Analyze a file with strings

Executable files often have strings of text embedded in them. You can use the strings utility to look at those strings. (Yeah, that makes sense, right?) Depending on your distro, strings might or might not already be installed. It's already on CentOS, but to get it on Ubuntu, you'll need to install the binutils package, like so:

sudo apt install binutils

As an example, let's look at this Your File Is Ready To Download_2285169994.exe file that was automatically downloaded from a cryptocoin faucet site. (If you want to play with this yourself, you'll find this in the code file that you can download from the Packt Publishing website.) To examine the file, do the following:

strings "Your File Is Ready To Download_2285169994.exe" > output.txt
vim output.txt

I saved the output to a text file that I can open in vim so that I can view the line numbers. To see the line numbers, use :set number at the bottom of the vim screen. (In vim parlance, we're using the last line mode.)

It's hard to say exactly what to search for, so you'll just need to browse through until you see something interesting. In this case, look at what I've found starting at line 386:

386 The Setup program accepts optional command line parameters.
387 /HELP, /?
388 Shows this information.
389 /SP-
390 Disables the This will install... Do you wish to continue? prompt at the beginning of Setup.
391 /SILENT, /VERYSILENT
392 Instructs Setup to be silent or very silent.
393 /SUPPRESSMSGBOXES
394 Instructs Setup to suppress message boxes.
. . .
399 /NOCANCEL
400 Prevents the user from cancelling during the installation process.
. . .

It's saying that the installation process of this program can be made to run in SILENT mode, without popping up any dialog boxes. It can also be made to run in such a way that the user can't cancel the installation. Of course, the line at the top says that these are optional command line parameters. But, are they really optional, or are they hard-coded in as the default? It's not clear, but in my mind, any installer that can be made to run in SILENT mode and that can't be canceled looks a bit suspicious, even if we're talking about optional parameters.
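To show what strings is actually doing under the hood, here is an added Python example (not from the book) that pulls printable runs out of a binary the same way strings does by default and flags the installer switches quoted above; the sample bytes are constructed to mimic an installer's embedded help text, and the function names are my own.

```python
import re

# Constructed sample: a few bytes that look like a PE header and an installer's
# embedded help text, padded with non-printable bytes as a real .exe would be.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"\x01\x02\x03The Setup program accepts optional command line parameters.\x00"
    b"/SILENT, /VERYSILENT\x00Instructs Setup to be silent or very silent.\x00"
    b"\x7f\x80/NOCANCEL\x00Prevents the user from cancelling during the installation process.\x00"
    b"ab\x00"  # only two printable bytes: too short to be reported
)

MIN_LEN = 4  # GNU strings reports runs of at least 4 printable characters by default

# Switches from the strings output above that let an installer run unattended
SUSPICIOUS_SWITCHES = ("/SILENT", "/VERYSILENT", "/SUPPRESSMSGBOXES", "/NOCANCEL", "/SP-")


def extract_strings(data, min_len=MIN_LEN):
    """Return runs of printable ASCII (space through '~', plus tab) that are at
    least min_len bytes long, in file order, which is what `strings` prints."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def flag_installer_switches(found, switches=SUSPICIOUS_SWITCHES):
    """Map each switch to the 1-based indices of the extracted strings that
    mention it, so you can jump to them like the vim line numbers above."""
    hits = {}
    for idx, s in enumerate(found, start=1):
        for sw in switches:
            if sw in s:
                hits.setdefault(sw, []).append(idx)
    return hits


if __name__ == "__main__":
    # To run this against a real file: extract_strings(open(path, "rb").read())
    found = extract_strings(SAMPLE_BINARY)
    for i, s in enumerate(found, start=1):
        print(f"{i:4} {s}")
    print(flag_installer_switches(found))
```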

Okay, so you're probably wondering, What is a cryptocoin faucet? Well, it's a website where you can go to claim a small amount of cryptocoin, such as Bitcoin, Ethereum, or Monero, in exchange for viewing the advertising and solving some sort of CAPTCHA puzzle. Most faucet operators are honest, but the advertising they allow on their sites often isn't and is often laden with malware, scams, and Not-Safe-For-Work images.

Now, this little trick works fine sometimes, but not always. More sophisticated malware might not contain any text strings that can give you any type of clue. So, let's look at another quick little trick for malware analysis.
