Strings are sequences of ASCII- or Unicode-printable characters embedded within a file. Extracting them can give clues about a program's functionality and the indicators associated with a suspect binary. For example, if a malware sample creates a file, the filename is stored as a string in the binary; if it resolves a domain name controlled by the attacker, that domain name is stored as a string. Strings extracted from a binary can contain references to filenames, URLs, domain names, IP addresses, attack commands, registry keys, and so on, which gives a brief idea of what the malware is trying to do.
The NetUserEnum function retrieves information about all user accounts on a specified remote server or the local computer.
Strings analysis is the process of extracting readable characters and words from the malware.
Strings can give us valuable information about the malware's functionality.
Malware will usually contain useful strings alongside random strings, also known as garbage strings.
Strings are in ASCII and Unicode format. (We need to specify the type of strings we want to extract during analysis, as some tools only extract ASCII.)
The types of strings we are looking for are:
File names
URLs (domains the malware connects to; this shows how the malware communicates with its command and control (C&C) servers or with the attacker)
IP Addresses
Registry keys (for example, keys used to set up persistence, to uninstall, or to tamper with particular registry entries)
Attackers may also include fake strings to disrupt our analysis.
Note: Strings give us only a glimpse of what the malware can do. We will use the Windows command-line utility "strings" to extract them.
Code:
.\strings64.exe -a -n 7 D:\MALWARE\dc030778938b8b6f98236a709d0d18734c325accf44b12a55ecc2d56b8bb9000 > "C:\Users\JohnDoe\Desktop\Strings.txt"
A Strings.txt file is created on the Desktop.
To extract Unicode strings:
.\strings64.exe -u -n 6 D:\MALWARE\dc030778938b8b6f98236a709d0d18734c325accf44b12a55ecc2d56b8bb9000 > "C:\Users\JohnDoe\Desktop\strings1.txt"
We can also use pestudio to view strings.
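To make the two passes above concrete (ASCII with a minimum length of 7, Unicode with a minimum length of 6) and to show why an ASCII-only pass misses Windows wide strings, here is an added Python example that is not part of the original post and does not use the strings64.exe tool. It scans a constructed byte blob (a fake header, a file path, a URL, a registry key stored as UTF-16LE, and junk) and tags each hit with the categories listed earlier. The sample bytes, the category patterns and the function names are all assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed sample "binary" (not a real malware sample): a fake MZ header,
# ASCII strings, short fragments that should be filtered out, random bytes and
# one string stored the way Windows stores wide strings (UTF-16LE).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"C:\\Windows\\Temp\\update.exe\x00"
    + b"ab\x00cd\x00"                                   # too short, dropped by both passes
    + b"http://example.invalid/gate.php\x00"
    + b"\x01\x02\x03\xff\xfe"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + b"NetUserEnum\x00"
    + b"\x7f\x80\x81"
)


def ascii_strings(data: bytes, min_len: int = 7) -> List[str]:
    """Equivalent of `strings -a -n <min_len>`: runs of printable ASCII bytes (0x20-0x7e)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Equivalent of `strings -u -n <min_len>`: runs of printable characters encoded as
    UTF-16LE, i.e. each character followed by a NUL byte. An ASCII-only pass sees these
    as isolated single characters and never reports them."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Assumed triage patterns for the string categories named in the post. The order
# matters: the first matching label wins.
INDICATOR_PATTERNS = {
    "url": re.compile(r"^(?:https?|ftp)://", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"^(?:HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE|SYSTEM)\\", re.I),
    "path": re.compile(r"^[A-Za-z]:\\"),
}


def classify(s: str) -> str:
    """Tag a string as url / ipv4 / registry / path, or 'other' (e.g. an API name)."""
    for label, pat in INDICATOR_PATTERNS.items():
        if pat.search(s):
            return label
    return "other"


def extract_all(data: bytes) -> List[Tuple[str, str, str]]:
    """Run both passes and return (encoding, category, string) triples."""
    hits = [("ascii", classify(s), s) for s in ascii_strings(data)]
    hits += [("unicode", classify(s), s) for s in unicode_strings(data)]
    return hits


if __name__ == "__main__":
    for encoding, label, value in extract_all(SAMPLE):
        print(f"{encoding:8} {label:9} {value}")
```

Running it shows the registry key only in the Unicode pass, which is exactly why both commands above are needed; the API name NetUserEnum lands in the "other" bucket, where imported function names usually end up.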
-------------------------------------- This is the very basics of viewing strings ---------------------------