banner("STEP 6 — IOC hunting in the deobfuscated strings")
PATTERNS = [
("URL", re.compile(r"https?://[^\s\"<>]+")),
("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
("PE/script", re.compile(r"[A-Za-z0-9_]+\.(?:exe|dll|sys|ps1|bat)\b", re.I)),
("Win32 API", re.compile(r"\b(?:Reg(?:Open|Set|Create|Delete)Key(?:Ex)?A?|VirtualAlloc(?:Ex)?|CreateRemoteThread|WinExec|LoadLibraryA?|GetProcAddress|InternetOpenA?)\b")),
("Registry", re.compile(r"SOFTWARE\\\\?[A-Za-z0-9_\\\\]+", re.I)),
("Base64-like", re.compile(r"\b[A-Za-z0-9+/]{24,}={0,2}\b")),
]
hits = []
for kind, items in buckets.items():
for e in items:
s = e.get("string","")
for label, pat in PATTERNS:
if pat.search(s): hits.append((kind, label, s))
if hits:
print(f"{'BUCKET':<10}{'IOC':<14}STRING")
print("-"*72)
for kind,lbl,s in hits[:40]:
print(f"{kind:<10}{lbl:<14}{s[:80]}")
print(f"\n→ {len(hits)} IOC hits total. Note: most are inside the 'decoded' bucket")
print(" — those would be invisible to plain `strings`!")
else:
print("(no IOC pattern matches)")
banner("STEP 7 — Visualize string-type counts and length distribution")
import matplotlib.pyplot as plt
fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(13, 4.5))
labels = list(buckets); counts = [len(v) for v in buckets.values()]
bars = ax1.bar(labels, counts, color=["#5fa8d3","#62b6cb","#cae9ff","#ff7b7b"])
ax1.set_title("FLOSS strings by type"); ax1.set_ylabel("count")
for b,n in zip(bars,counts): ax1.text(b.get_x()+b.get_width()/2, n, str(n), ha="center", va="bottom")
for kind, items in buckets.items():
lens = [len(e.get("string","")) for e in items]
if lens: ax2.hist(lens, bins=30, alpha=0.55, label=f"{kind} (n={len(lens)})")
ax2.set_title("String-length distribution"); ax2.set_xlabel("characters")
ax2.set_ylabel("frequency (log)"); ax2.set_yscale("log"); ax2.legend()
plt.tight_layout(); plt.savefig("floss_summary.png", dpi=110); plt.show()
print("\n✓ Tutorial complete.")
print(f" Artifacts: {WORK/'sample.exe'}, {WORK/'floss.json'}, {WORK/'floss_summary.png'}")Credit: Source link
