flare-floss v2.0 releases: Automatically extract obfuscated strings from malware

FireEye Labs Obfuscated String Solver

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plain text in the output of the strings.exe utility that we commonly use during basic static analysis.

The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.

Please review the theory behind FLOSS here.

Changelog v2.0

This major update brings many new features and improvements. FLOSS now handles an additional string obfuscation technique that we call “tight strings”. For details on tight strings and the additional changes please see our FLOSS Version 2.0 release blog post.

New Features

• extract tight strings
• library function recognition via FLIRT signatures
• improved logging and results output
• enhanced decoding and extraction of stackstrings and encoded strings
• shortcut emulation if no results identified
• reduce false positive strings output
• load and render existing results document

Breaking Changes

• simplified usage via improved command-line arguments
• changed many internal functions and the FLOSS API
• FLOSS supports Python 3 only now
• all output is based on JSON results document now
• revamped function identification mechanism and removed old plugin system
• more and enhanced API emulation hooks

Other Updates

• new logo and icon
• updated CI to use GitHub Actions

Download flare-floss

• Windows 64bit: here
• Windows 32bit: here
• Linux: here
• OSX: here

Usage

Extract obfuscated strings from a malware binary:

$ floss /path/to/malware/binary

Display the help/usage screen to see all available switches.

$ ./floss -h

For a detailed description of using FLOSS, review the documentation here.

For a detailed description of testing FLOSS, review the documentation here.

Example output

$ floss malware.bin
FLOSS static ASCII strings
!This program cannot be run in DOS mode.
_YY
RichYY
MdfQ
.text
`.rdata
@.data
.idata
.didat
.reloc
U  F
?;}
A@;E
_^[
HttHt-H
'9U
WS2_32.dll
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
Sleep
GetLastError
DeleteFileA
WriteFile
[..snip...]

FLOSS static UTF-16 strings
,%d

FLOSS decoded 4 strings
WinSta0\Default
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer

FLOSS extracted 81 stack strings
WinSta0\Default
'%s' executed.
ERR '%s' error[%d].
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer
wininet.dll
InternetOpenA
0\A4
InternetSetOptionA
InternetConnectA
InternetQueryOptionA
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
-ERR
FILE(%s) wrote(%d).
Invalid ojbect.
SetFilepoint error[%d].
b64_ntop error[%d].
GetFileSize error[%d].
Creates file error[%d].
KCeID5Y/96QTJc1pzi0ZhEBqVG83OnXaL+oxsRdymHS4bFgl7UrWfP2v=wtjNukM
[..snip...]

You can use FLOSS just like you’d use strings.exe: to extract human-readable strings from binary data. The enhancement that FLOSS provides is that it statically analyzes executable files and decodes obfuscated strings. These include strings encrypted in global memory, deobfuscated onto the heap, or manually created on the stack (stackstrings). Since FLOSS also extracts static strings (like strings.exe), you should consider replacing strings.exe with FLOSS within your analysis workflow.

Copyright (C) 2017 Mandiant, Inc.

Source: https://github.com/mandiant/