windows,security,reverse-engineering,pe,malware-detection , Determining the country of origin for an exe/dll file


Determining the country of origin for an exe/dll file

Question:

Tag: windows,security,reverse-engineering,pe,malware-detection

I have a doubt, as to how does one come to the conclusion that an exe/dll is from a specific country? Is there a field in the PE structure that saves this information?

I know that such information(timestamp etc.) can be overwritten and there is no way that one can be 100% sure but still... There is always a statement in most analysis reports of malicious samples saying something like "This sample seems to have originated from xyz country".

I would love an answer which doesn't have a tool as a solution.


Answer:

There are no fields or metadata within the PE/COFF format which gives away any indication of a program's country of origin. The PE specification is available here: http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx - it does contain a timestamp field which should be set by the compiler, but this is easily forged.

I understand (though am uncertain) that the country-of-origin of malware is determined via the same means that biological epidemiology works: by tracing the infections back to the source, and given how the Internet works, it's very hard. Often infections spread via HTTP (for example) can be examined via the webserver logfiles which would have the source IP address, which can then be geolocated.

Other times malware contains direct clues as to its origin - with the old-school malware (think: ILOVEYOU) the hubris of the author is their downfall, in the ILOVEYOU case, the author actually put "by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines" directly in the VBScript source code that the virus was written in.

For viruses ostensibly written in China or North Korea (which you're probably aluding to - considering the recent news of the Sony Pictures attack), it's possible they're making an educated guess based on strings contained within the program that are in Chinese or Korean script/characters.

...the problem with relying on these kinds of heuristics is that it's easy to "frame" a country and throw someone off your trail. If I were lacking in the moral department I could conceivably commit a false-flag operation by composing a virus such that it contained foreign language strings and used Tor or some other network to launch the attack from within another country, leaving no hint as to its true origins.

In short, I don't believe anyone can really know for certain - most times it's guesses based on the target and who hates the target the most - or cases where entities inadvertently reveal that they wrote it (e.g. Israel and Stuxnet).


Related:


ffmpeg: wmv files generated on Mac can't be played in Windows


windows,osx,ffmpeg,file-conversion,wmv
On Mac OS X 10.6.8, I converted a animated gif to a video file in wmv (a requested file format) by using ffmpeg -i File.gif -s 400x400 NewFile.wmv The video file played fine using VLC on Mac. The file can't be played on a Windows 7 machine using the Windows...

Reverse ^ operator for decryption


c,algorithm,security,math,encryption
I'm trying to reverse the following code in order to provide a function which takes the buffer and decrypts it. void crypt_buffer(unsigned char *buffer, size_t size, char *key) { size_t i; int j; j = 0; for(i = 0; i < size; i++) { if(j >= KEY_SIZE) j = 0;...

Hide sensitive information from git changes


git,security
Is there a way to instruct git to hide my sensitive information. E.g. credentials.php (in local repository). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'password'; credentials.php (in github repository and history). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'xxxxxxxx'; So git automatically hides the information with 'x'. If not via...

X509Certificate: what is the difference between getIssuerDN() and getSubjectDN() methods


java,security,authentication,x509
I'm using X509Certificate class in java, and when I want to get the subject name I try: x509certificate.getIssuerDN().getName(); and x509certificate.getSubjectDN().getName(); both methods have the same result. So what is the difference between them ??...

Automate MySQL backup @localhost with mysqldump in Windows 8


mysql,windows,operating-system,scheduled-tasks,mysqldump
I'm trying to set up a task in Windows 8 to automate my localhost db dump. I've created the task to run daily with the following command line: C:\Program Files\MySQL\MySQL Server 5.6\bin\mysqldump.exe and parameters: --user=root --password=donttellya --result-file=dumped.sql mydb It works but doesn't terminate (running in the tasks list). Also, I'd...

Batch script ends after for loop


windows,batch-file
I've got a batch file that executes a program along with sequential (numbered) macros and calls another batch file that monitors when it is finished before it begins the next iteration. I can't use Start /wait or other "ordering" commands when launching the program because it is started with a...

Increment Serial Number using EXIF


windows,powershell,command-line,exif,exiftool
I am using ExifTool to change the camera body serial number to be a unique serial number for each image in a group of images numbering several hundred. The camera body serial number is being used as a second place, in addition to where the serial number for the image...

Parsing the text file line-by-line using batch script (batch file)


windows,batch-file,scripting,cmd
So, I am programming in the batch script and I came across this issue. The following code will take yourwords.txt file and parse it. The existedWord variable will have the last word of the text file. So, everytime when I run this program it will only compare the user's input...

how to change Text to Speech voice and how to insert characters into char array


c++,arrays,windows,winapi,text-to-speech
I need to change the voie of the Text To Speech engine. when a menu is selected ID_SPEAK_PLAY I get the text of an edit box and simply read it. my situation can be solved in two ways : insert the XML code at the begining of ptrData without using...

How to execute four queries once and then check success or failure?


vb.net,windows,visual-studio-2010,ms-access
I need to execute four queries and then if there is success must return true otherwise false. The queries affect the database but the function returns false Private Function save_to_data() Dim success As Boolean = False Dim conn As OleDbConnection = GetDbConnection() Dim total_due As Decimal = sanitize(txt_total_due.Text) Dim amount_paid...

How to send Ctrl+S through SendKeys.Send() method to save a file(save as dialog)


c#,.net,windows,sendkeys
I need to save a file which is in an External application using SendKeys.Send() method. The keys needed to be sent are Ctrl+S. I wrote the below code, but its not working: SendKeys.SendWait("^%s?"); // to get the Save As dialog Thread.Sleep(5000); SetForegroundWindow(FindWindow(null, "Save As")); Thread.Sleep(5000); SendKeys.SendWait("xyz"); // Sending FileName ...

Suppressing system command called from awk script


windows,awk,system
I am currently running this script in Windows 7. So, I have a program that is meant to color-code output from another command (mkmk) and tally up varying numbers of errors and other notable stats, etc. So right now, it starts as a batch file which Turns off echo Sets...

String parsing with batch scripting


windows,string,parsing,batch-file,xml-parsing
I have a file called pictures.xml and it contains some pictures information like: <ResourcePicture Name="a.jpg"> <GeneratedPicture Name="b.jpg"/> <GeneratedPicture Name="c.jpg"/> </ResourcePicture> <ResourcePicture Name="z1.jpg"> <GeneratedPicture Name="z2.jpg"/> <GeneratedPicture Name="z3.jpg"/> <GeneratedPicture Name="z4.jpg"/> </ResourcePicture> What I want do do is to get each line in for loop and print the names of the pictures. Sample...

Batch file to open multiple instances of cmd and run Ruby script in each instance


ruby,windows,batch-file,cmd,watir-webdriver
I'm trying to open multiple instances of cmd up which each run a ruby script at the same time. For background into the scripts, each of these ruby scripts run watir-webdriver and spawn new browser instances. All of this should happen instantaneously. Here's what I've tried: start cmd /k cd...

Execute a batch file before executing in a shortcut (.lnk)


windows,batch-file,lnk
I have multiple versions of a program called Siemens NX. NX uses environmental variables for configuration. I need NX 10.0 to use a different set of environmental variables than my NX 7.5 which uses the system environmental variables. Therefore, I have written a batch file that setups the environmental variables...

Placing secure data in Java web application


java,security,tomcat
The question is about security in tomcat, but first consider the following example: Suppose you have apache web server. Then, under www folder, create folder named dist, and under folder dist create folder named bdf23b1c-ddd3-4d5b-8fdf-948693674011. Under this folder create some file with secure information. For example, some private picture you...

Code fails for decrypting without salt or iv in Java


java,security,encryption,aes,password-encryption
I have a ciphertext and a 256-bit key to decrypt it, using AES. There is no salt or iv. I am using Java. I have implemented many of the solutions online, but they all use salts and input vectors. The following builds fine, but fails at runtime: "Salt not found."...

Java read bytes from Socket on Linux


linux,windows,sockets,network-programming,raspberry-pi
I'm trying to send a file from my Windows machine to my Raspberry-Pi 2, and I have a client and a server. The client should be able to send a zip file over the network to my server on my linux machine. I know my client and server work on...

Batch - Comparing two txt files


windows,batch-file,text,comparison
I have some difficulties comparing two txt files with batch. I used the "findstr" function with many option matchings but none works (for example FINDSTR /I /V /B /G:file1.txt file2.txt). I have a first txt file as following: File1.txt Object 1 Argument 50 Object 2 Argument 10 Object 3 Argument...

String manipulation with batch scripting


windows,string,batch-file,space
I need to save the variable in %%c temporarily which comes from a for loop. But when I try to do that, the content changes unexpectedly. Some space characters appear at the end of the string. The content of %%c is a.jpg by the way. echo %%ca REM prints a.jpga...

UAC error while installing Xampp 1.8.35 on windows 8


windows,xampp,localhost
I am trying to install xampp but before installation it gives me the following error: I have disabled UAC and it gives me this error.When I press ok and install the thing anyway it still won't let start apache and my sql up. Also installation was done in Program file...

Should I use different WSAOVERLAPPED struct for WSASend and WSARecv?


windows,sockets,winsock,winsock2
I'm developing a server-client application using WinSock. Does using the same WSAOVERLAPPED with both WSASend and WSARecv works well? Should I use different WSAOVERLAPPED struct for WSASend and WSARecv?...

Listing directories by content size using C# [closed]


c#,.net,windows,linq
I'm trying to list all folders of my c drive excluding the document folder which i do not seem to have access to. This first seemed rather simple to me but i found myself still struggling with it despite the seemingly rich .net library. I can't post any code as...

Role concept in the authorization


java,security,authorization
I'm writing the following public interface SecurityService{ public Error tryLogin(String usr, String psw); public String getRoleCurrentUser(); //Attention here } and of course, there will be a couple implementations. For instance, now I have public SpringSecurityService{ @Autowired AuthenticationManager authenticationManager; public Error tryLogin(String usr, String psw){ //Implementation here } public String getRoleCurrentUser(){...

Override .gitattributes text=auto in Windows


windows,git,gitattributes,core.autocrlf
This is pretty unintuitive: C:\python-tdl\examples\termbox>git config core.autocrlf false C:\python-tdl\examples\termbox>git commit termbox.py warning: LF will be replaced by CRLF in examples/termbox/termbox.py. The file will have its original line endings in your working directory. warning: LF will be replaced by CRLF in examples/termbox/termbox.py. The file will have its original line endings in...

Apache - finding configuration file path


windows,apache,server
I have to migrate another apache instance from 2.2 to 2.4 but I have one problem. In Apache monitor I see multiple services running but I don't really know where apache .conf files are stored. In previous migrations from 2.2 to 2.4 I had them somewhere within conf folder. Apache...

sys.argv in a windows environment


python,windows,python-3.x
I'm attempting to learn python using the book 'a byte of python'. The code: import sys print('the command line arguments are:') for i in sys.argv: print(i) print('\n\nThe PYTHONPATH is', sys.path, '\n') outputs: the command line arguments are: C:/Users/user/PycharmProjects/helloWorld/module_using_sys.py The PYTHONPATH is ['C:\\Users\\user\\PycharmProjects\\helloWorld', 'C:\\Users\\user\\PycharmProjects\\helloWorld', 'C:\\Python34\\python34.zip', 'C:\\Python34\\DLLs', 'C:\\Python34\\lib', 'C:\\Python34', 'C:\\Python34\\lib\\site-packages']...

Bottle.py not reloading


python,windows,bottle
So... trying to follow along the Bottle To-Do list tutorial, using WinPython 3.4.3. Basically, I was having fits with the script not reloading, despite having run(host='localhost', port=8080, reloader=True, debug=True) set at the end of the file. After trying the same tutorial @ home with no problems (using Linux), I figured...

PHP parse int wrong in XAMPP windows


php,windows,xampp,parseint
demo $code = '40001042901'; echo (int)$code; //intval($code) //same I test on linux (Ubuntu) that result is 40001042901 but on windows result is 2147483647, what wrong with that? XAMPP 1.8.3, PHP 5.5.15, Apache 2.4.10 (Win32)...

Is client-side java intrinsically less secure than javascript?


java,javascript,security
Much has been made of a series of bugs and exploits on client side java, leading to the blacklisting of various versions by apple, mozilla, etc. Yet javascript is an even less controlled language without static typing. Today javascript allows for many of the same potential problems: local storage, accessing...

Application is missing required files


c#,.net,windows,winforms,sharpdevelop
Pic of Error: http://s23.postimg.org/7uj6qcxtn/9708083373e57a9ec91e4296e302f88e.png Cannot Download the Application. The Application is missing required Files. Contact Application Vendor For Assistance. So I'm building a windows form application using SharpDevelop 5.2 and I'm trying to make a standalone/version someone else would be able to use on another machine. In sharpdevelop (and visual...

Recording the time of the start of a screen touch in PsychoPy on Windows


python,windows,touchscreen,psychopy
I'm helping to implement an experiment using PsychoPy on a Windows 8 tablet. It doesn't seem to be possible to get direct access to touch events through either PsychoPy, or the pyglet or PyGame interfaces. Most other sources I've found have referred to using mouse move events in place of...

Android encryption and decryption of text fails


android,security,encryption,encryption-symmetric
I try to encrypt some text (here it is named code) and decrypt it again. For this i use a 4 digit Pin which is salted. After this the text is encrypted, also again some Base64 decoding, so i can safely output the String again. As i understand i have...

Run server in cmd in Windows


php,windows,wamp
I created a simple client server codes in PHP and I run it through Wamp server localhost in browser. It works but when I run it in cmd, the output looks like this : c:\wamp\www\Converter>php testserver.php PHP Fatal error: Call to undefined function socket_create() in C:\wamp\www\Converter\testserver.php on line 15 PHP...

Would using Vagrant be overkill? [on hold]


python,windows,ubuntu,vagrant,virtualbox
I'm a developer-hobbyist running Windows 8.1 on a Yoga 2 Pro. I mostly do Python/Django work but I think I'm gonna pick up Ruby soon. The thing is, Windows always seems to be the limiting factor for any project I want to pick up. Last time I tried to install...

How to secure configuration file containing database username and password


php,security
Issue In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this: $DAcess=new PDO("mysql:host=server;dbname=database","login","password"); I don't feel comfortable having...

How to use the contents of a text file(tab delimited format) to rename files in a folder?


c,windows,string,rename
I'm trying to make e-certificates to distribute for one of my college events. I used Photoshop to generate batch certificates with different names and roll nos. Now the files are named core_01Data Set 1.jpg, core_02Data Set 2.jpg, etc. In order to distribute them online, they need to renamed and sorted...

bat file script to check if string contains other string


windows,batch-file,cmd
I need to write a batch file that will check if a variable contains specific value. I tried to do the following: If "%%a"=="%%a:%pattern%" ( echo Yes ) else ( echo No ) input example: %%a="bob binson" %patern%="binson" I never get Yes printed! can anyone please tell what i missed...

How to restrict file copying shared using Content Provider in Android?


android,security
Is it possible to forbid making copies of files for third party applications (like adobe reader), that I am using to open pdf files stored in internal memory of my application?

Why doesn't “go get gopkg.in/…” work while “go get github.com/…” OK?


windows,git,powershell,github,go
I try to use go get gopkg.in/fatih/pool.v2 to install pool according to Readme.md, but can't success: C:\Users\xiaona\Documents\GitHub> go get -v gopkg.in/fatih/pool.v2 Fetching https://gopkg.in/fatih/pool.v2?go-get=1 https fetch failed. Fetching http://gopkg.in/fatih/pool.v2?go-get=1 import "gopkg.in/fatih/pool.v2": http/https fetch: Get http://gopkg.in/fatih/poo l.v2?go-get=1: dial tcp 107.178.216.236:80: ConnectEx tcp: A connection attempt failed because the connected party did not...

JQuery Add expiration to authentication token stored with HTML5 localStorage?


php,jquery,mysql,security,authentication
I am making a mobile game with JQuery Mobile, a multipage template (so all pages in 1 html file, which makes it usable with PhoneGap). Since it is HTML I am using JQuerys $.post function to send data to php scripts such as login.php, register.php, which add/update/delete data from the...

Why does Windows Server 2008 think Italy should be in W. European Time?


java,windows,timezone
Why does MS Windows (specifically server 2008 here) consider Italy to be in W. European Time when (I think) it should be in Central European Time according to every other source I can find? TZUtil /g gives: W. Europe Standard Time The control panel shows: (UTC+01:00) Amsterdam, Berlin, Bern, Rome,...

What is the max length of a share path in windows?


c#,windows
As I read in the MSDN site, for example, the maximum path on drive D is "D:\some 256-character path string" where "" represents the invisible terminating null character for the current system codepage. But when I was created a share with a long path (more than 100 symbols) they trim...

If exist and errorlevels in a batch (.bat) file


windows,batch-file,command-line
I'm trying to run a delete command on the result of an SQL command but only if it returns an error code of 0. Below is my code: SqlCmd command... REM if SqlCmd command is successful run the below if exist statement if errorlevel 0 ( REM if the file...

Iterate over all links/sub-links with Scrapy run from script


python,windows,python-2.7,web-scraping,scrapy
I want to run Scrapy Spider from my script, but it works only for 1 request. I cannot execute the procedure self.parse_product from scrapy.http.Request(product_url, callback=self.parse_product). I guess it's being due the command crawler.signals.connect(callback, signal=signals.spider_closed). Please advise how correctly go over all links and sub-links. Whole script is shown below. import...

Unable to edit netbeans.conf


java,windows,netbeans
I am trying to modify 'netbeans.conf' located at following path: C:\Program Files\NetBeans 8.0.2\etc When i modify the file; add -J-Dfile.encoding=UTF-8 In Notepad, it is not allowing me to save the original file. In Notepad++, it says 'please echeck if this file is opened in another program'. Netbeans is installed in...

Programmatically close Windows console application c++


c++,windows,mutex,handle
I need my windows console application to be run only in one instance (i.e. Only one instance of the application can be run at a time). Here's what I have: int _tmain(int argc, _TCHAR* argv[]) { PCTSTR Name = TEXT("AnyName"); HANDLE h = CreateMutex(NULL, FALSE, Name); if (GetLastError() == ERROR_ALREADY_EXISTS)...

I cannot use the msg command in cmd (or batch for that matter). How can I fix this?


windows,batch-file
While in cmd or making a batch file, I cannot use the command msg. When I try to use it, it returns the error msg is not recognized as an internal or external command, operable program or batch file." I'm pretty sure the error is that im missing a msg.exe...

How to set the classpath in Windows Command Line correctly


java,windows,command-line,classnotfoundexception
I have made many attempts to enter a command to run a JAR file correctly from the terminal, and I am 100% sure that all the JAR files and such are in the given paths, but I keep getting a ClassDefNotFoundException. Does it have anything to do with the way...

Error when adding VideosLibrary capability in app's manifest file


c#,windows,windows-phone,windows-10,windows-10-mobile
According to the documentation, capabilities must be declared when an application requires programmatic access to certain user resources such as the Videos Library. This page of the documentation also states: All Windows Phone capabilities are not available for apps being developed specifically for Windows 10 Insider Preview. I am building...