Malware Analysis – Extracting Strings

Analyzing & Extracting Strings

  • Strings Analysis – This is the process of extracting readable characters and words from the malware.
  • Strings can give us valuable information about the malware functionality.
  • Malware will usually contain useful strings and other random strings, also known as garbage strings.
  • Strings come in ASCII and Unicode format. (We need to specify the type of strings we want to extract during analysis, as some tools only extract ASCII.)
  • The types of strings we are looking for are:
    • File names
    • URLs (domains the malware connects to)
    • IP Addresses
    • Registry Keys
  • Attackers may also include fake strings to disrupt our analysis.

Note: Strings give us a glimpse of what the malware can do.
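As an added example (not code from the original post), a small Python extractor that pulls both ASCII and UTF-16LE ("Unicode") strings from a constructed byte blob and tags the string types listed above; the sample bytes, domain, paths and category regexes are made up for this demonstration, and `include_unicode=False` shows what an ASCII-only tool would miss.

```python
import re

# Constructed sample standing in for a malware file (not a real sample): an ASCII
# URL, a UTF-16LE path and IP address, an ASCII registry key, and garbage bytes.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"http://example.invalid/update.php\x00\x00"
    + "C:\\Windows\\Temp\\svc.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x81\x02\x03"
    + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "192.168.1.10".encode("utf-16-le")
    + b"\xff\xfe\x03ab\x00"
)

def extract_strings(data: bytes, min_len: int = 4, include_unicode: bool = True):
    """(encoding, text) pairs; include_unicode=False mimics an ASCII-only tool."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text: each printable ASCII byte is followed by a NUL byte.
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    if include_unicode:
        found += [("unicode", m.group().decode("utf-16-le"))
                  for m in unicode_re.finditer(data)]
    return found

# Heuristics for the string types the post lists; a match is a lead, not proof.
CATEGORY_RES = {
    "url": re.compile(r"^(?:https?|ftp)://\S+$"),
    "ip_address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "registry_key": re.compile(r"^(?:HKLM|HKCU|HKEY_[A-Z_]+)\\"),
    "file_name": re.compile(r"^[A-Za-z]:\\.+\.[A-Za-z0-9]{1,4}$"),
}

def categorize(text: str) -> str:
    for name, pattern in CATEGORY_RES.items():
        if pattern.match(text):
            return name
    return "other"  # garbage, or a type we are not tracking here

def triage(data: bytes, include_unicode: bool = True) -> dict:
    """Map each string of interest to its category; 'other' strings are dropped."""
    return {text: categorize(text)
            for _, text in extract_strings(data, include_unicode=include_unicode)
            if categorize(text) != "other"}

if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE):
        print(f"{enc:8} {categorize(text):13} {text}")
```

Run against a real file by reading it with `open(path, "rb").read()` in place of `SAMPLE`; the two NUL bytes separating strings in the sample mirror how compilers terminate them in real binaries.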

Tools We Will Be Using

  • Strings command line utility.
  • Shell extensions
  • Pestudio
  • PEiD