Random stats from 300k malicious samples – Borland Libraries

A quick & dirty script for pulling info out of the Borland samples produced the following statistics on the libraries used by malware:

  29458 SysInit
  29068 System
  28330 Windows
  24572 Types
  20368 Messages
  17403 ActiveX
  16312 SysUtils
  15845 SysConst
  15516 ShellAPI
  14179 WinInet
  13267 UrlMon
  12689 Classes
  12594 TypInfo
  11574 Variants
  11574 VarUtils
  10892 WinSock
  10836 Consts
  10801 Registry
  10745 RTLConsts
  10704 ShlObj
  10704 RegStr
  10662 IniFiles
  10515 Graphics
  10358 Imm
  10273 CommDlg
  10256 Math
  10037 WinSpool
  10033 Forms
  10032 Controls
  10031 Printers
  10031 Menus
  10025 StdCtrls
  10007 ExtCtrls
   9933 Dlgs
   9907 Dialogs
   9704 Clipbrd
   9647 CommCtrl
   9632 ImgList
   9632 FlatSB
   9631 StdActns
   9630 ActnList
   9626 MultiMon
   9344 Contnrs
   8858 SyncObjs
   8799 StrUtils
   8751 RichEdit
   8739 TlHelp32
   8441 Buttons
   8376 HelpIntfs
   8090 ComCtrls
   8086 ToolWin
   8086 ComStrs
   7792 WinHelpViewer
   7276 Mapi
   7261 ListActns
   7257 ExtDlgs
   7165 ExtActns
   7074 Themes
   7071 UxTheme
   6270
   5086 WinSvc
   5063 IdResourceStrings
   5063 IdException
   5061 IdGlobal
   5043 IdStackConsts
   5043 IdStack
   5042 IdBaseComponent
   5028 IdAntiFreezeBase
   5013 IdComponent
   5001 IdSocketHandle
   4964 IdURI
   4898 IdTCPClient
   4871 IdIntercept
   4870 IdTCPConnection
   4866 IdSocks
   4783 IdStackWindows
   4666 IdAssignedNumbers
   4648 IdStream
   4645 IdIOHandler
   4644 IdIOHandlerSocket
   4642 IdWinSock2
   4392 MMSystem
   4364 jpeg
   4222 IdTCPStream
   4155 IdRFCReply
   4103 Unit1
   3997 ComObj
   3931 ComConst
   3868 JConsts
   3177 ScktComp
   3092 IdCoder
   3071 IdHeaderList
   2906 IdCoder3to4
   2903 IdCoderMIME
   2880 Reg
   2706 Project1
   2679 Main
   2641 IdStrings
   2619 ImageHlp
   2509 WinSvcEx


Random stats from 300k malicious samples

Playing around with strings extracted from 300K unique samples gave me the top 100 strings (as usual with statistics, don’t trust it too much, as my sample set is obviously biased).

In any case, as you can see, code snippets (‘SVWU’), Borland strings and a few DLL/API names are highly prevalent:

4521498 SVWU
4008104 Left
3858393 Width
3849138 Height
3651737 SVW3
34282840 ZYYd
2631375 QSVW
1599950 OnClick
1494950 TImage
1470032 ParentFont
1446438 ffffff
1445277 TabOrder
1418101 Font.Color
1418071 Font.Style
1418037 Font.Name
1417970 Font.Height
1416432 Font.Charset
1209103 Z]_^[
1208133 TObject
1110345 SVWUQ
1105144 Sender
1102700 Cursor
1093772 crHandPoint
 975848 SVWQ
 965275 Integer
 913541 Caption
 879263 BorderStyle
 863747 ANSI_CHARSET
 863173 Z_^[
 845681 MaxLength
 838228 TEdit
 830785 clWindowText
 829954 bsNone
 820032 TLabel
 701264 Color
 692145 fsBold
 685461 AutoSize
 682814 OnChange
 637873 Self
 636857 YZ]_^[
 629787 YZ^[
 588869 Transparent
 586796 Boolean
 584700 DEFAULT_CHARSET
 561879 Verdana
 536738 fffffffff
 516176 Controls
 503455 MS Sans Serif
 494892 Graphics
 491681 OnKeyPress
 476489 YZ_^[
 475843 kernel32.dll
 463060 Classes
 443913 Forms
 392601 Visible
 379947 clBlack
 349269 ffffffffffff
 345758 GetProcAddress
 341988 PasswordChar
 323528 bvNone
 320939 GetModuleHandleA
 303360 ParentColor
 301265 OnMouseDown
 299551 clWhite
 295778 Y_^[
 294468 Picture.Data
 288858 JFIF
 287837 BevelOuter
 287467 BevelKind
 287029 LoadLibraryA
 278017 SUVW
 272626 bkFlat
 269891 GWgw
 260838 QQQQSV
 254750 SSSSS
 252854 user32.dll
 249821 ExitProcess
 244095 CloseHandle
 243855 WriteFile
 243140 GetModuleFileNameA
 239566 VVVVV
 236286 rdf:Description>
 231692 Enabled
 231218 Menus
 229567 XYZ
 225944 RegCloseKey
 225145 UUUUUU
 223352 Alignment
 220329 rdf:Description rdf:about=""
 219210 MessageBoxA
 216162 String
 215643 fffffffffffffff
 213682 CreateFileA
 211018 Sleep
 210632 advapi32.dll
 209798 VirtualAlloc
 207239 Arial
 206138 KERNEL32.DLL
 202769 RegQueryValueExA
 200100 Ctl3D
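Both posts above boil down to the same quick & dirty job: run a `strings`-style extraction over a corpus and count. The Python below is an added example written for this page, not the author's script. It keeps two tallies, total occurrences and number of samples containing the string, because the counts in the Borland table never exceed the sample count while most in the string table do, so the two tables most likely answer different questions. It also flags strings made entirely of x86 push/pop opcode bytes, which is why 'SVWU' and 'Z]_^[' top the list: they are function prologues and epilogues, not text. The three sample blobs are constructed for the demo; the function names, the two-tally scheme and the opcode heuristic are my own assumptions, not anything the posts describe.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Minimum run length, same default as the classic `strings` tool.
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least `min_len` printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def tally(samples: Dict[str, bytes], min_len: int = MIN_LEN) -> Tuple[Counter, Counter]:
    """Two tallies over a corpus:
    occurrences -- how many times each string appears in total
    prevalence  -- in how many distinct samples it appears at least once
    """
    occurrences: Counter = Counter()
    prevalence: Counter = Counter()
    for data in samples.values():
        found = extract_strings(data, min_len)
        occurrences.update(found)
        prevalence.update(set(found))   # each sample counts once here
    return occurrences, prevalence


def top(counter: Counter, n: int = 100) -> List[Tuple[str, int]]:
    """Highest counts first; ties broken by name so the output is deterministic."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def looks_like_push_pop(s: str) -> bool:
    """True when every character is a one-byte x86 push/pop opcode (0x50..0x5F).
    'SVWU' is push ebx/esi/edi/ebp and 'Z]_^[' is pop edx/ebp/edi/esi/ebx:
    ordinary prologue/epilogue code that a strings pass mistakes for text."""
    return len(s) > 0 and all(0x50 <= ord(c) <= 0x5F for c in s)


def report(counter: Counter, n: int = 100) -> str:
    """Render in the same right-aligned two-column layout as the tables above."""
    rows = top(counter, n)
    width = len(str(rows[0][1])) if rows else 1
    return "\n".join(f"{count:>{width}} {name}" for name, count in rows)


# Constructed stand-ins for PE files: a few bytes of code plus NUL-separated
# Delphi unit names and import names. Not real malware.
SAMPLES: Dict[str, bytes] = {
    "sample_a.exe": (b"MZ\x90\x00"
                     b"SVWU\x8b\xec"                      # push ebx/esi/edi/ebp; mov ebp,esp
                     b"Z]_^[\xc3"                         # pop edx/ebp/edi/esi/ebx; ret
                     b"SysInit\x00System\x00SysUtils\x00"
                     b"kernel32.dll\x00GetProcAddress\x00"),
    "sample_b.exe": (b"MZ\x90\x00"
                     b"SVWU\x8b\xec\x00SVWU\x8b\xec"      # two functions, same prologue
                     b"\x00Forms\x00Controls\x00"
                     b"user32.dll\x00MessageBoxA\x00"),
    "sample_c.exe": (b"MZ\x90\x00"
                     b"SysInit\x00System\x00"
                     b"kernel32.dll\x00LoadLibraryA\x00"
                     b"Z]_^[\xc3"),
}


if __name__ == "__main__":
    occ, prev = tally(SAMPLES)
    print("total occurrences:\n" + report(occ, 10))
    print("\nsamples containing the string:\n" + report(prev, 10))
    noise = [s for s, _ in top(occ) if looks_like_push_pop(s)]
    print("\nprobable opcode runs, not real strings:", noise)
```

On a real corpus, replace `SAMPLES` with a dict built by reading each file in a directory; the prevalence tally is the one to use when asking "how many samples link this unit or import", and the opcode check is a cheap way to drop prologue noise before looking for genuinely interesting strings.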