
Enter Sandbox – part 8: All those… host names… will be lost, in time, like tears… in… rain

August 25, 2015 in Compromise Detection, Forensic Analysis, Malware Analysis, Sandboxing

Analysis of malware often leads to the discovery of anti-sandbox tricks. Many of them rely on long lists of ‘known sandbox computer names’ (i.e. the network names given to sandbox machines) and ‘known sandbox user names’ (i.e. the names of the accounts under which the sandbox executes samples).

The topic of exploiting sandbox frameworks in order to reveal their secrets is not new and many malware-related forums discuss it in detail. In this short post I am dropping a bunch (800+) of host names that are commonly recognized by malware as sandboxish. I gathered it over a couple of years from sample analysis, posts online, my own research on various malware forums and lists I got from other people. There may certainly be errors in this list, but I made every effort possible to ensure it is correct. I do not own any copyright on it, but… lots of work went into it – if you want to use it in a commercial product, courses, slides – at least mention where you got it from. Thanks :)

In any case, if you own them, it’s time for randomization, because some malware samples already know them!
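A defender-side check for the situation just described, added here as an example (it is not the post's own code): it compares the computer names of sandboxes you operate against the published list and proposes a replacement in the shape Windows 10 gives new installs by default (DESKTOP- plus 7 random alphanumerics). The short inline list stands in for the full 800+ line file; the host names passed to `audit` are made up.

```python
import secrets
import string

# Stand-in for the 800+ names published above: a handful of its entries,
# one host name per line, constructed here so the check runs on its own.
KNOWN_LIST = """
cuckoo0801-vm
cwsandbox
sandbox
user-pc
john-pc
vwin7-maltest
xp-sp3-template
""".strip().splitlines()

def normalize(name):
    """Lower-case and drop any DNS suffix, matching how the list is written."""
    return name.strip().split(".", 1)[0].lower()

def load_known(lines):
    return {normalize(n) for n in lines if n.strip()}

def is_known(hostname, known):
    """True when a sandbox computer name appears in the published list."""
    return normalize(hostname) in known

def audit(hostnames, known):
    """Map each of your own sandbox names to 'known to malware' / 'not listed'."""
    return {h: ("known to malware" if is_known(h, known) else "not listed")
            for h in hostnames}

ALNUM = string.ascii_uppercase + string.digits

def random_hostname(known, prefix="DESKTOP-", tail=7):
    """Propose a replacement in the Windows 10 default shape (DESKTOP- plus
    7 random alphanumerics), which is also a valid NetBIOS name (at most 15
    characters: letters, digits, hyphen); retry in the unlikely event that
    the candidate collides with the list."""
    while True:
        candidate = prefix + "".join(secrets.choice(ALNUM) for _ in range(tail))
        if len(candidate) <= 15 and not is_known(candidate, known):
            return candidate

if __name__ == "__main__":
    known = load_known(KNOWN_LIST)
    # Constructed sample of sandbox names an analyst might own.
    for host, verdict in audit(["CWSandbox", "analyst-vm.lab.example"], known).items():
        print(f"{host:30} {verdict}")
    print("suggested replacement:", random_hostname(known))
```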


Craving for time? Carve some timestamps out… – TimeCraver v0.1

August 22, 2015 in File Formats ZOO, Forensic Analysis, Malware Analysis, Software Releases

Analysis of binary data is always challenging. Data can be encrypted, encoded, and stored in a number of proprietary formats. Understanding what the data represents and how it is stored is non-trivial. It typically involves either analysis of the code that writes stuff to a file, or trying our luck by guessing the possible structure of the actual data. The typical approach is to simply look at it and its properties.

This can involve checking its entropy and how it changes over the file, looking for patterns typically associated with popular compression algorithms, attempting to brute-force various trivial encryption algos, checking if any data is recognized as a string, Unicode string, localized string, a potential absolute or relative offset to other data, or maybe a byte-, word- or dword-long length preceding data, etc.

One of the most popular tools used to analyze unknown data is binwalk and it helped me on many occasions by providing hints on what is possibly ‘in the file’. Sometimes even the fact that it didn’t recognize anything was a good hint in itself – typically meaning encryption, or something really unusual/proprietary.

Existing tools are always handy, but I can’t count how many quick & dirty (and often completely stupid) scripts I wrote to get some data to look more ‘reasonable’ and ‘normal’.

In today’s post I am showing a simple example of such ‘unknown data analysis script’.

When we see a binary file, we typically run ‘strings’ on it and gather nice, readable ‘printable’ data for analysis. The ‘non-printable’ part is also interesting though, so another tool I often run is a strings-like script that carves timestamps out. This comes in handy for smaller files, especially those that look like a config, a quarantine, and anything really that looks like it may have potential timestamps embedded in it.

Carving follows a simple rule – read 4/8 bytes, convert them to an epoch using various conversion algos (based on the assumed timestamp format), see if the epoch converts to a date between years 2000-2015, and if it does – just print it out, together with the offset and some extra metadata.

Example:

     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   0123456789ABCDEF
---------------------------------------------------------------------------
00 : 80 86 F6 34 00 C0 5D CE 56 CF CD 01 00 40 FA 13   ...4..].V....@.. 00
10 : 0F 00 CE 01 00 40 8B B7 0F 16 CE 01 00 80 59 DA   .....@........Y. 16
20 : 6B 2E CE 01 00 00 BE D2 FE 45 CE 01 00 A4 03 01   k........E...... 32
30 : 85 95 C2 01                                       ....             36

Looking at such binary data doesn’t give us much useful information.

Running timecraver over it, gives us the following:

===========================================
 TimeCraver v0.1, Hexacorn.com, 2015-08-23
===========================================
00000000,DOSTIME ,44C257B0,2006-07-22 16:52:00,8086F634
00000004,FILETIME,50B94880,2012-12-01 00:00:00,00C05DCE56CFCD01
0000000A,EPOCH   ,400001CD,2004-01-10 13:44:45,CD010040
0000000C,FILETIME,510B0580,2013-02-01 00:00:00,0040FA130F00CE01
00000012,EPOCH   ,400001CE,2004-01-10 13:44:46,CE010040
00000014,FILETIME,512FEF7F,2013-02-28 23:59:59,00408BB70F16CE01
0000001C,FILETIME,5158CDFF,2013-03-31 23:59:59,008059DA6B2ECE01
00000024,FILETIME,51805B00,2013-05-01 00:00:00,0000BED2FE45CE01
00000026,EPOCH   ,45FED2BE,2007-03-19 18:13:18,BED2FE45
0000002C,FILETIME,3DE3D068,2002-11-26 19:50:00,00A403018595C201

The first column is the offset, followed by the timestamp type, then the hexadecimal EPOCH calculated from the data, then its YYYY-MM-DD hh:mm:ss representation and finally the actual bytes from the file that were converted to EPOCH.
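The carving rule described above, applied to the 52-byte dump shown, as an added example; this is not the TimeCraver script itself. DOSTIME is read as a little-endian time word followed by a date word, FILETIME as a little-endian 100 ns tick count since 1601, EPOCH as little-endian seconds since 1970, and every offset is tried against every format. The year window defaults to 2000-2015 as in the post.

```python
import struct
from datetime import datetime, timezone

# The 52 bytes from the hex dump above, re-typed here as the sample input.
SAMPLE = bytes.fromhex(
    "8086F63400C05DCE56CFCD010040FA13"
    "0F00CE0100408BB70F16CE01008059DA"
    "6B2ECE010000BED2FE45CE0100A40301"
    "8595C201")

SECONDS_1601_TO_1970 = 11644473600

def dostime_to_epoch(raw):
    """4 bytes: DOS time word, then DOS date word, both little-endian."""
    t, d = struct.unpack("<HH", raw)
    try:
        dt = datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                      t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2,
                      tzinfo=timezone.utc)
    except ValueError:  # month 0, day 32, hour 27...: not a DOS timestamp
        return None
    return int(dt.timestamp())

def filetime_to_epoch(raw):
    """8 bytes: little-endian count of 100 ns ticks since 1601-01-01."""
    return struct.unpack("<Q", raw)[0] // 10_000_000 - SECONDS_1601_TO_1970

# (label as printed, width in bytes, decoder); EPOCH is plain little-endian seconds
FORMATS = (("DOSTIME ", 4, dostime_to_epoch),
           ("FILETIME", 8, filetime_to_epoch),
           ("EPOCH   ", 4, lambda raw: struct.unpack("<I", raw)[0]))

def carve(data, year_min=2000, year_max=2015):
    """Slide over every offset, try each format, keep hits inside the year window."""
    lo = int(datetime(year_min, 1, 1, tzinfo=timezone.utc).timestamp())
    hi = int(datetime(year_max + 1, 1, 1, tzinfo=timezone.utc).timestamp()) - 1
    hits = []
    for off in range(len(data)):
        for label, width, decode in FORMATS:
            raw = data[off:off + width]
            if len(raw) < width:
                continue
            epoch = decode(raw)
            if epoch is None or not lo <= epoch <= hi:
                continue
            when = datetime.fromtimestamp(epoch, timezone.utc)
            hits.append(f"{off:08X},{label},{epoch:08X},"
                        f"{when:%Y-%m-%d %H:%M:%S},{raw.hex().upper()}")
    return hits
```

With exact integer arithmetic the FILETIMEs at offsets 0x14 and 0x1C decode to 2013-03-01 00:00:00 and 2013-04-01 00:00:00, one second later than the TimeCraver listing above; the remaining eight lines come out identical.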

The data is immediately more readable and certain conclusions can be drawn. If you look at the offsets, the distance between them and the type of timestamps, you may actually ‘see through’ the data and potentially ‘define’ a reasonable structure.

In this particular case, we can see FILETIME entries at

00000004, 0000000C
00000014, 0000001C
00000024, 0000002C

– this looks like a sequence of FILETIME records. Following this logic, we can guess that the structure of the file is potentially like this:

00000000,DOSTIME ,44C257B0,2006-07-22 16:52:00,8086F634
00000004,FILETIME,50B94880,2012-12-01 00:00:00,00C05DCE56CFCD01
0000000C,FILETIME,510B0580,2013-02-01 00:00:00,0040FA130F00CE01
00000014,FILETIME,512FEF7F,2013-02-28 23:59:59,00408BB70F16CE01
0000001C,FILETIME,5158CDFF,2013-03-31 23:59:59,008059DA6B2ECE01
00000024,FILETIME,51805B00,2013-05-01 00:00:00,0000BED2FE45CE01
0000002C,FILETIME,3DE3D068,2002-11-26 19:50:00,00A403018595C201

I can confirm it since it is one of the test files I created :)

The script can be found here.

Happy craving & carving!

Bonus: if you look at the data in the Registry, you will find more timestamps than you thought were actually there. This is a subject for another post :)

Update

The bonus will be here faster than expected – turns out Andrew Case, Jerry Stormo, Joseph Sylve, and Vico Marziale wrote an awesome Python script for timestamp carving in the Registry