Lab 3: Strings

Overview

The purpose of this lab is to practice examining embedded strings inside malware, and understanding some of the limitations of this approach.

Getting Started

To view the embedded strings in a file you can use the Sysinternals strings command. The syntax is straightforward: strings <options> <file>. Some commonly used options:

  • -a only search for ASCII strings (default is both unicode and ASCII)
  • -u only search for unicode strings (default is both unicode and ASCII)
  • -n <len> show strings of at least len consecutive printable characters (default is 3)
  • -s recurse into sub directories
  • -o print file offset where string was found

For most of these exercises, you can run strings and redirect the output to a file. Then open the file using notepad. For example:

c:\> strings file.exe > file.txt
c:\> notepad file.txt
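As an added example (not part of the lab's own material), the script below emulates what the strings options listed above do, so you can see exactly what counts as an "ASCII string", a "unicode string" (UTF-16LE, the form Windows binaries use), and a string of at least -n characters. The sample bytes are constructed inline, the URL host is a placeholder, and none of it comes from the lab's malware samples.

```python
import re

# Constructed sample "binary" (not a real malware file): a fake header, an
# ASCII string resembling a C2 URL (placeholder host), a UTF-16LE string
# of the kind Windows binaries carry, and a 2-character fragment that falls
# under the default minimum length of 3.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://example.invalid/update.php\x00"          # ASCII, starts at offset 16
    + b"\x01\x02\x03"
    + "C:\\Windows\\svchost.exe".encode("utf-16-le")    # Unicode, starts at offset 53
    + b"\x00\x00"
    + b"ok\x00"                                          # too short for the default -n 3
    + b"\xff" * 8
)


def ascii_strings(data: bytes, min_len: int = 3):
    """Like `strings -a -n <min_len> -o`: (offset, text) for runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 3):
    """Like `strings -u -n <min_len> -o`: runs of UTF-16LE characters (ASCII byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def run_strings(data: bytes, ascii_only=False, unicode_only=False, min_len=3):
    """Emulates `strings [-a | -u] [-n len] -o <file>`; the default reports both kinds, ordered by offset."""
    found = []
    if not unicode_only:
        found.extend(ascii_strings(data, min_len))
    if not ascii_only:
        found.extend(unicode_strings(data, min_len))
    return sorted(found)


if __name__ == "__main__":
    # Same information as `strings -o file.exe > file.txt`, printed to stdout.
    for offset, text in run_strings(SAMPLE):
        print(f"{offset}:{text}")
    # Lowering -n surfaces short fragments ("MZ", "ok") that are usually noise.
    print([t for _, t in run_strings(SAMPLE, ascii_only=True, min_len=2)])
```

Note that a -u search only finds text whose characters are each followed by a zero byte; a UTF-16 string looks like isolated single characters to an ASCII-only scan, which is why the default searches both.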

Part 1: Avzhan

For this exercise, examine the strings in the avzhan malware (found at c:\malware\avzhan\avzhan.exe).

Question 1.1

Can you find a host avzhan might try to connect to?

Hint

Look for something that looks like it has a domain name (e.g., a .com, .net, .org, etc.)

Answer

Yes, it is in the strings output

Question 1.2

Can you find the name of the file(s) it copied itself to? Why or why not?

Answer

No, because it is randomly generated each time.

Part 2: Wannacry

For this exercise, examine the strings in the wannacry malware (found at c:\malware\wannacry\wanncry.exe).

Question 2.1

Can you find the name of the single letter files?

Answer

Yes, except for f.wnry

Question 2.2

Do you see any IP addresses wannacry might connect to? Can you guess why or why not?

Answer

No, possibly because the IP addresses are represented as a 32-bit number instead of an ASCII string. It's also possible the IP addresses are ASCII strings, but obfuscated somehow.

Question 2.3

Can you find the name of the file with "_Read_Me" in it?

Answer

No

Question 2.4

Can you find any references to Tor?

Answer

No

Question 2.5

Examine the strings in the file u.wnry (found at c:\malware\wannacry2\u.wnry) and answer the following questions:

  • Can you find the name of the read me file?
  • Can you find any references to Tor?
  • Why do you think you could find the strings in u.wnry that you couldn't otherwise?

Answer

  • Yes
  • Yes
  • The file u.wnry, which was dropped by WannaCry, was compressed, encrypted, or somehow obfuscated.
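The two limitations this part of the lab points at (Question 2.2's 32-bit IP addresses and Question 2.5's compressed or obfuscated dropped file) can be shown on constructed data. The following is an added example, not the lab's own code and not derived from the real samples: it stores a documentation-range address (192.0.2.10) in the 4-byte form that connect() uses, and zlib-compresses a constructed payload containing a "_Read_Me" file name and a Tor reference, then compares what a strings scan sees before and after the decoding step.

```python
import ipaddress
import re
import zlib


def ascii_strings(data: bytes, min_len: int = 3) -> list:
    """Minimal stand-in for `strings -a -n <min_len>`: printable ASCII runs."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# --- Limitation 1: an address kept as a 32-bit integer, not as text ---
# Constructed sample: a status message stored as text, followed by the
# address 192.0.2.10 (a documentation range, used here as a stand-in) in
# the 4-byte network-order form that connect() consumes.
C2_IP = "192.0.2.10"
IP_SAMPLE = (b"\x00" * 4
             + b"Connecting...\x00"
             + ipaddress.IPv4Address(C2_IP).packed   # b"\xc0\x00\x02\x0a", offset 18
             + b"\x00" * 4)


def ip_visible_to_strings(data: bytes, dotted: str) -> bool:
    """True only if the dotted-decimal text itself is present in the file."""
    return any(dotted in s for s in ascii_strings(data))


def find_packed_ipv4(data: bytes, dotted: str) -> list:
    """Offsets where the 4-byte big-endian form of `dotted` occurs.

    Treating every 4-byte window as an address is noisy (almost any bytes
    decode to *some* address, and some, e.g. 65.66.67.68 = "ABCD", even show
    up as junk strings), so this confirms an address you already suspect
    rather than discovering one.
    """
    needle = ipaddress.IPv4Address(dotted).packed
    return [i for i in range(len(data) - 3) if data[i:i + 4] == needle]


# --- Limitation 2: strings inside a compressed payload ---
# Constructed inner payload standing in for a dropped file: the note's file
# name and a Tor reference are readable only after decompression.
INNER_PAYLOAD = b"Decrypt_Read_Me.txt\x00tor.exe\x00"
HEADER = b"MZ\x90\x00"
PACKED_SAMPLE = HEADER + zlib.compress(INNER_PAYLOAD, 9)


def strings_before_and_after_unpack(packed: bytes, payload_offset: int):
    """(strings of the packed bytes, strings of the decompressed payload)."""
    outer = ascii_strings(packed)
    inner = ascii_strings(zlib.decompress(packed[payload_offset:]))
    return outer, inner


if __name__ == "__main__":
    print("IP visible as text:", ip_visible_to_strings(IP_SAMPLE, C2_IP))
    print("packed IP found at offsets:", find_packed_ipv4(IP_SAMPLE, C2_IP))
    outer, inner = strings_before_and_after_unpack(PACKED_SAMPLE, len(HEADER))
    print("strings on packed bytes:", outer)
    print("strings after unpacking:", inner)
```

The compressed case is the general pattern behind Question 2.5: whatever wrapper the dropper used (compression, encryption, or another encoding), strings on the outer file shows at most junk fragments, and the meaningful text appears only once the dropped or unpacked file is examined on its own.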