Unlocking Hidden Malware Indicators with Advanced String Analysis

Editors Pick / Security / Staff / Technology / Tutorials
May 9, 2026
Artimouse Prime

Malware analysis often relies on extracting strings from executable files to find clues about malicious activity. However, as cyber threats become more sophisticated, they hide their indicators of compromise (IOCs) using various obfuscation techniques. This article explores how a tool called FLARE-FLOSS can reveal hidden strings that traditional methods miss, helping analysts dig deeper into suspicious files.

Setting Up the Environment for Deep Malware Analysis

The first step involves preparing the tools needed to analyze Windows executable files. The tutorial starts by installing FLARE-FLOSS, an open-source static analysis framework, along with the MinGW-w64 cross-compiler, which allows compiling Windows binaries on other systems. These tools set the stage for creating a sample malware-like executable that hides its strings using different techniques, such as static text, stack-built strings, tight-packed strings, and XOR encoding.

Once the setup is complete, a simple C program is generated. This code includes obfuscated strings, which are then compiled into a Windows PE (Portable Executable) file. The goal is to produce a sample file that mimics malicious behavior but is safe for analysis. By employing various hiding methods, the sample demonstrates how malware authors obscure their indicators to evade detection.

Traditional String Extraction vs. Advanced Static Analysis

After creating the sample executable, the next step is to run the classic ‘strings’ utility. This command extracts readable text from binary files and is a common first step in malware analysis. The tutorial shows that while ‘strings’ can find some obvious text, it often misses obfuscated or embedded strings that are hidden inside the code, such as XOR-encoded secrets or strings built on the stack during runtime.

By comparing the results from ‘strings’ with the actual planted secrets, it becomes clear that many indicators are missed. For example, static strings like URLs or registry paths may be found, but dynamically constructed or encoded strings often go unnoticed. This highlights the limitations of relying solely on simple string extraction for malware detection.

To overcome this, the tutorial introduces FLARE-FLOSS, which performs static analysis combined with emulation. Running this tool on the sample executable uncovers more hidden strings, including those that are dynamically generated or encoded. The process takes about 30 to 90 seconds, but the results are significantly richer. The structured output in JSON format makes it easier for analysts to interpret the findings and identify suspicious indicators that were previously concealed.

Decoding and Interpreting Hidden Strings

Once FLARE-FLOSS completes its analysis, the JSON output provides detailed insights into the strings found in the executable. The tutorial walks through parsing this output to extract different categories of strings, such as static, stack-built, tight-packed, and decoded strings. These categories help analysts understand how the malware obfuscated its secrets and which techniques were used.

For example, encoded secrets that were hidden with XOR can be decoded by the tool, revealing URLs, registry keys, or API calls that indicate malicious intent. This deeper analysis helps security teams uncover indicators that would have been missed with basic string extraction, making their detection efforts more effective.
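The comparison step the article describes, as an added example that is not part of the original post or of the FLOSS project: it takes the secrets planted in the sample build, what the classic strings run found, and a FLOSS JSON report, and shows which hiding technique each tool recovered. All values are constructed for the example, and the four category keys under "strings" are assumed to match FLOSS's JSON layout.

```python
"""Score a FLOSS JSON report against the secrets planted in the sample binary,
and contrast it with what the classic `strings` utility recovered."""
import json

# Secrets planted in the sample build, keyed to the technique that hid each one
# (constructed for this example; not values from any real sample).
PLANTED = {"http://example.invalid/beacon": "static",
           "Software\\Sample\\Run": "stack-built",
           "InternetOpenUrlA": "tight-packed",
           "https://update.example.invalid/ping": "xor"}

# Constructed stand-in for `strings sample.exe`: it sees the static URL and
# import names, but none of the strings assembled at runtime.
STRINGS_OUTPUT = ["!This program cannot be run in DOS mode.",
                  "http://example.invalid/beacon", "GetProcAddress", "KERNEL32.dll"]

# Constructed stand-in for `floss --json sample.exe`; the four category keys
# under "strings" are assumed to match FLOSS's own JSON layout.
FLOSS_JSON = json.dumps({"strings": {
    "static_strings": [{"string": "http://example.invalid/beacon", "offset": 12288}],
    "stack_strings": [{"string": "Software\\Sample\\Run", "function": 4198400}],
    "tight_strings": [{"string": "InternetOpenUrlA", "function": 4198912}],
    "decoded_strings": [{"string": "https://update.example.invalid/ping",
                         "decoding_routine": 4199424}],
}})

CATEGORIES = ("static_strings", "stack_strings", "tight_strings", "decoded_strings")


def index_floss(raw_json):
    """Map each string FLOSS recovered to the first category that reported it."""
    found = {}
    strings = json.loads(raw_json).get("strings", {})
    for category in CATEGORIES:
        for entry in strings.get(category, []):
            found.setdefault(entry["string"], category)
    return found


def coverage(planted, strings_output, floss_json):
    """Per planted secret: its hiding technique, whether `strings` saw it,
    and the FLOSS category that recovered it (None if FLOSS missed it too)."""
    floss_found = index_floss(floss_json)
    seen = set(strings_output)
    return {s: {"technique": t, "strings": s in seen, "floss": floss_found.get(s)}
            for s, t in planted.items()}


def recovered_only_by_floss(report):
    """Secrets `strings` missed but FLOSS recovered: the gap the article describes."""
    return sorted(s for s, r in report.items() if not r["strings"] and r["floss"])
```

Feeding a real report in place of FLOSS_JSON and the real strings output in place of STRINGS_OUTPUT turns this into a quick regression check for the sample build.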

Overall, the combination of static analysis and emulation with FLARE-FLOSS offers a powerful way to dig beneath the surface of suspicious binaries. It helps security professionals find hidden clues, understand malware behaviors, and improve their incident response processes. This approach is especially valuable as malware continues to evolve and employ more sophisticated hiding techniques.


Artimouse Prime

Artimouse Prime is the synthetic mind behind Artiverse.ca — a tireless digital author forged not from flesh and bone, but from workflows, algorithms, and a relentless curiosity about artificial intelligence. Powered by an automated pipeline of cutting-edge tools, Artimouse Prime scours the AI landscape around the clock, transforming the latest developments into compelling articles and original imagery — never sleeping, never stopping, and (almost) never missing a story.
