{"id":1009,"date":"2012-06-05T18:57:35","date_gmt":"2012-06-05T18:57:35","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1009"},"modified":"2012-07-05T15:10:00","modified_gmt":"2012-07-05T15:10:00","slug":"hexdive-preview-of-a-new-tool-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/06\/05\/hexdive-preview-of-a-new-tool-2\/","title":{"rendered":"HexDive \u2013 Preview of a new tool (2)"},"content":{"rendered":"

I thought I will show some more output from the tool – these are malware-specific APIs only (tool outputs more stuff).<\/p>\n

atm it’s over 70,000 keywords searched using modified Aho-Corasick algorithm:<\/p>\n

Flame memory dump (partial)
\n<\/strong><\/p>\n

<\/strong>A|mal-api|-|NtQueryInformationProcess
\nA|mal-api|-|select
\nA|mal-api|-|bind
\nA|mal-api|-|WSAAccept
\nA|mal-api|-|WSAIoctl
\nA|mal-api|-|EnumProcesses
\nA|mal-api|-|OpenProcessToken
\nA|mal-api|-|OpenThreadToken
\nA|mal-api|-|LookupPrivilegeValueW
\nA|mal-api|-|AdjustTokenPrivileges
\nA|mal-api|-|CreateProcessAsUserW
\nA|mal-api|-|ImpersonateLoggedOnUser
\nA|mal-api|-|RegCloseKey
\nA|mal-api|-|RegSetValueExW
\nA|mal-api|-|RegSetValueExA
\nA|mal-api|-|GetUserNameA
\nA|mal-api|-|CreateProcessWithLogonW
\nA|mal-api|-|GetUserNameW
\nA|mal-api|-|RasEnumConnectionsW
\nA|mal-api|-|NdrClientCall2
\nA|mal-api|-|FindWindowA
\nA|mal-api|-|WSASend
\nA|mal-api|-|WSARecv
\nA|mal-api|-|CloseServiceHandle
\nA|mal-api|-|DeleteService
\nA|mal-api|-|CreateServiceA
\nA|mal-api|-|StartServiceA
\nA|mal-api|-|ControlService
\nA|mal-api|-|CreateThread
\nA|mal-api|-|CreateMutexA
\nA|mal-api|-|CreateMutexW
\nA|mal-api|-|SetEnvironmentVariableW
\nA|mal-api|-|VirtualAllocEx
\nA|mal-api|-|ReadProcessMemory
\nA|mal-api|-|OpenProcess
\nA|mal-api|-|Sleep
\nA|mal-api|-|WriteFile
\nA|mal-api|-|FindFirstFileW
\nA|mal-api|-|CreateFileW
\nA|mal-api|-|GetModuleHandleW
\nA|mal-api|-|GetModuleFileNameW
\nA|mal-api|-|GetModuleHandleA
\nA|mal-api|-|VirtualProtect
\nA|mal-api|-|GetVersion
\nA|mal-api|-|GetSystemDirectoryW
\nA|mal-api|-|ExitThread
\nA|mal-api|-|GetThreadTimes
\nA|mal-api|-|GetThreadContext
\nA|mal-api|-|OpenThread
\nA|mal-api|-|GetProcAddress
\nA|mal-api|-|SetThreadContext
\nA|mal-api|-|GetTempPathW
\nA|mal-api|-|GetTempFileNameW
\nA|mal-api|-|GetFileAttributesW
\nA|mal-api|-|LoadLibraryW
\nA|mal-api|-|CreateProcessW
\nA|mal-api|-|DeleteFileW
\nA|mal-api|-|MoveFileExW
\nA|mal-api|-|Thread32First
\nA|mal-api|-|Thread32Next
\nA|mal-api|-|CreateToolhelp32Snapshot
\nA|mal-api|-|GetTickCount
\nA|mal-api|-|FindNextFileW
\nA|mal-api|-|CreateNamedPipeW
\nA|mal-api|-|DisconnectNamedPipe
\nA|mal-api|-|CreateDirectoryW
\nA|mal-api|-|LockResource
\nA|mal-api|-|GetStartupInfoW
\nA|mal-api|-|PeekNamedPipe
\nA|mal-api|-|ExitProcess
\nA|mal-api|-|FindFirstFileA
\nA|mal-api|-|FindNextFileA
\nA|mal-api|-|GetComputerNameA
\nA|mal-api|-|GetEnvironmentVariableA
\nA|mal-api|-|GetTimeZoneInformation
\nA|mal-api|-|GetComputerNameW
\nA|mal-api|-|CreateNamedPipeA
\nA|mal-api|-|CreateProcessA
\nA|mal-api|-|GetModuleFileNameA
\nA|mal-api|-|GetCommandLineA
\nA|mal-api|-|IsDebuggerPresent
\nA|mal-api|-|DeleteFileA
\nA|mal-api|-|GetStartupInfoA
\nA|mal-api|-|FreeEnvironmentStringsA
\nA|mal-api|-|FreeEnvironmentStringsW
\nA|mal-api|-|GetFileAttributesA
\nA|mal-api|-|GetStringTypeA
\nA|mal-api|-|GetStringTypeW
\nA|mal-api|-|SetEnvironmentVariableA
\nA|mal-api|-|DeviceIoControl
\nA|mal-api|-|GetSystemDirectoryA
\nA|mal-api|-|GetDriveTypeA
\nA|mal-api|-|SetThreadPriority
\nA|mal-api|-|GetDiskFreeSpaceW
\nA|mal-api|-|GetDiskFreeSpaceA
\nA|mal-api|-|GetTempPathA
\nA|mal-api|-|GetDriveTypeW
\nA|mal-api|-|FindFirstChangeNotificationW
\nA|mal-api|-|FindNextChangeNotification
\nA|mal-api|-|FindFirstVolumeW
\nA|mal-api|-|ExitThread
\nA|mal-api|-|ExitThread
\nU|mal-api|-|SLEEP
\nU|mal-api|-|SLEEP
\nU|mal-api|-|connect
\nU|mal-api|-|LoadLibraryW
\nU|mal-api|-|GetComputerNameA
\nU|mal-api|-|GetComputerNameW
\nU|mal-api|-|GetUserNameA
\nU|mal-api|-|GetUserNameW
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|DeleteService
\nU|mal-api|-|connect
\nU|mal-api|-|DeleteService
\nU|mal-api|-|connect
\nU|mal-api|-|DeleteService
\nU|mal-api|-|connect
\nU|mal-api|-|DeleteService
\nU|mal-api|-|Connect
\nU|mal-api|-|connect
\nU|mal-api|-|Connect
\nU|mal-api|-|SLEEP
\nU|mal-api|-|Send
\nU|mal-api|-|Send
\nU|mal-api|-|Send
\nU|mal-api|-|Send
\nU|mal-api|-|Send
\nU|mal-api|-|Select
\nU|mal-api|-|SLEEP
\nU|mal-api|-|SLEEP
\nU|mal-api|-|SLEEP
\nU|mal-api|-|SLEEP
\nU|mal-api|-|SLEEP
\nU|mal-api|-|Connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|select
\nU|mal-api|-|NtQuerySystemInformation
\nU|mal-api|-|RegLoadKeyW
\nU|mal-api|-|CreateToolhelp32Snapshot
\nU|mal-api|-|Process32First
\nU|mal-api|-|Process32FirstW
\nU|mal-api|-|Process32Next
\nU|mal-api|-|Process32NextW
\nA|mal-api|-|ExitThread
\nA|mal-api|-|Sleep
\nA|mal-api|-|VirtualProtect
\nA|mal-api|-|GetProcAddress
\nA|mal-api|-|GetModuleHandleA
\nA|mal-api|-|CreateMutexW
\nA|mal-api|-|NtQueryInformationProcess
\nA|mal-api|-|LoadLibraryW
\nA|mal-api|-|CreateFileW
\nU|mal-api|-|GetProcAddress
\nU|mal-api|-|GetModuleHandleA
\nU|mal-api|-|OpenThread
\nU|mal-api|-|ExitThread
\nU|mal-api|-|ExitThread
\nU|mal-api|-|GetModuleHandleW
\nA|mal-api|-|URLDownloadToFileA
\nA|mal-api|-|ExitThread
\nA|mal-api|-|SELECT
\nA|mal-api|-|bind
\nA|mal-api|-|bind<\/p>\n

Random malware sample:<\/strong><\/p>\n

A|mal-api|-|CreateToolhelp32Snapshot
\nA|mal-api|-|Toolhelp32ReadProcessMemory
\nA|mal-api|-|Process32Next
\nA|mal-api|-|Process32FirstW
\nA|mal-api|-|Thread32First
\nA|mal-api|-|Thread32Next
\nA|mal-api|-|Module32First
\nA|mal-api|-|Module32Next
\nA|mal-api|-|Module32FirstW
\nA|mal-api|-|Module32NextW
\nA|mal-api|-|WSAStartup
\nA|mal-api|-|WSACleanup
\nA|mal-api|-|WSAASyncGetHostByName
\nA|mal-api|-|WSAASyncGetServByName
\nA|mal-api|-|bind
\nA|mal-api|-|listen
\nA|mal-api|-|connect
\nA|mal-api|-|WSACancelASyncRequest
\nA|mal-api|-|closesocket
\nA|mal-api|-|send
\nA|mal-api|-|recv
\nA|mal-api|-|WSACleanup
\nA|mal-api|-|accept
\nA|mal-api|-|bind
\nA|mal-api|-|closesocket
\nA|mal-api|-|connect
\nA|mal-api|-|ioctlsocket
\nA|mal-api|-|htonl
\nA|mal-api|-|htons
\nA|mal-api|-|inet_addr
\nA|mal-api|-|inet_ntoa
\nA|mal-api|-|listen
\nA|mal-api|-|ntohl
\nA|mal-api|-|ntohs
\nA|mal-api|-|recv
\nA|mal-api|-|recvfrom
\nA|mal-api|-|select
\nA|mal-api|-|send
\nA|mal-api|-|sendto
\nA|mal-api|-|setsockopt
\nA|mal-api|-|shutdown
\nA|mal-api|-|socket
\nA|mal-api|-|gethostbyaddr
\nA|mal-api|-|gethostbyname
\nA|mal-api|-|gethostname
\nA|mal-api|-|getservbyname
\nA|mal-api|-|WSASetLastError
\nA|mal-api|-|WSAAsyncGetServByName
\nA|mal-api|-|WSAAsyncGetServByPort
\nA|mal-api|-|WSAAsyncGetProtoByName
\nA|mal-api|-|WSAAsyncGetProtoByNumber
\nA|mal-api|-|WSAAsyncGetHostByName
\nA|mal-api|-|WSAAsyncGetHostByAddr
\nA|mal-api|-|WSACancelAsyncRequest
\nA|mal-api|-|WSAAsyncSelect
\nA|mal-api|-|__WSAFDIsSet
\nA|mal-api|-|WSAAccept
\nA|mal-api|-|WSACloseEvent
\nA|mal-api|-|WSAConnect
\nA|mal-api|-|WSACreateEvent
\nA|mal-api|-|WSAHtonl
\nA|mal-api|-|WSAHtons
\nA|mal-api|-|WSAIoctl
\nA|mal-api|-|WSANtohs
\nA|mal-api|-|WSARecv
\nA|mal-api|-|WSARecvFrom
\nA|mal-api|-|WSASend
\nA|mal-api|-|WSASendTo
\nA|mal-api|-|WSAWaitForMultipleEvents
\nA|mal-api|-|WSAProviderConfigChange
\nA|mal-api|-|AcceptEx
\nA|mal-api|-|WSARecvEx
\nA|mal-api|-|WSAStartup
\nA|mal-api|-|ZwQuerySystemInformation
\nA|mal-api|-|ZwOpenProcess
\nA|mal-api|-|ZwOpenSection
\nA|mal-api|-|ZwOpenFile
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|send
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|connect
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nU|mal-api|-|shutdown
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nU|mal-api|-|listen
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nU|mal-api|-|socket
\nA|mal-api|-|GetProcAddress
\nA|mal-api|-|GetModuleHandleA
\nA|mal-api|-|InternetReadFile
\nA|mal-api|-|StartServiceA
\nA|mal-api|-|WSACleanup
\nA|mal-api|-|WSAIoctl<\/p>\n","protected":false},"excerpt":{"rendered":"

I thought I will show some more output from the tool – these are malware-specific APIs only (tool outputs more stuff). atm it’s over 70,000 keywords searched using modified Aho-Corasick algorithm: Flame memory dump (partial) A|mal-api|-|NtQueryInformationProcess A|mal-api|-|select A|mal-api|-|bind A|mal-api|-|WSAAccept A|mal-api|-|WSAIoctl … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1009"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1009"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1009\/revisions"}],"predecessor-version":[{"id":1122,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1009\/revisions\/1122"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1009"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1009"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}