
Appended data — goodware

September 7, 2019 in Batch Analysis, Clustering, File Formats ZOO

When you take a look at large corpora of appended data — the data that is part of many PE files but is not mapped into memory when the PE image is loaded (when a program starts) — patterns emerge.

For malware, this usually means an abuse of a popular installer.

For goodware, it’s business as usual.

Using the state machine script I discussed in my other post today, I extracted the first 4 bytes (as hexadecimal values) from the appended data of many goodware installers.

There are no surprises there — many of the appended data blobs are in a format used by popular and ‘genuine’ installer packages (stub + appended data):

 181472 00 00 00 00 
 131876 4D 53 43 46 - CAB file
  36369 2E 66 69 6C - .file
  36359 7A 6C 62 1A - Inno Setup
  31960 13 00 00 00 
  27981 3B 21 40 49 - 7z SFX
  24883 50 4B 03 04 - Zip
  21721 40 55 41 46 - AMI Flash Utility
  13896 01 00 00 00 
   9489 A3 61 4A 6A 
   9470 5C 73 65 6C -  \self\bin\x86\msvcp60.pdb. 
   8021 52 61 72 21 - Rar!
   7077 0E 00 00 00 
   6855 5F 45 4E 5F - _EN_CODE.BIN

The appended data is often a CAB, ZIP or RAR file, and there are some proprietary appended data file formats as well.

How can we utilize it from a detection perspective?

Formats that are not popular among malware samples could become exclusions.

Outliers are a perfect test bed for any PE parser. Yes… does your parser parse every PE file structure properly? While analyzing data for this blog post I spotted many badly parsed PE files. This is quite a slap in my face. My parser has grown organically over many years and I was quite confident that it ‘handles’ many outliers. I know now that I have to improve it. A humble lesson for any sample collector really…

Finally, knowing what types of installers are used by goodware, you can use it as a hint on how to craft your red team tools so they don’t stand out. It may sound silly, but if ‘next gen’/AI/ML algos really exist and they train on crazily large corpora of samples… chances are that they will learn to ignore many of these popular file setups…

MZ stub strings

September 1, 2019 in Archaeology, Batch Analysis, Clustering

Analysing a large corpus of clean files is fun. Many of these files go back as far as the 1980s. Analysing them en masse gives us a rare insight into the ‘state of the MZ stub’ from that time…

You may ask why we would even want to look at it. Well, these files are still out there: on many inspected systems, servers, mirrors. Being able to recognize them is one way to cluster them into a bucket that we can… simply discard. Yup. We can create YARA sigs to catch these old goodware files by looking at signatures that were common back then but are no longer used today. And even if some of them are old malware, they are not important by today’s standards anyway.

After I clustered my collection I was quite amazed. There are tons of strings and signatures that I have not seen for many years, many I had never heard of, and many that reference technologies that are long gone.

Here are the stats for the top entries (> 1000 hits):

  • !This program cannot be run in DOS mode.
  • This program must be run under Win32
  • !This program requires Microsoft Windows.
  • !This program cannot be run in a DOS session.
  • PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
  • This program must be run under Microsoft Windows.
  • Not enough
  • !Require Windows
  • !PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved
  • This is a Windows
  • dPMODE/W v1.33 DOS extender – Copyright 1994-1
  • LHA’s SFX
  • PMODE/W v1.33 DOS extender – Copyright 1994-1
  • CMicrosoft Windows
  • This program cannot run in DOS mode
  • PKLITE Copr. 1990-91 PKWARE Inc. All Rights Reserved
  • [Y/N]
  • Overwrite
  • Broken file
  • !PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved
  • !Library created by Axialis IconWorkshop
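Both extractions from the two posts above (the first four bytes of the appended data, and the message string in the MZ stub) as one added example; this is not code from the original posts. It is a minimal PE parser that locates the overlay from the section table, labels its first four bytes with the formats the appended-data table names, and pulls the printable text out of the DOS stub. The PE it runs on is constructed inside the block (build_sample_pe is a made-up helper), and OVERLAY_MAGIC covers only the rows the table labels.

```python
import re
import struct
# First-four-byte signatures the post labels; unlabelled low values are left out.
OVERLAY_MAGIC = {b"MSCF": "CAB file", b"zlb\x1a": "Inno Setup",
                 b";!@I": "7z SFX", b"PK\x03\x04": "Zip", b"Rar!": "Rar!"}

def overlay_offset(data):
    """Start of appended data: end of the last section's raw data, never before
    the end of the headers and clamped to EOF. None if the headers are broken."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        return None
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    end = table + nsec * 40
    if end > len(data):
        return None  # section table runs past EOF: one of the 'outliers'
    for i in range(nsec):
        size, ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        if size and ptr:  # skip bss-style or bogus entries
            end = max(end, min(ptr + size, len(data)))
    return end

def classify_overlay(data):
    """(offset, first 4 bytes, label) of the appended data, or None if none."""
    off = overlay_offset(data)
    if off is None or off >= len(data):
        return None
    return off, data[off:off + 4], OVERLAY_MAGIC.get(data[off:off + 4], "unknown")

def stub_string(data):
    """Longest printable run in the DOS stub (between the 64-byte DOS header and
    the PE header); the leading '!' is the 0x21 of the stub's INT 21h."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    runs = re.findall(rb"[\x20-\x7e]{8,}", data[0x40:e_lfanew])
    return max(runs, key=len).decode() if runs else ""

def build_sample_pe(appended):
    """Constructed minimal PE32 (one .text section, standard DOS stub); not a
    real binary, just enough structure for the parsers above."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    e_lfanew = (0x40 + len(stub) + 7) & ~7
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew) + stub).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 224-byte PE32 opt hdr
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + b"\0" * 224 + sec).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + appended  # section body, then overlay
```

On a truncated file the clamp makes the overlay offset equal to the file size, so classify_overlay reports no overlay instead of reading past EOF.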

I mentioned the 1980s… here are the signatures for these:

  • !PKSFX Copr. 1989-1990 PKWARE Inc. All Rights Reserved.
  • $LHarc’s SFX 1.12S (c)Yoshi, 1989.
  • $LHarc’s SFX 1.13S (c) Yoshi, 1989
  • $LHarc’s SFX 1.13S (c)Yoshi, 1989.
  • 20G0732 (C) Copyright IBM Corporation, 1987-1995
  • Copyright (C) 1986
  • Copyright 1989-1990 PKWARE Inc. All Rights Reserved.
  • LHarc’s SFX 1.13L (c) Yoshi, 1989

And extenders:

  • 32bit DOS-extender and loader.
  • PMODE/W v1.33 DOS extender – Copyright 1994-1
  • PMODE\W v1.33 DOS extender – Copyright 1994-1
  • The pmodedj.exe stub loader is Copyright (C) 1993-1
  • This program requires Phar Lap’s 286|DOS-Extender.
  • WDOSX 0.95 DOS extender Copyright (c) 1996-1998 Michael Tippach
  • WDOSX 0.96 DOS extender Copyright (c) 1996-2000 Michael Tippach
  • WDOSX 0.96 DOS extender Copyright (c) 1996-2001 Michael Tippach
  • WDOSX 0.97 DOS extender Copyright (c) 1996-2002 Michael Tippach

And finally stats for strings that start with ‘This’:

  • This program cannot be run in DOS mode.
  • This program must be run under Win32
  • This program requires Microsoft Windows.
  • This program cannot be run in a DOS session.
  • This program must be run under Microsoft Windows.
  • This is a Windows
  • This program cannot run in DOS mode
  • This program must be run under Win64
  • This program requires OS/2 Presentation Manager.
  • this is a Windows NT (own RTL) dynamic link library
  • this is a Windows NT dynamic link library
  • This program must be run under OS/2.
  • this is an OS/2 16-bit dynamic link library
  • This is a Win32 program.
  • This program cannot be run in DOS mode
  • this is an OS/2 32-bit dynamic link library
  • this is a Windows 16-bit dynamic link library
  • this is a Windows NT character-mode executable
  • This is a Windows program, you cannot run it in DOS.
  • this is an OS/2 32-bit executable
  • this is a Windows NT windowed executable
  • this is an OS/2 linear extended dynamic link library
  • This program cannot be run in DOS mode.$
  • this is a DOS/4G dynamic link library
  • this is an OS/2 and eComStation dynamic link library
  • this is a Windows NT character-mode dynamic link lib
  • this is a Windows 16-bit executable
  • This program cannot run in DOS mode.
  • This program cannot be run in DOS
  • This www.verypdf.combe run in DOS mode.
  • this is an OS/2 dynamic link library
  • this is a Windows dynamic link library
  • This is a Windows 95 dynamic link library
  • this is an OS/2 linear extended executable
  • This program requires Phar Lap’s 286|DOS-Extender.
  • this is a PE dynamic link library
  • this is a Windows 95 executable
  • This program requires Microsoft Windows
  • This is a TrueType font, not a program.
  • This program requires OS/2.
  • this is a Windows executable
  • this is a Windows NT windowed dynamic link library
  • This www.verypdf.com e run in DOS mode.
  • This is an OS/2 executable module
  • this is a PE executable
  • this is a 32 bit OS/2 Configurator executable
  • This program requires OS/2
  • This program must be run under Win32.
  • This program cannot be ran in DOS mode.
  • This is a Windows font file.
  • This Salford program requires Win32 or Win32s
  • This program runs under Win32/win64
  • this is a win32 executable
  • this is a Windows NT executable
  • This program requires Microsoft Windows.\r\n$
  • This is a SNAP binary portable dynamic link library

We can see references to OS/2, DOS, DOS Extenders, Windows 95, Windows NT, etc.

It’s really old-school stuff.