I recently came back to play with strings artifacts extracted from a decently sized sample set. Looking at a normalized, clustered data set is always a good starting point for research. It can be very boring, but every once in a while you will find something interesting.
To kick it off, here are some stats about the Wow6432Node key that I generated overnight.
With 64-bit boxes becoming pretty much the norm, we naturally see more and more samples referring to this Registry key. If there is one reason for us to look at this data, it is to find out whether there are perhaps some keys under Wow6432Node that deserve special attention… Who knows, maybe some new persistence mechanism or some new, interesting artifact is out there waiting for someone to discover it.
Obviously, stats may be misleading, so use them at your own risk. Also, not all the keys are necessarily malicious. It’s just a bunch of keys that specifically refer to Wow6432Node, extracted from a large sample set.
Looking at the data below, one thing strikes me immediately – the Run and RunOnce keys are pretty low on the list. Either software authors are not hardcoding them to avoid heuristic detections, or… there is really not that much software that modifies these keys directly.
179506 software\wow6432node\microsoft\windows\
42517 software\wow6432node\clients\startmenuinternet
23631 software\wow6432node\microsoft\windows\currentversion\uninstall\avast
5074 software\wow6432node\javasoft\java runtime environment
4859 software\wow6432node\javasoft\java development kit
3274 software\wow6432node\beattool
3020 software\wow6432node\avast
2601 software\wow6432node\sweetim
1861 software\wow6432node\avira
1686 software\wow6432node\microsoft\internet explorer\extensions\{ebd24bd3-e272-4fa3-a8ba-c5d709757cab}
1641 software\wow6432node\sweet-pagesoftware
1641 software\wow6432node\awesomehpsoftware
1639 software\wow6432node\webssearchessoftware
1638 software\wow6432node\qone8software
1638 software\wow6432node\microsoft\windows\currentversion\uninstall\{c4ed781c-7394-4906-aaff-d6ab64ff7c38}
1638 software\wow6432node\microsoft\windows\currentversion\uninstall\{889df117-14d1-44ee-9f31-c5fb5d47f68b}
1638 software\wow6432node\classes\clsid\{4aa46d49-459f-4358-b4d1-169048547c23}
1637 software\wow6432node\aartemissoftware
1636 software\wow6432node\avg
1551 software\wow6432node\microsoft\windows\currentversion\uninstall
1515 software\wow6432node\avast software
1465 wow6432node\clsid\
1399 software\wow6432node\baidu security\antivirus
1387 software\wow6432node\google\chrome\extensions
1141 \software\wow6432node\baidu security\pc faster
913 software\wow6432node\microsoft\windows\currentversion\uninstall\avira
623 software\wow6432node\omiga-plussoftware\omiga-plushp
583 software\wow6432node\red gate\
559 wow6432node\clsid\%s
502 software\wow6432node
434 software\wow6432node\microsoft\internet explorer\extensions
417 software\wow6432node\mozilla\mozilla firefox
403 software\wow6432node\microsoft\windows\currentversion\uninstall\
384 software\wow6432node\microsoft\internet explorer\toolbar
372 software\wow6432node\mozilla\zvu.com\%s\main
372 software\wow6432node\mozilla\zvu.com
363 software\wow6432node\microsoft\windows\currentversion\run
356 software\wow6432node\{smartassembly}
326 software\wow6432node\microsoft\office\outlook\addins
295 hkey_local_machine\software\wow6432node\vitalwerks\duc
281 software\wow6432node\babylontoolbar\babylontoolbar
265 software\wow6432node\brapp
263 software\wow6432node\microsoft\windows\currentversion\runonce
253 software\wow6432node\asktoolbar\macro
215 software\wow6432node\mozilla\mozilla firefox\
204 software\wow6432node\realnetworks\dlp
189 software\wow6432node\microsoft\net framework setup\ndp\
186 software\wow6432node\qone8software\qone8hp
168 software\wow6432node\v9software
163 software\wow6432node\qvo6software\qvo6hp
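The kind of pipeline that produces a table like the one above, as an added example rather than the post's own tooling: it pulls Wow6432Node paths out of the strings of a few constructed, hypothetical samples, lowercases them, counts how many samples reference each key, and picks out the Run/RunOnce entries the post singles out. The sample names and strings are made up, and the "one vote per sample" counting rule is an assumption that may differ from how the author's counts were produced.

```python
import re
from collections import Counter

# A registry path referencing Wow6432Node, with or without a hive prefix or a
# leading "software\"; segments may hold spaces or %s and stop at quotes/newlines.
KEY_RE = re.compile(
    r"(?:hkey_local_machine\\|hklm\\)?\\?(?:software\\)?wow6432node(?:\\[^\\\"'\r\n]*)*",
    re.IGNORECASE,
)

# Autostart locations worth a second look when they appear in the counts.
AUTOSTART = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed strings output for three hypothetical samples (not real data).
SAMPLES = {
    "sample_a.bin": [
        "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Software\\Wow6432Node\\JavaSoft\\Java Runtime Environment",
    ],
    "sample_b.bin": [
        "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
        'key="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" opened',
        "software\\wow6432node\\microsoft\\windows\\currentversion\\run",  # repeat in same sample
    ],
    "sample_c.bin": [
        "Wow6432Node\\CLSID\\%s",
        "software\\Wow6432Node\\JavaSoft\\Java Runtime Environment",
    ],
}

def extract_keys(strings):
    """Normalized (lowercased) Wow6432Node paths in one sample's strings, deduplicated."""
    return {m.group(0).lower().strip() for s in strings for m in KEY_RE.finditer(s)}

def count_keys(samples):
    """Number of samples referencing each key: one vote per sample, not raw occurrences."""
    counts = Counter()
    for strings in samples.values():
        counts.update(extract_keys(strings))
    return counts

def autostart_keys(counts):
    """Subset of the counts that point at Run/RunOnce, the keys singled out in the post."""
    return {k: n for k, n in counts.items() if k.rstrip("\\").endswith(AUTOSTART)}

if __name__ == "__main__":
    for key, n in count_keys(SAMPLES).most_common():
        print(f"{n:>6} {key}")
```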