Extracting intelligence from embedded strings — the strings command, FLOSS for stack strings and XOR-decoded content, and what to look for in the output to build a rapid behavioural profile.
⚡ Quick Bite · 30s
Extracting hidden intelligence from embedded stack strings and obfuscated code. FLOSS vs strings, grepping for network/file/registry IOCs, and PDB path and Mutex attribution.
Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.
Before running a single tool beyond a text extractor, strings embedded in a binary can reveal: the C2 server address, the ransom note text, the registry persistence key, the mutex name, the dropped file path, the user-agent string, the debug build path, and the developer's error messages.
Strings are the analyst's first intelligence layer. They cost almost nothing to extract and frequently provide enough to identify the malware family and write detection rules before any dynamic analysis.
strings ToolThe strings command (available on Linux and in FlareVM) extracts printable ASCII sequences of four or more characters from a binary.
strings -n 6 suspicious.exe # minimum length 6 chars
strings -e l suspicious.exe # Unicode (UTF-16LE) strings
strings -n 6 suspicious.exe | grep -iE "(http|ftp|cmd|powershell|reg|pass)"
Limitation: strings only finds plaintext sequences already present in the binary. Stack-constructed strings, XOR-encoded strings, and strings assembled at runtime are invisible to it.
FLOSS (Mandiant) goes beyond strings by emulating short function sequences in the binary and capturing decoded string values at runtime — without executing the full binary.
floss suspicious.exe # run full analysis
floss --no-static suspicious.exe # skip plain strings, show decoded only
floss -o results.txt suspicious.exe # save output
FLOSS recovers three categories that strings misses:
| Category | Description | Example |
|---|---|---|
| Stack strings | Characters pushed onto the stack one at a time and assembled | http://c2.evil.com/gate.php built byte by byte |
| Tight loop XOR | Single-byte or multi-byte XOR decoding loop | C2 URL XORed with key 0x55 |
| Obfuscated sequences | Any short function that produces a string | Base64 decode, character substitution |
After running FLOSS, search the output systematically:
grep -iE "(https?://|ftp://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" floss_output.txt
Look for: C2 URLs, hardcoded IP addresses, domain names, port numbers.
grep -iE "(%temp%|%appdata%|system32|\.exe|\.dll|\.bat|\.ps1)" floss_output.txt
Look for: dropped file paths, persistence locations, payload names.
grep -iE "(HKEY|CurrentVersion\\\\Run|Software\\\\Microsoft)" floss_output.txt
Look for: persistence keys, configuration storage locations.
grep -iE "(vmware|virtualbox|sandbox|wireshark|procmon|ollydbg)" floss_output.txt
Look for: VM detection strings, analysis tool names the malware checks for.
grep -iE "(\\.pdb|\\\\src\\\\|\\\\project\\\\|error|exception|failed)" floss_output.txt
Look for: PDB file paths (reveal developer directory structure), error messages (reveal programming language and coding style).
From a Ryuk ransomware sample, FLOSS recovered:
C:\Windows\System32\cmd.exe
/c vssadmin delete shadows /all /quiet
/c wmic shadowcopy delete
SOFTWARE\Microsoft\Windows NT\CurrentVersion
RyukReadMe.txt
UNIQUE_ID_DO_NOT_REMOVE
From these strings alone, before any dynamic analysis:
RyukReadMe.txtUNIQUE_ID_DO_NOT_REMOVEEach string becomes an IOC. The vssadmin delete shadows command alone is enough to write a Procmon alert and an EDR detection rule.
Malware creates a named mutex on startup to prevent multiple instances from running simultaneously. The mutex name is typically hardcoded and unique to the malware family.
strings output includes: "Global\\MicrosoftUpdateService3"
A mutex name in the strings output is a high-confidence IOC. Search VirusTotal for the mutex string — if it matches a known family, identification is complete.
Debug builds of Windows executables contain a path to the Program Database (PDB) file:
C:\Users\developer\Desktop\malware_project\Release\payload.pdb
This is an attribution gold mine: username, directory structure, project name, language (MSVC if .pdb present). Even release builds sometimes retain the PDB path in the binary.
1. Run: floss suspicious.exe > strings_output.txt
2. Search for network IOCs (URLs, IPs, domains)
3. Search for file system IOCs (paths, dropped filenames)
4. Search for registry IOCs (Run keys, configuration paths)
5. Search for mutex names
6. Search for PDB paths (attribution)
7. Search for anti-analysis strings (VM names, tool names)
8. Record all findings — these become your static IOC list
9. Use this list to confirm or extend findings from dynamic analysis
Sign in to mark this article as read and track your progress.