1

I was wondering when people compile malware and use the compiled files for engagements or nefarious purposes, what evidence do they leave behind in the compiled Windows executables? I have heard that the OS usernames of the compilers can be disclosed upon analysis of the executable. Is it true? Is the evidence left behind the same both for .NET and native applications?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Vilius Povilaika
  • 972
  • 8
  • 20
  • Like you said, this is going to depend on the type of executable, the compiler, the OS used to compile, and other factors. Have you used a compiler before or are you asking without having used a compiler? – schroeder Aug 02 '20 at 07:52
  • @schroeder Thank you for your response. I am fairly familiar with using compilers. Regarding the factors, question was aimed at native and managed EXEs compiled on Windows OS. – Vilius Povilaika Aug 02 '20 at 07:55

1 Answers1

3

Yes it is true.

Both .Net and native applications (atleast those compiled by Visual Studio) contain an absolute path to a .pdb (Program Database) file when compiled in debug mode (which is usually the default). Since paths in Windows are usually of the form C:\Users\UserName\..., the path also reveals the malware author's OS username along with some information about the directory structure on their computer. It could also be possible to use it to deduce something about your nationality and/or locality. For example, if the path contains Chinese characters, it would be safe to say that the author is Chinese (and might live in China).

Portable executable headers also contain a TimeDateStamp which indicates the time at which the file was created/compiled. This could be used to roughly infer the possible time zone(s) in which the malware author resides (atleast for professional malware developers who can be expected to work during normal working hours. Amateur developers probably work at unpredictable hours).

nobody
  • 11,251
  • 1
  • 41
  • 60
  • “Professional” malware developers probably would have the sense to strip the executable of this information. Also, I don’t see how you would gain any information about their time zone. Even if the developer does leave it behind, the time stamp could mean anywhere from 9:00 tot 18:00 local time, so without knowing which end of the spectrum, you are looking at an 18 hour (9 hours before, 9 hours after) time window already. – 11684 Aug 02 '20 at 10:57
  • @11684 True, they usually would have the sense. But being humans, sometimes they forget. I do remember reading about timestamps being used (in addition to other indicators) for attribution of malware to specific APT groups. I'll see if I can find any references. – nobody Aug 02 '20 at 11:05
  • @11684 The timestamp from one sample would give a wide range, but if you have the timestamp from, say, 32 different samples of a malware family, and they all fall into the same range, then you can narrow things down – nobody Aug 02 '20 at 11:07
  • Ah, that makes sense. I didn’t consider the case of having more than one sample. Thanks! – 11684 Aug 02 '20 at 11:11
  • 1
    @11684 As far as *professional* malware devs are concerned, seems as if even Stuxnet's devs [left the timestamp intact](https://securelist.com/stuxnet-zero-victims/67483/) – nobody Aug 02 '20 at 11:13
  • 1
    Malwares devs make this mistake more often than you think,i remember reading one such case where the execuatable had the complete the path and the path contained his full name in it. – yeah_well Aug 02 '20 at 12:20