Batch Analysis | Hexacorn

Part 1, Part 2, Part 3

As I mentioned in my previous post, I was toying around with various samplesets (e.g. zero access, APT1, etc.) and since the APT1 sampleset is all over the news, I took a stab at it and sandboxed the samples + attempted to cluster the results to see if I any patterns emerge…

The sampleset – batch analysis

Encryption

Some of the samples use DES and the following passwords:

Hello@)!0
!b=z&7?cc,MQ
1b=z7/lx+WK!
!b=z&7?cc,MQ>

File names / locations:

%USERPROFILE%\Application Data\Adobe8.0.0\update.exe
%USERPROFILE%\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe
%USERPROFILE%\Application Data\Adobe\reader_sl.exe
%USERPROFILE%\Application Data\Help\svchost.exe
%USERPROFILE%\Local Settings\Application Data\Microsoft\svchost.exe
%USERPROFILE%\Local Settings\Application Data\Microsoft\wuauclt.exe
%USERPROFILE%\Local Settings\spoolsvr.exe
%USERPROFILE%\Local Settings\Temp\AcroRD32.exe
%USERPROFILE%\Local Settings\Temp\AdobeARM.exe
%USERPROFILE%\LOCALS~1\Temp\17DC75.dmp
%USERPROFILE%\LOCALS~1\Temp\17DC85.dmp
%USERPROFILE%\LOCALS~1\Temp\17DD6F.dmp
%USERPROFILE%\LOCALS~1\Temp\17DD9E.dmp
%USERPROFILE%\LOCALS~1\Temp\17DDEC.dmp
%USERPROFILE%\LOCALS~1\Temp\17E7CF.dmp
%USERPROFILE%\LOCALS~1\Temp\17EE48.dmp
%USERPROFILE%\LOCALS~1\Temp\AdobeUpdate.exe
%USERPROFILE%\LOCALS~1\Temp\AdobeUpdater.exe
%USERPROFILE%\LOCALS~1\Temp\BP Makes Two Gas Discoveries in Egypt’s Nile Delta.doc
%USERPROFILE%\LOCALS~1\Temp\ctfmon.exe
%USERPROFILE%\LOCALS~1\Temp\ctfmon.exe\svchost.exe
%USERPROFILE%\LOCALS~1\Temp\em.exe
%USERPROFILE%\LOCALS~1\Temp\Halliburton to Present at Dahlman Rose & Co. Ultimate Oil Services And E&P Conference.pdf
%USERPROFILE%\LOCALS~1\Temp\iTunesHelper.exe
%USERPROFILE%\LOCALS~1\Temp\Material Type Ore 20160605.pdf
%USERPROFILE%\LOCALS~1\Temp\Open letter of Dow Corning Corp.pdf
%USERPROFILE%\LOCALS~1\Temp\POWER_GEN_2012.pdf
%USERPROFILE%\LOCALS~1\Temp\runinfo.exe
%USERPROFILE%\LOCALS~1\Temp\svchost.exe
%USERPROFILE%\LOCALS~1\Temp\Top Stock Alerts for Day Traders – Facebook, Freeport-McMoRan Copper & Gold, Fastenal, Research In Motion, EnCana, and Dollar General.doc
%USERPROFILE%\LOCALS~1\Temp\US hesitant in condemning North Korean launch.pdf
%USERPROFILE%\LOCALS~1\Temp\WINWORD.EXE
%USERPROFILE%\Start Menu\Programs\Startup\adobe_sl.lnk
%USERPROFILE%\Start Menu\Programs\Startup\AdobeRe.exe
%USERPROFILE%\Start Menu\Programs\Startup\ctfmon.exe
%USERPROFILE%\Templates\adobe_sl.exe
c:\WINDOWS\ntshrui.dll
C:\WINDOWS\ntshrui.dll1
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\Nwsapagent.dll
C:\WINDOWS\system\ersvc.dll
c:\WINDOWS\system\ersvc.dll

Mutexes:

!@ADS@#$
1234
1qaz@WSX
COPYRIGHTMM2011V2
fire
Geman.do
Global\AdobeReaderX
GLOBAL\ADR32
GLOBAL\ADR64
GLOBAL\MSFT64
Globxxxxxxxxssssseeeeeeal\ADReeeerrttyyyy64
hackersuck
ijnrfv
letusgohtppmmv1.0
letusgohtppmmv2.0.0.1

Services:

.Net CLR (Microsoft .Net Framework COM+ Support)
DevFS (Device File System)
DevFS (Device File System)
DevSec (Rpc Device Management)
InfMon (Infrared Monitor)
Nwsapagent (Gateway Service for Netware)
RasAuto (Remote Access Auto Connection Manager)
tcpguard (tcpguard)

Connections (note, may contain clean IPs/URLs):

10.166.1.182
127.0.0.1
140.116.70.8
143.89.35.19
202.105.39.39
202.39.61.136
202.6.235.83
203.200.205.245
204.111.73.150
205.159.83.91
208.239.156.123
209.124.51.194
209.124.51.219
209.151.145.185
209.161.249.125
209.208.114.83
209.233.16.84
209.253.17.229
211.232.57.235
212.130.19.154
216.15.210.68
218.232.105.200
218.232.66.12
218.233.206.2
218.234.17.30
24.73.192.154
60.248.52.95
61.219.67.1
64.80.153.108
65.105.157.228
65.110.1.32
65.114.195.226
65.89.173.68
66.151.16.30
66.155.114.145
66.170.3.43
66.228.132.53
68.17.104.162
68.96.31.136
69.20.5.219
69.25.50.10
69.28.168.10
69.74.43.87
69.90.123.6
69.90.18.22
69.90.18.23
69.90.65.240
70.62.232.98
74.86.197.56
75.145.139.18
admin.datastorage01.org
AdobeFlash.info.tm
cas.ibooks.tk
cas.m-e.org.ru
code.mcafeepaying.com
Colville.com
conference.ddns.us
ctcs.bigdepression.net
ctx.comrepair.net
dev.teamattire.com
documents.downloadsite.me
eclipsecti.infobusinessus.org
exactearth.info.tm
fasa.arrowservice.net
fasa.bigish.net
fasa.newsonet.net
flash.aoldaily.com
flash.aunewsonline.com
flash.cnndaily.com
flash.mcafeepaying.com
flash.usnewssite.com
fni.bigish.net
help.purpledaily.com
hint.happyforever.com
hojutsu.com
japan.yahoodaily.com
jimnaugle.com
johnford985.appspot.com
ks.aoldaily.com
ks.cnndaily.com
ks.jaimeastorga.mx
ks.manguvaljak.ee
ks.petrotdl.com.ar
ks.utworld.ch
media.finanstalk.ru
meeting.toh.info
moto.purpledaily.com
moto1.newsonet.net
moto2.earthsolution.org
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
olmusic100.com
portal.itsaol.com
public.ddns.us
qhun-mons.businessformars.com
report.crabdance.com
safety.canadatvsite.com
share.canoedaily.com
software.myftp.info
sports.canoedaily.com
stratos.aoldaily.com
stratos.mcafeepaying.com
tcw.homier.com
thecrownsgolf.org
time.mediaxsds.net
ttl.tfxdccssl.net
un.linuxd.org
update.dnepr.com
update.sektori.org
update.slowblog.com
us.gnpes.org
vop.earthsolution.org
wikileaks.ddns.us
www.bigish.net
www.bluecoate.com
www.businessformars.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.heliospartners.com
www.jiangmin.com.tw
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.net
www.newsesport.com
www.olmusic100.com
www.omegalogos.org
www.pastorsrest.com
www.pcs157.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.uszzcs.com
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net

URLs and URL-like patterns (from static analysis; may contain errors)

2.earthsolution.org
AdobeFlash.info.tm
www.mevatec.com
Colville.com
americanunfinished.com
aoldaily.com
appspot.com
aunewsonline.com
bigdepression.net
bluecoate.com
businessformars.com
canadatvsite.com
canoedaily.com
cnndaily.com
colville.com
com.tw
competrip.com
crabdance.com
cvba.com
datastorage01.org
ddns.us
deebeedesigns.ca
dnepr.com
doversolutions.co.in
drgeorges.com
dsds.co.kr
earthsolution.org
fbrshop.com
finanstalk.ru
freelanceindy.com
gnpes.org
gobroadreach.com
happyforever.com
hojutsu.com
homier.com
ibooks.tk
info.tm
itsaol.com
jimnaugle.com
kayauto.net
keenathomas.com
lksoftvc.net
mcafeepaying.com
mediaxsds.net
microsoft.com
micyuisyahooapis.com
msnhome.org
mwa.net
newsesport.com
newsonet.net
omegalogos.org
org.ru
pastorsrest.com
pcs157.com
purpledaily.com
rbaparts.com
sektori.org
slowblog.com
smilecare.com
spmiller.org
teamattire.com
tfxdccssl.net
thecrownsgolf.org
toh.info
usnewssite.com
uszzcs.com
vwrm.com
woodagency.com
yahoodaily.com
Hojutsu.com
Colville.com
Hojutsu.com
admin.datastorage01.org
cas.ibooks.tk
conference.ddns.us
ctcs.bigdepression.net
dev.teamattire.com
fasa.arrowservice.net
fasa.newsonet.net
fni.bigish.net
japan.yahoodaily.com
jimnaugle.com
media.finanstalk.ru
meeting.toh.info
moto.purpledaily.com
moto2.earthsolution.org
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
public.ddns.us
safety.canadatvsite.com
share.canoedaily.com
thecrownsgolf.org
time.mediaxsds.net
ttl.tfxdccssl.net
un.linuxd.org
update.dnepr.com
update.sektori.org
update.slowblog.com
us.gnpes.org
wikileaks.ddns.us
www.BusinessForMars.com
www.bigish.net
www.bluecoate.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.net
www.omegalogos.org
www.pastorsrest.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net
K4Pu.ht
Olmusic100.com
Sdv.gf
Sh.sd
americanunfinished.com
aoldaily.com
appspot.com
aunewsonline.com
bigdepression.net
bluecoate.com
businessformars.com
canadatvsite.com
canoedaily.com
cnndaily.com
colville.com
com.tw
competrip.com
crabdance.com
cvba.com
datastorage01.org
ddns.us
deebeedesigns.ca
dnepr.com
doversolutions.co.in
drgeorges.com
dsds.co.kr
earthsolution.org
fbrshop.com
finanstalk.ru
freelanceindy.com
gnpes.org
gobroadreach.com
happyforever.com
hojutsu.com
homier.com
ibooks.tk
info.tm
itsaol.com
jimnaugle.com
kayauto.net
keenathomas.com
lksoftvc.net
mcafeepaying.com
mediaxsds.net
microsoft.com
micyuisyahooapis.com
msnhome.org
mwa.net
newsesport.com
newsonet.net
omegalogos.org
org.ru
pastorsrest.com
pcs157.com
purpledaily.com
rbaparts.com
sektori.org
slowblog.com
smilecare.com
spmiller.org
teamattire.com
tfxdccssl.net
thecrownsgolf.org
toh.info
usnewssite.com
uszzcs.com
vwrm.com
woodagency.com
yahoodaily.com
X:\command.com
admin.datastorage01.org
adobeflash.info.tm
asa.bigish.net
aspjk07@hotmail.com
att.infosupports.com
augle.com
bigdepression.net
bluecoate.com
businessus.org
canadatvsite.com
cas.ibooks.tk
cas.m-e.org.ru
code.mcafeepaying.com
colville.com
command.com
competrip.com
conference.ddns.us
content.ie
crz.dnsweb.org
ctcs.bigdepression.net
ctcs.earthsolution.org
ctx.comrepair.net
deebeedesigns.ca
dev.teamattire.com
dns.progammerli.com
dove.blackcake.net
drgeorges.com
e.canoedaily.com
eclipsecti.infobusinessus.org
eds1.infosupports.com
erence.ddns.us
essformars.com
exactearth.info.tm
fasa.arrowservice.net
fasa.bigish.net
fasa.newsonet.net
fbrshop.com
fetch.py
flash.aoldaily.com
flash.aunewsonline.com
flash.cnndaily.com
flash.mcafeepaying.com
flash.usnewssite.com
fni.bigish.net
freelanceindy.com
gateway.messenger.hotmail.com
gobroadreach.com
gro.sepng.su
h.lk
h:mm:ss.tt
help.purpledaily.com
hint.happyforever.com
hojutsu.co
hojutsu.com
hotmail.com
safety.canadatvsite.com
www.microsoft.com
admin.datastorage01.org
adobeflash.info.tm
cas.ibooks.tk
cas.m-e.org.ru
colville.com
conference.ddns.us
dev.teamattire.com
hint.happyforever.com
hojutsu.com
japan.yahoodaily.com
jimnaugle.com
media.finanstalk.ru
meeting.toh.info
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
portal.itsaol.com
public.ddns.us
report.crabdance.com
safety.canadatvsite.com
share.canoedaily.com
sports.canoedaily.com
tcw.homier.com
thecrownsgolf.org
time.mediaxsds.net
ttl.tfxdccssl.net
update.dnepr.com
update.sektori.org
update.slowblog.com
us.gnpes.org
wikileaks.ddns.us
www.bluecoate.com
www.businessformars.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.jiangmin.com.tw
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.net
www.newsesport.com
www.omegalogos.org
www.pastorsrest.com
www.pcs157.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.uszzcs.com
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net
johnford985.appspot.com/fetch.py
code.mcafeepaying.com
ctcs.bigdepression.net
flash.aoldaily.com
flash.aunewsonline.com
flash.cnndaily.com
flash.mcafeepaying.com
flash.usnewssite.com
johnford985.appspot.com
ks.cnndaily.com
moto.purpledaily.com
moto1.newsonet.net
moto2.earthsolution.org
stratos.aoldaily.com
stratos.mcafeepaying.com
ic.ddns.us
ice.net
ille.com
ily.com
ing.toh.info
japan.yahoodaily.com
jimnaugle.com
johnford985.appspot.com
k.ca
kayauto.net
keenathomas.com
ks.aoldaily.com
ks.cnndaily.com
ks.jaimeastorga.mx
ks.manguvaljak.ee
ks.petrotdl.com.ar
ks.utworld.ch
m.ms
media.finanstalk.ru
meeting.toh.info
messenger.hotmail.com
microsoft.com
micyuisyahooapis.com
moc.yliadnnc.sk
moto.purpledaily.com
moto1.newsonet.net
moto2.earthsolution.org
mountainvalley.americanunfinished.com
msn.com
msnhome.org
mwa.net
n.datastorage01.org
n.linuxd.org
n.yahoodaily.com
news.canadatvsite.com
news.micyuisyahooapis.com
news.msnhome.org
nexus.passport.com
ni.bigish.net
nic.safalife.com
ntdetect.com
olmusic100.com
omegalogos.org
owservice.ne
pastorsrest.com
portal.itsaol.com
public.ddns.us
purpledaily.com
qhun-mons.businessformars.com
qusc12.infosupports.com
rbaparts.com
report.crabdance.com
rownsgolf.org
s.org
safety.canadatvsite.com
share.canoedaily.com
smilecare.com
sonet.net
sports.canoedaily.com
sra.blackcake.net
sra.infosupports.com
ssus.org
stratos.aoldaily.com
stratos.mcafeepaying.com
tcw.homier.com
te.dnepr.com
teamattire.com
thecrownsgolf.org
time.mediaxsds.net
tsu.com
ttl.tfxdccssl.net
ty.canadatvsite.com
un.linuxd.org
update.dnepr.com
update.mcafeepaying.com
update.sektori.org
update.slowblog.com
us.gnpes.org
usc12.blackcake.net
vop.earthsolution.org
vwrm.com
w.com
us.gn
wikileaks.ddns.us
woodagency.com
ww.bigish.net
www.BusinessForMars.com
www.bigish.net
www.bluecoate.com
www.businessformars.com
www.competrip.com
www.cvba.com
www.deebeedesigns.ca
www.doversolutions.co.in
www.drgeorges.com
www.dsds.co.kr
www.fbrshop.com
www.freelanceindy.com
www.gobroadreach.com
www.heliospartners.com
www.holdent.com.au
www.inkscape.org
www.jiangmin.com.tw
www.kayauto.net
www.keenathomas.com
www.microsoft.com
www.mountainvalley.americanunfinished.com
www.mwa.ne
www.mwa.net
www.newsesport.com
www.olmusic100.com
www.omegalogos.org
www.pastorsrest.com
www.pcs157.com
www.rbaparts.com
www.smilecare.com
www.spmiller.org
www.uszzcs.com
www.vwrm.com
www.woodagency.com
zh.lksoftvc.net

HTTP Requests:

CONNECT HTTP/1.0
CONNECT /index.asp HTTP/1.1
GET HTTP/1.1
GET /1.asp?rands=FXMJVXGOJJ&acc=&str=select id from tab_online where regcode = ‘FXMJVXGOJJ’ HTTP/1.0
GET /197.1.16.3_7.html HTTP/1.1
GET /2011/n325423.shtml?pvid=fAAAACIkAOyJMGjxiYadwRyN9buY2MAeOtQPGgD7e0CsZAFTwA8txDliAAA= HTTP/1.0
GET /2651.asp HTTP/1.1
GET /3491.asp HTTP/1.1
GET /4823.asp HTTP/1.1
GET /4981.asp HTTP/1.1
GET /5310.asp HTTP/1.1
GET /5712.html HTTP/1.1
GET /6212.html HTTP/1.1
GET /6958.html HTTP/1.1
GET /_borders/top.htm HTTP/1.1
GET /A2/front/lm/mini/noborder/?AQB=1&ndh=1&t=480&lv=VDipXNKF&pageName=About&ss=ipWHkqSl&g=Council&cid=225&v1=c25&hp=N&tal=&AQE=1 HTTP/1.0
GET /aboutus_ohs.html HTTP/1.1
GET /adobe.html HTTP/1.1
GET /api/get_attention_num/adfshow?slot=7cLLvm4e&p=F&may=128&g=4363&n=0&i=Home HTTP/1.0
GET /aspnet_client/system_web/1_0_3705_0/SmartNav.jpg HTTP/1.1
GET /attachments/C262-240.jpg HTTP/1.1
GET /bbs/db/1.asp?rands=KKIJLONGAP&acc=&str=select id from tab_online where regcode = ‘KKIJLONGAP’ order by id asc HTTP/1.0
GET /bbs/db/1.asp?rands=SEXGJLSSXM&acc=&str=select id from tab_online where regcode = ‘SEXGJLSSXM’ order by id asc HTTP/1.0
GET /BerwickFire/rental.html HTTP/1.1
GET /css/about.htm HTTP/1.1
GET /css/style.html HTTP/1.1
GET /Default.aspx?INDEX=CGPEHQURTR HTTP/1.1
GET /Default.aspx?INDEX=EIGHIZHOMM HTTP/1.1
GET /Default.aspx?INDEX=EYZALCJEKE HTTP/1.1
GET /Default.aspx?INDEX=GIOJJREGBY HTTP/1.1
GET /Default.aspx?INDEX=IHPSYRANKA HTTP/1.1
GET /Default.aspx?INDEX=IPESEDUTED HTTP/1.1
GET /Default.aspx?INDEX=JBVUQETDVA HTTP/1.1
GET /Default.aspx?INDEX=MAJVUXJDAQ HTTP/1.1
GET /Default.aspx?INDEX=QFBMPJCWAL HTTP/1.1
GET /Default.aspx?INDEX=XMDOFYNHDY HTTP/1.1
GET /default.htm HTTP/1.1
GET /default.html HTTP/1.1
GET /download.htm HTTP/1.1
GET /download/confere.html HTTP/1.1
GET /download/device_ad.asp?device_t=2928269924&key=dxrqdgct&device_id=ad&cv=dxrqdgctnynmgjjfn HTTP/1.0
GET /downloadsoft.htm HTTP/1.1
GET /fax.html HTTP/1.1
GET /file/yahootemp.html HTTP/1.1
GET /Gallery/Winterfest/2.jpg HTTP/1.1
GET /html/proe_tcp.html HTTP/1.1
GET /images/1.asp?rands=HOWBTFQLOZ&acc=&str=select id from tab_online where regcode = ‘HOWBTFQLOZ’ order by id asc HTTP/1.0
GET /images/_vti_img/index.asp HTTP/1.1
GET /images/bs.gif HTTP/1.1
GET /images/btn_info.jpg HTTP/1.1
GET /images/button.jpg HTTP/1.1
GET /images/colt_defense.jpg HTTP/1.1
GET /images/db/1.asp?rands=BWFIMNAJEE&acc=&str=select id from tab_online where regcode = ‘BWFIMNAJEE’ order by id asc HTTP/1.0
GET /images/device_index.asp?device_t=5962704463&key=odnnmvgr&device_id=index&cv=odnnmvgrmftvujsyg HTTP/1.0
GET /images/error.jpg HTTP/1.1
GET /images/head_left.jpg HTTP/1.1
GET /images/icons/3224?meth=gc&tid=2005614&cqe=3884550&inif=tLu3v8eD3Lu+vqjHy8PI1MvMwtTCytTLycnct7uosceUkZzXgNy1qarHz9TL3LK+qbTHy8+fnw==&syun=250 HTTP/1.1
GET /images/index_0_02.jpg HTTP/1.1
GET /images/leftnav_prog_bg.jpg HTTP/1.1
GET /images/li.gif HTTP/1.1
GET /images/logo.png HTTP/1.1
GET /images/reach1.jpg HTTP/1.1
GET /images/record.asp?device_t=3134688572&key=ywbyftdd&device_id=index&cv=ywbyftddoirafvbak&result=no%20command%0D%0A%0D%0ANext%3ASun%20Feb%2024%2009%3A50%3A15%202013%0Adelay%3A3600%20sec%0D%0A HTTP/1.0
GET /images/title.png HTTP/1.1
GET /index.htm HTTP/1.1
GET /index.html HTTP/1.1
GET /index.html HTTP/1.1
GET /index/default.htm HTTP/1.1
GET /index01.htm HTTP/1.1
GET /info/2013.html?1361695580 HTTP/1.0
GET /info/2013.html?1361695600 HTTP/1.0
GET /info/sh1/search.asp HTTP/1.1
GET /info/sh3/search.asp HTTP/1.1
GET /java/careers.html HTTP/1.1
GET /loa/database3/sun.html?a=1317&b=10043&typ=ntWVDtQM&user=home_page|homepage_2nd_banner_820x90&pagei=/8LfwOjw&border=0&local=yes&psi=170&f=1&form=&h=&i=100 HTTP/1.0
GET /logo.html HTTP/1.1
GET /logs/login.asp HTTP/1.1
GET /M&A_alliances.htm HTTP/1.1
GET /main/1.asp?rands=TGPJQNYBQY&acc=&str=select id from tab_online where regcode = ‘TGPJQNYBQY’ order by id asc HTTP/1.0
GET /marq.htm HTTP/1.1
GET /NET/kappa.jpg HTTP/1.1
GET /order.htm HTTP/1.1
GET /Ouo4f045.asp HTTP/1.1
GET /pop.htm HTTP/1.1
GET /postinfo.html?1361694906 HTTP/1.0
GET /postinfo.html HTTP/1.1
GET /pp/core/cgi/wor.asp?category=qiu&ace=i9t2&newText=&amer=160&eur=&mm=love HTTP/1.0
GET /public.html HTTP/1.1
GET /report/news.html HTTP/1.1
GET /Resource/device_Tr.asp?device_t=1626586307&key=wuagysqk&device_id=Tr&cv=wuagysqkptijnsayv HTTP/1.0
GET /Resource/record.asp?device_t=2620185844&key=majccsyr&device_id=Tr&cv=majccsyrufwyqrdkg&result=no%20command%0D%0A%0D%0ANext%3ASun%20Feb%2024%2009%3A57%3A53%202013%0Adelay%3A3600%20sec%0D%0A HTTP/1.0
GET /Rossini.jpg HTTP/1.1
GET /s/asp?XAAAANoRA_U9K_o8YmGncEcjfW7mNjAHjrUDxoA8sgB_SAA=p=1 HTTP/1.0
GET /safe/1.asp?rands=LYWWLWYPSW&acc=&str=select id from tab_online where regcode = ‘LYWWLWYPSW’ order by id asc HTTP/1.0
GET /saler.gif HTTP/1.1
GET /staff.htm HTTP/1.1
GET /study.htm HTTP/1.1
GET /sun/moto.htm HTTP/1.1
GET /top.htm HTTP/1.1
GET /uc/myshow/blog/misc/gif/show.asp?a=mmRCP0L&p=2Fregion2F&u=n5vh8rmrnlopo1ec&b=vY6HjJ2C&n=0&c=233&x=400&y=4153&e=&wt=30q00dn00ei76hc9 HTTP/1.0
GET /update.jpg HTTP/1.1
GET /update.jpg HTTP/1.1
GET /update.png HTTP/1.1
GET /uwire/index.html HTTP/1.1
GET /windows.html HTTP/1.1
GET /word/display.asp HTTP/1.1
GET /worlda.html HTTP/1.1
GET /worldb.html HTTP/1.1
GET /Y/ HTTP/1.1
GET Default.asp HTTP/1.1
GET Default.asp?uid=86893&do=friend&view=41&_lgmode=pri&from=bkT7i2 HTTP/1.1
GET Default.asp?uid=86893&do=friend&view=toms HTTP/1.1
GET index.html HTTP/1.1
GET HTTP/1.1
POST /fetch.py HTTP/1.1
POST 404error.asp HTTP/1.1
POST aspnet_client/report.asp HTTP/1.1
POST aspnet_client/system_web/1_0_3705_0/addCats.asp HTTP/1.1
POST index.asp HTTP/1.1

User Agents:

08:52:09+[HOSTNAME]
08:52:27+[HOSTNAME]
10:03:44+[HOSTNAME]
10:04:02+[HOSTNAME]
5.1 04:15 [HOSTNAME]\[USERNAME]
5.1 04:19 [HOSTNAME]\[USERNAME]
5.1 04:45 [HOSTNAME]\[USERNAME]
5.1 04:46 [HOSTNAME]\[USERNAME]
5.1 04:47 [HOSTNAME]\[USERNAME]
5.1 07:43 [HOSTNAME]\[USERNAME]
5.1 09:35 [HOSTNAME]\[USERNAME]
5.1 09:36 [HOSTNAME]\[USERNAME]
5.1 09:38 [HOSTNAME]\[USERNAME]
5.1 09:39 [HOSTNAME]\[USERNAME]
Google+page
HTTP 1.1
HTTP Mozilla/5.0(compatible+MSIE
IPHONE8.5(host:[HOSTNAME],ip:[IP]
IPHONE8.5(host:[HOSTNAME],ip:[IP]ct:Sun Feb 24 08:46:20 2013
IPHONE8.5(host:[HOSTNAME],ip:[IP]ct:Sun Feb 24 08:46:40 2013
Internet SurfBear
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer Exelon [HOSTNAME]
Mozilla/4.0 (compatible;
Mozilla/4.0 (compatible; MSIE 6.0; Win32
Mozilla/4.0 (compatible; MSIE 6.0; Win32–[HOSTNAME]
Mozilla/4.0 (compatible; MSIE 6.0; Win32;
Mozilla/4.0 (compatible; MSIE 6.0; Win32;Ali;
Mozilla/4.0 (compatible; MSIE 6.0; Win32;Fly;
Mozilla/4.0 (compatible; MSIE 6.0; Win32;Google;
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14.52 from
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1
Mozilla/4.0 (compatible; MSIE 8.0; Win32
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.BMWCN
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.BMWUS
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Cxdp.NSF
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.004:48
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:36
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:37
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:47
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.008:48
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:07
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:13
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:27
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.009:50
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; [HOSTNAME];Trident/4.010:19
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0
Mozilla/4.0 (compatible; MSIE7.0; Windows NT 5.1
Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0
Mozilla/4.0
Mozilla/5.0 (compatible; MSIE 7.1; Windows NT 5.1; SV1
Mozilla/5.0 (compatible; MSIE 8.0; Win32
Mozilla/5.0
Win32
[HOSTNAME]+Mozilla/4.0 (compatible; MSIE 8.0; Win32
[HOSTNAME]
yahoo html

Delays in ms

100
1000
2000
3000
4000
5000
6000
10000
30000
60000
100000
120000
127000
300000
600000
900000
1500000
1620000
174000
1740000
1800000
2100000

Compilation timestamps:

2001-07-17 00:22:56 Tuesday 995329376
2003-08-06 18:34:23 Wednesday 1060194863
2003-10-16 03:41:02 Thursday 1066275662
2004-01-23 23:39:42 Friday 1074901182
2004-05-15 01:06:23 Saturday 1084583183
2004-07-07 02:17:12 Wednesday 1089166632
2004-08-04 06:02:53 Wednesday 1091599373
2004-08-04 06:10:04 Wednesday 1091599804
2004-08-04 06:14:22 Wednesday 1091600062
2004-08-04 06:14:38 Wednesday 1091600078
2004-08-04 07:56:01 Wednesday 1091606161
2004-08-04 07:56:07 Wednesday 1091606167
2004-08-04 07:56:21 Wednesday 1091606181
2004-08-04 07:56:23 Wednesday 1091606183
2004-08-04 07:56:26 Wednesday 1091606186
2004-08-04 07:56:30 Wednesday 1091606190
2004-08-04 07:56:36 Wednesday 1091606196
2004-08-04 07:56:37 Wednesday 1091606197
2004-08-04 07:56:39 Wednesday 1091606199
2004-08-04 07:56:40 Wednesday 1091606200
2004-08-04 07:56:42 Wednesday 1091606202
2004-08-04 07:56:44 Wednesday 1091606204
2004-08-04 07:56:58 Wednesday 1091606218
2004-08-04 07:57:08 Wednesday 1091606228
2004-08-04 07:57:38 Wednesday 1091606258
2004-08-04 07:59:14 Wednesday 1091606354
2006-08-03 12:45:02 Thursday 1154609102
2006-09-13 18:20:18 Wednesday 1158171618
2006-09-14 02:28:46 Thursday 1158200926
2007-06-29 15:18:22 Friday 1183130302
2007-07-25 17:44:33 Wednesday 1185385473
2007-08-08 03:16:50 Wednesday 1186543010
2007-09-17 09:21:03 Monday 1190020863
2007-11-18 23:50:13 Sunday 1195429813
2008-03-12 12:39:30 Wednesday 1205325570
2008-04-13 19:14:55 Sunday 1208114095
2008-06-17 01:20:04 Tuesday 1213665604
2008-07-30 03:25:13 Wednesday 1217388313
2008-08-22 00:43:16 Friday 1219365796
2008-08-27 08:41:19 Wednesday 1219826479
2008-09-16 08:40:03 Tuesday 1221554403
2008-09-16 08:42:05 Tuesday 1221554525
2008-09-16 09:20:31 Tuesday 1221556831
2008-10-22 00:12:21 Wednesday 1224634341
2008-10-27 02:18:16 Monday 1225073896
2008-10-27 08:31:43 Monday 1225096303
2008-10-27 13:48:37 Monday 1225115317
2008-11-10 08:29:48 Monday 1226305788
2008-11-10 08:30:00 Monday 1226305800
2008-11-21 07:46:32 Friday 1227253592
2009-01-07 08:09:33 Wednesday 1231315773
2009-01-15 03:30:11 Thursday 1231990211
2009-02-05 07:14:01 Thursday 1233818041
2009-02-05 07:16:28 Thursday 1233818188
2009-02-05 07:20:22 Thursday 1233818422
2009-02-17 09:40:38 Tuesday 1234863638
2009-03-02 09:52:20 Monday 1235987540
2009-03-06 14:10:18 Friday 1236348618
2009-03-16 13:30:51 Monday 1237210251
2009-03-17 03:34:24 Tuesday 1237260864
2009-03-17 13:21:25 Tuesday 1237296085
2009-03-25 13:11:56 Wednesday 1237986716
2009-04-12 09:14:38 Sunday 1239527678
2009-05-14 17:12:40 Thursday 1242321160
2009-05-26 07:37:57 Tuesday 1243323477
2009-06-08 10:17:38 Monday 1244456258
2009-07-08 13:30:46 Wednesday 1247059846
2009-07-16 15:04:29 Thursday 1247756669
2009-07-20 08:33:01 Monday 1248078781
2009-07-20 09:02:46 Monday 1248080566
2009-07-25 03:44:04 Saturday 1248493444
2009-07-29 14:34:24 Wednesday 1248878064
2009-07-30 09:20:04 Thursday 1248945604
2009-08-03 08:29:29 Monday 1249288169
2009-08-11 08:38:40 Tuesday 1249979920
2009-08-16 11:05:43 Sunday 1250420743
2009-08-24 13:16:23 Monday 1251119783
2009-08-28 02:17:30 Friday 1251425850
2009-11-11 06:33:02 Wednesday 1257921182
2009-11-17 22:13:19 Tuesday 1258495999
2009-12-01 00:40:09 Tuesday 1259628009
2009-12-21 01:39:02 Monday 1261359542
2010-01-15 17:20:56 Friday 1263576056
2010-02-03 08:22:33 Wednesday 1265185353
2010-02-03 08:22:50 Wednesday 1265185370
2010-02-09 08:29:43 Tuesday 1265704183
2010-02-11 03:27:04 Thursday 1265858824
2010-02-11 06:44:46 Thursday 1265870686
2010-02-25 00:49:53 Thursday 1267058993
2010-03-15 06:27:58 Monday 1268634478
2010-04-12 09:09:29 Monday 1271063369
2010-04-14 17:18:20 Wednesday 1271265500
2010-04-20 03:39:27 Tuesday 1271734767
2010-04-23 07:51:28 Friday 1272009088
2010-05-20 07:01:21 Thursday 1274338881
2010-06-23 01:24:31 Wednesday 1277256271
2010-06-25 09:26:47 Friday 1277458007
2010-06-29 00:31:41 Tuesday 1277771501
2010-08-23 02:17:20 Monday 1282529840
2010-09-19 08:34:11 Sunday 1284885251
2010-09-27 02:06:31 Monday 1285553191
2010-09-28 01:00:25 Tuesday 1285635625
2010-09-28 08:09:41 Tuesday 1285661381
2010-10-19 08:15:54 Tuesday 1287476154
2010-10-21 06:51:09 Thursday 1287643869
2010-10-29 06:50:40 Friday 1288335040
2010-10-29 06:51:08 Friday 1288335068
2010-11-02 08:35:56 Tuesday 1288686956
2010-11-04 06:07:11 Thursday 1288850831
2010-11-06 08:08:37 Saturday 1289030917
2010-11-17 13:37:00 Wednesday 1290001020
2010-11-18 01:54:57 Thursday 1290045297
2010-12-02 08:05:26 Thursday 1291277126
2010-12-16 03:14:07 Thursday 1292469247
2010-12-16 03:16:48 Thursday 1292469408
2010-12-18 08:10:11 Saturday 1292659811
2010-12-22 08:02:25 Wednesday 1293004945
2011-01-11 02:12:48 Tuesday 1294711968
2011-01-11 02:24:30 Tuesday 1294712670
2011-01-11 03:22:02 Tuesday 1294716122
2011-03-02 07:40:24 Wednesday 1299051624
2011-03-03 13:41:14 Thursday 1299159674
2011-03-07 09:42:59 Monday 1299490979
2011-03-08 02:36:50 Tuesday 1299551810
2011-03-16 19:26:23 Wednesday 1300303583
2011-03-22 12:59:55 Tuesday 1300798795
2011-03-23 14:34:10 Wednesday 1300890850
2011-03-23 14:36:19 Wednesday 1300890979
2011-03-28 13:35:35 Monday 1301319335
2011-03-29 08:40:16 Tuesday 1301388016
2011-04-02 09:07:51 Saturday 1301735271
2011-04-08 08:04:50 Friday 1302249890
2011-04-20 13:13:08 Wednesday 1303305188
2011-04-21 07:16:51 Thursday 1303370211
2011-04-21 07:51:21 Thursday 1303372281
2011-04-26 01:53:58 Tuesday 1303782838
2011-04-28 01:22:03 Thursday 1303953723
2011-05-17 07:45:35 Tuesday 1305618335
2011-05-17 12:37:22 Tuesday 1305635842
2011-05-20 01:14:53 Friday 1305854093
2011-05-30 08:29:29 Monday 1306744169
2011-06-28 22:39:19 Tuesday 1309300759
2011-07-11 03:38:22 Monday 1310355502
2011-07-18 03:10:56 Monday 1310958656
2011-07-19 01:55:13 Tuesday 1311040513
2011-07-28 04:50:57 Thursday 1311828657
2011-07-28 14:49:46 Thursday 1311864586
2011-07-29 07:10:31 Friday 1311923431
2011-08-09 08:15:29 Tuesday 1312877729
2011-08-11 13:15:49 Thursday 1313068549
2011-08-19 02:34:16 Friday 1313721256
2011-08-19 03:07:37 Friday 1313723257
2011-09-20 03:40:51 Tuesday 1316490051
2011-09-20 03:50:48 Tuesday 1316490648
2011-09-25 13:42:51 Sunday 1316958171
2011-09-25 13:43:28 Sunday 1316958208
2011-09-27 13:07:55 Tuesday 1317128875
2011-09-27 13:09:16 Tuesday 1317128956
2011-10-10 14:16:57 Monday 1318256217
2011-10-11 13:02:38 Tuesday 1318338158
2011-10-12 01:58:10 Wednesday 1318384690
2011-10-13 08:47:13 Thursday 1318495633
2011-10-14 08:42:16 Friday 1318581736
2011-10-14 11:58:04 Friday 1318593484
2011-10-18 00:58:17 Tuesday 1318899497
2011-10-19 09:16:10 Wednesday 1319015770
2011-10-19 09:17:10 Wednesday 1319015830
2011-10-19 09:19:09 Wednesday 1319015949
2011-10-24 08:19:05 Monday 1319444345
2011-11-01 02:43:26 Tuesday 1320115406
2011-11-05 09:27:34 Saturday 1320485254
2011-11-07 14:59:20 Monday 1320677960
2011-11-17 07:22:44 Thursday 1321514564
2011-11-21 12:36:14 Monday 1321878974
2011-11-21 12:36:51 Monday 1321879011
2011-11-22 01:15:22 Tuesday 1321924522
2011-11-28 12:32:07 Monday 1322483527
2011-12-12 03:28:15 Monday 1323660495
2011-12-20 02:23:38 Tuesday 1324347818
2012-01-19 00:50:11 Thursday 1326934211
2012-01-20 03:14:28 Friday 1327029268
2012-02-09 00:47:28 Thursday 1328748448
2012-02-09 00:47:52 Thursday 1328748472
2012-02-16 08:22:06 Thursday 1329380526
2012-02-17 14:55:21 Friday 1329490521
2012-02-23 07:20:31 Thursday 1329981631
2012-02-28 11:48:43 Tuesday 1330429723
2012-02-28 15:35:51 Tuesday 1330443351
2012-03-02 06:27:21 Friday 1330669641
2012-03-02 07:20:27 Friday 1330672827
2012-03-02 08:45:11 Friday 1330677911
2012-03-07 08:41:30 Wednesday 1331109690
2012-03-12 01:34:56 Monday 1331516096
2012-03-13 02:21:54 Tuesday 1331605314
2012-03-13 03:47:57 Tuesday 1331610477
2012-03-16 07:10:50 Friday 1331881850
2012-03-20 09:24:33 Tuesday 1332235473
2012-03-22 08:45:38 Thursday 1332405938
2012-03-28 15:39:00 Wednesday 1332949140
2012-04-12 15:02:26 Thursday 1334242946
2012-04-17 08:29:00 Tuesday 1334651340
2012-04-17 08:30:01 Tuesday 1334651401
2012-04-17 09:32:54 Tuesday 1334655174
2012-04-24 08:24:45 Tuesday 1335255885
2012-05-07 03:19:17 Monday 1336360757
2012-05-14 14:16:53 Monday 1337005013
2012-05-28 08:12:40 Monday 1338192760
2012-05-29 14:39:47 Tuesday 1338302387
2012-06-04 12:57:35 Monday 1338814655
2012-06-09 13:19:49 Saturday 1339247989
2012-06-09 13:19:53 Saturday 1339247993
2012-06-11 12:37:20 Monday 1339418240
2012-06-26 03:30:05 Tuesday 1340681405
2012-08-08 23:27:53 Wednesday 1344468473
2012-08-10 02:10:53 Friday 1344564653
2012-08-16 07:53:11 Thursday 1345103591
2012-08-20 12:56:12 Monday 1345467372
2012-08-20 12:59:08 Monday 1345467548
2012-08-20 14:06:56 Monday 1345471616
2012-08-20 15:16:12 Monday 1345475772
2012-08-21 13:46:15 Tuesday 1345556775
2012-08-22 15:50:16 Wednesday 1345650616
2012-08-28 07:34:32 Tuesday 1346139272
2012-08-28 13:40:13 Tuesday 1346161213
2012-08-30 13:06:09 Thursday 1346331969
2012-09-06 15:34:30 Thursday 1346945670
2012-09-10 14:25:34 Monday 1347287134
2012-11-07 14:12:48 Wednesday 1352297568
2012-11-13 14:55:39 Tuesday 1352818539
2012-11-14 07:58:27 Wednesday 1352879907
2012-11-16 07:35:22 Friday 1353051322
2012-12-06 13:09:40 Thursday 1354799380
2012-12-25 13:07:50 Tuesday 1356440870

The sampleset – clustering

Quite frankly, there is not so much to write about it here.

I do not find obvious distribution or significant spikes of specific patterns and the results are not very presentable – to provide a few specific examples – out of 285 samples:

The following samples use DES:

0CF9E999C574EC89595263446978DC9F
24259AE8B0018B0CE9992FB1D9B69E2A
468FF2C12CFFC7E5B2FE0EE6BB3B239E
476FEA8761A03BEF16E322996C2F6666
7AECB34616245EB6B2906358151BE55B
7F1A4BC267ACE340A5AA7A0B79CBF349
8E8622C393D7E832D39E620EAD5D3B49
929802A27737CEBC59D19DA724FDF30A
C04C796EF126AD7429BE7D55720FE392
CF9C2D5A8FBDD1C5ADC20CFC5E663C21
D0D5A20C5A6C4FDDAB4D43B85632B6A9
D34E357461C55D90C52309C1FF952B4C
DD21D1EA2146861A4219B1CBDAEFE59B

The following files run runinfo.exe:

09531F851EF74A7238685FD287A395BD
0CA6E2AD69826C8E3287FC8576112814
C3E5603A38E700274D1AB30CE93D08B9

The following samples use mutex !@ADS@#$

6B3D19CC86D82B06F5DB3AE9D5BA8A5F
831A67DC75E2D4505180888747BC8EA9

The following samples connect to 69.28.168.10:443

1F2EB7B090018D975E6D9B40868C94CA
D9FBF759F527AF373E34673DC3ACA462

The conclusion?

Diplomatically speaking – my clustering efforts are far from being actionable at this stage :-).

Sandboxing samples provides a good data for toying around, but w/o some normalization of this data and w/o ability to establish links between smaller clusters, it’s hard to draw any significant conclusion.

Sad, but watch this space 🙂

Hexacorn

Hexacorn

Category Archives: Batch Analysis

Clustering and Batch Analysis of APT1 sampleset