Week of Data Dumps, Part 5 – commands

Writing your own sandbox has many advantages, and the most important one is the ability to collect data that otherwise only large companies have. Analysing many samples gives a unique insight into coding patterns, and one of them is the simple laziness of coders, who often leverage OS programs and commands to achieve their goals instead of reimplementing the functionality. Today, with EDR all over the place, many sandboxing services available online, and an admirable tendency of everyone to finally share this kind of data openly, it only makes sense to make my obsolete data public as well.

Here’s a snapshot of some of the malicious commands I ‘logged’ in the past.

Week of Data Dumps, Part 4 – games-related strings

This series got a bit delayed, because I got sick last week.

This is a bit counter-intuitive – why would you want to collect strings related to games?

First, there was a time when games were targeted by malware authors a lot. Secondly, if you have a good list of games-related strings, you can quickly classify many samples. If you find these specific strings inside an executable it is either part of a game, a crack for the game, malware targeting a game, or some third-party software dealing with games in bulk. Not too many options…

Today there are many resources listing various game names, their executable names, etc., so instead of handing you the answer on a plate, I will list two decent sources I used in the past:

  • GameUXLegacyGDFs.dll – Microsoft library, contains a large database of games inside its resources
  • fingerprint.db – Nvidia’s file listing many games and collections of file names, and other interesting artifacts
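A minimal way to put such a list to use, added here as an example and not code from the post or from either of the sources above: pull printable ASCII and UTF-16LE strings out of a binary blob, count case-insensitive hits against the keyword list, and tag the sample. The keyword list and the sample byte blob below are constructed for illustration only; in practice the list would be populated from the database inside GameUXLegacyGDFs.dll or from fingerprint.db, and the blob would be a file read from disk.

```python
"""Tag a sample as games-related from the strings it contains.

Added example for this post. GAME_STRINGS and SAMPLE are constructed
for illustration; they are not taken from GameUXLegacyGDFs.dll or
fingerprint.db.
"""
import re
from typing import Dict, List

# Hypothetical keyword list (constructed). A real one would be extracted
# from a curated source such as the two files mentioned in the post.
GAME_STRINGS: List[str] = [
    "steam_api.dll",
    "steam_api64.dll",
    "GameOverlayRenderer.dll",
    "Counter-Strike",
    "Unreal Engine",
]

# Printable ASCII runs, and UTF-16LE runs (printable ASCII byte + NUL),
# which is how most Windows binaries store their wide strings.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return ASCII strings first, then UTF-16LE strings, found in data."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data)]
    return [s for s in found if len(s) >= min_len]


def match_game_strings(data: bytes, keywords=GAME_STRINGS) -> Dict[str, int]:
    """Count extracted strings containing each keyword (case-insensitive)."""
    lowered = [s.lower() for s in extract_strings(data)]
    hits: Dict[str, int] = {}
    for kw in keywords:
        n = sum(1 for s in lowered if kw.lower() in s)
        if n:
            hits[kw] = n
    return hits


def classify(data: bytes, keywords=GAME_STRINGS, threshold: int = 1) -> str:
    """Tag the sample when at least `threshold` distinct keywords hit.

    As the post notes, a hit only narrows the file down to a game, a crack,
    malware targeting a game, or bulk game-handling software; it does not
    say which of those it is.
    """
    hits = match_game_strings(data, keywords)
    return "games-related" if len(hits) >= threshold else "unclassified"


# Constructed sample blob standing in for an executable: one ASCII hit,
# one UTF-16LE hit, and some unrelated imports as noise.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"steam_api.dll\x00\x00"
    + "Counter-Strike".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00LoadLibraryA\x00"
)

if __name__ == "__main__":
    print(extract_strings(SAMPLE))
    print(match_game_strings(SAMPLE))
    print(classify(SAMPLE))
```

The wide-string regex matters more than it looks: a list built only from ASCII runs will miss the resource strings and paths that Windows games store as UTF-16LE, so a sample that is obviously game-related in a hex editor shows zero hits. The threshold is there because single generic hits (a common DLL name) are weak evidence on their own.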