{"id":6753,"date":"2019-09-07T00:33:44","date_gmt":"2019-09-07T00:33:44","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6753"},"modified":"2019-09-07T00:33:46","modified_gmt":"2019-09-07T00:33:46","slug":"appended-data-goodware","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/09\/07\/appended-data-goodware\/","title":{"rendered":"Appended data &#8212; goodware"},"content":{"rendered":"\n<p>When you take a look at large corpora of <code>appended data<\/code> (the data that many PE files carry after their last section, also known as the overlay, which the loader does not map into memory when the program starts), patterns emerge.<\/p>\n\n\n\n<p>For malware, this usually means an abuse of a popular installer.<\/p>\n\n\n\n<p>For goodware, it&#8217;s business as usual.<\/p>\n\n\n\n<p>Using the state machine script I <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/09\/06\/state-machine-vs-regex\/\">discussed<\/a> in my other post today, I extracted the first 4 bytes (shown as hex) of the appended data of many goodware installers and counted how often each value occurs.<\/p>\n\n\n\n<p>No surprises there: many of the appended data blobs are in a format used by popular, &#8216;genuine&#8217; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/04\/30\/file-formats-zoo-installers\/\">installer<\/a> packages (stub+appended data):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  count first 4 bytes - what it is\n 181472 00 00 00 00 \n 131876 4D 53 43 46 - CAB file\n  36369 2E 66 69 6C - .file\n  36359 7A 6C 62 1A - Inno Setup\n  31960 13 00 00 00 \n  27981 3B 21 40 49 - 7z SFX\n  24883 50 4B 03 04 - Zip\n  21721 40 55 41 46 - AMI Flash Utility\n  13896 01 00 00 00 \n   9489 A3 61 4A 6A \n   9470 5C 73 65 6C -  \\self\\bin\\x86\\msvcp60.pdb. \n   8021 52 61 72 21 - Rar!\n   7077 0E 00 00 00 \n   6855 5F 45 4E 5F - _EN_CODE.BIN<\/code><\/pre>\n\n\n\n<p>Appended data that is a CAB, ZIP or RAR archive shows up, as do some proprietary appended data formats. 
<\/p>\n\n\n\n<p>How can we use this from a detection perspective?<\/p>\n\n\n\n<p>Formats that are not popular among malware samples could become exclusions. Keep in mind, though, that the first bytes of the overlay are entirely under the file author&#8217;s control, so such an exclusion should rest on more than the magic alone (for example, on the stub itself being a known, signed installer).<\/p>\n\n\n\n<p>Outliers are a perfect test bed for any PE parser. Does your parser handle every PE structure properly? While analyzing data for this blog post I spotted many badly parsed PE files. This is quite a slap in my face. My parser has grown organically over many years and I was quite confident that it &#8216;handles&#8217; many outliers. I know now that I have to improve it. A humble lesson for any sample collector really&#8230;<\/p>\n\n\n\n<p>Finally, knowing what types of installers are used by goodware, you can use it as a hint on how to craft your red team tools so that they do not stand out. It may sound silly, but if &#8216;next gen&#8217;\/AI\/ML algos really exist and they train on crazily large corpora of samples&#8230; chances are that they will learn to ignore many of these popular file setups&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you take a look at large corpora of appended data &#8212; the data that is a part of many PE files, but is not loaded as a part of PE image loading into memory (when a program starts) &#8212; &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/09\/07\/appended-data-goodware\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,39,21],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6753"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6753"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6753\/revisions"}],"predecessor-version":[{"id":6754,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6753\/revisions\/6754"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
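The table in the post is a count of the first four bytes of each file's appended data (overlay). The Python below is an added example, not Hexacorn's state-machine script or any code from the post: it locates the overlay in a PE by taking the highest PointerToRawData + SizeOfRawData over all sections, tags the first four bytes with the labels from the post's table, and tallies a corpus the way the table was built. It also keeps the shortcut that trusts only the last section header, which mis-parses files whose sections are stored on disk out of table order, the kind of outlier the post says trips up parsers, and it refuses to label an Authenticode certificate table (which signed binaries keep in the overlay, at the file offset stored in data directory 4) as an installer payload. The function names, the `build_pe` helper, the section contents and the appended blobs are all constructed test input for this example.

```python
import struct
from collections import Counter

# First-four-byte magics and labels taken from the post's table (unlabelled numeric prefixes omitted).
APPENDED_MAGIC = {
    b"MSCF": "CAB file",
    b"zlb\x1a": "Inno Setup",
    b";!@I": "7z SFX",          # start of the ";!@Install@!UTF-8!" config block
    b"PK\x03\x04": "Zip",
    b"@UAF": "AMI Flash Utility",
    b"Rar!": "Rar!",
    b"_EN_": "_EN_CODE.BIN",
}
FILE_ALIGN = 0x200

def _headers(data: bytes):
    """Return (optional header offset, its size, section table offset, section count)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, size_opt = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    if size_opt < 64 or opt + size_opt > len(data):
        raise ValueError("optional header truncated")
    return opt, size_opt, opt + size_opt, num_sections

def overlay_offset(data: bytes) -> int:
    """Offset where appended data (the overlay) starts, or len(data) if there is none."""
    opt, _, table, n = _headers(data)
    end, = struct.unpack_from("<I", data, opt + 60)     # SizeOfHeaders: headers are never overlay
    # The overlay begins after the highest PointerToRawData + SizeOfRawData over ALL
    # sections; they need not be stored on disk in section-table order.
    for i in range(n):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))

def naive_overlay_offset(data: bytes) -> int:
    """The shortcut that mis-parses out-of-order files: trust only the last section header."""
    _, _, table, n = _headers(data)
    size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * (n - 1) + 16)
    return ptr_raw + size_raw

def classify_appended(data: bytes):
    """Return (offset, size, first4, label) for the file's appended data, or None."""
    start = overlay_offset(data)
    if start >= len(data):
        return None
    opt, size_opt, _, _ = _headers(data)
    magic, = struct.unpack_from("<H", data, opt)
    # Data directory 4 (security) holds a FILE offset: signed binaries keep their
    # Authenticode blob in the overlay, and that is not an installer payload.
    dd = opt + (96 if magic == 0x10B else 112) + 4 * 8
    sec_off = struct.unpack_from("<I", data, dd)[0] if dd + 8 <= opt + size_opt else 0
    head = data[start:start + 4]
    label = APPENDED_MAGIC.get(head, "unknown")
    if sec_off and sec_off == start:
        label = "Authenticode certificate table"
    return start, len(data) - start, head, label

def tally_appended(corpus):
    """Count first-four-byte prefixes of appended data over a corpus, as the post's table does."""
    return Counter(info[2] for info in map(classify_appended, corpus) if info)

def build_pe(sections, appended: bytes = b"") -> bytes:
    """Constructed PE32 test input (not a real binary); sections go on disk in REVERSE table order."""
    n = len(sections)
    size_of_headers = -(-(0x40 + 4 + 20 + 224 + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    placed, ptr = {}, size_of_headers
    for idx in reversed(range(n)):                # last table entry lands FIRST on disk
        blob = sections[idx][1]
        raw = -(-len(blob) // FILE_ALIGN) * FILE_ALIGN
        placed[idx] = (ptr, raw, blob.ljust(raw, b"\0"))
        ptr += raw
    table, va = b"", 0x1000
    for idx, (name, blob) in enumerate(sections):
        p, raw, _ = placed[idx]
        table += struct.pack("<8sIIIIIIHHI", name, len(blob), va, raw, p, 0, 0, 0, 0, 0x60000020)
        va += max(raw, 0x1000)
    headers = (dos + coff + bytes(opt) + table).ljust(size_of_headers, b"\0")
    return headers + b"".join(placed[i][2] for i in reversed(range(n))) + appended

SECTIONS = [(b".text", b"\xC3" * 16), (b".data", b"A" * 0x300)]       # constructed sections
CAB_SAMPLE = build_pe(SECTIONS, b"MSCF" + b"\0" * 20)                   # constructed overlay
ZIP_SAMPLE = build_pe(SECTIONS, b"PK\x03\x04" + b"\0" * 26)
CLEAN_SAMPLE = build_pe(SECTIONS)                                       # no overlay at all
```

On the constructed samples `overlay_offset` reports 2048 while `naive_overlay_offset` reports 1536, the end of the section that is last in the table but first on disk; a parser taking the shortcut would "find" an overlay that is really `.text`, which is exactly the kind of bad parse the post describes. Running `tally_appended` over a real directory of installers (reading each file into `bytes`) reproduces the post's count-by-magic table.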