{"id":7116,"date":"2020-04-12T00:02:45","date_gmt":"2020-04-12T00:02:45","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=7116"},"modified":"2024-08-07T23:04:26","modified_gmt":"2024-08-07T23:04:26","slug":"pdbs-from-the-the-good-sauce","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/04\/12\/pdbs-from-the-the-good-sauce\/","title":{"rendered":"PDBs… from the the good sauce…"},"content":{"rendered":"\n

One of the early public sample clustering attempts I have ever made was a search for the username that was the most prevalent<\/a> among the PDB paths extracted from my malware repository circa … 2013. Long time ago. Yup. The winner account was (unsurprisingly): ‘Administrator’.<\/p>\n\n\n\n

7 years later we are seeing more PDB path research and Steve Miller<\/a> at FireEye did a lot work in this space. Nick, who is one of my fav malware researchers, chipped in on the Twitter thread<\/a> related to Steve’s research and pointed readers to my old blog posts, so I felt somehow obliged to follow up.<\/p>\n\n\n\n

How?<\/p>\n\n\n\n

By looking at PDBs from the goodware.<\/p>\n\n\n\n

What?<\/p>\n\n\n\n

Yup.<\/p>\n\n\n\n

Not only malware embeds the PDB paths, but also lots of goodware, that is…. drivers, installers, do-something files from your favorite or not so favorite vendor (aka it’s often a vendor that happens to be supporting your video, audio cards, as well as vendors installing lots of OEM software crappe on your laptops with a lot software pre-installed ‘out of the box’).<\/p>\n\n\n\n

Still interested?<\/p>\n\n\n\n

You should be… A list of good PDB paths can be easily turned into a ‘Good Yara’ repo. And that means.. you can exclude many of clean samples early as they come in by just looking at their PDB paths.<\/p>\n\n\n\n

So… how these ‘good’ PDB paths look like?<\/p>\n\n\n\n

Here are some stats….<\/p>\n\n\n\n

D:\\binaries.x86fre\\SCP_WPA\t50766\ne:\\SourceCode\\AsMultiLang\\AsMultiLang\\release\t37478\nc:\\CCView$\\jmerchan_view_ASE_Installers\\ASE_Installers\\Iif2\\Installer\\Hdmi\\Resource\\Src\\Release\t34064\nc:\\CCView\\jgonz2x_Staging_view\\ASE_Installers\\Iif2\\Installer\\Hdmi\\Resource\\Src\\Debug\t25642\nc:\\share\\anarayan_latest_main\\gfx_Development\\SourceCUI2\\igfx\\TvWizIns\\TVconfig\\Resource\\NEW_SRC\t22776\nc:\\ccviews\\atjes_L10N_ASE_Staging\\ASE_Installers\\Iif2\\Installer\\Chipset\\Resource\\Src\\Debug\t21446\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudbus\\azalia\\objfre_wnet_x86\\i386\t18614\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudio\\objfre_wnet_x86\\i386\t18614\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudpropshortcut\\objfre_wnet_x86\\i386\t18614\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudprop\\objfre_wnet_x86\\i386\t18614\nE:\\projects 2009\\DLL\\AsAcpi\\AsAcpi\\Release\t15693\nc:\\ccview\\jgonz2_RCR1022521_view\\ASE_Installers\\IIF2\\Installer\\HDMI\\Resource\\SRC\\Debug\t15044\ne:\\Code\\Eddy\\AI Suite II\\Source\\AI-Suite II\t11434\nV:\\TPMCLIENT\\Bin\\Win32\\Release\t10689\no:\\BTW\\btw1.2\\bin\\amd64\t10246\nG:\\binaries.x86fre\\SCP_WPA\t10227\ny:\\ASE_Installers\\Iif2\\Installer\\Hdmi\\Resource\\Src\\Release\t9940\nc:\\documents and settings\\administrator\\my documents\\projects\\dll\\pngio\\release\t9856\nC:\\Symbols\\Release\t9674\n<\/code><\/pre>\n\n\n\n
This is just a top 20, and one can definitely build some Yara sigs around these. If you want the whole list DM me. <\/p>\n\n\n\n
Is there a risk malware guys will re-use these? Absolutely. This is why I only publish the top 20.<\/p>\n\n\n\n
What about the usernames?<\/p>\n\n\n\n
Looking at the stats I can pinpoint the following user accounts:<\/p>\n\n\n\n
Chunyung\t40752\ncc4build\t10161\nchunyung\t7822\ntest\t5945\nreleng\t5120\nchunyung.RTDOMAIN\t3905\ndnandy\t3520\nnewport10gc\t3505\nkarl\t2993\nDEV\t2811\ntachun.cmedia\t2667\nSW\t2618\ncvcctest\t2575\nTest\t2422\nws\t2385\nrkosana\t2119\nAdministrator\t2103\nvyeh\t1993\njim\t1837\ncelitc\t1799\n<\/code><\/pre>\n\n\n\n
Yes, it doesn’t tell us much other than indicating my ‘good’ sampleset is somehow biased toward productions of the mystical ‘Chunyung’. I have to work it out and add more diversity to this corpora… In the meantime… whatever doesn’t match these ‘good’ PDB paths is probably… a bad guy. So yeah… if you want to build some ‘goodware’ sigs out of it, please DM me and I will share the full PDB dataset with you.<\/p>\n\n\n\n
In terms of the directories, the stats show us this:<\/p>\n\n\n\n
D:\\binaries.x86fre\\SCP_WPA\\\t82596\ne:\\SourceCode\\AsMultiLang\\AsMultiLang\\release\\\t69012\nc:\\ccviews\\atjes_L10N_ASE_Staging\\ASE_Installers\\Iif2\\Installer\\Chipset\\Resource\\Src\\Debug\\\t66753\nc:\\CCView$\\jmerchan_view_ASE_Installers\\ASE_Installers\\Iif2\\Installer\\Hdmi\\Resource\\Src\\Release\\\t59019\nc:\\CCView\\jgonz2x_Staging_view\\ASE_Installers\\Iif2\\Installer\\Hdmi\\Resource\\Src\\Debug\\\t52848\nc:\\ccview\\jgonz2_RCR1022521_view\\ASE_Installers\\IIF2\\Installer\\HDMI\\Resource\\SRC\\Debug\\\t51078\nc:\\share\\anarayan_latest_main\\gfx_Development\\SourceCUI2\\igfx\\TvWizIns\\TVconfig\\Resource\\NEW_SRC\\\t45916\nV:\\TPMCLIENT\\Bin\\Win32\\Release\\\t32175\nE:\\8168\\vc98\\self\\bin\\x86\\\t29523\nE:\\projects 2009\\DLL\\AsAcpi\\AsAcpi\\Release\\\t28525\nE:\\8665\\vc98\\mfc\\mfc.bbt\\src\\\t27055\nE:\\8972\\vc98\\self\\bin\\x86\\\t25890\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudbus\\azalia\\objfre_wnet_x86\\i386\\\t25555\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudpropshortcut\\objfre_wnet_x86\\i386\\\t25554\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudprop\\objfre_wnet_x86\\i386\\\t25554\ne:\\hdaudio\\srv03\\source\\drivers\\oem\\src\\wdm\\audio\\drivers\\hdaudio\\hdaudio\\objfre_wnet_x86\\i386\\\t25554\ny:\\ASE_Installers\\Iif2\\Installer\\Hdmi\\Resource\\Src\\Release\\\t24840\nC:\\Symbols\\Release\\\t23829\nT:\\__test_sys\\__outputs\\NNT-SNB32-W86_andmitri\\mediasdk_tags_Win7_MFTs_15.31_promoted_53672\\samples\\_build\\Win32\\Release\\\t21504\nE:\\8447\\vc98\\mfc\\mfc.bbt\\src\\\t20980\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
One of the early public sample clustering attempts I have ever made was a search for the username that was the most prevalent among the PDB paths extracted from my malware repository circa … 2013. Long time ago. Yup. The … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[90,88],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7116"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7116"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7116\/revisions"}],"predecessor-version":[{"id":9358,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7116\/revisions\/9358"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}