Malware Files Collected By Nepenthes - Imported Symbols Relation

With several binaries collected by nepenthes I have correlated the imported symbols using the Python module pefile and generated an interesting graph.

CSV:
...
...
b02a18d2dca59219b86354a442a95b0e,USER32.DLL
146d61fca77d748f5a5ecff53afd30e4,KERNEL32.DLL
146d61fca77d748f5a5ecff53afd30e4,COMCTL32.DLL
95a7a3e5ea764eed286b53623f9521ab,KERNEL32.DLL
2059abe419dfeca527b7cf5b53bbee6f,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,ADVAPI32.DLL
005472c686a5f84ad8e2dea597f50e1d,MPR.DLL
005472c686a5f84ad8e2dea597f50e1d,OLEAUT32.DLL
...
...

Regards

bigger graph

Could you post a link to the original graph size?
Here we can hardly see what is what.

Thanks.

Bigger Graph and parser

Hi, you can see a larger graph here:
http://www.aitsec.com/import.gif

And the parser:

import os
import pefile

# Directory of binaries collected by nepenthes (relative to this script).
BINARY_DIR = "../binaries/"

for name in os.listdir(BINARY_DIR):
    path = os.path.join(BINARY_DIR, name)
    try:
        # fast_load=False also parses the data directories, so the import table is available.
        pe = pefile.PE(path, fast_load=False)
    except pefile.PEFormatError:
        # Not a PE file (or truncated): skip it rather than swallowing every error silently.
        continue
    # A file without an import table has no DIRECTORY_ENTRY_IMPORT attribute.
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll
        if isinstance(dll, bytes):  # recent pefile versions return bytes
            dll = dll.decode("latin-1", "replace")
        # One CSV row per (file, imported DLL): the md5-named file and the upper-cased DLL.
        print("%s,%s" % (name, dll.upper()))
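The parser above only emits the md5,DLL rows; the correlation step that turns those rows into the graph is not shown in the thread. As an added example (not the poster's code), the script below reads CSV in that shape, normalises DLL names so that case and whitespace differences collapse into one node, inverts the relation to see which samples share a DLL, groups samples with identical import profiles, scores two samples by Jaccard similarity of their import sets, and renders the bipartite sample->DLL graph as Graphviz DOT. The rows in SAMPLE_CSV are those visible in the post; the lower-case and duplicated KERNEL32 rows are constructed here to exercise the normalisation.

```python
import csv
import io
from collections import defaultdict

# Constructed CSV in the md5,DLL shape emitted by the pefile parser posted in
# this thread. Rows are those shown in the post; the lower-case and duplicated
# KERNEL32 rows are added here to show normalisation.
SAMPLE_CSV = """\
b02a18d2dca59219b86354a442a95b0e,USER32.DLL
146d61fca77d748f5a5ecff53afd30e4,KERNEL32.DLL
146d61fca77d748f5a5ecff53afd30e4,COMCTL32.DLL
95a7a3e5ea764eed286b53623f9521ab,KERNEL32.DLL
2059abe419dfeca527b7cf5b53bbee6f,kernel32.dll
005472c686a5f84ad8e2dea597f50e1d,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,ADVAPI32.DLL
005472c686a5f84ad8e2dea597f50e1d,MPR.DLL
005472c686a5f84ad8e2dea597f50e1d,OLEAUT32.DLL
005472c686a5f84ad8e2dea597f50e1d, kernel32.dll
"""


def parse_relation(text):
    """Return {sample_md5: frozenset(DLL names)} from md5,DLL CSV text.

    DLL names are stripped and upper-cased so KERNEL32.DLL and kernel32.dll
    become one node; malformed rows are skipped.
    """
    imports = defaultdict(set)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        sample, dll = row[0].strip().lower(), row[1].strip().upper()
        if sample and dll:
            imports[sample].add(dll)
    return {s: frozenset(d) for s, d in imports.items()}


def invert(relation):
    """Return {DLL: set(samples importing it)}, the other side of the graph."""
    users = defaultdict(set)
    for sample, dlls in relation.items():
        for dll in dlls:
            users[dll].add(sample)
    return dict(users)


def group_by_profile(relation):
    """Group samples whose import sets are identical (often the same family or packer)."""
    groups = defaultdict(list)
    for sample, dlls in relation.items():
        groups[dlls].append(sample)
    return {profile: sorted(samples) for profile, samples in groups.items()}


def jaccard(relation, a, b):
    """Import-set similarity of two samples: |A & B| / |A | B|."""
    union = relation[a] | relation[b]
    return len(relation[a] & relation[b]) / len(union) if union else 0.0


def to_dot(relation):
    """Render the bipartite sample -> DLL graph in Graphviz DOT format."""
    lines = ["digraph imports {", "  rankdir=LR;"]
    for dll in sorted(invert(relation)):
        lines.append('  "%s" [shape=box];' % dll)
    for sample in sorted(relation):
        for dll in sorted(relation[sample]):
            lines.append('  "%s" -> "%s";' % (sample, dll))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rel = parse_relation(SAMPLE_CSV)
    for dll, users in sorted(invert(rel).items(), key=lambda kv: -len(kv[1])):
        print("%-14s imported by %d sample(s)" % (dll, len(users)))
    for profile, samples in group_by_profile(rel).items():
        if len(samples) > 1:
            print("identical imports %s: %s" % (sorted(profile), samples))
    print(to_dot(rel))
```

Pipe the DOT output into `dot -Tpng` to get a picture like the one linked above; the DLL-side counts from invert() are the quick triage view, since a DLL imported by only a handful of samples in a large corpus is usually more telling than KERNEL32, which nearly every Win32 binary imports.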