3M samples – random stats

It’s been a while since I published some stats on a substantial corpora of samples, so here’s a quickie – re-visiting the compilation timestamp.

Three things to note:

  • these stats are biased (I don’t have all the malware under the Sun)
  • many samples in 2015-2016 show traces of compilation tampering so compilation timestamp is no longer reliable
  • many malware samples are Delphi samples and their timestamps are wrong

Still… quasi-scientific pictures are always nice to look at 😉

  • 3M samples, excluding non-sensical timestamps (I may investigate that spike in July 2015 one day):

3m

  • 3M samples, compilation time by the day of the month (end of the month = time to wrap it up and procrastinate):
    3m_dayofthemonth
  • 3M samples, compilation time by the day of the week (weekends are defo a thing for everyone):
    3m_dayoftheweek
  • 3M samples, compilation time by the hour (Europe is a malware cradle, apparently):
    3m_hour
  • 3M samples, compilation time by the hour:minute (I have no idea what it shows):
    3m_hour_minute_condensed

Introducing filighting and the future of DFIR tools, part 3 – more examples

I have been toying around with the script trying it on various folders and the results are quite promising.

Here is a bunch of examples – screenshots + interactive demos. Note that some JSON files may take a long time to load so please be patient.

  • Opera 26
    • Quite a nice graph – all files had at least one reference

cluster_opera26

  • Firefox 35
    • Quite a nice graph as well – all files had at least one reference

cluster_firefox

  • Office 15
    • There is so many files that it is not very readable
    • BUT out of 3K+ files, only 17 didn’t have any reference!

cluster_office15

  • Notepad ++
    • Probably the worst case I have seen so far – lots of clusters and orphaned files

cluster_notepadplus

  • VMWare 11
    • Not too bad, lot of files are referenced, just a few stand out

cluster_vmware