
3M samples – random stats

November 26, 2016 in Clustering, Malware Analysis, Visualisation

It’s been a while since I published some stats on a substantial corpus of samples, so here’s a quickie – re-visiting the compilation timestamp.

Three things to note:

  • these stats are biased (I don’t have all the malware under the Sun)
  • many samples from 2015-2016 show traces of compilation timestamp tampering, so the compilation timestamp is no longer reliable
  • many malware samples are Delphi samples and their timestamps are wrong

Still… quasi-scientific pictures are always nice to look at 😉

  • 3M samples, excluding nonsensical timestamps (I may investigate that spike in July 2015 one day):
    [chart: 3m]
  • 3M samples, compilation time by the day of the month (end of the month = time to wrap it up and procrastinate):
    [chart: 3m_dayofthemonth]
  • 3M samples, compilation time by the day of the week (weekends are defo a thing for everyone):
    [chart: 3m_dayoftheweek]
  • 3M samples, compilation time by the hour (Europe is a malware cradle, apparently):
    [chart: 3m_hour]
  • 3M samples, compilation time by the hour:minute (I have no idea what it shows):
    [chart: 3m_hour_minute_condensed]

Beyond good ol’ Run key, Part 51

November 24, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

There are a number of persistence mechanisms related to Office that I have already discussed in the past, but the most obvious one – the one that is actually documented – has not been covered in my posts yet. I am fixing it now 😉

When Word starts, it looks for items inside the STARTUP folder that it can load. Older versions of Office would look for files with the following extensions: .lnk, .wll (Word Add-in DLLs), or .dot, e.g.:

  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.dot
  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.lnk
  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.wll

Newer versions look for additional files *.dotm and *.dotx.

The location above is a STARTUP folder common for all users (and it’s a WORD STARTUP persistence location #1).

The user-specific folder is located… well, this is where it gets interesting 🙂

So… Winword tries to find the following registry key:

  • HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH

f.ex.

  • HKCU\Software\Microsoft\Office\15.0\Word\Options\STARTUP-PATH

If it exists, Word will read its value and treat it as the user-specific STARTUP folder. If we change it to our own, we can abuse it (WORD STARTUP persistence location #2):

[screenshot: regstartup1]

Otherwise… if it doesn’t exist, Word will read another Registry entry:

  • HKCU\Software\Microsoft\Office\<version>\Common\General\Startup

The default value is ‘STARTUP’, but we can change it to anything we want.

So, if the ‘Common\General\Startup’ value is left at its default of ‘STARTUP’, the path will be:

  • %APPDATA%\Microsoft\Word\STARTUP (WORD STARTUP persistence #3a)

But if we change it to e.g. TEMP, the location will be:

  • %APPDATA%\Microsoft\Word\TEMP (WORD STARTUP persistence #3b)

We can try to wrap it up as follows (Word/Office 15.0):

  • c:\Program Files\Microsoft Office\Office15\STARTUP
  • %APPDATA%\Microsoft\Word\STARTUP
    OR
    • HKCU\Software\Microsoft\Office\15.0\Common\General\Startup = FOOBAR
    • %APPDATA%\Microsoft\Word\FOOBAR

Excel behaves in a similar way, except the paths and keys are (for Office 15.0):

  • C:\Program Files\Microsoft Office\Office15\XLSTART
  • %APPDATA%\Microsoft\Excel\XLSTART
    OR
    • HKCU\Software\Microsoft\Office\15.0\Common\General\Xlstart = FOOBAR
    • %APPDATA%\Microsoft\Excel\FOOBAR

Here are the Word and Excel options that dictate the actual user-specific %APPDATA% startup folders for both programs:

[screenshot: regstartup2]
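As an added triage example (not code from the original post), this PowerShell snippet walks the lookup order described above for the current user: STARTUP-PATH first (Word only), then the Common\General folder name under %APPDATA%, and lists what sits in each resolved folder, flagging non-default settings. The Office<major> install-folder naming is assumed from the post’s 15.0 example, and treating any STARTUP-PATH value as non-default is my assumption.

```powershell
# Added triage example, not code from the original post. Resolves the Word/Excel
# startup folders for the current user (HKCU) and flags non-default settings.
# Assumptions: install folder is "Office<major>" as in the post's 15.0 example;
# any STARTUP-PATH value is reported as non-default (only Word is documented to use it).

$apps = @(
    @{ Name = 'Word';  Folder = 'STARTUP'; GeneralValue = 'Startup'; HasStartupPath = $true  },
    @{ Name = 'Excel'; Folder = 'XLSTART'; GeneralValue = 'Xlstart'; HasStartupPath = $false }
)

# Every installed Office version has its own HKCU\Software\Microsoft\Office\<version> key
$versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object { $_.PSChildName }

foreach ($ver in $versions) {
    $major = $ver.Split('.')[0]
    foreach ($app in $apps) {
        $base = "HKCU:\Software\Microsoft\Office\$ver"

        # Location #2 (Word only): an explicit STARTUP-PATH overrides the %APPDATA% lookup
        $startupPath = $null
        if ($app.HasStartupPath) {
            $opt = Get-ItemProperty "$base\$($app.Name)\Options" -ErrorAction SilentlyContinue
            if ($opt) { $startupPath = $opt.'STARTUP-PATH' }
        }

        if ($startupPath) {
            $userDir = $startupPath; $source = 'Options\STARTUP-PATH'; $nonDefault = $true
        } else {
            # Location #3: folder name under %APPDATA%\Microsoft\<app>, default STARTUP / XLSTART
            $gen = Get-ItemProperty "$base\Common\General" -ErrorAction SilentlyContinue
            $folder = if ($gen -and $gen.($app.GeneralValue)) { $gen.($app.GeneralValue) } else { $app.Folder }
            $userDir = Join-Path $env:APPDATA "Microsoft\$($app.Name)\$folder"
            $source = "Common\General\$($app.GeneralValue) = $folder"; $nonDefault = ($folder -ne $app.Folder)
        }

        # Location #1: the all-users folder under the Office install directory
        $allUsersDir = Join-Path $env:ProgramFiles "Microsoft Office\Office$major\$($app.Folder)"

        # One record per folder, with whatever files are currently sitting in it
        foreach ($rec in @(@($allUsersDir, 'install dir', $false), @($userDir, $source, $nonDefault))) {
            $dir = $rec[0]
            $files = if (Test-Path $dir) { (Get-ChildItem $dir -File -ErrorAction SilentlyContinue).Name -join ', ' } else { '<missing>' }
            [pscustomobject]@{ Version = $ver; App = $app.Name; Source = $rec[1]; NonDefault = $rec[2]; Path = $dir; Files = $files }
        }
    }
}
```

Run it per user profile of interest; 32-bit Office on 64-bit Windows installs under ProgramFiles(x86), which this snippet does not cover.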

That’s all!