4.2 Decoding Obfuscated Strings Using FLOSS

Most of the time, malware authors use simple string obfuscation techniques to avoid detection. In such cases, the obfuscated strings will not show up in the output of the strings utility or other string extraction tools. FireEye Labs Obfuscated String Solver (FLOSS) is a tool designed to identify and extract obfuscated strings from malware automatically. It can help you determine the strings that malware authors want to hide from string extraction tools. FLOSS can also be used just like the strings utility to extract human-readable strings (ASCII and Unicode). You can download FLOSS for Windows or Linux from https://github.com/fireeye/flare-floss.

In the following example, running the FLOSS standalone binary on a malware specimen not only extracted the human-readable strings but also decoded the obfuscated strings and extracted stack strings that the strings utility and other string extraction tools miss. The following output shows references to an executable, an Excel file, and the Run registry key:

$ chmod +x floss
$ ./floss 5340.exe

FLOSS static ASCII strings
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
[..removed..]

FLOSS decoded 15 strings
kb71271.log
R6002
- floating point not loaded
Microsoft
winlogdate.exe
~tasyd3.xls
[....REMOVED....]

FLOSS extracted 13 stack strings
BINARY
ka4a8213.log
afjlfjsskjfslkfjsdlkf
'Clt
~tasyd3.xls
"%s"="%s"
regedit /s %s
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[.....REMOVED......]

If you are only interested in the decoded/stack strings and want to exclude the static strings (ASCII and Unicode) from the FLOSS output, then pass it the --no-static-strings switch. Detailed information about the workings of FLOSS and its various usage options is available at https://www.fireeye.com/blog/threat-research/2016/06/automatically-extracting-obfuscated-strings.html.
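The stack strings FLOSS reports above are built at run time by code that stores one character at a time into a local buffer, so they never exist as a contiguous sequence in the file. The following Python scanner is an added illustration, not FLOSS's own (emulation-based) method: it recovers such strings from raw x86 code by matching runs of consecutive byte-sized immediate stores to ebp- or esp-relative stack slots; the instruction encodings it assumes are noted in the comments, and the sample code bytes are constructed for the example.

```python
"""Heuristic recovery of x86 stack strings (added example; not FLOSS's own code)."""
import string

# Accept printable ASCII (space included) inside a recovered string.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Assumed encodings: C6 45 disp8 imm8    -> mov byte ptr [ebp+disp8], imm8
#                    C6 44 24 disp8 imm8 -> mov byte ptr [esp+disp8], imm8
def _decode_byte_store(buf, off):
    """Return (insn_len, displacement, stored_byte) for a byte store to a
    stack slot at buf[off:], or None if the bytes are something else."""
    if buf[off:off + 2] == b"\xc6\x45" and off + 4 <= len(buf):
        disp = buf[off + 2] - 256 if buf[off + 2] >= 128 else buf[off + 2]  # signed
        return 4, disp, buf[off + 3]
    if buf[off:off + 3] == b"\xc6\x44\x24" and off + 5 <= len(buf):
        return 5, buf[off + 3], buf[off + 4]  # esp-relative offsets are unsigned
    return None

def find_stack_strings(buf, min_len=4):
    """Return [(code_offset, text)] for each run of consecutive byte stores
    that fills a contiguous, printable stack buffer (trailing NUL stripped)."""
    found, off = [], 0
    while off < len(buf):
        slots, cur = {}, off
        while (m := _decode_byte_store(buf, cur)) is not None:
            insn_len, disp, value = m
            slots[disp] = value
            cur += insn_len
        if not slots:          # no store here: advance one byte and retry
            off += 1
            continue
        disps = sorted(slots)
        raw = bytes(slots[d] for d in disps).rstrip(b"\x00")
        contiguous = disps[-1] - disps[0] + 1 == len(disps)
        if contiguous and len(raw) >= min_len and all(c in PRINTABLE for c in raw):
            found.append((off, raw.decode("ascii")))
        off = cur              # skip the whole run, matched or not
    return found

def build_sample():
    """Constructed sample: prologue, 'regedit /s %s' stored byte by byte into
    [ebp-14..ebp-1] (NUL included), then lea eax,[ebp-14]; ret."""
    text = b"regedit /s %s\x00"
    code, base = bytearray(b"\x55\x8b\xec"), -len(text)   # push ebp; mov ebp, esp
    for i, ch in enumerate(text):
        code += b"\xc6\x45" + bytes([(base + i) & 0xFF, ch])
    code += b"\x8d\x45" + bytes([base & 0xFF]) + b"\xc3"  # lea eax,[ebp-14]; ret
    return bytes(code)
```

Running find_stack_strings(build_sample()) yields the single string "regedit /s %s" at code offset 3; a real scanner would additionally handle word- and dword-sized stores and register-relative addressing, which is where emulation-based tools such as FLOSS take over.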