Extract strings


Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how to extract and interpret strings from malware.

Why do we need to do this?

  • Guess the malware's functionality from the strings.
  • If we google some of the strings, we may find related articles/hashes online.
  • Guess the file type, compiler info, packer, etc.

Tools

Sample

If you have access to any of the following websites, you can download Rokrat from VirusTotal / VirusBay / Hybrid Analysis.

If you can't download it, you can use this Dummy Rokrat sample.
I have edited the above file and removed the actual payload present in the rsrc section. But I would still recommend using a VM with no network connection for analysing this sample.

How to extract?

I prefer to use command-line tools, but you can use a different tool. The Sysinternals strings tool searches for ANSI and Unicode strings in binary images.
If you execute the tool without any parameters, it shows the available options.

Sysinternals strings help

When strings is executed without any options, it extracts both Unicode and ASCII strings with a default minimum string length of 3.

Steps
  1. strings <file_path> > output.txt
  2. Open output.txt in your favourite editor

Packed Dummy Rokrat strings

strings -nobanner rokrat_dummy.sample > packed_strings.txt

Packed Rokrat strings

Note: If you feel there is a lot of noise in the output, you can raise the minimum length to 6 using the command mentioned below. But you may lose some important short strings.

strings -nobanner -n 6 rokrat_dummy.sample > packed_strings.txt

It generated around 5014 strings. Please go through the strings output (i.e. packed_strings.txt) before reading further and try to guess the usage of each string.
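To make the minimum-length trade-off concrete, here is an added example (not part of the original post and not the Sysinternals tool) that re-implements the core of what strings does in Python: it scans a byte buffer for printable ANSI runs and for UTF-16LE runs, and reports what survives when the minimum length is raised from 3 to 6. The byte layout of SAMPLE is constructed for this example; the API name and PDB path inside it are taken from the tables later in this post.

```python
import re

# Constructed stand-in for a binary: a PE-like header fragment, a section name,
# three bytes of junk, an ANSI API name, a UTF-16LE process name and an ANSI PDB
# path. The API name and PDB path come from the post; the layout is invented.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b".text\x00\x00\x00"
    + b"\x01\x02>@|\x00"                        # reported at -n 3, dropped at -n 6
    + b"GetTempPathW\x00\x00"
    + "cmd.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00"
    + b"d:\\HighSchool\\version 13\\2ndBD\\T+M\\T+M\\Result\\DocPrint.pdb\x00"
    + b"\x10\x20"
)

ASCII_RUN = rb"[\x20-\x7e]{%d,}"            # run of printable ANSI bytes
UNICODE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"  # printable char + NUL, i.e. UTF-16LE


def extract_strings(data, min_len=3):
    """Return (offset, kind, text) for every ANSI or UTF-16LE run of at least
    min_len characters; kind is "ascii" or "unicode", like strings' default scan."""
    found = []
    for m in re.finditer(ASCII_RUN % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(UNICODE_RUN % min_len, data):
        found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    found.sort()  # by file offset, the order strings prints them in
    return found


def compare_min_len(data, short=3, long=6):
    """Return (kept, dropped): strings still reported at the longer minimum,
    and those that only appear at the shorter one (noise, but possibly also
    short useful strings such as section names)."""
    short_set = {t for _, _, t in extract_strings(data, short)}
    long_set = {t for _, _, t in extract_strings(data, long)}
    return sorted(long_set), sorted(short_set - long_set)


if __name__ == "__main__":
    for off, kind, text in extract_strings(SAMPLE, 3):
        print(f"{off:6d} {kind:8s} {text}")
    kept, dropped = compare_min_len(SAMPLE)
    print("kept at -n 6   :", kept)
    print("dropped at -n 6:", dropped)
```

Raising the minimum length drops the three-byte junk, but it also drops the five-character section name ".text", which is exactly the kind of short but useful string the note above warns about.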

Some observations from extracted strings

Strings | Comments
.text, `.rdata, @.data, .rsrc, @.reloc | Section names
An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. / R6033 / - Attempt to use MSIL code from this assembly during native code initialization | Strings related to library code
>@|, 3@|, K@|, &@|, #@} | Some of the strings are not useful; you can ignore them
GetTempPathW, VirtualAllocEx, LockResource, WriteProcessMemory | API names
Few important strings

Strings | Guess (or comments)
cmd.exe | Maybe it uses cmd.exe to execute some program? Or maybe it looks for this process name?
d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb | PDB path: after googling it, you may find related samples/articles
PST, PDT, photo.jpg, Exif | A photo.jpg file embedded in the file?
Adobe Photoshop CC 2017 (Windows), Adobe Photoshop CC 2017 | Made by Adobe Photoshop CC?
2017:09:29 23:17:46 | Maybe the creation date?

Unpacked Rokrat strings

I have unpacked the b441d9a75c60b222e3c9fd50c0d14c5b sample and extracted the strings with minimum length 6.
strings -nobanner -n 6 unpacked_rokrat.sample > rokrat_unpacked_strings.txt

Few important strings

Strings | Guess (or comments)
https://api.box.com/oauth2/token, https://account.box.com/api/oauth2/authorize, https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s, ... | Used as CC?
System manufacturer, (Other), (Unknown), (Desktop), (Low Profile Desktop), (Mini Tower), ... | Collecting system info and sending it to the CC?
SbieDll.dll, api_log.dll, C:\Program Files\VMware\VMware Tools\vmtoolsd.exe, ... | Anti-analysis techniques

What to look for?

  • Domain names/IP address(or CC)
  • Registry keys
  • Network request pattern
  • PDB path
  • Directory/File path or name
  • List of application names, e.g. Chrome, Firefox, Skype, FTP applications, etc.
  • Malware analysis tools
  • Any other unique strings
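The checklist above is easy to turn into a first-pass triage script. The following is an added example (not from the original post) that sorts a strings output into the categories listed: URLs, IP addresses, registry keys, PDB paths, analysis-tool names, API names, and file paths/names. The input list is constructed for the example from values in this post's tables; the registry key and the IP address are invented for illustration, and the API-name rule is a CamelCase heuristic, not a lookup against a real export table.

```python
import re
from collections import defaultdict

# Constructed input imitating a strings output file: values from the post's
# tables plus a registry key and an IP address invented for this example.
SAMPLE_STRINGS = [
    ".text", ">@|", "GetTempPathW", "VirtualAllocEx", "LockResource",
    "WriteProcessMemory", "cmd.exe", "photo.jpg",
    r"d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb",
    "https://api.box.com/oauth2/token",
    "https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s",
    "203.0.113.5",                                      # constructed
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",    # constructed
    "SbieDll.dll", "api_log.dll",
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
]

# Ordered rules: the first matching category wins, so the specific ones
# (PDB path, analysis-tool names) sit above the generic path/file-name rules.
RULES = [
    ("url/domain",    re.compile(r"^(?:https?|ftp)://\S+$", re.I)),
    ("ip address",    re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")),
    ("registry key",  re.compile(r"^(?:HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE)\\", re.I)),
    ("pdb path",      re.compile(r"\.pdb$", re.I)),
    # names of sandbox DLLs, VM tools and analysis tools; extend as needed
    ("anti-analysis", re.compile(
        r"SbieDll|api_log|vmtoolsd|VBoxService|wireshark|procmon|ollydbg|x64dbg", re.I)),
    # heuristic: Win32-style CamelCase name starting with a common API verb
    ("api name",      re.compile(
        r"^(?:Virtual|Write|Read|Create|Get|Set|Open|Lock|Load|Reg)[A-Z][A-Za-z]+$")),
    ("file path",     re.compile(r"^[A-Za-z]:\\|^\\\\")),
    ("file name",     re.compile(r"\.(?:exe|dll|sys|jpg|png|doc|docx|pdf)$", re.I)),
]


def classify(s):
    """Return the first matching category name, or "uncategorized"."""
    for name, pattern in RULES:
        if pattern.search(s):
            return name
    return "uncategorized"


def triage(strings):
    """Group strings by category; returns {category: [strings in input order]}."""
    groups = defaultdict(list)
    for s in strings:
        groups[classify(s)].append(s)
    return dict(groups)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_STRINGS).items():
        print(f"[{category}]")
        for s in items:
            print("   ", s)
```

Whatever lands in "uncategorized" still deserves a manual look; the rules only pull the obvious indicators to the top so the analyst reads those first.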

When it will fail?

  • File is packed
  • Strings are encrypted/encoded
  • Maybe the file is just a downloader and the CC addresses are encrypted?
  • Many others…..

Hope you enjoyed the post; please comment if you have any suggestions/feedback.
