Unique strings in executable files

When performing basic static analysis of malware, the file’s strings can provide helpful indicators, including filenames, registry keys, and URLs. The strings can additionally hint at a program’s capabilities and its intended use. Identifying unique strings in malware is also a great way to pivot to related samples. Searching private and public databases for unique strings may lead you to existing analysis results and (leaked) source code. In this blog post I define the term unique string, explain how to leverage unique strings, look at common issues when dealing with unique strings, and provide a solution to automatically extract them.

Continue reading “Unique strings in executable files”