Logs from 1.6M sandboxed samples – release

Update

Silas offered to host a mirror of the file – you can download it from here. Thank you very much Silas!

Old Post

On the 31st of Dec 2017 I released a sample set of my sandbox reports. It was a subset of a much larger set.

Today I am releasing the whole set – 1.6M+ samples.

The biggest challenge for a release like this is… space. Luckily, VirusShare graciously offered space to host the project so… thank you very much J-Michael!!!

The file apilog_2019-07-14.zip is available from the VirusShare page. It is an 11GB archive, and it takes 200GB after unzipping.

The file format is very straightforward: it’s a large, single text file where reports are saved one by one, with a delimiter similar to the one used in the previous dump:

SAMPLE #<number> – <md5>

<report>

Yup. This time you get an MD5 hash too, so you can map reports to actual samples.

As usual, it may contain bugs, errors, omissions, and other booboos. You have been warned. Also, it’s not OK to use it commercially.

This is the top of the file:

Beyond good ol’ Run key, Part 111

I came across this entry by pure chance. I was testing some software (sorry, can’t reveal which one) and noticed that at some stage it tried to read the following WOW6432Node entry from the Registry:

HKLM\SOFTWARE\WOW6432Node\Microsoft\BidInterface\Loader
:Path=?

Of course, any time I see something like this I immediately test it, as it is an opportunity to document yet another persistence mechanism. My quick test confirmed we can modify this value to load our DLL of choice when the aforementioned software starts.

Now… this entry is not software-specific. In fact, the tested software does talk to databases a lot. And after a quick googling exercise I discovered why I saw this artifact in my logs – the key is documented and is used for ADO.NET tracing.

Of course, it works in a non-WOW set up too:

HKLM\SOFTWARE\Microsoft\BidInterface\Loader
:Path=?

So you can either do the tracing, or load a badness. Your choice.
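For the defensive side of this, here is a small audit script, added here and not part of the original post, that reads the ":Path" value from both the native and the WOW6432Node Loader keys described above and reports whether the referenced DLL exists and who signed it. The function name Get-BidLoaderPath is my own; on most hosts the key is simply absent, since BID tracing is opt-in, so any populated ":Path" that does not point to Microsoft's tracing adapter deserves a look.

```powershell
# Added example (not from the original post): audit the BidInterface Loader ":Path"
# value in both registry views and report what DLL it would cause to be loaded.
function Get-BidLoaderPath {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\BidInterface\Loader',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\BidInterface\Loader'
    )
    foreach ($key in $keys) {
        $result = [ordered]@{
            Key = $key; LoaderPath = $null; FileExists = $false
            Signature = 'n/a'; Signer = 'n/a'; Note = ''
        }
        if (-not (Test-Path -LiteralPath $key)) {
            # Tracing is opt-in, so the key is usually missing altogether.
            $result.Note = 'key absent (normal)'
            [pscustomobject]$result
            continue
        }
        # The value name really does start with a colon, hence the quoted member access.
        $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).':Path'
        if (-not $value) {
            $result.Note = 'key present, :Path not set'
            [pscustomobject]$result
            continue
        }
        # Expand %ENV% references so the file and signature checks see the real path.
        $dll = [Environment]::ExpandEnvironmentVariables($value)
        $result.LoaderPath = $value
        $result.FileExists = Test-Path -LiteralPath $dll -PathType Leaf
        if ($result.FileExists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            $result.Signature = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
        }
        # Anything configured here is loaded into every BID-aware (e.g. ADO.NET) process.
        $result.Note = 'REVIEW: loader DLL configured'
        [pscustomobject]$result
    }
}

Get-BidLoaderPath | Format-List
```

Run it elevated so the HKLM reads are not filtered, and treat a set ":Path" whose DLL is missing, unsigned or signed by an unexpected publisher as a finding; for ongoing coverage, a registry value-set rule on these two key paths in your endpoint telemetry catches the write itself.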