Extract strings

PE, Rokrat, Strings
About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how we can extract/interpret strings from malware. You can download Rokrat (MD5: b441d9a75c60b222e3c9fd50c0d14c5b) from VirusTotal / VirusBay / ANY.RUN.

Why do we need to do this?

  • Guess the malware functionality based on the strings.
  • If we google some of the strings, we may find some related articles/hashes online.
  • Guess file type, compiler info, packer etc.


  • Windows: Sysinternals Strings
  • Linux: Install binutils e.g. sudo apt install binutils for GNU strings utility
  • macOS: Inbuilt strings tool doesn’t cover the Unicode strings, it only extract the ASCII strings so we need to install GNU strings using brew install binutils

How to extract?

For Linux/macOS, if you use GNU strings then use following command and default minimum length is 4
strings -a malware.exe. --> ASCII strings
strings -a -el malware.exe --> Unicode Strings

For Windows, I use strings from Sysinternals and default minimum length is 3
strings malware.exe --> ASCII and Unicode strings

Sysinternals Strings tool search for ASCII and Unicode strings in binary images.After you execute the tool without any parameter it will show you different options.

Sysinternal strings help

When strings is executed without any option it will extract Unicode and ascii strings with default string length of 3.

  1. strings <file_path> > output.txt
  2. Open output.txt in your favourite editor

Packed Dummy Rokrat strings

strings -nobanner rokrat_dummy.sample > packed_strings.txt

Packed Rokrat strings

Note: If you feel there is a lot of noise generated then you can change the minimum length to 6 using cmd mentioned below. But you may lose some important strings.

strings -nobanner -n 6 rokrat_dummy.sample > packed_strings.txt

It generated around 5014 strings, please go through the strings output(i.e. packed_strings.txt) before reading further and try to guess the usage.

Some observations from extracted strings
Section names
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
Strings related to library code
Some of the strings are not useful, you can ignore them
API name
Few important strings
StringsGuess (or comments)
cmd.exeMaybe it is using cmd.exe to execute some program?
Maybe looking for this process name?
d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb
PDB Path: After googling, you may find related samples/articles
Adobe Photoshop CC 2017 (Windows)
2017:09:29 23:17:46
Adobe Photoshop CC 2017

photo.jpg file embedded in the file?
Made by Adobe photoshop CC ?
2017:09:29 23:17:46 May be creation date?

Unpacked Rokrat strings

I have unpacked the b441d9a75c60b222e3c9fd50c0d14c5b sample and extracted the unpacked strings with minimum length 6.
strings -nobanner -n 6 unpacked_rokrat.sample > rokrat_unpacked_strings.txt

Few important strings
StringsGuess (or comments)
Used as CC?
System manufacturer
(Low Profile Desktop)
(Mini Tower)
Collecting systeminfo and sending this info to CC ?
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
Anti-analysis techniques

What to look for?

  • Domain names/IP address(or CC)
  • Registry keys
  • Network request pattern
  • PDB path
  • Directory/File path or name
  • List of application names e.g Chrome, Firefox, Skype, FTP application etc.
  • Malware analysis tools
  • Any other unique strings

When will it fail?

  • File is packed
  • Strings are encrypted/encoded
  • Maybe the file is just a downloader and CC are encrypted?
  • Many others…..

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.

1 Comment. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Related Posts