exception Information Section
BSS – Uninitialized Data Section (Borland)
CODE – Code Section (Borland)
DATA – Data Section (Borland)
edata – Export Data Section
idata – Initialized Data Section (C RunTime)
INIT – INIT section (drivers)
PAGE – PAGE section (drivers)
rdata – Read-only Data Section
sdata – Initialized Data Section

Comments Off

Hexacorn Ltd

You are browsing the archive for Batch Analysis.

UVWATAUAVAWH – Meet The Pushy String

…and the most popular day for malware compilation is:

…and the most popular windows account for compiling malware is:

Clustering and Batch Analysis of APT1 sampleset, part 3

Clustering and Batch Analysis of APT1 sampleset, part 2

Clustering and Batch Analysis of APT1 sampleset

The sampleset – batch analysis

Encryption

File names / locations:

Mutexes:

Services:

Connections (note, may contain clean IPs/URLs):

URLs and URL-like patterns (from static analysis; may contain errors)

HTTP Requests:

User Agents:

Delays in ms

Compilation timestamps:

The sampleset – clustering

Clustering and Batch Analysis

STATIC

DYNAMIC

Let me interrupt you here…

Top 100+ malicious types of 32-bit PE files

Random Stats from 24k drivers – APIs

Random Stats from 1.2M samples – PE Section Names

View older posts

Categories