More Hanayama (Chess Piece Puzzles)

I wrote about Hanayama puzzles before, so this is more a reminder than a long post. After I discovered these fantastic puzzles last year it pretty much became a norm now that anytime I visit Japan and have an occasion to visit Loft department store, of other similar shops selling variety and fun stuff I do so with a hope I will find some new sets. This is how I came across a relatively new set from Hanayama called Chess Puzzles (which apparently is a remake of a puzzle set made by the designer Marcel Gillen) and thought it will be a good moment to mention the company and their products again.

 

Here are my new babies:

hanayama

The Chess Puzzles turned out to be really easy and I went through them in no time. Luckily, there are still quite a few cast puzzles I have not cracked from the large collection I acquired last year.

Hanayama puzzles are of fantastic quality, have a great playability factor, and are a perfect gift for anyone who likes to crack problems.

I (again) highly recommend it.

The art of Stuffing and Dressing of Application Data folder

Application data folder is a very popular destination for malware. The files are typically dropped either directly inside it, or into subdirectories that are either randomized, leverage existing OS subdirectories, or sometimes malware creates their own – often mimicking the well-known applications’ folders (f.ex. Mozilla).

The attached list contains over 7000 file names for files that are ‘dropped’ inside the application data folder. The file names are extracted from a large set of sandbox reports.

Once stuffed in the folder, the malware often dresses itself impersonating popular applications f.ex.:

chrome.exe

  • \Application Data\23405d2\Chrome.exe
  • \Application Data\4236aa7\Chrome.exe
  • \Application Data\cchrome.exe
  • \Application Data\Chrome.exe
  • \Application Data\Directory\Chrome.exe
  • \Application Data\Google\Chrome\Application\chrome.exe
  • \Application Data\GoogleChrome.exe
  • \Application Data\Orbitum\Application\chrome.exe
  • \Application Data\qChrome\chrome.exe
  • \APPLICATION DATA\SVCHOST\CHROME.EXE
  • \Application Data\temp\chrome.exe
  • \APPLIC~1\chrome.exe

firefox.exe

  • \Application Data\firefox.com
  • \Application Data\firefox.exe
  • \Application Data\firefox32.exe
  • \Application Data\firefox32\fox32.exe
  • \Application Data\Mozilla\Firefox\firefox.exe
  • \APPLIC~1\Firefox.exe

java.exe

  • \Application Data\google\java.exe
  • \Application Data\Java.exe
  • \Application Data\java\java.exe
  • \Application Data\logjava.exe
  • \application data\sys\jre\bin\java.exe
  • \application data\x10flasher_lib\jre\bin\java.exe
  • \application data\x10flasher_lib\winjre32\bin\java.exe
  • \application data\x10flasher_lib\winjre32\jre\bin\java.exe

smss.exe

  • \Application Data\CDWD\ntsmss.exe
  • \Application Data\GHGF\ntsmss.exe
  • \Application Data\ipseol32\rtcssmss.exe
  • \Application Data\Microsoft\smss.exe
  • \Application Data\Microsoft\Windows\smss.exe
  • \Application Data\secetupn\mqsvsmss.exe
  • \Application Data\smss.exe
  • \Application Data\sys\smss.exe
  • \Application Data\sysdrivers\smss.exe
  • \Application Data\syssmss.exe
  • \Application Data\System\Oracle\smss.exe
  • \Application Data\WINDOWS\SMSS.EXE
  • \Application Data\winhelp\smss.exe
  • \Application Data\zbwpukwyg\smss.exe
  • \APPLIC~1\smss.exe

and so on and so forth including some ridiculous Corporate hybrids like these:

  • \Application Data\\Application Data\Google\hkcmd.exe
  • \Application Data\google\java.exe
  • \Application Data\Google\MicrosoftSecurity64.exe
  • \Application Data\Google\svchost.exe
  • \Application Data\GOOGLE\winlogon.exe
  • \Application Data\install\csrss.exe
  • \APPLICATION DATA\INSTALL\EXPLORER.EXE
  • \APPLICATION DATA\INSTALL\IEXPLORER.EXE
  • \Application Data\Java\svchost.exe
  • \Application Data\MicOffice\MicOffice.scr
  • \Application Data\Microsoft\Adbeflashplugin.exe
  • \Application Data\Microsoft\GoogleToolbarNotifier.exe
  • \Application Data\Microsoft\Micromedia\winconime.exe
  • \Application Data\Microsoft\SystemCertificates\LeapFTP.exe
  • \Application Data\Microsoft\SystemCertificates\My\CRLs\Flashfxp.exe

or AV impersonators:

  • \Application Data\Karpesky.exe
  • \Application Data\KASPERANTIVIRUS.EXE
  • \Application Data\KasperskyAV.exe
  • \Application Data\MCAFEEANTIVIRUS.EXE
  • \Application Data\MCAFEEAV32.EXE
  • \Application Data\NOD32KERNELS.EXE
  • \Application Data\NOD64.EXE
  • \Application Data\NORMANANTIVIRUS.EXE
  • \Application Data\NortonLive.exe
  • \Application Data\SYMANTECAV.EXE
  • \Application Data\SYMANTECAV2.EXE

Since it’s a blacklist, it can be applied to hunting and file list analysis. FPs are definitely there, so you have been warned 🙂