
Download hijackthis log

Long before endpoint event logging became the norm, it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons of such metadata, but an average Joe could only dream about it.

At a certain point in history, lots of people were using HijackThis and were posting its logs on forums for hobbyist malware analysts to review. In order to collect as many logs as possible, I wrote a simple crawler that would google around for very specific keywords, collect the results, then visit the pages, download them to a file, and parse the result. And since a HijackThis log has a very specific 'look and feel', it was pretty easy to parse. Each session would end up with a file like this:

There are plenty of uses for the collected data. One of the handy ones back then was a comprehensive list of CLSIDs: knowing these, you could incorporate them into a simple binary/string signature and search for them inside analyzed samples. If a given, specific CLSID was found, it was quite easy to ID the sample's association or at least some of its features. Another interesting list of artifacts is rundll32.exe invocations. There are many legitimate ones, and it's nice to be able to query them all and put them together on a 'clean' list. Of course, URLs are always a good source for downloads, and directories and paths, as well as registry entries and the process/service list, are handy for generating statistics on which paths are normal and which are not. The result is a list of 'known clean' entries that could be a foundation for a more advanced version of Least Frequency Occurrence (LFO) analysis.
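Added example, not code from the original post: a minimal Python parser for HijackThis-style log lines that pulls file paths, CLSIDs and rundll32.exe targets out of several logs, counts how many logs each artifact appears in, ranks them rarest-first (the Least Frequency Occurrence idea above) and derives a crude 'known clean' baseline from the common ones. The three sample logs, with their paths, names and CLSIDs, are constructed for the example; the regular expressions, the artifact kinds and the 50% baseline threshold are my assumptions, not the post's tooling.

```python
"""HijackThis-style log parsing with Least Frequency Occurrence (LFO) ranking
and a 'known clean' baseline. Added example; the sample logs below are
constructed and are not logs from the original post."""
import re
from collections import Counter

# Three constructed sample logs. Paths, names and CLSIDs are made up; only the
# "Oxx - " line layout follows the HijackThis look and feel.
SAMPLE_LOGS = [
r"""Logfile of HijackThis (constructed sample A)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe

O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service - Example Inc. - C:\Program Files\Example\svc.exe
""",
r"""Logfile of HijackThis (constructed sample B)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O4 - HKLM\..\Run: [loader] rundll32.exe C:\WINDOWS\system32\oddname.dll,Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
r"""Logfile of HijackThis (constructed sample C)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: Other Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\Other\other.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service - Example Inc. - C:\Program Files\Example\svc.exe
""",
]

# Assumed patterns: a drive-letter path ending in a binary extension, and a GUID in braces.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:exe|dll|sys)\b', re.I)
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


def extract_artifacts(log_text):
    """Return the set of (kind, value) artifacts found in one log.
    Using a set means an artifact repeated inside one log (e.g. in 'Running
    processes' and again in an O4 entry) counts once for that machine."""
    found = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for path in PATH_RE.findall(line):
            found.add(("path", path.lower()))          # case-fold Windows paths
        for clsid in CLSID_RE.findall(line):
            found.add(("clsid", clsid.upper()))
        idx = line.lower().find("rundll32")
        if idx != -1:                                   # DLL handed to rundll32.exe
            for dll in PATH_RE.findall(line[idx:]):
                if dll.lower().endswith(".dll"):
                    found.add(("rundll32", dll.lower()))
    return found


def count_across_logs(logs):
    """Number of logs (machines) in which each artifact appears."""
    counter = Counter()
    for text in logs:
        counter.update(extract_artifacts(text))
    return counter


def lfo_ranking(logs):
    """Least Frequency Occurrence: rarest artifacts first, ties ordered by value."""
    return sorted(count_across_logs(logs).items(), key=lambda kv: (kv[1], kv[0]))


def known_clean(logs, min_share=0.5):
    """Artifacts present on at least min_share of the logs: a crude baseline of
    'normal' paths/CLSIDs that can be suppressed when reviewing a new log."""
    threshold = min_share * len(logs)
    return {a for a, n in count_across_logs(logs).items() if n >= threshold}


def unusual_in(log_text, logs, min_share=0.5):
    """Artifacts in one log that fall outside the baseline built from logs."""
    return extract_artifacts(log_text) - known_clean(logs, min_share)


if __name__ == "__main__":
    for (kind, value), n in lfo_ranking(SAMPLE_LOGS):
        print(f"{n:3d}  {kind:9s} {value}")
    print("outside baseline in sample B:", sorted(unusual_in(SAMPLE_LOGS[1], SAMPLE_LOGS)))
```

Counting once per log rather than once per line is what makes the ranking meaningful: a path that every machine has lands at the bottom, while an entry seen on a single machine floats to the top for a reviewer to look at first. With a real corpus the baseline threshold and the artifact kinds (per-section paths, registry keys, URLs) would be tuned to the data.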
