HexDive – Preview of a new tool (2)

I thought I would show some more output from the tool. These are the malware-specific API hits only; the tool outputs more than that.

At the moment it searches for over 70,000 keywords using a modified Aho-Corasick algorithm:

Flame memory dump (partial)

A|mal-api|-|NtQueryInformationProcess
A|mal-api|-|select
A|mal-api|-|bind
A|mal-api|-|WSAAccept
A|mal-api|-|WSAIoctl
A|mal-api|-|EnumProcesses
A|mal-api|-|OpenProcessToken
A|mal-api|-|OpenThreadToken
A|mal-api|-|LookupPrivilegeValueW
A|mal-api|-|AdjustTokenPrivileges
A|mal-api|-|CreateProcessAsUserW
A|mal-api|-|ImpersonateLoggedOnUser
A|mal-api|-|RegCloseKey
A|mal-api|-|RegSetValueExW
A|mal-api|-|RegSetValueExA
A|mal-api|-|GetUserNameA
A|mal-api|-|CreateProcessWithLogonW
A|mal-api|-|GetUserNameW
A|mal-api|-|RasEnumConnectionsW
A|mal-api|-|NdrClientCall2
A|mal-api|-|FindWindowA
A|mal-api|-|WSASend
A|mal-api|-|WSARecv
A|mal-api|-|CloseServiceHandle
A|mal-api|-|DeleteService
A|mal-api|-|CreateServiceA
A|mal-api|-|StartServiceA
A|mal-api|-|ControlService
A|mal-api|-|CreateThread
A|mal-api|-|CreateMutexA
A|mal-api|-|CreateMutexW
A|mal-api|-|SetEnvironmentVariableW
A|mal-api|-|VirtualAllocEx
A|mal-api|-|ReadProcessMemory
A|mal-api|-|OpenProcess
A|mal-api|-|Sleep
A|mal-api|-|WriteFile
A|mal-api|-|FindFirstFileW
A|mal-api|-|CreateFileW
A|mal-api|-|GetModuleHandleW
A|mal-api|-|GetModuleFileNameW
A|mal-api|-|GetModuleHandleA
A|mal-api|-|VirtualProtect
A|mal-api|-|GetVersion
A|mal-api|-|GetSystemDirectoryW
A|mal-api|-|ExitThread
A|mal-api|-|GetThreadTimes
A|mal-api|-|GetThreadContext
A|mal-api|-|OpenThread
A|mal-api|-|GetProcAddress
A|mal-api|-|SetThreadContext
A|mal-api|-|GetTempPathW
A|mal-api|-|GetTempFileNameW
A|mal-api|-|GetFileAttributesW
A|mal-api|-|LoadLibraryW
A|mal-api|-|CreateProcessW
A|mal-api|-|DeleteFileW
A|mal-api|-|MoveFileExW
A|mal-api|-|Thread32First
A|mal-api|-|Thread32Next
A|mal-api|-|CreateToolhelp32Snapshot
A|mal-api|-|GetTickCount
A|mal-api|-|FindNextFileW
A|mal-api|-|CreateNamedPipeW
A|mal-api|-|DisconnectNamedPipe
A|mal-api|-|CreateDirectoryW
A|mal-api|-|LockResource
A|mal-api|-|GetStartupInfoW
A|mal-api|-|PeekNamedPipe
A|mal-api|-|ExitProcess
A|mal-api|-|FindFirstFileA
A|mal-api|-|FindNextFileA
A|mal-api|-|GetComputerNameA
A|mal-api|-|GetEnvironmentVariableA
A|mal-api|-|GetTimeZoneInformation
A|mal-api|-|GetComputerNameW
A|mal-api|-|CreateNamedPipeA
A|mal-api|-|CreateProcessA
A|mal-api|-|GetModuleFileNameA
A|mal-api|-|GetCommandLineA
A|mal-api|-|IsDebuggerPresent
A|mal-api|-|DeleteFileA
A|mal-api|-|GetStartupInfoA
A|mal-api|-|FreeEnvironmentStringsA
A|mal-api|-|FreeEnvironmentStringsW
A|mal-api|-|GetFileAttributesA
A|mal-api|-|GetStringTypeA
A|mal-api|-|GetStringTypeW
A|mal-api|-|SetEnvironmentVariableA
A|mal-api|-|DeviceIoControl
A|mal-api|-|GetSystemDirectoryA
A|mal-api|-|GetDriveTypeA
A|mal-api|-|SetThreadPriority
A|mal-api|-|GetDiskFreeSpaceW
A|mal-api|-|GetDiskFreeSpaceA
A|mal-api|-|GetTempPathA
A|mal-api|-|GetDriveTypeW
A|mal-api|-|FindFirstChangeNotificationW
A|mal-api|-|FindNextChangeNotification
A|mal-api|-|FindFirstVolumeW
A|mal-api|-|ExitThread
A|mal-api|-|ExitThread
U|mal-api|-|SLEEP
U|mal-api|-|SLEEP
U|mal-api|-|connect
U|mal-api|-|LoadLibraryW
U|mal-api|-|GetComputerNameA
U|mal-api|-|GetComputerNameW
U|mal-api|-|GetUserNameA
U|mal-api|-|GetUserNameW
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|DeleteService
U|mal-api|-|connect
U|mal-api|-|DeleteService
U|mal-api|-|connect
U|mal-api|-|DeleteService
U|mal-api|-|connect
U|mal-api|-|DeleteService
U|mal-api|-|Connect
U|mal-api|-|connect
U|mal-api|-|Connect
U|mal-api|-|SLEEP
U|mal-api|-|Send
U|mal-api|-|Send
U|mal-api|-|Send
U|mal-api|-|Send
U|mal-api|-|Send
U|mal-api|-|Select
U|mal-api|-|SLEEP
U|mal-api|-|SLEEP
U|mal-api|-|SLEEP
U|mal-api|-|SLEEP
U|mal-api|-|SLEEP
U|mal-api|-|Connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|select
U|mal-api|-|NtQuerySystemInformation
U|mal-api|-|RegLoadKeyW
U|mal-api|-|CreateToolhelp32Snapshot
U|mal-api|-|Process32First
U|mal-api|-|Process32FirstW
U|mal-api|-|Process32Next
U|mal-api|-|Process32NextW
A|mal-api|-|ExitThread
A|mal-api|-|Sleep
A|mal-api|-|VirtualProtect
A|mal-api|-|GetProcAddress
A|mal-api|-|GetModuleHandleA
A|mal-api|-|CreateMutexW
A|mal-api|-|NtQueryInformationProcess
A|mal-api|-|LoadLibraryW
A|mal-api|-|CreateFileW
U|mal-api|-|GetProcAddress
U|mal-api|-|GetModuleHandleA
U|mal-api|-|OpenThread
U|mal-api|-|ExitThread
U|mal-api|-|ExitThread
U|mal-api|-|GetModuleHandleW
A|mal-api|-|URLDownloadToFileA
A|mal-api|-|ExitThread
A|mal-api|-|SELECT
A|mal-api|-|bind
A|mal-api|-|bind

Random malware sample:

A|mal-api|-|CreateToolhelp32Snapshot
A|mal-api|-|Toolhelp32ReadProcessMemory
A|mal-api|-|Process32Next
A|mal-api|-|Process32FirstW
A|mal-api|-|Thread32First
A|mal-api|-|Thread32Next
A|mal-api|-|Module32First
A|mal-api|-|Module32Next
A|mal-api|-|Module32FirstW
A|mal-api|-|Module32NextW
A|mal-api|-|WSAStartup
A|mal-api|-|WSACleanup
A|mal-api|-|WSAASyncGetHostByName
A|mal-api|-|WSAASyncGetServByName
A|mal-api|-|bind
A|mal-api|-|listen
A|mal-api|-|connect
A|mal-api|-|WSACancelASyncRequest
A|mal-api|-|closesocket
A|mal-api|-|send
A|mal-api|-|recv
A|mal-api|-|WSACleanup
A|mal-api|-|accept
A|mal-api|-|bind
A|mal-api|-|closesocket
A|mal-api|-|connect
A|mal-api|-|ioctlsocket
A|mal-api|-|htonl
A|mal-api|-|htons
A|mal-api|-|inet_addr
A|mal-api|-|inet_ntoa
A|mal-api|-|listen
A|mal-api|-|ntohl
A|mal-api|-|ntohs
A|mal-api|-|recv
A|mal-api|-|recvfrom
A|mal-api|-|select
A|mal-api|-|send
A|mal-api|-|sendto
A|mal-api|-|setsockopt
A|mal-api|-|shutdown
A|mal-api|-|socket
A|mal-api|-|gethostbyaddr
A|mal-api|-|gethostbyname
A|mal-api|-|gethostname
A|mal-api|-|getservbyname
A|mal-api|-|WSASetLastError
A|mal-api|-|WSAAsyncGetServByName
A|mal-api|-|WSAAsyncGetServByPort
A|mal-api|-|WSAAsyncGetProtoByName
A|mal-api|-|WSAAsyncGetProtoByNumber
A|mal-api|-|WSAAsyncGetHostByName
A|mal-api|-|WSAAsyncGetHostByAddr
A|mal-api|-|WSACancelAsyncRequest
A|mal-api|-|WSAAsyncSelect
A|mal-api|-|__WSAFDIsSet
A|mal-api|-|WSAAccept
A|mal-api|-|WSACloseEvent
A|mal-api|-|WSAConnect
A|mal-api|-|WSACreateEvent
A|mal-api|-|WSAHtonl
A|mal-api|-|WSAHtons
A|mal-api|-|WSAIoctl
A|mal-api|-|WSANtohs
A|mal-api|-|WSARecv
A|mal-api|-|WSARecvFrom
A|mal-api|-|WSASend
A|mal-api|-|WSASendTo
A|mal-api|-|WSAWaitForMultipleEvents
A|mal-api|-|WSAProviderConfigChange
A|mal-api|-|AcceptEx
A|mal-api|-|WSARecvEx
A|mal-api|-|WSAStartup
A|mal-api|-|ZwQuerySystemInformation
A|mal-api|-|ZwOpenProcess
A|mal-api|-|ZwOpenSection
A|mal-api|-|ZwOpenFile
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|send
U|mal-api|-|socket
U|mal-api|-|socket
U|mal-api|-|socket
U|mal-api|-|socket
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|connect
U|mal-api|-|socket
U|mal-api|-|socket
U|mal-api|-|shutdown
U|mal-api|-|socket
U|mal-api|-|socket
U|mal-api|-|listen
U|mal-api|-|socket
U|mal-api|-|socket
U|mal-api|-|socket
A|mal-api|-|GetProcAddress
A|mal-api|-|GetModuleHandleA
A|mal-api|-|InternetReadFile
A|mal-api|-|StartServiceA
A|mal-api|-|WSACleanup
A|mal-api|-|WSAIoctl

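As an added illustration (not HexDive's own code), here is a small Python sketch of the kind of search described above: a byte-level Aho-Corasick automaton loaded with a handful of the API names from the output, walking a buffer once and emitting lines in the same A|mal-api|-|Name layout. The A/U prefixes standing for ANSI and UTF-16LE hits and the case-insensitive matching are assumptions read off the output, not documented tool behaviour; the keyword list and dump slice are constructed for the example.

```python
from collections import deque

# Constructed keyword list: a tiny stand-in for HexDive's 70,000-entry set.
KEYWORDS = ["CreateToolhelp32Snapshot", "Process32First", "connect", "Sleep", "IsDebuggerPresent"]
def build_automaton(keywords):
    """Aho-Corasick over raw bytes. Each keyword is inserted twice, as ANSI ('A') and as
    UTF-16LE ('U'), lower-cased so matching is case-insensitive (the A/U tags and the
    case handling are assumptions read off the page's output, not documented behaviour)."""
    goto, fail, out = [{}], [0], [[]]                # state 0 is the root
    for kw in keywords:
        for enc, tag in ((kw.lower().encode("ascii"), "A"), (kw.lower().encode("utf-16-le"), "U")):
            state = 0
            for b in enc:
                if b not in goto[state]:
                    goto.append({}); fail.append(0); out.append([])
                    goto[state][b] = len(goto) - 1
                state = goto[state][b]
            out[state].append((tag, len(enc)))       # (encoding tag, match length in bytes)
    queue = deque(goto[0].values())                  # depth-1 states keep fail = 0
    while queue:                                     # BFS builds the failure links
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] += out[fail[s]]                   # inherit matches ending at the suffix state
    return goto, fail, out

def scan(buf, automaton, category="mal-api"):
    """One pass over the dump; hits use the page's 'A|mal-api|-|Name' layout and keep
    the casing actually present in the buffer (hence lines such as 'SLEEP' and 'Connect')."""
    goto, fail, out = automaton
    low = buf.lower()                                # ASCII-only, so UTF-16LE stays byte-aligned
    state, hits = 0, []
    for i, b in enumerate(low):
        while state and b not in goto[state]:
            state = fail[state]
        state = goto[state].get(b, 0)
        for tag, length in out[state]:
            raw = buf[i - length + 1:i + 1]
            hits.append(f"{tag}|{category}|-|{raw.decode('utf-16-le' if tag == 'U' else 'ascii')}")
    return hits

# Constructed stand-in for a dump slice: ANSI import names, wide strings and padding.
SAMPLE_DUMP = (b"\x00" * 8 + b"CreateToolhelp32Snapshot\x00Process32First\x00" + b"\x90" * 5
               + "Connect".encode("utf-16-le") + b"\x00\x00" + "SLEEP".encode("utf-16-le")
               + b"IsDebuggerPresent\x00")
```

Running scan(SAMPLE_DUMP, build_automaton(KEYWORDS)) yields five lines in the order the names end in the buffer, with the two wide strings tagged U.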
2 thoughts on "HexDive – Preview of a new tool (2)"

  1. I am wondering in what language the tool is programmed, and what kind of search speed are you seeing?
