Use Google to search for specific strings in malicious samples
It is often useful to search for specific strings in a malicious sample: for example, to find other malicious samples that share the same code but were built for different targets. This article describes that use in detail.
It is also useful for finding the original, clean file that was modified to carry a malicious payload, as shown in the article "Unmasking Malfunctioning Malicious Documents".
0x01 String extraction
Online analysis services such as malwr.com and hybrid-analysis.com extract the printable strings from each sample and publish them in their reports:
0x02 Search for strings using malwr.com
On the malwr.com search page, the syntax string:... searches for a string among the strings extracted from the samples.
For example, we can use this feature to find all MS Office documents containing VBA macros, because they all contain the string "VB_Nam". The VBA language requires every module to start with the line Attribute VB_Name = "name" (see MS-VBAL section 4.2). This line sits at the very beginning of the compressed module stream, and the compression algorithm has nothing earlier to reference there, so its first bytes are stored as literal tokens: "Attribut" and "e VB_Nam" appear in plain text, separated only by a token flag byte. That is why "VB_Nam" (rather than "VB_Name") is always visible in the extracted strings.
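To see concretely why "VB_Nam" (and not "VB_Name") is what a strings scanner finds, here is an added example, not code from the original article and not Microsoft's or oletools' implementation: it encodes a constructed module source in the MS-OVBA literal-only token form, decompresses it back to prove the stream is valid, and runs a minimal strings extractor over the result. The module text and the 4-byte minimum string length are assumptions made for the demo.

```python
import re
import struct

# Constructed sample: the opening lines of a typical VBA module source. This is
# an assumption for the demo, not taken from any real malware sample.
MODULE_SOURCE = (
    b'Attribute VB_Name = "Module1"\r\n'
    b'Sub AutoOpen()\r\n'
    b'    MsgBox "hello"\r\n'
    b'End Sub\r\n'
)


def compress_literal_only(data: bytes) -> bytes:
    """Build a valid MS-OVBA (2.4.1) CompressedContainer using literal tokens only.

    Office's own compressor also emits 2-byte copy tokens for repeated runs of
    3+ bytes, but a copy token needs earlier data in the chunk to point at, so
    the first bytes of every module are literals either way: the prefix built
    here is byte-for-byte what a real module stream starts with.
    A literal-only chunk cannot exceed 4095 bytes of token data, so this demo
    accepts sources of up to 3640 bytes (455 flag bytes + 3640 literals).
    """
    if len(data) > 3640:
        raise ValueError("demo compressor handles a single chunk only")
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)            # FlagByte: all 8 following tokens are literals
        body += data[i:i + 8]        # one literal token = one source byte
    # CompressedChunkHeader: bits 0-11 = chunk size - 3 (size includes this
    # 2-byte header), bits 12-14 = signature 0b011, bit 15 = 1 (compressed).
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b'\x01' + struct.pack('<H', header) + bytes(body)


def decompress(container: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer (literal and copy tokens)."""
    if container[:1] != b'\x01':
        raise ValueError("missing container signature")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from('<H', container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = pos + (header & 0x0FFF) + 3
        pos += 2
        chunk_start = len(out)
        if not header & 0x8000:              # uncompressed chunk: 4096 raw bytes
            out += container[pos:pos + 4096]
            pos = end
            continue
        while pos < end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:   # literal token: copy one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from('<H', container, pos)[0]
                pos += 2
                # the offset/length split of a copy token depends on how many
                # bytes of the current chunk have been decompressed so far
                done = len(out) - chunk_start
                bit_count = max((done - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):      # byte-wise copy handles overlap
                    out.append(out[len(out) - offset])
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    return [m.decode('ascii') for m in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, data)]


def macro_markers(source: bytes) -> list:
    """The strings a scanner sees in the compressed module stream of `source`."""
    return printable_strings(compress_literal_only(source))


if __name__ == '__main__':
    stream = compress_literal_only(MODULE_SOURCE)
    assert decompress(stream) == MODULE_SOURCE
    print(macro_markers(MODULE_SOURCE))
```

The first two strings the scanner sees are "Attribut" and "e VB_Nam": the flag byte that precedes every group of eight tokens splits "Name" in two, which is why searching for "VB_Nam" matches every macro module while "VB_Name" would not.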
Now let's look at the results of searching for VBA macros on malwr.com:
Since the return of VBA macro malware in 2014, there are plenty of malicious samples:
However, this feature often fails with a server error, it seems in particular when searching for a single specific string.
For example, while writing "Unmasking Malfunctioning Malicious Documents" I searched for the string "DownloadDB403", and malwr.com always returned a server error.
The current version of hybrid-analysis.com does not offer such a string search feature.
0x03 Search for strings using Google
@PayloadSecurity taught me another trick that is very useful: use a general-purpose search engine such as Google and restrict the search to hybrid-analysis.com and malwr.com with the site: operator.
Search engines index all the public analysis reports, including the strings extracted from the analyzed files.
To search for "DownloadDB403" on Google, use the following syntax:
site:malwr.com "DownloadDB403"
site:hybrid-analysis.com "DownloadDB403"
Important: to get all the relevant results, click "repeat the search with the omitted results included" at the bottom of the results page, because Google hides results it considers very similar to the ones already shown.
With the following syntax, malwr.com and hybrid-analysis.com can be searched at the same time:
"DownloadDB403" (site:hybrid-analysis.com OR site:malwr.com)
This makes it easy to find malware samples containing a specific string.
0x04 Use Google to search for multiple strings
Of course, all the usual search engine operators can be used. First, several strings can be searched for in the same sample.
1. Malicious macros with anti-analysis tricks
For example, we may look for malicious macros (string "VB_Nam") that also use an anti-analysis trick such as VirtualBox detection. Such macros appeared in May 2015. The keyword is "VBOX":
"VBOX" "VB_Nam" (site:hybrid-analysis.com OR site:malwr.com)
The results show that all the samples using this trick were uploaded to malwr.com in February. It seems the trick was not used afterwards, or the authors of these samples now obfuscate these strings.
2. RTF documents embedding an OLE Package object
Another example is to look for executable files embedded in RTF documents. Malware authors often use this technique to drop a malicious payload without being easily detected.
In that case the embedded file is usually stored in an OLE object, more precisely an OLE "Package" object.
Looking at the strings extracted from such a sample, we find the string "Package" encoded in hexadecimal, as "5061636b61676500": the bytes of "Package" followed by a null byte, exactly as the class name is stored in the OLE object header, which the RTF format writes out as hex. Structure of the OLE object header:
We can also see that the string "rtf1" (from the \rtf1 header) and the keyword "objdata" appear in every RTF file that embeds an OLE object.
So the search syntax in this case is:
rtf1 objdata 5061636b61676500 (site:hybrid-analysis.com OR site:malwr.com)
As expected, many samples can be found using this method:
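As an added example that is not part of the original article, the following script builds a constructed RTF document carrying a fake OLE1 "Package" object, shows where the hex string 5061636b61676500 comes from by parsing it back out of \objdata, and then applies the indicator strings from sections 0x02 and 0x04 (VB_Nam, VBOX, rtf1/objdata/Package) both to classify a sample and to generate the site:-restricted Google query. The fake payload, the OLE1 field values, the indicator table and the 4-byte minimum string length are assumptions made for the demo.

```python
import re
import struct

# Everything below is constructed for the demo: a fake OLE1 "Package" object,
# a fake RTF wrapper and a fake macro stream fragment. None of it is a real sample.

# Indicator strings discussed in the article, with what each one means.
INDICATORS = {
    'VB_Nam': 'VBA macro module (compressed "Attribute VB_Name" line)',
    'VBOX': 'possible VirtualBox anti-analysis check',
    '5061636b61676500': 'hex-encoded "Package\\0": OLE1 Package object class name',
}
SITES = ('hybrid-analysis.com', 'malwr.com')


def length_prefixed_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length including the NUL, then the bytes."""
    return struct.pack('<I', len(s) + 1) + s + b'\x00' if s else struct.pack('<I', 0)


def build_ole1_package(payload: bytes) -> bytes:
    """OLE1 embedded object: MS-OLEDS ObjectHeader followed by the native data."""
    return (struct.pack('<I', 0x00000501)        # OLEVersion
            + struct.pack('<I', 0x00000002)      # FormatID: embedded object
            + length_prefixed_ansi(b'Package')   # ClassName -> 08000000 5061636b61676500
            + length_prefixed_ansi(b'')          # TopicName (empty)
            + length_prefixed_ansi(b'')          # ItemName (empty)
            + struct.pack('<I', len(payload))    # NativeDataSize
            + payload)                           # NativeData: the dropped file


def build_rtf_with_object(ole1: bytes) -> bytes:
    """Wrap an OLE1 object in a minimal RTF document. RTF stores the raw object
    bytes as hex text inside an \\objdata destination, which is why the class
    name shows up as the hex string the article searches for."""
    return (b'{\\rtf1\\ansi\\deff0{\\object\\objemb{\\*\\objclass Package}'
            b'{\\*\\objdata ' + ole1.hex().encode('ascii') + b'}}\\par}')


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    return [m.decode('ascii') for m in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, data)]


def objdata_class_names(rtf: bytes) -> list:
    """Decode every \\objdata blob and return the OLE1 ClassName of each object."""
    names = []
    for m in re.finditer(rb'\\objdata\s*([0-9a-fA-F\s]+)', rtf):
        blob = bytes.fromhex(re.sub(rb'\s', b'', m.group(1)).decode('ascii'))
        (name_len,) = struct.unpack_from('<I', blob, 8)   # after OLEVersion + FormatID
        names.append(blob[12:12 + name_len].rstrip(b'\x00').decode('latin-1'))
    return names


def classify(data: bytes) -> dict:
    """Report which of the article's indicator strings a sample's strings contain."""
    strings = printable_strings(data)
    found = {k: v for k, v in INDICATORS.items() if any(k in s for s in strings)}
    if any('rtf1' in s for s in strings) and any('objdata' in s for s in strings):
        found['rtf1 objdata'] = 'RTF document with an embedded OLE object'
    return found


def google_query(terms, sites=SITES) -> str:
    """Build the article's search syntax: quoted terms restricted to the analysis sites."""
    scope = ' OR '.join(f'site:{s}' for s in sites)
    return ' '.join(f'"{t}"' for t in terms) + f' ({scope})'


if __name__ == '__main__':
    rtf = build_rtf_with_object(build_ole1_package(b'MZ' + b'\x00' * 6 + b'fake dropper'))
    print(objdata_class_names(rtf), classify(rtf))
    print(google_query(['VBOX', 'VB_Nam']))
```

Running the script prints the class name recovered from the hex blob, the indicators found in the constructed RTF, and the exact query from section 0x04; feed classify() the strings of a report instead of raw bytes and the same indicator table works on the services' own output.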
0x05 Summary
Thanks to malwr.com and hybrid-analysis.com for giving us access to these malicious samples. If you are interested, you can search for other strings of interest through a search engine the same way.
In addition, a Google Custom Search Engine restricted to malwr.com and hybrid-analysis.com makes this even simpler: it searches both sites directly.