
The art of Stuffing and Dressing of Application Data folder

December 22, 2015 in Batch Analysis, Clustering, Forensic Analysis, Incident Response

The Application Data folder is a very popular drop location for malware. Files are typically written either directly into it or into subdirectories that are randomized, that reuse existing OS or vendor subdirectories, or that the malware creates itself, often mimicking the folders of well-known applications (f.ex. Mozilla).

The attached list contains over 7000 names of files ‘dropped’ inside the Application Data folder; the names were extracted from a large set of sandbox reports.

Once stuffed into the folder, the malware often dresses itself up as a popular application, f.ex.:

chrome.exe

  • \Application Data\23405d2\Chrome.exe
  • \Application Data\4236aa7\Chrome.exe
  • \Application Data\cchrome.exe
  • \Application Data\Chrome.exe
  • \Application Data\Directory\Chrome.exe
  • \Application Data\Google\Chrome\Application\chrome.exe
  • \Application Data\GoogleChrome.exe
  • \Application Data\Orbitum\Application\chrome.exe
  • \Application Data\qChrome\chrome.exe
  • \APPLICATION DATA\SVCHOST\CHROME.EXE
  • \Application Data\temp\chrome.exe
  • \APPLIC~1\chrome.exe

firefox.exe

  • \Application Data\firefox.com
  • \Application Data\firefox.exe
  • \Application Data\firefox32.exe
  • \Application Data\firefox32\fox32.exe
  • \Application Data\Mozilla\Firefox\firefox.exe
  • \APPLIC~1\Firefox.exe

java.exe

  • \Application Data\google\java.exe
  • \Application Data\Java.exe
  • \Application Data\java\java.exe
  • \Application Data\logjava.exe
  • \application data\sys\jre\bin\java.exe
  • \application data\x10flasher_lib\jre\bin\java.exe
  • \application data\x10flasher_lib\winjre32\bin\java.exe
  • \application data\x10flasher_lib\winjre32\jre\bin\java.exe

smss.exe

  • \Application Data\CDWD\ntsmss.exe
  • \Application Data\GHGF\ntsmss.exe
  • \Application Data\ipseol32\rtcssmss.exe
  • \Application Data\Microsoft\smss.exe
  • \Application Data\Microsoft\Windows\smss.exe
  • \Application Data\secetupn\mqsvsmss.exe
  • \Application Data\smss.exe
  • \Application Data\sys\smss.exe
  • \Application Data\sysdrivers\smss.exe
  • \Application Data\syssmss.exe
  • \Application Data\System\Oracle\smss.exe
  • \Application Data\WINDOWS\SMSS.EXE
  • \Application Data\winhelp\smss.exe
  • \Application Data\zbwpukwyg\smss.exe
  • \APPLIC~1\smss.exe

and so on and so forth, including some ridiculous corporate hybrids like these:

  • \Application Data\\Application Data\Google\hkcmd.exe
  • \Application Data\google\java.exe
  • \Application Data\Google\MicrosoftSecurity64.exe
  • \Application Data\Google\svchost.exe
  • \Application Data\GOOGLE\winlogon.exe
  • \Application Data\install\csrss.exe
  • \APPLICATION DATA\INSTALL\EXPLORER.EXE
  • \APPLICATION DATA\INSTALL\IEXPLORER.EXE
  • \Application Data\Java\svchost.exe
  • \Application Data\MicOffice\MicOffice.scr
  • \Application Data\Microsoft\Adbeflashplugin.exe
  • \Application Data\Microsoft\GoogleToolbarNotifier.exe
  • \Application Data\Microsoft\Micromedia\winconime.exe
  • \Application Data\Microsoft\SystemCertificates\LeapFTP.exe
  • \Application Data\Microsoft\SystemCertificates\My\CRLs\Flashfxp.exe

or AV impersonators:

  • \Application Data\Karpesky.exe
  • \Application Data\KASPERANTIVIRUS.EXE
  • \Application Data\KasperskyAV.exe
  • \Application Data\MCAFEEANTIVIRUS.EXE
  • \Application Data\MCAFEEAV32.EXE
  • \Application Data\NOD32KERNELS.EXE
  • \Application Data\NOD64.EXE
  • \Application Data\NORMANANTIVIRUS.EXE
  • \Application Data\NortonLive.exe
  • \Application Data\SYMANTECAV.EXE
  • \Application Data\SYMANTECAV2.EXE

Since it’s a blacklist, it can be applied directly to hunting and to file list analysis (matching collected file listings against the names and paths above). False positives are definitely there, so you have been warned :)
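The checks a practitioner would run over a file listing with such a blacklist, as an added example (this is not code from the post, and it does not use the attached 7000-entry list; the path blacklist below is a handful of entries copied from the post, the sample listing is constructed, and the allowlist entry for Chrome’s per-user install under Local Settings on Windows XP is an assumption made to show how a known false positive is handled):

```python
import re
from typing import NamedTuple, Optional

# 8.3 short names Windows may substitute for long folder names in logs and
# file listings; expanded to the long form before matching.
SHORT_NAME_ALIASES = {
    "applic~1": "application data",
    "locals~1": "local settings",
}

# Core Windows processes that never legitimately run from a user's
# Application Data folder: any hit is high confidence.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "svchost.exe",
    "lsass.exe", "services.exe", "explorer.exe",
}

# Name fragments of applications and AV products malware dresses up as.
# Lower confidence: per-user installs of some of these are legitimate.
IMPERSONATION_STEMS = (
    "chrome", "firefox", "java", "kasper", "mcafee", "nod32",
    "norton", "symantec", "norman",
)

# Exact-path blacklist (a few entries taken from the post's list), stored
# normalised and matched as a path suffix so the profile prefix
# (C:\Documents and Settings\<user>\...) does not matter.
PATH_BLACKLIST = {
    r"\application data\chrome.exe",
    r"\application data\firefox32\fox32.exe",
    r"\application data\application data\google\hkcmd.exe",
    r"\application data\microsoft\systemcertificates\leapftp.exe",
    r"\application data\microsoft\systemcertificates\my\crls\flashfxp.exe",
    r"\application data\micoffice\micoffice.scr",
}

# Known-benign paths the rules above would otherwise flag. Assumption: Chrome's
# per-user install on Windows XP lived under Local Settings\Application Data.
ALLOWLIST_SUFFIXES = (
    r"\local settings\application data\google\chrome\application\chrome.exe",
)


class Hit(NamedTuple):
    path: str
    rule: str      # which rule fired
    detail: str    # what it matched
    severity: str  # "high" or "medium"


def normalise(path: str) -> str:
    """Lower-case, unify separators, collapse doubled backslashes, expand 8.3 aliases."""
    p = path.replace("/", "\\").lower()
    p = re.sub(r"\\{2,}", r"\\", p)  # "\Application Data\\Application Data\..." style paths
    parts = [SHORT_NAME_ALIASES.get(part, part) for part in p.split("\\")]
    return "\\".join(parts)


def classify(path: str) -> Optional[Hit]:
    """Return a Hit for a suspicious Application Data path, or None."""
    norm = normalise(path)
    parts = [part for part in norm.split("\\") if part]
    if "application data" not in parts[:-1]:
        return None  # file is not inside an Application Data folder
    if any(norm.endswith(ok) for ok in ALLOWLIST_SUFFIXES):
        return None
    name = parts[-1]
    if name in SYSTEM_BINARIES:
        return Hit(path, "system-binary", name, "high")
    for sysname in SYSTEM_BINARIES:
        # ntsmss.exe, rtcssmss.exe, mqsvsmss.exe, iexplorer.exe ...
        if name != sysname and name.endswith(sysname):
            return Hit(path, "system-binary-lookalike", sysname, "high")
    for entry in PATH_BLACKLIST:
        if norm.endswith(entry):
            return Hit(path, "blacklist", entry, "high")
    for stem in IMPERSONATION_STEMS:
        if stem in name:
            return Hit(path, "impersonation", stem, "medium")
    return None


def scan(paths):
    """Run classify() over a file listing and return only the hits."""
    return [hit for hit in map(classify, paths) if hit is not None]


# Constructed sample file listing (not taken from the post's data set).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\smss.exe",
    r"C:\DOCUME~1\alice\APPLIC~1\chrome.exe",
    r"C:\Documents and Settings\alice\Application Data\CDWD\ntsmss.exe",
    r"C:\Documents and Settings\alice\Application Data\Google\svchost.exe",
    r"C:\Documents and Settings\alice\Application Data\KasperskyAV.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\Google\Chrome\Application\chrome.exe",
    r"C:\Documents and Settings\alice\Application Data\Mozilla\Firefox\Profiles\abc.default\prefs.js",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\SystemCertificates\LeapFTP.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print(f"{hit.severity:6} {hit.rule:24} {hit.detail:45} {hit.path}")
```

The rules are ordered by confidence: a genuine Windows process name under Application Data is always worth a look, a name that merely ends in one (ntsmss.exe) is nearly as strong, an exact blacklist suffix comes next, and a bare vendor stem such as "chrome" or "java" is only medium because legitimate per-user installs exist, which is exactly the false-positive warning above. The full attached list would slot into PATH_BLACKLIST after the same normalisation.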

Monitoring unapproved apps/PUA/PUP/downware using default User Agents used by Installers

December 20, 2015 in Batch Analysis, Clustering, Forensic Analysis, Incident Response, Proxy Logs Analysis

While looking at the user agent list I shared today, I thought it might be an interesting idea to monitor unapproved/PUA/PUP/downware applications by paying attention to all downloads that use the default user agents of common installation packages or their download libraries (f.ex. the inetc.dll plugin used by Nullsoft (NSIS) packages).

Reviewing the list, I came across a few pieces of low-hanging fruit:

  • AdvancedInstaller
  • Inno Setup Downloader
  • InnoTools_Downloader
  • InstallMaker
  • NSIS_INETC
  • NSIS_Inetc (Mozilla)
  • NSIS_InetLoad (Mozilla)
  • NSIS_ToolkitOffers (Mozilla)
  • NSISDL/1.2 (Mozi
  • NSISDL/1.2 (Mozilla)
  • Setup Factory
  • Setup Factory 8.0
  • Setup Factory 9.0
  • TryMedia_DM_2.0.0

Monitoring these may help not only to discover people installing unapproved applications and PUA/PUPs/downware, but also potentially malware spreading via popular installer frameworks.

Obviously, many dodgy apps use dedicated/proprietary downloaders and it’s not difficult to change the default user agent, so there are still some gaps here, but I believe the value is there and this could become yet another alert helping to protect ‘open internet’ environments.
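One way to turn the user agent list above into a proxy log alert, as an added example (not code from the post): the strings are compiled into anchored, case-insensitive family patterns so that versioned variants such as "Setup Factory 8.0" and truncated log entries such as "NSISDL/1.2 (Mozi" are still caught, while a browser UA that merely mentions one of the strings later in the header is not. The tab-separated log format and the sample lines are constructed for the example.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Default User-Agent families of common installer frameworks and their download
# plugins, built from the strings listed in the post. Anchored at the start of
# the header and matched case-insensitively.
INSTALLER_UA_PATTERNS = [
    ("NSIS", re.compile(r"^NSIS(DL|_INETC|_InetLoad|_ToolkitOffers)\b", re.I)),
    ("Inno Setup", re.compile(r"^Inno(Tools_Downloader|\s+Setup\s+Downloader)", re.I)),
    ("Setup Factory", re.compile(r"^Setup Factory(\s+\d+(\.\d+)*)?\s*$", re.I)),
    ("Advanced Installer", re.compile(r"^AdvancedInstaller\b", re.I)),
    ("InstallMaker", re.compile(r"^InstallMaker\b", re.I)),
    ("TryMedia", re.compile(r"^TryMedia_DM_", re.I)),
]


class Alert(NamedTuple):
    timestamp: str
    client: str
    host: str
    family: str
    user_agent: str


def classify_user_agent(ua: str) -> Optional[str]:
    """Return the installer family for a User-Agent header, or None."""
    for family, pattern in INSTALLER_UA_PATTERNS:
        if pattern.search(ua.strip()):
            return family
    return None


def scan_proxy_log(lines):
    """Parse constructed tab-separated proxy log lines
    (timestamp, client, method, url, status, user_agent) into installer Alerts."""
    alerts = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue  # malformed or cut-off line: skip it rather than crash
        timestamp, client, _method, url, _status, ua = fields[:6]
        family = classify_user_agent(ua)
        if family:
            alerts.append(Alert(timestamp, client, urlsplit(url).hostname or "", family, ua))
    return alerts


def downloads_per_client(alerts):
    """Count installer downloads per client IP: the first thing a triager wants to see."""
    return dict(Counter(a.client for a in alerts))


# Constructed sample log; the third line carries the truncated UA seen in the post.
SAMPLE_LOG = [
    "2015-12-20T10:01:02Z\t10.0.0.5\tGET\thttp://download.example.net/offers/toolbar_setup.exe\t200\tNSIS_ToolkitOffers (Mozilla)",
    "2015-12-20T10:01:05Z\t10.0.0.5\tGET\thttp://www.example.com/index.html\t200\tMozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0",
    "2015-12-20T10:02:17Z\t10.0.0.7\tGET\thttp://cdn.example.org/setup/helper.dll\t200\tNSISDL/1.2 (Mozi",
    "2015-12-20T10:03:40Z\t10.0.0.9\tGET\thttp://files.example.org/bundle/app.bin\t200\tSetup Factory 9.0",
    "2015-12-20T10:03:41Z\t10.0.0.9\tGET\thttp://files.example.org/bundle/lang.bin\t200\tInno Setup Downloader",
    "2015-12-20T10:04:00Z\t10.0.0.11\tGET\thttp://mirror.example.net/file.zip\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "garbage line without enough fields",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.client:10} {a.family:18} {a.host:24} {a.user_agent}")
    print(downloads_per_client(found))
```

Pattern-based matching rather than an exact string set is what keeps the truncated and versioned entries from the list above from slipping through; the gap the post already notes remains, since an installer that sets its own User-Agent simply never enters this list.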