<h1>The art of Stuffing and Dressing of Application Data folder</h1>
<p>Published 2015-12-22 at <a href="https://www.hexacorn.com/blog/2015/12/22/the-art-of-stuffing-and-dressing-of-application-data-folder/">hexacorn.com</a>.</p>
<p>The Application Data folder is a very popular drop location for malware. Files are dropped either directly inside it or into subdirectories: randomly named ones, existing OS subdirectories, or directories the malware creates itself, often mimicking the folders of well-known applications (e.g. Mozilla).</p>
<p>The <a href="https://www.hexacorn.com/examples/2015-12-22_applicationdata_exes.txt">attached list</a> contains over 7000 file names of files 'dropped' inside the Application Data folder. The names were extracted from a large set of sandbox reports.</p>
<p>Once stuffed into the folder, the malware often dresses itself up to impersonate popular applications, e.g.:</p>
<p><strong>chrome.exe</strong></p>
<ul>
<li>\Application Data\23405d2\Chrome.exe</li>
<li>\Application Data\4236aa7\Chrome.exe</li>
<li>\Application Data\cchrome.exe</li>
<li>\Application Data\Chrome.exe</li>
<li>\Application Data\Directory\Chrome.exe</li>
<li>\Application Data\Google\Chrome\Application\chrome.exe</li>
<li>\Application Data\GoogleChrome.exe</li>
<li>\Application Data\Orbitum\Application\chrome.exe</li>
<li>\Application Data\qChrome\chrome.exe</li>
<li>\APPLICATION DATA\SVCHOST\CHROME.EXE</li>
<li>\Application Data\temp\chrome.exe</li>
<li>\APPLIC~1\chrome.exe</li>
</ul>
<p><strong>firefox.exe</strong></p>
<ul>
<li>\Application Data\firefox.com</li>
<li>\Application Data\firefox.exe</li>
<li>\Application Data\firefox32.exe</li>
<li>\Application Data\firefox32\fox32.exe</li>
<li>\Application Data\Mozilla\Firefox\firefox.exe</li>
<li>\APPLIC~1\Firefox.exe</li>
</ul>
<p><strong>java.exe</strong></p>
<ul>
<li>\Application Data\google\java.exe</li>
<li>\Application Data\Java.exe</li>
<li>\Application Data\java\java.exe</li>
<li>\Application Data\logjava.exe</li>
<li>\application data\sys\jre\bin\java.exe</li>
<li>\application data\x10flasher_lib\jre\bin\java.exe</li>
<li>\application data\x10flasher_lib\winjre32\bin\java.exe</li>
<li>\application data\x10flasher_lib\winjre32\jre\bin\java.exe</li>
</ul>
<p><strong>smss.exe</strong></p>
<ul>
<li>\Application Data\CDWD\ntsmss.exe</li>
<li>\Application Data\GHGF\ntsmss.exe</li>
<li>\Application Data\ipseol32\rtcssmss.exe</li>
<li>\Application Data\Microsoft\smss.exe</li>
<li>\Application Data\Microsoft\Windows\smss.exe</li>
<li>\Application Data\secetupn\mqsvsmss.exe</li>
<li>\Application Data\smss.exe</li>
<li>\Application Data\sys\smss.exe</li>
<li>\Application Data\sysdrivers\smss.exe</li>
<li>\Application Data\syssmss.exe</li>
<li>\Application Data\System\Oracle\smss.exe</li>
<li>\Application Data\WINDOWS\SMSS.EXE</li>
<li>\Application Data\winhelp\smss.exe</li>
<li>\Application Data\zbwpukwyg\smss.exe</li>
<li>\APPLIC~1\smss.exe</li>
</ul>
<p>and so on and so forth, including some ridiculous vendor mash-ups (a Google folder holding Microsoft-named binaries, and the like):</p>
<ul>
<li>\Application Data\\Application Data\Google\hkcmd.exe</li>
<li>\Application Data\google\java.exe</li>
<li>\Application Data\Google\MicrosoftSecurity64.exe</li>
<li>\Application Data\Google\svchost.exe</li>
<li>\Application Data\GOOGLE\winlogon.exe</li>
<li>\Application Data\install\csrss.exe</li>
<li>\APPLICATION DATA\INSTALL\EXPLORER.EXE</li>
<li>\APPLICATION DATA\INSTALL\IEXPLORER.EXE</li>
<li>\Application Data\Java\svchost.exe</li>
<li>\Application Data\MicOffice\MicOffice.scr</li>
<li>\Application Data\Microsoft\Adbeflashplugin.exe</li>
<li>\Application Data\Microsoft\GoogleToolbarNotifier.exe</li>
<li>\Application Data\Microsoft\Micromedia\winconime.exe</li>
<li>\Application Data\Microsoft\SystemCertificates\LeapFTP.exe</li>
<li>\Application Data\Microsoft\SystemCertificates\My\CRLs\Flashfxp.exe</li>
</ul>
<p>or AV impersonators:</p>
<ul>
<li>\Application Data\Karpesky.exe</li>
<li>\Application Data\KASPERANTIVIRUS.EXE</li>
<li>\Application Data\KasperskyAV.exe</li>
<li>\Application Data\MCAFEEANTIVIRUS.EXE</li>
<li>\Application Data\MCAFEEAV32.EXE</li>
<li>\Application Data\NOD32KERNELS.EXE</li>
<li>\Application Data\NOD64.EXE</li>
<li>\Application Data\NORMANANTIVIRUS.EXE</li>
<li>\Application Data\NortonLive.exe</li>
<li>\Application Data\SYMANTECAV.EXE</li>
<li>\Application Data\SYMANTECAV2.EXE</li>
</ul>
<p>Since it's a blacklist, it can be applied to hunting and file list analysis. Note that the paths above are in the Windows XP form; on Vista and later the same roaming folder is %APPDATA% (C:\Users\&lt;user&gt;\AppData\Roaming), and APPLIC~1 is its 8.3 short name, so a hunt has to normalise all three spellings. FPs are definitely there, so you have been warned 🙂</p>
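<p>To show what "hunting and file list analysis" with such a blacklist looks like in practice, here is an added example; it is not code from the original post and does not use the attached list itself. It takes a constructed file list (a few paths in the style of the post's sandbox-report entries, plus two legitimate installs), normalises the three spellings of the roaming folder, flags exact matches on a hand-picked dozen of the impersonated names as well as look-alikes that embed one (ntsmss.exe, GoogleChrome.exe), and handles the first false-positive class you hit: the XP per-user local folder, <em>Local Settings\Application Data</em>, contains the string "Application Data" too, and per-user Chrome legitimately installs there. The name set and the sample paths are assumptions for illustration.</p>

```python
"""Hunt for impersonating executables under the roaming Application Data folder.

Added example, not code from the original post or its attached list. The
KNOWN_NAMES set is a small hand-picked subset of the impersonated names; the
SAMPLE file list is constructed for illustration.
"""
import ntpath

# A handful of the impersonated names shown in the post; the real list has ~7000.
KNOWN_NAMES = {"chrome", "firefox", "java", "smss", "svchost", "csrss",
               "winlogon", "explorer", "iexplore", "hkcmd", "lsass", "wininit"}
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".dll"}

# Roaming app-data roots as they appear in sandbox reports: XP long name,
# XP 8.3 short name, and the Vista+ path. Matched on a lower-cased path.
ROAMING = ("\\application data\\", "\\applic~1\\", "\\appdata\\roaming\\")
# Per-user *local* app data also contains "application data" on XP, and
# per-user Chrome legitimately installs there: excluded, not flagged.
LOCAL = ("\\local settings\\application data\\", "\\locals~1\\applic~1\\",
         "\\appdata\\local\\")


def classify(path):
    """Return (verdict, detail) for one path.

    verdict is one of:
      'impersonation'  well-known name sitting under roaming app data
      'lookalike'      well-known name embedded in the file name (ntsmss.exe)
      'local-appdata'  excluded: per-user local app data, a common legit location
      'other'          not under app data, or not an executable extension
    """
    p = path.replace("/", "\\").lower()
    base = ntpath.basename(p)
    # LOCAL must be tested first: its XP form contains the roaming substring.
    if any(root in p for root in LOCAL):
        return "local-appdata", base
    if not any(root in p for root in ROAMING):
        return "other", base
    stem, ext = ntpath.splitext(base)
    if ext not in EXEC_EXT:
        return "other", base
    if stem in KNOWN_NAMES:
        return "impersonation", base
    hits = sorted(n for n in KNOWN_NAMES if n in stem)
    if hits:
        return "lookalike", "%s (contains %s)" % (base, ",".join(hits))
    return "other", base


def hunt(paths):
    """Return [(verdict, path)] for entries worth a look, in input order."""
    out = []
    for path in paths:
        verdict, _detail = classify(path)
        if verdict in ("impersonation", "lookalike"):
            out.append((verdict, path))
    return out


# Constructed sample file list (not real sandbox data): paths in the post's
# style plus legitimate files that a naive "Application Data" grep would flag.
SAMPLE = [
    r"C:\Documents and Settings\bob\Application Data\23405d2\Chrome.exe",
    r"C:\Documents and Settings\bob\Application Data\Google\Chrome\Application\chrome.exe",
    r"C:\Documents and Settings\bob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe",
    r"C:\DOCUME~1\bob\APPLIC~1\smss.exe",
    r"C:\Documents and Settings\bob\Application Data\CDWD\ntsmss.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\smss.exe",
    r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe",
    r"C:\Documents and Settings\bob\Application Data\Mozilla\Firefox\Profiles\abc.default\prefs.js",
    r"C:\Windows\System32\smss.exe",
]

if __name__ == "__main__":
    for verdict, path in hunt(SAMPLE):
        print("%-14s %s" % (verdict, path))
```

<p>Run over SAMPLE, the two per-user Chrome installs under local app data and the two non-roaming or non-executable entries stay quiet, while the five roaming hits come out. Everything it flags still needs triage (Authenticode signature, hash reputation, parent process), which is where the remaining FPs the post warns about get resolved.</p>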