A program is a set of instructions written by a developer to perform the required tasks and functions. Each of those tasks and functions is, in the end, binary: it is either for good or for bad. Either way, a program does what it was built to do.
Microsoft provides Strings (link below for download), a program that 'extracts' the text content of an application. With the extraction, you can gather and search through the strings the binary contains. This is a simple way to get hints on how a program works.
During the basic malware analysis phase, finding string indicators is a must-do. We can gather a lot of useful data that gives us a big lift in our debugging. But relying on this phase alone is not enough, because malware authors and app developers have found ways to deter your analysis.
Packing or obfuscation is the malware author's secret ingredient to make their files more difficult to examine. Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed.
Finding meaningful strings in an application is like finding artifacts that uncover its real history, letting us build an analysis of its functions and capabilities. In this blog, I will show how analyzing extracted strings helps a forensic analyst decode the hidden mystery behind a piece of malware, and how an attacker cracked the application he wanted to compromise. I will also discuss how I integrated FireEye's FLOSS into my tool. And lastly, an introduction and discussion of phase 1 of my new project.
FLOSS
The FireEye Labs Obfuscated String Solver (FLOSS) is an open source tool released under the Apache License 2.0. It automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable files. FLOSS is extremely easy to use and works against a large corpus of malware.
> How does FLOSS work? The tool automatically decodes functions and recovers obfuscated strings. To do this, it:
* Analyzes the program and diagnoses its data structures.
* Uses plugins that define heuristics, such as functions containing non-zeroing XOR operations and code cross-references to a function.
* Emulates code paths using vivisect's CPU and memory modules for x86 instructions.
* Extracts human-readable strings in ASCII and UTF-16LE format.
Part 1 - String Extraction
As I am going on with my new project (and I guess you already have a glimpse of what it might be about), I have decided to first show you the first phase: extracting strings from malware.
I have integrated FLOSS into this part of my project because it does a great job of extracting, detecting and decoding obfuscated strings in Windows PE files. Its output from an executable gives the user just the things he would need. With all that good stuff, I installed the FLOSS package, which will surely aid me with this project.
After the installation, I brainstormed the algorithm and design. Let's keep it simple for now; here's how it goes..
> User will provide the directory of the file to be analyzed.
Input file: [dir of file]
> Program reads the input and validates that the file exists in the specified directory.
> Executes FLOSS; time for string extraction...
> Extracted strings are saved to floss_output.txt in the same directory as the analysed file.
> Then comes string search and investigation. The program prompts whether the user wants to search for some 'key' strings.
while decision == true:
    (1) Do you want to search on some strings? y/n
    If user types 'y':
        ..user will be prompted to input the strings to look for..
        If found:
            ...program will output the entire line the string is found on...
        else:
            ...do nothing, go back to (1)...
    else if user types 'n':
        call some_search()
        ..program exit..
*** The function some_search is a default lookup from the user's default list, search_key_inp.txt. The user fills in this list of default search keys, which the program uses as the standard for every program diagnostic. An example is searching for '.exe' or '.dll', which would mean that a certain executable or DLL has been set to launch.
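A runnable version of the design above, written here as an added example (it is not the code of my Spyder tool or of FLOSS). It assumes the `floss` command-line tool is on PATH and that the default key list holds one key per line; the sample lines are constructed so that the search part runs offline.

```python
import os
import subprocess

OUTPUT_NAME = "floss_output.txt"  # saved in the same directory as the analysed file


def run_floss(target):
    """Validate the path, run the FLOSS CLI on it and save its stdout beside the file."""
    if not os.path.isfile(target):
        raise FileNotFoundError(f"no such file: {target}")
    out_path = os.path.join(os.path.dirname(os.path.abspath(target)), OUTPUT_NAME)
    # 'floss <file>' prints the extracted and decoded strings on stdout
    result = subprocess.run(["floss", target], capture_output=True, text=True, check=True)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(result.stdout)
    return out_path


def search_strings(lines, key):
    """Return each extracted line that contains `key` (case-sensitive, as in the post)."""
    return [ln for ln in lines if key in ln]


def load_default_keys(path):
    """Read the user's default key list: one key per line, blank lines skipped (assumed format)."""
    with open(path, encoding="utf-8") as fh:
        return [k.strip() for k in fh if k.strip()]


def default_search(lines, keys):
    """The some_search() step: every default key mapped to its matching lines."""
    return {k: search_strings(lines, k) for k in keys}


def interactive_search(lines, default_keys, ask=input, show=print):
    """'y' -> search a key the user types and loop; anything else -> default search, then exit."""
    while ask("Do you want to search on some strings? y/n ").strip().lower() == "y":
        for hit in search_strings(lines, ask("String to search: ")):
            show(hit)  # the entire line the key was found on; nothing printed if no hit
    for key, hits in default_search(lines, default_keys).items():
        show(f"[{key}] {len(hits)} line(s)")
        for hit in hits:
            show("  " + hit)


# Constructed sample lines standing in for a floss_output.txt, so this runs offline
SAMPLE_LINES = [
    "!This program cannot be run in DOS mode.",
    "GetProcAddress",
    "CreateProcessW",
    "Mingw-w64 runtime failure:",
    "unittest.runner",
    "kernel32.dll",
]
```

In real use, call `run_floss(path)` first and feed the saved file's lines to `interactive_search` together with `load_default_keys("search_key_inp.txt")`.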
>RUN<
Let's go and run this program!
In this test run, I will set my beta Spyder tool executable as the one we'll investigate.
The program prompts for the file to be analyzed. The 'Output file modified' indication only means that the extracted strings are already in the output file. Let's then check the file...
We can see some meaningful hints about what this program is capable of; floss_output.txt will be available below, for further reference.
Once the strings have been extracted, the investigation starts. The user is prompted whether we want to perform a key search. If we input 'y', we are then prompted for the keys we want to search.
Examples:
If inp == 'y',
1. Let's see if the program contains some 'Get' processes. Below is the result of that input.
There are lots of 'Get' requests processed by this application. We identified the 'Get' calls it uses, and some of these requests failed to connect with a Python resource. Hmm, we now have some hints..
2. Then we check the keyword 'run', and see if we can find some executables and processes run by this application.
We got some meaningful results:
a. Program does not run in DOS mode - Possibly the binary is another executable living in the resource section.
b. Mingw-w64 runtime failure - a resource that requires gcc failed to run because it cannot find any GCC compiler in the environment.
c. Uses unittest.runner, a function present in a library..
3. Check whether there is some created process, by searching for 'create' and 'Create'.
We managed to find some Create APIs present in the app. We also found an error regarding a failure to create a temporary directory.
If inp == 'n'
If we input 'n', the program then looks at the user's default key search. This key search comes from the input file mentioned earlier, search_key_input.txt. I have set 3 key-checks to show you for now; you may refer to them below.
And below are the search results...
We are then convinced that searching strings really helps in forensics. The information we gathered in this phase of the investigation will then be useful in the next phase, Static or Advanced Dynamic Analysis.
References:
> FLOSS features-> https://www.fireeye.com/blog/threat-research/2016/06/automatically-extracting-obfuscated-strings.html
> Spyder walkthrough -
Version 1- https://kenciceron45.wixsite.com/krontek/main/spyder-beta
Version 2- https://kenciceron45.wixsite.com/krontek/main/spyder-version2-walkthrough