{"id":1143,"date":"2012-07-19T15:46:15","date_gmt":"2012-07-19T15:46:15","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1143"},"modified":"2012-10-14T23:47:35","modified_gmt":"2012-10-14T23:47:35","slug":"random-stats-from-1m-samples-strings-apis","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/07\/19\/random-stats-from-1m-samples-strings-apis\/","title":{"rendered":"Random Stats from 1M samples &#8211; strings &#038; APIs"},"content":{"rendered":"<p>Thanks to <a href=\"http:\/\/virusshare.com\/\">VirusShare<\/a> (thanks!!!), I recently doubled my malware collection and once I got the samples, I ran the same stats as I did with 300K samples.<\/p>\n<p>The results are not very surprising, but for the benefit of all, here they are &#8211; top 100 strings and APIs:<\/p>\n<pre>71683194 ZYYd\r\n\u00a09614600 SVWU\r\n\u00a08510696 SVW3\r\n\u00a05945175 QSVW\r\n\u00a05146615 Self\r\n\u00a05097074 Left\r\n\u00a04901592 Width\r\n\u00a04866679 Height\r\n\u00a02661888 Y_^[\r\n\u00a02610729 Z]_^[\r\n\u00a02603363 TObject\r\n\u00a02500401 Sender\r\n\u00a02427775 SVWUQ\r\n\u00a02221590 SVWQ\r\n\u00a02098892 Integer\r\n\u00a02041679 SSSSS\r\n\u00a02004524 OnClick\r\n\u00a01959797 TabOrder\r\n\u00a01869961 ffffff\r\n\u00a01839874 ParentFont\r\n\u00a01799717 Z_^[\r\n\u00a01685639 Font.Style\r\n\u00a01685400 Font.Color\r\n\u00a01684559 Font.Name\r\n\u00a01679994 Font.Charset\r\n\u00a01677779 Font.Height\r\n\u00a01675337 TImage\r\n\u00a01533562 Caption\r\n\u00a01532251 SUVW\r\n\u00a01523722 VVVVV\r\n\u00a01330863 YZ^[\r\n\u00a01330718 YZ]_^[\r\n\u00a01289920 Boolean\r\n\u00a01272777 Cursor\r\n\u00a01245718 crHandPoint\r\n\u00a01176021 Controls\r\n\u00a01119964 kernel32.dll\r\n\u00a01067711 Classes\r\n\u00a01066917 TLabel\r\n\u00a01057670 BorderStyle\r\n\u00a01054490 Graphics\r\n\u00a01044623 YZ_^[\r\n\u00a01025276 clWindowText\r\n\u00a01012871 Color\r\n\u00a0 986327 ANSI_CHARSET\r\n\u00a0 982837 TEdit\r\n\u00a0 982375 QCCe\r\n\u00a0 971709 
MaxLength\r\n\u00a0 967265 Forms\r\n\u00a0 958946 bsNone\r\n\u00a0 944070 GetProcAddress\r\n\u00a0 915245 WWWWW\r\n\u00a0 908645 GetModuleHandleA\r\n\u00a0 890753 AutoSize\r\n\u00a0 873797 OnChange\r\n\u00a0 835864 D$ P\r\n\u00a0 819162 fsBold\r\n\u00a0 798371 IGGc\r\n\u00a0 776076 LoadLibraryA\r\n\u00a0 773533 DEFAULT_CHARSET\r\n\u00a0 748235 Transparent\r\n\u00a0 735901 MS Sans Serif\r\n\u00a0 717404 CloseHandle\r\n\u00a0 698784 Y_^][\r\n\u00a0 685014 Visible\r\n\u00a0 680888 ExitProcess\r\n\u00a0 664088 GetModuleFileNameA\r\n\u00a0 652008 WriteFile\r\n\u00a0 640725 fffffffff\r\n\u00a0 638676 VirtualAlloc\r\n\u00a0 632279 user32.dll\r\n\u00a0 627775 MessageBoxA\r\n\u00a0 625640 Verdana\r\n\u00a0 625252 OnKeyPress\r\n\u00a0 621739 D$$P\r\n\u00a0 605312 RegCloseKey\r\n\u00a0 587883 CreateFileA\r\n\u00a0 585205 D$(P\r\n\u00a0 583562 Sleep\r\n\u00a0 580111 GetLastError\r\n\u00a0 575028 BBBB\r\n\u00a0 548097 FreeLibrary\r\n\u00a0 542390 VirtualFree\r\n\u00a0 540328 D$,P\r\n\u00a0 531015 SVWj\r\n\u00a0 527326 PPPPP\r\n\u00a0 526237 Create\r\n\u00a0 520984 IKKe\r\n\u00a0 512493 ReadFile\r\n\u00a0 512283 RegQueryValueExA\r\n\u00a0 503601 D$0P\r\n\u00a0 499179 Menus\r\n\u00a0 494051 SetFilePointer\r\n\u00a0 491272 GetCurrentThreadId\r\n\u00a0 486630 advapi32.dll\r\n\u00a0 485213 RegOpenKeyExA\r\n\u00a0 478247 FCCr\r\n\u00a0 477028 OHHi\r\n\u00a0 470003 L$ Q\r\n\u00a0 469449 Enabled\r\n\u00a0\r\nand APIs\r\n\r\n944070\u00a0\u00a0 \u00a0GetProcAddress\r\n908645\u00a0\u00a0 \u00a0GetModuleHandleA\r\n776076\u00a0\u00a0 \u00a0LoadLibraryA\r\n717404\u00a0\u00a0 \u00a0CloseHandle\r\n680888\u00a0\u00a0 \u00a0ExitProcess\r\n664088\u00a0\u00a0 \u00a0GetModuleFileNameA\r\n652008\u00a0\u00a0 \u00a0WriteFile\r\n638676\u00a0\u00a0 \u00a0VirtualAlloc\r\n627775\u00a0\u00a0 \u00a0MessageBoxA\r\n605312\u00a0\u00a0 \u00a0RegCloseKey\r\n587883\u00a0\u00a0 \u00a0CreateFileA\r\n583562\u00a0\u00a0 \u00a0Sleep\r\n580111\u00a0\u00a0 \u00a0GetLastError\r\n548097\u00a0\u00a0 
\u00a0FreeLibrary\r\n542390\u00a0\u00a0 \u00a0VirtualFree\r\n512493\u00a0\u00a0 \u00a0ReadFile\r\n512283\u00a0\u00a0 \u00a0RegQueryValueExA\r\n494051\u00a0\u00a0 \u00a0SetFilePointer\r\n491272\u00a0\u00a0 \u00a0GetCurrentThreadId\r\n485213\u00a0\u00a0 \u00a0RegOpenKeyExA\r\n463534\u00a0\u00a0 \u00a0GetStdHandle\r\n435175\u00a0\u00a0 \u00a0EnterCriticalSection\r\n433130\u00a0\u00a0 \u00a0LeaveCriticalSection\r\n431887\u00a0\u00a0 \u00a0MultiByteToWideChar\r\n428780\u00a0\u00a0 \u00a0GetCommandLineA\r\n426579\u00a0\u00a0 \u00a0LocalAlloc\r\n426383\u00a0\u00a0 \u00a0GetTickCount\r\n424661\u00a0\u00a0 \u00a0DeleteCriticalSection\r\n416464\u00a0\u00a0 \u00a0InitializeCriticalSection\r\n415052\u00a0\u00a0 \u00a0GetStartupInfoA\r\n403254\u00a0\u00a0 \u00a0FindClose\r\n399632\u00a0\u00a0 \u00a0GetCurrentProcess\r\n391872\u00a0\u00a0 \u00a0GetFileSize\r\n387944\u00a0\u00a0 \u00a0GetLocaleInfoA\r\n386549\u00a0\u00a0 \u00a0WideCharToMultiByte\r\n376113\u00a0\u00a0 \u00a0FindFirstFileA\r\n368695\u00a0\u00a0 \u00a0CreateThread\r\n355701\u00a0\u00a0 \u00a0lstrlenA\r\n349823\u00a0\u00a0 \u00a0RtlUnwind\r\n347012\u00a0\u00a0 \u00a0WaitForSingleObject\r\n333669\u00a0\u00a0 \u00a0UnhandledExceptionFilter\r\n329287\u00a0\u00a0 \u00a0GetSystemMetrics\r\n327685\u00a0\u00a0 \u00a0DeleteFileA\r\n324716\u00a0\u00a0 \u00a0VirtualQuery\r\n323620\u00a0\u00a0 \u00a0GetVersion\r\n322321\u00a0\u00a0 \u00a0GetCurrentProcessId\r\n321928\u00a0\u00a0 \u00a0GetVersionExA\r\n320611\u00a0\u00a0 \u00a0SetEndOfFile\r\n314143\u00a0\u00a0 \u00a0RaiseException\r\n313811\u00a0\u00a0 \u00a0GetThreadLocale\r\n312354\u00a0\u00a0 \u00a0LocalFree\r\n310272\u00a0\u00a0 \u00a0TlsSetValue\r\n308747\u00a0\u00a0 \u00a0TlsGetValue\r\n306651\u00a0\u00a0 \u00a0CharNextA\r\n306325\u00a0\u00a0 \u00a0GetACP\r\n295599\u00a0\u00a0 \u00a0LoadStringA\r\n290795\u00a0\u00a0 \u00a0TerminateProcess\r\n285458\u00a0\u00a0 \u00a0GetCPInfo\r\n275774\u00a0\u00a0 \u00a0RegSetValueExA\r\n275053\u00a0\u00a0 
\u00a0ShowWindow\r\n273978\u00a0\u00a0 \u00a0InterlockedDecrement\r\n273819\u00a0\u00a0 \u00a0GetDC\r\n273356\u00a0\u00a0 \u00a0InterlockedIncrement\r\n268980\u00a0\u00a0 \u00a0GetFileType\r\n261534\u00a0\u00a0 \u00a0DeleteObject\r\n258627\u00a0\u00a0 \u00a0SelectObject\r\n257670\u00a0\u00a0 \u00a0HeapAlloc\r\n257553\u00a0\u00a0 \u00a0GetActiveWindow\r\n250951\u00a0\u00a0 \u00a0CreateProcessA\r\n249336\u00a0\u00a0 \u00a0GlobalAlloc\r\n244183\u00a0\u00a0 \u00a0VirtualProtect\r\n238796\u00a0\u00a0 \u00a0SendMessageA\r\n237408\u00a0\u00a0 \u00a0GetDeviceCaps\r\n235324\u00a0\u00a0 \u00a0LoadLibraryExA\r\n231840\u00a0\u00a0 \u00a0GetLastActivePopup\r\n228711\u00a0\u00a0 \u00a0GlobalFree\r\n228678\u00a0\u00a0 \u00a0GetSystemDirectoryA\r\n228410\u00a0\u00a0 \u00a0DestroyWindow\r\n227835\u00a0\u00a0 \u00a0HeapFree\r\n224168\u00a0\u00a0 \u00a0GetTempPathA\r\n223629\u00a0\u00a0 \u00a0QueryPerformanceCounter\r\n223618\u00a0\u00a0 \u00a0DispatchMessageA\r\n223499\u00a0\u00a0 \u00a0wsprintfA\r\n223381\u00a0\u00a0 \u00a0SysFreeString\r\n221520\u00a0\u00a0 \u00a0LoadResource\r\n219417\u00a0\u00a0 \u00a0DeleteDC\r\n218877\u00a0\u00a0 \u00a0CreateWindowExA\r\n214804\u00a0\u00a0 \u00a0GetWindowRect\r\n213161\u00a0\u00a0 \u00a0lstrcpynA\r\n212451\u00a0\u00a0 \u00a0TranslateMessage\r\n208053\u00a0\u00a0 \u00a0ReleaseDC\r\n207416\u00a0\u00a0 \u00a0CompareStringA\r\n204825\u00a0\u00a0 \u00a0SetEvent\r\n203100\u00a0\u00a0 \u00a0RegCreateKeyExA\r\n202788\u00a0\u00a0 \u00a0SizeofResource\r\n202324\u00a0\u00a0 \u00a0GetClientRect\r\n201382\u00a0\u00a0 \u00a0GetLocalTime\r\n200791\u00a0\u00a0 \u00a0CreateEventA\r\n200663\u00a0\u00a0 \u00a0SetTextColor\r\n200383\u00a0\u00a0 \u00a0exit\r\n\r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Thanks to VirusShare (thanks!!!), I recently doubled my malware collection and once I got the samples, I ran the same stats as I did with 300K samples The results are not very surprising, but for the benefit of all, here &hellip; <a 
href=\"https:\/\/www.hexacorn.com\/blog\/2012\/07\/19\/random-stats-from-1m-samples-strings-apis\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1143"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1143"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1143\/revisions"}],"predecessor-version":[{"id":1383,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1143\/revisions\/1383"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}