Thursday, July 14, 2016

Document Malware XOR distribution or dial M for Malware

We took a sampling of 5448 recent malware documents with an XOR encoded executable detected by Cryptam. Normally we spend most our time looking at APT samples with 256 byte keys, so the recent results which include quite a bit more crimeware lately were surprising.

26% of samples where encoded with the 1 byte key 0x77, followed by 11.6% 0xFD, and 6.5% 0x6A. In total 59% of samples had a one byte key.
We tried to look into the significance of this high a rate of 0x77. In ASCII, 0x77 translates to a lowercase 'w'. 7 is the country code for Russia, and decimal 77 would be an M in ASCII. According to Wikipedia, during World War II in Sweden at the border with Norway, "77" was used as a password, because the tricky pronunciation in Swedish made it easy to instantly discern whether the speaker was native Swedish, Norwegian, or German.
7.6% of samples were encoded with variants of 0xCAFEBABE, 0xBAFECABE, and 0xFECABEBA. 10% of samples were 4 byte keys.
Only 21% were 256 byte keys. Of those, 42% are an incrementing pattern 000102030405... And 16% are the opposite decreasing pattern FFFEFDFCFB...

As always, you can submit your suspicious documents for analysis with Cryptam here.