{"id":1746,"date":"2013-03-12T19:19:37","date_gmt":"2013-03-12T19:19:37","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1746"},"modified":"2013-03-15T05:23:53","modified_gmt":"2013-03-15T05:23:53","slug":"clustering-and-batch-analysis-of-apt1-sampleset-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/03\/12\/clustering-and-batch-analysis-of-apt1-sampleset-part-3\/","title":{"rendered":"Clustering and Batch Analysis of APT1 sampleset, part 3"},"content":{"rendered":"<p><a title=\"Clustering and Batch Analysis of APT1 sampleset\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/04\/clustering-and-batch-analysis-of-apt1-sampleset\/\">Part 1<\/a>, <a title=\"Clustering and Batch Analysis of APT1 sampleset, part 2\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/05\/clustering-and-batch-analysis-of-apt1-sampleset-part-2\/\">Part 2<\/a>, <a title=\"Clustering and Batch Analysis of APT1 sampleset, part 3\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/12\/clustering-and-batch-analysis-of-apt1-sampleset-part-3\/\">Part 3<\/a><\/p>\n<p>In the <a title=\"Clustering and Batch Analysis\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/04\/clustering-and-batch-analysis\/\">last<\/a> <a title=\"Clustering and Batch Analysis of APT1 sampleset\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/04\/clustering-and-batch-analysis-of-apt1-sampleset\/\">three<\/a> <a title=\"Clustering and Batch Analysis of APT1 sampleset, part 2\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/05\/clustering-and-batch-analysis-of-apt1-sampleset-part-2\/\">posts<\/a> I talked about batch analysis, clustering and applying these techniques to the APT sampleset.<\/p>\n<p>Batch processing is a step necessary for retrieving &#8216;clusterable&#8217; data from samples in an automated fashion.<\/p>\n<p>Clustering is a way of putting these samples into buckets, potentially grouping them into some families.<\/p>\n<p>I want to see if, without using any 
assumptions or knowledge (retrieved from the white paper or other blogs), it is possible to cluster these samples in a reliable way. It is an interesting experiment and I am curious if I will ever get closer to the already known clusters. Quite frankly, I don&#8217;t know yet. We shall see.<\/p>\n<p>The clustering I have done so far was focused on dynamic analysis and a little bit on source code analysis. In this post I will take code analysis further &#8211; this time focusing on the disassembled .asm files generated, as usual, by <a href=\"https:\/\/www.hex-rays.com\/index.shtml\">IDA Pro<\/a>.<\/p>\n<p>The resulting assembly code is quite nice to parse, as each line contains only one instruction &#8211; this allows us to group the code into blocks on function boundaries and, for each call to an API or to another subroutine (including calls via registers), extract a simplified version of each program procedure, e.g.<\/p>\n<pre style=\"padding-left: 30px;\">sub_401000\u00a0\u00a0 \u00a0proc near\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; CODE XREF: _main+20A\u2191p\r\n[...]\r\n\r\nlea\u00a0\u00a0 \u00a0ecx, [esp+310h+szLongPath]\r\npush\u00a0\u00a0 \u00a0104h\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; nSize\r\npush\u00a0\u00a0 \u00a0ecx\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpFilename\r\npush\u00a0\u00a0 \u00a00\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; hModule\r\n<span style=\"color: #ff0000;\"><strong>call\u00a0\u00a0 \u00a0ds:GetModuleFileNameA<\/strong><\/span>\r\n\r\nlea\u00a0\u00a0 \u00a0edx, [esp+310h+szLongPath]\r\npush\u00a0\u00a0 \u00a0104h\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; cchBuffer\r\nlea\u00a0\u00a0 \u00a0eax, [esp+314h+szLongPath]\r\npush\u00a0\u00a0 \u00a0edx\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpszShortPath\r\npush\u00a0\u00a0 \u00a0eax\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpszLongPath\r\n<strong><span style=\"color: #ff0000;\">call\u00a0\u00a0 \u00a0ds:GetShortPathNameA<\/span><\/strong>\r\n\r\nlea\u00a0\u00a0 \u00a0ecx, 
[esp+310h+Parameters]\r\npush\u00a0\u00a0 \u00a0offset String2\u00a0\u00a0 \u00a0; \"\/c del \"\r\npush\u00a0\u00a0 \u00a0ecx\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpString1\r\n<strong><span style=\"color: #ff0000;\">call\u00a0\u00a0 \u00a0ds:lstrcpyA<\/span><\/strong>\r\n\r\nmov\u00a0\u00a0 \u00a0esi, ds:lstrcatA\r\nlea\u00a0\u00a0 \u00a0edx, [esp+310h+szLongPath]\r\nlea\u00a0\u00a0 \u00a0eax, [esp+310h+Parameters]\r\npush\u00a0\u00a0 \u00a0edx\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpString2\r\npush\u00a0\u00a0 \u00a0eax\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpString1\r\n<strong><span style=\"color: #ff0000;\">call\u00a0\u00a0 \u00a0esi ; lstrcatA<\/span><\/strong>\r\n\r\nlea\u00a0\u00a0 \u00a0ecx, [esp+310h+Parameters]\r\npush\u00a0\u00a0 \u00a0offset s-&gt;&gt;&gt;nul\u00a0\u00a0 \u00a0; \" &gt;&gt;NUL\"\r\npush\u00a0\u00a0 \u00a0ecx\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpString1\r\n<strong><span style=\"color: #ff0000;\">call\u00a0\u00a0 \u00a0esi ; lstrcatA<\/span><\/strong>\r\n\r\nmov\u00a0\u00a0 \u00a0esi, ds:ShellExecuteA\r\npush\u00a0\u00a0 \u00a00\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; nShowCmd\r\npush\u00a0\u00a0 \u00a0offset Directory ; lpDirectory\r\nlea\u00a0\u00a0 \u00a0edx, [esp+318h+File]\r\npush\u00a0\u00a0 \u00a0offset Parameters ; \"\/c\u00a0\u00a0 \u00a0del wuauclt.exe\"\r\npush\u00a0\u00a0 \u00a0edx\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; lpFile\r\npush\u00a0\u00a0 \u00a0offset Operation ; \"open\"\r\npush\u00a0\u00a0 \u00a00\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; hwnd\r\n<strong><span style=\"color: #ff0000;\">call\u00a0\u00a0 \u00a0esi ; ShellExecuteA<\/span><\/strong>\r\n\r\npush\u00a0\u00a0 \u00a00\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; nShowCmd\r\npush\u00a0\u00a0 \u00a0offset Directory ; lpDirectory\r\nlea\u00a0\u00a0 \u00a0eax, [esp+318h+File]\r\npush\u00a0\u00a0 \u00a0offset s-&gt;CDelSvchost_exe ; \"\/c\u00a0\u00a0 \u00a0del svchost.exe\"\r\npush\u00a0\u00a0 \u00a0eax\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; 
lpFile\r\npush\u00a0\u00a0 \u00a0offset Operation ; \"open\"\r\npush\u00a0\u00a0 \u00a00\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0; hwnd\r\n<strong><span style=\"color: #ff0000;\">call\u00a0\u00a0 \u00a0esi ; ShellExecuteA<\/span><\/strong>\r\n\r\n[...]\r\nretn\r\nsub_401000\u00a0\u00a0 \u00a0endp<\/pre>\n<p>becomes<\/p>\n<pre style=\"padding-left: 30px;\"><strong><span style=\"color: #ff0000;\">GetModuleFileNameA\r\nGetShortPathNameA\r\nlstrcpyA\r\nlstrcatA\r\nlstrcatA\r\nShellExecuteA\r\nShellExecuteA\r\nShellExecuteA<\/span><\/strong><\/pre>\n<p>and can be written as a single line of code<\/p>\n<pre><strong><span style=\"color: #ff0000;\">GetModuleFileNameA|GetShortPathNameA|lstrcpyA|lstrcatA|lstrcatA|ShellExecuteA|ShellExecuteA|ShellExecuteA<\/span><\/strong><\/pre>\n<p>Applying this methodology on procedure boundaries to each disassembled program, I eventually came up with a shortened and flattened version of the code of each sample. 
I then built a histogram of the most common sequences of such code blocks across all the source code from all files and got the following stats:<\/p>\n<pre>\u00a0\u00a0 5514 |sub\r\n\u00a0\u00a0 2507 |sub|sub\r\n\u00a0\u00a0 1332 |sub|sub|sub\r\n\u00a0\u00a0\u00a0 860 |sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 558 |__security_check_cookie(x)\r\n\u00a0\u00a0\u00a0 479 |__security_check_cookie(x)|__security_check_cookie(x)\r\n\u00a0\u00a0\u00a0 475 |sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 392 |sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 353 |operator delete(void *)\r\n\u00a0\u00a0\u00a0 276 |sub|operator delete(void *)\r\n\u00a0\u00a0\u00a0 269 |sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 235 |sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 185 |sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 168 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 165 |__alloca_probe|sub|sub\r\n\u00a0\u00a0\u00a0 137 |eax\r\n\u00a0\u00a0\u00a0 132 |sub|sub|ecx\r\n\u00a0\u00a0\u00a0 132 |__alloca_probe|sub\r\n\u00a0\u00a0\u00a0 130 |_atexit\r\n\u00a0\u00a0\u00a0 123 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0 110 |_chkstk|sub|sub\r\n\u00a0\u00a0\u00a0 108 |strlen|operator delete(void *)|operator new(uint)|strcpy\r\n\u00a0\u00a0\u00a0 106 |nullsub\r\n\u00a0\u00a0\u00a0 106 |__alloca_probe\r\n\u00a0\u00a0\u00a0 101 |_chkstk|sub\r\n\u00a0\u00a0\u00a0\u00a0 97 |eax|sub\r\n\u00a0\u00a0\u00a0\u00a0 92 |__alloca_probe|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 91 |__alloca_probe|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 88 |_chkstk|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 88 |__alloca_probe|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 85 |__alloca_probe|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 80 |exception const &amp;)\r\n\u00a0\u00a0\u00a0\u00a0 75 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 73 |strlen\r\n\u00a0\u00a0\u00a0\u00a0 73 
|_chkstk|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 72 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 71 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 71 |_Tidy(bool,uint)\r\n\u00a0\u00a0\u00a0\u00a0 69 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 68 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 68 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 68 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 68 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 68 |InternetCloseHandle|InternetCloseHandle|InternetCloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 67 |sub|eax\r\n\u00a0\u00a0\u00a0\u00a0 63 |_chkstk|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 62 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 62 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 61 |free\r\n\u00a0\u00a0\u00a0\u00a0 60 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 60 |allocator&lt;char&gt;&gt;(char const *)|_atexit\r\n\u00a0\u00a0\u00a0\u00a0 59 |sub|_CxxThrowException(x,x)\r\n\u00a0\u00a0\u00a0\u00a0 56 |_CxxThrowException\r\n\u00a0\u00a0\u00a0\u00a0 56 |InternetReadFile\r\n\u00a0\u00a0\u00a0\u00a0 55 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 55 |_chkstk\r\n\u00a0\u00a0\u00a0\u00a0 55 |SetUnhandledExceptionFilter\r\n\u00a0\u00a0\u00a0\u00a0 52 |operator new(uint)|exception(char const * const &amp;)|_CxxThrowException(x,x)\r\n\u00a0\u00a0\u00a0\u00a0 52 |operator delete(void *)|_CxxThrowException(x,x)\r\n\u00a0\u00a0\u00a0\u00a0 52 |_flsall\r\n\u00a0\u00a0\u00a0\u00a0 51 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 51 
|__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 50 |_chkstk|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 49 |j_free\r\n\u00a0\u00a0\u00a0\u00a0 48 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 47 |sub|sub|_CxxThrowException(x,x)\r\n\u00a0\u00a0\u00a0\u00a0 47 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 45 |sub|sub|sub|sub|eax\r\n\u00a0\u00a0\u00a0\u00a0 44 |strchr|strchr\r\n\u00a0\u00a0\u00a0\u00a0 44 |malloc|sub|sub|free\r\n\u00a0\u00a0\u00a0\u00a0 43 |dword ptr [ecx+8]\r\n\u00a0\u00a0\u00a0\u00a0 42 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 40 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 40 |sub|_Split(void)|_wmemmove|sub|_Eos(uint)|_Split(void)|_Tidy(bool)|sub\r\n\u00a0\u00a0\u00a0\u00a0 40 |operator delete(void *)|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 40 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 40 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 40 |ReadFile|_memcpy_0\r\n\u00a0\u00a0\u00a0\u00a0 39 |sub|_CxxThrowException\r\n\u00a0\u00a0\u00a0\u00a0 39 |GetModuleFileNameA|GetShortPathNameA|GetEnvironmentVariableA|lstrcpyA|lstrcatA|lstrcatA|GetCurrentProcess|SetPriorityClass|GetCurrentThread|SetThreadPriority|ShellExecuteExA|SetPriorityClass|SetProcessPriorityBoost|SHChangeNotify|GetCurrentProcess|SetPriorityClass|GetCurrentThread|SetThreadPriority\r\n\u00a0\u00a0\u00a0\u00a0 38 |sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 38 |_chkstk|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 37 |GetCurrentProcess|OpenProcessToken|LookupPrivilegeValueA|AdjustTokenPrivileges|CloseHandle|GetLastError\r\n\u00a0\u00a0\u00a0\u00a0 36 |sub|sub|dword ptr 
[eax]|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 36 |sub|ecx\r\n\u00a0\u00a0\u00a0\u00a0 36 |dword ptr [ecx+4]\r\n\u00a0\u00a0\u00a0\u00a0 36 |_memset|sub|__security_check_cookie(x)\r\n\u00a0\u00a0\u00a0\u00a0 35 |sub|sub|__security_check_cookie\r\n\u00a0\u00a0\u00a0\u00a0 35 |sub|operator delete(void *)|operator delete(void *)|operator delete(void *)|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 35 |__invalid_parameter_noinfo\r\n\u00a0\u00a0\u00a0\u00a0 34 |operator new(uint)\r\n\u00a0\u00a0\u00a0\u00a0 34 |_free\r\n\u00a0\u00a0\u00a0\u00a0 34 |_LocaleUpdate(localeinfo_struct *)|___strgtold12_l|sub|__security_check_cookie(x)\r\n\u00a0\u00a0\u00a0\u00a0 33 |sub|sub|eax|sub\r\n\u00a0\u00a0\u00a0\u00a0 33 |sub|operator delete(void *)|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 33 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 33 |__errno|__invalid_parameter\r\n\u00a0\u00a0\u00a0\u00a0 32 |operator delete(void *)|operator new(uint)\r\n\u00a0\u00a0\u00a0\u00a0 32 |memset\r\n\u00a0\u00a0\u00a0\u00a0 31 |operator new(uint)|sub\r\n\u00a0\u00a0\u00a0\u00a0 31 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 30 |eax|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 30 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 30 |__EH_prolog|_Tidy(bool)|_strlen|sub|sub|_CxxThrowException(x,x)\r\n\u00a0\u00a0\u00a0\u00a0 30 |SetServiceStatus\r\n\u00a0\u00a0\u00a0\u00a0 28 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 27 |sub|_Split(void)|_memcpy|sub|_Eos(uint)|_Split(void)|_Tidy(bool)|sub\r\n\u00a0\u00a0\u00a0\u00a0 27 |strlen|sub\r\n\u00a0\u00a0\u00a0\u00a0 27 |memcpy\r\n\u00a0\u00a0\u00a0\u00a0 27 
|_strcmpi|memset|memset|CreateToolhelp32Snapshot|Process32First|sprintf|strcat|Process32Next|CloseHandle|_strcmpi|OpenSCManagerA|EnumServicesStatusExA|operator new(uint)|CloseServiceHandle|strcat|EnumServicesStatusExA|sprintf|strcat|operator delete(void *)|CloseServiceHandle|_strcmpi|GetLogicalDrives|sprintf|strcat|sprintf|strcat|lstrcatA|GetDriveTypeA|strcat|GetVolumeInformationA|strcat|strcat|sprintf|strcat\r\n\u00a0\u00a0\u00a0\u00a0 27 |_strcmpi|atoi|OpenProcess|TerminateProcess|CloseHandle|strcat|_strcmpi|OpenSCManagerA|OpenServiceA|GetLastError|strcat|CloseServiceHandle|ControlService|GetLastError|strcat|CloseServiceHandle|CloseServiceHandle\r\n\u00a0\u00a0\u00a0\u00a0 27 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 27 |GetProcAddress\r\n\u00a0\u00a0\u00a0\u00a0 27 |GetExitCodeProcess|PeekNamedPipe|Sleep|ReadFile|CloseHandle|CloseHandle|memset|strcpy|strlen\r\n\u00a0\u00a0\u00a0\u00a0 26 |sub|sub|sub|sub|_memcpy_s\r\n\u00a0\u00a0\u00a0\u00a0 26 |sub|eax|sub|eax|sub\r\n\u00a0\u00a0\u00a0\u00a0 26 |sub|_Tidy(bool)|_Tidy(bool)|sub\r\n\u00a0\u00a0\u00a0\u00a0 26 |strstr|strchr|operator new(uint)|strchr|strchr|strchr|strchr|strchr|strchr|strchr|strchr|strchr|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 26 |strlen|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 26 |sprintf|HttpAddRequestHeadersA|HttpSendRequestA|GetLastError|InternetQueryOptionA|InternetSetOptionA|sprintf\r\n\u00a0\u00a0\u00a0\u00a0 26 |__ld12cvt\r\n\u00a0\u00a0\u00a0\u00a0 26 |___strgtold12|sub\r\n\u00a0\u00a0\u00a0\u00a0 26 |__EH_prolog3|sub|sub|_CxxThrowException(x,x)\r\n\u00a0\u00a0\u00a0\u00a0 26 |InternetOpenA|InternetSetOptionA|InternetSetOptionA|InternetSetOptionA|InternetConnectA|HttpOpenRequestA|strlen|HttpAddRequestHeadersA\r\n\u00a0\u00a0\u00a0\u00a0 26 |$+5\r\n\u00a0\u00a0\u00a0\u00a0 25 |rand\r\n\u00a0\u00a0\u00a0\u00a0 25 
|malloc|CreatePipe|CreatePipe|CloseHandle|CloseHandle|CloseHandle|CloseHandle|free|sub|CloseHandle|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 25 |_chkstk|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 25 |__invalid_parameter_noinfo|__invalid_parameter_noinfo\r\n\u00a0\u00a0\u00a0\u00a0 25 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 25 |URLDownloadToFileA|strcat\r\n\u00a0\u00a0\u00a0\u00a0 24 |sub|sub|sub|sub|sub|GetProcAddress|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 24 |sub|edx|sub\r\n\u00a0\u00a0\u00a0\u00a0 24 |sub|_Split(void)|_wmemmove|sub|_Eos(uint)|_Split(void)|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 24 |shutdown|closesocket\r\n\u00a0\u00a0\u00a0\u00a0 24 |send\r\n\u00a0\u00a0\u00a0\u00a0 24 |fopen|fseek|fread|fseek|ftell|fseek|fread|fclose|fclose|fread|fclose|sub\r\n\u00a0\u00a0\u00a0\u00a0 24 |edx\r\n\u00a0\u00a0\u00a0\u00a0 24 |dword ptr [eax+40h]\r\n\u00a0\u00a0\u00a0\u00a0 24 |_beginthreadex|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 24 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 24 |GetModuleHandleA|GetProcAddress\r\n\u00a0\u00a0\u00a0\u00a0 23 |unknown_libname_1\r\n\u00a0\u00a0\u00a0\u00a0 23 |sub|sub|sub|sub|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 23 |sub|OpenProcess|TerminateProcess|Sleep|CloseHandle|sub\r\n\u00a0\u00a0\u00a0\u00a0 23 |strlen|CreateFileA|strlen|operator new(uint)|memset|WriteConsoleInputA|operator delete(void *)|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 23 |strcat|sub|WaitForSingleObject|strcat|strcat|strlen|sub\r\n\u00a0\u00a0\u00a0\u00a0 23 |j_free|j_free\r\n\u00a0\u00a0\u00a0\u00a0 23 |j_free|_CxxThrowException\r\n\u00a0\u00a0\u00a0\u00a0 23 |LoadStringA|sub\r\n\u00a0\u00a0\u00a0\u00a0 23 |CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 22 |~type_info(void)|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 22 
|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 22 |sub|operator new(unsigned __int64)|exception(char const * const &amp;)|_CxxThrowException|sub|sub|j_free\r\n\u00a0\u00a0\u00a0\u00a0 22 |operator new(uint)|operator new(uint)|sub\r\n\u00a0\u00a0\u00a0\u00a0 22 |operator new(uint)|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 22 |operator delete(void *)|operator delete(void *)|operator delete(void *)\r\n\u00a0\u00a0\u00a0\u00a0 22 |exception(char const * const &amp;)\r\n\u00a0\u00a0\u00a0\u00a0 22 |eax|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 22 |GetCurrentProcess|GetCurrentProcess|DuplicateHandle|CreateProcessA|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 22 |CompareStringA\r\n\u00a0\u00a0\u00a0\u00a0 22 |$+5|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 |sub|_wcslen|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 |sprintf|sprintf|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 |malloc|recv|sub|sub|_strnicmp|WriteFile|recv|free|ExitThread|SetEvent|free|ExitThread\r\n\u00a0\u00a0\u00a0\u00a0 21 |malloc|PeekNamedPipe|ReadFile|sub|sub|_itoa|send|sub|Sleep|PeekNamedPipe|free|ExitThread\r\n\u00a0\u00a0\u00a0\u00a0 21 |_strcmpi|memset|CreateProcessA|strcat|CloseHandle|_strcmpi|OpenSCManagerA|strcat|OpenServiceA|GetLastError|strcat|CloseServiceHandle|StartServiceA|GetLastError|strcat|CloseServiceHandle|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 21 |__get_sse2_info\r\n\u00a0\u00a0\u00a0\u00a0 21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 |__alloca_probe|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub|sub\r\n\u00a0\u00a0\u00a0\u00a0 21 
|GetCurrentProcess|OpenProcess|GetLastError|sprintf|strcat|OpenProcessToken|memset|sprintf|CreateProcessAsUserA|strcat|CloseHandle|CloseHandle|GetLastError|sprintf|strcat|CloseHandle|GetLastError|sprintf|strcat|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 21 |CreateEventA|CreateEventA|sub|WaitForSingleObject|CloseHandle\r\n\u00a0\u00a0\u00a0\u00a0 21 |$+5|sub<\/pre>\n<p>Using these shortened procedures for cluster generations gives some promising results e.g.:<\/p>\n<pre><strong><span style=\"color: #ff0000;\">sub<\/span><\/strong>\r\n<strong><span style=\"color: #ff0000;\">DeleteFileW<\/span><\/strong>\r\n<strong><span style=\"color: #ff0000;\">DeleteFileA<\/span><\/strong>\r\n\r\n1328eaceb140a3863951d18661b097af.asm\r\n31e5e58dbdfad05175613e795298ebb5.asm\r\n6f9992c486195edcf0bf2f6ee6c3ec74.asm\r\nc99fa835350aa9e2427ce69323b061a9.asm\r\ne476e4a24f8b4ff4c8a0b260aa35fc9f.asm\r\nea1b44094ae4d8e2b63a1771a3e61fd5.asm\r\nfc1937c1aa536b3744ebdfb1716fd54d.asm<\/pre>\n<pre><strong><span style=\"color: #ff0000;\">LoadLibraryA<\/span><\/strong>\r\n<strong><span style=\"color: #ff0000;\">GetProcAddress<\/span><\/strong>\r\n<strong><span style=\"color: #ff0000;\">GetProcAddress<\/span><\/strong>\r\n<strong><span style=\"color: #ff0000;\">GetProcAddress<\/span><\/strong>\r\n\r\n3f8682ab074a097ebbaadbf26dfff560.asm\r\n4b19a2a6d40a5825e868c6ef25ae445e.asm\r\n54d5d171a482278cc8eacf08d9175fd7.asm\r\n56de2854ef64d869b5df7af5e4effe3e.asm\r\n75dad1ccabae8adeb5bae899d0c630f8.asm\r\n8462a62f13f92c34e4b89a7d13a185ad.asm<\/pre>\n<pre><span style=\"color: #ff0000;\"><strong>htons<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>socket<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>connect<\/strong><\/span>\r\n<span style=\"color: 
#ff0000;\"><strong>closesocket<\/strong><\/span>\r\n\r\n468ff2c12cffc7e5b2fe0ee6bb3b239e.asm\r\n727a6800991eead454e53e8af164a99c.asm\r\nbd8b082b7711bc980252f988bb0ca936.asm\r\ndb05df0498b59b42a8e493cf3c10c578.asm\r\ne1b6940985a23e5639450f8391820655.asm<\/pre>\n<pre><span style=\"color: #ff0000;\"><strong>ecx<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>eax<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>dword ptr [esi+10h]<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>ecx<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>eax<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n\r\n12f25ce81596aeb19e75cc7ef08f3a38.asm\r\n268eef019bf65b2987e945afaf29643f.asm\r\n468ff2c12cffc7e5b2fe0ee6bb3b239e.asm\r\n4c6bddcca2695d6202df38708e14fc7e.asm\r\n5a728cb9ce56763dccb32b5298d0f050.asm\r\n727a6800991eead454e53e8af164a99c.asm\r\n8e8622c393d7e832d39e620ead5d3b49.asm\r\nbd8b082b7711bc980252f988bb0ca936.asm\r\nc6a4bb1a4e4f69ec71855d70d6960859.asm\r\ndb05df0498b59b42a8e493cf3c10c578.asm\r\ne1b6940985a23e5639450f8391820655.asm\r\nef8e0fb20e7228c7492ccdc59d87c690.asm<\/pre>\n<pre><span style=\"color: #ff0000;\"><strong>LoadLibraryA<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetProcAddress<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: 
#ff0000;\"><strong>strstr<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>strchr<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetSystemDirectoryA<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>time<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>srand<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>malloc<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>strncmp<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>Sleep<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>Sleep<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>Sleep<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CreatePipe<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CreatePipe<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetStartupInfoA<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CreateProcessA<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetLastError<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>_snprintf<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CreateProcessA<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CreateThread<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CreateThread<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>WaitForMultipleObjects<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetExitCodeThread<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>TerminateThread<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetExitCodeThread<\/strong><\/span>\r\n<span style=\"color: 
#ff0000;\"><strong>TerminateThread<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetExitCodeProcess<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>TerminateProcess<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>GetLastError<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>_snprintf<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CloseHandle<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CloseHandle<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CloseHandle<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>CloseHandle<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>Sleep<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>PeekNamedPipe<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>ReadFile<\/strong><\/span>\r\n<span style=\"color: #ff0000;\"><strong>sub<\/strong><\/span>\r\n\r\n0dd3677594632ce270bcf8af94819caf.asm\r\n270d42f292105951ee81e4085ea45054.asm\r\n523f56515221161579ee6090c962e5b1.asm<\/pre>\n<p>Notably, the disassembled code &#8211; after some selective processing and normalization &#8211; can be treated in the same way as student source code submissions are for their assessments at uni and&#8230; be checked for plagiarism. The most common technique used for this purpose relies on measuring the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cosine_similarity\">cosine similarity<\/a>. 
I am currently playing with it and will write more about my findings in another post.<\/p>\n<p>Thanks for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Part 1, Part 2, Part 3 In the last three posts I talked about batch analysis, clustering and applying these techniques to APT sampleset. Batch processing is a step necessary for retrieving &#8216;clusterable&#8217; data from samples in an automated fashion. &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/03\/12\/clustering-and-batch-analysis-of-apt1-sampleset-part-3\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1746"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1746"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1746\/revisions"}],"predecessor-version":[{"id":1775,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1746\/revisions\/1775"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}