Hexacorn

Hexacorn

3M samples – random stats

Posted on 2016-11-26 by adam

It’s been a while since I published some stats on a substantial corpora of samples, so here’s a quickie – re-visiting the compilation timestamp.

Three things to note:

these stats are biased (I don’t have all the malware under the Sun)
many samples in 2015-2016 show traces of compilation tampering so compilation timestamp is no longer reliable
many malware samples are Delphi samples and their timestamps are wrong

Still… quasi-scientific pictures are always nice to look at 😉

3M samples, excluding non-sensical timestamps (I may investigate that spike in July 2015 one day):

3M samples, compilation time by the day of the month (end of the month = time to wrap it up and procrastinate):
3M samples, compilation time by the day of the week (weekends are defo a thing for everyone):
3M samples, compilation time by the hour (Europe is a malware cradle, apparently):
3M samples, compilation time by the hour:minute (I have no idea what it shows):

Introducing filighting and the future of DFIR tools, part 3 – more examples

Posted on 2015-04-11 by adam

I have been toying around with the script trying it on various folders and the results are quite promising.

Here is a bunch of examples – screenshots + interactive demos. Note that some JSON files may take a long time to load so please be patient.

Opera 26
- Quite a nice graph – all files had at least one reference

Firefox 35
- Quite a nice graph as well – all files had at least one reference

Office 15
- There is so many files that it is not very readable
- BUT out of 3K+ files, only 17 didn’t have any reference!

Notepad ++
- Probably the worst case I have seen so far – lots of clusters and orphaned files

VMWare 11
- Not too bad, lot of files are referenced, just a few stand out