{"id":1084,"date":"2012-06-30T06:58:00","date_gmt":"2012-06-30T06:58:00","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1084"},"modified":"2012-10-14T23:47:36","modified_gmt":"2012-10-14T23:47:36","slug":"random-stats-from-300k-malicious-samples","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/06\/30\/random-stats-from-300k-malicious-samples\/","title":{"rendered":"Random stats from 300k malicious samples"},"content":{"rendered":"<p>Playing around with strings extracted from 300K unique samples gave me the top 100 strings (as usual with statistics, don&#8217;t trust it too much, as my sample set is obviously biased).<\/p>\n<p>In any case, as you can see, code snippets (&#8216;SVWU&#8217;), Borland strings and a few DLL\/API names are highly prevalent:<\/p>\n<pre>4521498 SVWU\r\n4008104 Left\r\n3858393 Width\r\n3849138 Height\r\n3651737 SVW3\r\n34282840 ZYYd\r\n2631375 QSVW\r\n1599950 OnClick\r\n1494950 TImage\r\n1470032 ParentFont\r\n1446438 ffffff\r\n1445277 TabOrder\r\n1418101 Font.Color\r\n1418071 Font.Style\r\n1418037 Font.Name\r\n1417970 Font.Height\r\n1416432 Font.Charset\r\n1209103 Z]_^[\r\n1208133 TObject\r\n1110345 SVWUQ\r\n1105144 Sender\r\n1102700 Cursor\r\n1093772 crHandPoint\r\n\u00a0975848 SVWQ\r\n\u00a0965275 Integer\r\n\u00a0913541 Caption\r\n\u00a0879263 BorderStyle\r\n\u00a0863747 ANSI_CHARSET\r\n\u00a0863173 Z_^[\r\n\u00a0845681 MaxLength\r\n\u00a0838228 TEdit\r\n\u00a0830785 clWindowText\r\n\u00a0829954 bsNone\r\n\u00a0820032 TLabel\r\n\u00a0701264 Color\r\n\u00a0692145 fsBold\r\n\u00a0685461 AutoSize\r\n\u00a0682814 OnChange\r\n\u00a0637873 Self\r\n\u00a0636857 YZ]_^[\r\n\u00a0629787 YZ^[\r\n\u00a0588869 Transparent\r\n\u00a0586796 Boolean\r\n\u00a0584700 DEFAULT_CHARSET\r\n\u00a0561879 Verdana\r\n\u00a0536738 fffffffff\r\n\u00a0516176 Controls\r\n\u00a0503455 MS Sans Serif\r\n\u00a0494892 Graphics\r\n\u00a0491681 OnKeyPress\r\n\u00a0476489 YZ_^[\r\n\u00a0475843 kernel32.dll\r\n\u00a0463060 
Classes\r\n\u00a0443913 Forms\r\n\u00a0392601 Visible\r\n\u00a0379947 clBlack\r\n\u00a0349269 ffffffffffff\r\n\u00a0345758 GetProcAddress\r\n\u00a0341988 PasswordChar\r\n\u00a0323528 bvNone\r\n\u00a0320939 GetModuleHandleA\r\n\u00a0303360 ParentColor\r\n\u00a0301265 OnMouseDown\r\n\u00a0299551 clWhite\r\n\u00a0295778 Y_^[\r\n\u00a0294468 Picture.Data\r\n\u00a0288858 JFIF\r\n\u00a0287837 BevelOuter\r\n\u00a0287467 BevelKind\r\n\u00a0287029 LoadLibraryA\r\n\u00a0278017 SUVW\r\n\u00a0272626 bkFlat\r\n\u00a0269891 GWgw\r\n\u00a0260838 QQQQSV\r\n\u00a0254750 SSSSS\r\n\u00a0252854 user32.dll\r\n\u00a0249821 ExitProcess\r\n\u00a0244095 CloseHandle\r\n\u00a0243855 WriteFile\r\n\u00a0243140 GetModuleFileNameA\r\n\u00a0239566 VVVVV\r\n\u00a0236286 rdf:Description&gt;\r\n\u00a0231692 Enabled\r\n\u00a0231218 Menus\r\n\u00a0229567 XYZ\r\n\u00a0225944 RegCloseKey\r\n\u00a0225145 UUUUUU\r\n\u00a0223352 Alignment\r\n\u00a0220329 rdf:Description rdf:about=\"\"\r\n\u00a0219210 MessageBoxA\r\n\u00a0216162 String\r\n\u00a0215643 fffffffffffffff\r\n\u00a0213682 CreateFileA\r\n\u00a0211018 Sleep\r\n\u00a0210632 advapi32.dll\r\n\u00a0209798 VirtualAlloc\r\n\u00a0207239 Arial\r\n\u00a0206138 KERNEL32.DLL\r\n\u00a0202769 RegQueryValueExA\r\n\u00a0200100 Ctl3D<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Playing around with strings extracted from 300K unique samples gave me the top 100 strings (as usual with statistics, don&#8217;t trust it too much, as my sample set is obviously biased). In any case, as you can see, code snippets (&#8216;SVWU&#8217;), &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/06\/30\/random-stats-from-300k-malicious-samples\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1084"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1084"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1084\/revisions"}],"predecessor-version":[{"id":1088,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1084\/revisions\/1088"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}