
A Coding Implementation to Recover Hidden Malware IOCs with FLARE-FLOSS Beyond Classic Strings Analysis


# Step 6: run the IOC regexes over every FLOSS string bucket collected earlier
# (static, stack, tight and decoded strings alike), not just the plain `strings` output.
banner("STEP 6 — IOC hunting in the deobfuscated strings")
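# Regex heuristics for spotting indicators of compromise in FLOSS output.
# Each entry is (label, compiled pattern); a string that satisfies several
# patterns is reported once per label by the hit-collection loop that follows.
# Treat matches as triage leads, not verdicts: benign library/runtime strings
# also contain URLs, file names and API names, and "Base64-like" fires on any
# long [A-Za-z0-9+/] run (hashes, GUIDs, embedded keys), so hits need review.
PATTERNS = [
    ("URL",          re.compile(r"https?://[^\s\"<>]+")),
    # Each octet is restricted to 0-255 so dotted version numbers such as
    # 10.0.999.1 and other numeric junk are not reported as IP addresses.
    ("IP",           re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    # Case-insensitive so PAYLOAD.DLL and payload.dll are both caught.
    ("PE/script",    re.compile(r"[A-Za-z0-9_]+\.(?:exe|dll|sys|ps1|bat)\b", re.I)),
    # APIs that commonly show up in persistence, injection and downloader code.
    ("Win32 API",    re.compile(r"\b(?:Reg(?:Open|Set|Create|Delete)Key(?:Ex)?A?|VirtualAlloc(?:Ex)?|CreateRemoteThread|WinExec|LoadLibraryA?|GetProcAddress|InternetOpenA?)\b")),
    # "SOFTWARE\..." sub-key paths; one or two backslashes are accepted after
    # SOFTWARE so an escaped (doubled) path form also matches.
    ("Registry",     re.compile(r"SOFTWARE\\\\?[A-Za-z0-9_\\\\]+", re.I)),
    ("Base64-like",  re.compile(r"\b[A-Za-z0-9+/]{24,}={0,2}\b")),
]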
# Collect (bucket, IOC label, string) for every pattern each string matches.
# A single string can therefore appear under several labels; the order is
# bucket order, then string order, then PATTERNS order.
hits = []
for bucket_name, entries in buckets.items():
    for entry in entries:
        text = entry.get("string", "")
        matched = [label for label, pattern in PATTERNS if pattern.search(text)]
        hits.extend((bucket_name, label, text) for label in matched)


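def _printable(text: str) -> str:
    """Escape control and other non-printable characters before printing.

    The strings come straight out of the analysed sample, so they may carry
    terminal escape sequences or line breaks that would corrupt the table or
    the terminal state; non-printables are shown as repr-style escapes.
    """
    return "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in text)


if hits:
    print(f"{'BUCKET':<10}{'IOC':<14}STRING")
    print("-" * 72)
    for bucket_name, label, text in hits[:40]:  # cap the table at 40 rows; totals follow
        print(f"{bucket_name:<10}{label:<14}{_printable(text[:80])}")
    # Report the per-bucket split measured from the data rather than asserting
    # up front where most hits live.
    per_bucket = {name: sum(1 for b, _, _ in hits if b == name) for name in buckets}
    split = ", ".join(f"{name}={count}" for name, count in per_bucket.items() if count)
    print(f"\n→ {len(hits)} IOC hits total ({split}).")
    print("  — hits in the 'decoded' bucket would be invisible to plain `strings`!")
else:
    print("(no IOC pattern matches)")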


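banner("STEP 7 — Visualize string-type counts and length distribution")
import matplotlib.pyplot as plt  # imported at this step, as the tutorial does, so earlier steps run without it

fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(13, 4.5))

# Left panel: one bar per FLOSS bucket, annotated with its string count.
labels = list(buckets)
counts = [len(v) for v in buckets.values()]
# Four colours for the four buckets the tutorial produces; matplotlib cycles
# the list if the number of buckets ever differs.
bars = ax1.bar(labels, counts, color=["#5fa8d3", "#62b6cb", "#cae9ff", "#ff7b7b"])
ax1.set_title("FLOSS strings by type")
ax1.set_ylabel("count")
for bar, count in zip(bars, counts):
    ax1.text(bar.get_x() + bar.get_width() / 2, count, str(count), ha="center", va="bottom")

# Right panel: overlaid length histograms per bucket, log-scaled on y so the
# few very long (decoded / stacked) strings remain visible next to the bulk.
for kind, items in buckets.items():
    lens = [len(e.get("string", "")) for e in items]
    if lens:  # skip empty buckets: nothing to plot and no legend entry wanted
        ax2.hist(lens, bins=30, alpha=0.55, label=f"{kind} (n={len(lens)})")
ax2.set_title("String-length distribution")
ax2.set_xlabel("characters")
ax2.set_ylabel("frequency (log)")
ax2.set_yscale("log")
ax2.legend()
plt.tight_layout()
# Save under WORK so the figure is where the closing artifact summary says it
# is, rather than in whatever the current working directory happens to be.
plt.savefig(WORK / "floss_summary.png", dpi=110)
plt.show()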


# Closing summary: list every file the tutorial produced under WORK.
artifacts = [WORK / name for name in ("sample.exe", "floss.json", "floss_summary.png")]
print("\n✓ Tutorial complete.")
print(f"   Artifacts: {', '.join(str(path) for path in artifacts)}")


