EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationstringsflossstatic-analysis

String Analysis

Extracting intelligence from embedded strings — the strings command, FLOSS for stack strings and XOR-decoded content, and what to look for in the output to build a rapid behavioural profile.

Ashish Revar12 May 202614 min read2 views
Quick Bite

⚡ Quick Bite · 30s

String Analysis: Beyond the Strings Command

Extracting hidden intelligence from embedded stack strings and obfuscated code. FLOSS vs strings, grepping for network/file/registry IOCs, and PDB path and Mutex attribution.

Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Why Strings Matter

Before running a single tool beyond a text extractor, strings embedded in a binary can reveal: the C2 server address, the ransom note text, the registry persistence key, the mutex name, the dropped file path, the user-agent string, the debug build path, and the developer's error messages.

Strings are the analyst's first intelligence layer. They cost almost nothing to extract and frequently provide enough to identify the malware family and write detection rules before any dynamic analysis.

The Basic strings Tool

The strings command (available on Linux and in FlareVM) extracts printable ASCII sequences of four or more characters from a binary.

strings -n 6 suspicious.exe          # minimum length 6 chars
strings -e l suspicious.exe          # Unicode (UTF-16LE) strings
strings -n 6 suspicious.exe | grep -iE "(http|ftp|cmd|powershell|reg|pass)"

Limitation: strings only finds plaintext sequences already present in the binary. Stack-constructed strings, XOR-encoded strings, and strings assembled at runtime are invisible to it.

FLOSS — FLARE Obfuscated String Solver

FLOSS (Mandiant) goes beyond strings by emulating short function sequences in the binary and capturing decoded string values at runtime — without executing the full binary.

floss suspicious.exe                  # run full analysis
floss --no-static suspicious.exe      # skip plain strings, show decoded only
floss -o results.txt suspicious.exe   # save output

FLOSS recovers three categories that strings misses:

CategoryDescriptionExample
Stack stringsCharacters pushed onto the stack one at a time and assembledhttp://c2.evil.com/gate.php built byte by byte
Tight loop XORSingle-byte or multi-byte XOR decoding loopC2 URL XORed with key 0x55
Obfuscated sequencesAny short function that produces a stringBase64 decode, character substitution

What to Search For in String Output

After running FLOSS, search the output systematically:

Network indicators

grep -iE "(https?://|ftp://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" floss_output.txt

Look for: C2 URLs, hardcoded IP addresses, domain names, port numbers.

File system indicators

grep -iE "(%temp%|%appdata%|system32|\.exe|\.dll|\.bat|\.ps1)" floss_output.txt

Look for: dropped file paths, persistence locations, payload names.

Registry indicators

grep -iE "(HKEY|CurrentVersion\\\\Run|Software\\\\Microsoft)" floss_output.txt

Look for: persistence keys, configuration storage locations.

Anti-analysis indicators

grep -iE "(vmware|virtualbox|sandbox|wireshark|procmon|ollydbg)" floss_output.txt

Look for: VM detection strings, analysis tool names the malware checks for.

Debug and attribution strings

grep -iE "(\\.pdb|\\\\src\\\\|\\\\project\\\\|error|exception|failed)" floss_output.txt

Look for: PDB file paths (reveal developer directory structure), error messages (reveal programming language and coding style).

A Real Example: What Strings Reveal

From a Ryuk ransomware sample, FLOSS recovered:

C:\Windows\System32\cmd.exe
/c vssadmin delete shadows /all /quiet
/c wmic shadowcopy delete
SOFTWARE\Microsoft\Windows NT\CurrentVersion
RyukReadMe.txt
UNIQUE_ID_DO_NOT_REMOVE

From these strings alone, before any dynamic analysis:

  • Confirmed ransomware — shadow copy deletion is the giveaway
  • Persistence mechanism — registry key path visible
  • Ransom note filename — RyukReadMe.txt
  • Campaign marker — UNIQUE_ID_DO_NOT_REMOVE

Each string becomes an IOC. The vssadmin delete shadows command alone is enough to write a Procmon alert and an EDR detection rule.

Mutex Names

Malware creates a named mutex on startup to prevent multiple instances from running simultaneously. The mutex name is typically hardcoded and unique to the malware family.

strings output includes: "Global\\MicrosoftUpdateService3"

A mutex name in the strings output is a high-confidence IOC. Search VirusTotal for the mutex string — if it matches a known family, identification is complete.

PDB Paths

Debug builds of Windows executables contain a path to the Program Database (PDB) file:

C:\Users\developer\Desktop\malware_project\Release\payload.pdb

This is an attribution gold mine: username, directory structure, project name, language (MSVC if .pdb present). Even release builds sometimes retain the PDB path in the binary.

String Analysis Workflow

1. Run: floss suspicious.exe > strings_output.txt
2. Search for network IOCs (URLs, IPs, domains)
3. Search for file system IOCs (paths, dropped filenames)
4. Search for registry IOCs (Run keys, configuration paths)
5. Search for mutex names
6. Search for PDB paths (attribution)
7. Search for anti-analysis strings (VM names, tool names)
8. Record all findings — these become your static IOC list
9. Use this list to confirm or extend findings from dynamic analysis

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

FLOSS — FLARE Obfuscated String Solver

Download FLOSS from Mandiant GitHub. Included in FlareVM. Run on any PE to recover stack strings and decoded content.

tool
VirusTotal — Search by String or Mutex

Use VirusTotal Intelligence (content: search) to find samples containing a specific mutex name, PDB path, or C2 URL.

tool
More articlesTest your knowledge