Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility that we commonly use during basic static analysis.

The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.

flare-floss theory and algorithm

Quick Run

To try FLOSS right away, download a standalone executable file from the releases page: https://github.com/fireeye/flare-floss/releases

For a detailed description of installing FLOSS, review the documention here.

Standalone nightly builds:

Windows 64bit: here
Windows 32bit: here
Linux: here
OSX: here

Usage

Extract obfuscated strings from a malware binary:

floss /path/to/malware/binary

Display the help/usage screen to see all available switches.

./floss -h

Github page

%d bloggers like this: