mandiant/flare-floss

Stars
3,036
Rank 14,324 (Top 0.3 %)
Language
Python
License
Apache License 2.0
Created about 8 years ago
Updated 25 days ago

mandiant/flare-floss

mandiant

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

FLARE Obfuscated String Solver

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility that we commonly use during basic static analysis.

The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance the basic static analysis of unknown binaries.

FLOSS extracts all the following string types:

static strings: "regular" ASCII and UTF-16LE strings
stack strings: strings constructed on the stack at run-time
tight strings: a special form of stack strings, decoded on the stack
decoded strings: strings decoded in a function

Please review the theory behind FLOSS here.

Our blog post talks more about the motivation behind FLOSS and details how the tool works.

FLOSS version 2.0 updates are detailed in this blog post.

Quick Run

To try FLOSS right away, download a standalone executable file from the releases page: https://github.com/mandiant/flare-floss/releases

For a detailed description of installing FLOSS, review the documentation here.

Usage

Extract obfuscated strings from a malware binary:

$ floss /path/to/malware/binary

Display the help/usage screen to see all available switches.

$ floss -h

For a detailed description of using FLOSS, review the documentation here.

For a detailed description of testing FLOSS, review the documentation here.

Scripts

FLOSS also contains additional Python scripts in the scripts folder which can be used to load its output into other tools such as Binary Ninja or IDA Pro. For detailed description of these scripts review the documentation here.

commando-vm

Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution. [email protected]

flare-vm

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.

capa

The FLARE team's open-source tool to identify capabilities in executable files.

red_team_tool_countermeasures

flare-ida

IDA Pro utilities from FLARE team

flare-fakenet-ng

FakeNet-NG - Next Generation Dynamic Network Analysis Tool

speakeasy

Windows kernel and user mode emulation.

SharPersist

ThreatPursuit-VM

Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.

gocrack

GoCrack is a management frontend for password cracking tools written in Go

flare-emu

SilkETW

stringsifter

A machine learning tool that ranks strings based on their relevance for malware analysis.

Mandiant-Azure-AD-Investigator

Azure_Workshop

sunburst_countermeasures

Ghidrathon

The FLARE team's open-source extension to add Python 3 scripting to Ghidra.

ReelPhish

capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs

iocs

FireEye Publicly Shared Indicators of Compromise (IOCs)

DueDLLigence

FIDL

A sane API for IDA Pro's decompiler. Useful for malware RE and vulnerability research

flare-wmi

GoReSym

Go symbol recovery tool

rvmi

rVMI - A New Paradigm For Full System Analysis

PwnAuth

idawasm

IDA Pro loader and processor modules for WebAssembly

ADFSpoof

SimplifyGraph

IDA Pro plugin to assist with complex graphs

STrace

A DTrace on Windows Reimplementation

ShimCacheParser

OfficePurge

msi-search

ioc_writer

macos-UnifiedLogs

GeoLogonalyzer

GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.

flare-kscldr

FLARE Kernel Shellcode Loader

Vulnerability-Disclosures

flare-qdb

Command-line and Python debugger for instrumenting and modifying native software behavior on Windows and Linux.

flare-dbg

flare-dbg is a project meant to aid malware reverse engineers in rapidly developing debugger scripts.

thiri-notebook

The Threat Hunting In Rapid Iterations (THIRI) Jupyter notebook is designed as a research aide to let you rapidly prototype threat hunting rules.

route-sixty-sink

Link sources to sinks in C# applications.

heyserial

Programmatically create hunting rules for deserialization exploitation with multiple keywords, gadget chains, object types, encodings, and rule types

dncil

The FLARE team's open-source library to disassemble Common Intermediate Language (CIL) instructions.

flashmingo

Automatic analysis of SWF files based on some heuristics. Extensible via plugins.

VM-Packages

Reversing

ioc-scanner-CVE-2019-19781

Indicator of Compromise Scanner for CVE-2019-19781

flare-bytecode_graph

gocrack-ui

The User Interface for GoCrack

Volatility-Plugins

unicorn-libemu-shim

libemu shim layer and win32 environment for Unicorn Engine

citrix-ioc-scanner-cve-2023-3519

AuditParser

remote_lookup

Resolves DLL API entrypoints for a process w/ remote query capabilities.

synfulknock

SSSDKCMExtractor

jitm

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.

goauditparser

tf_rl_tutorial

Tutorial: Statistical Relational Learning with Google TensorFlow

Jupyter Notebook

macOS-tools

apooxml

Generate YARA rules for OOXML documents.

gootloader

Collection of scripts used to deobfuscate GOOTLOADER malware samples.

capa-testfiles

Data to test capa's code and rules.

pycommands

PyCommand Scripts for Immunity Debugger

vocab_scraper

Vocabulary Scraper script used in FLARE's analysis of Russian-language Carbanak source code

ARDvark

ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings.

rvmi-rekall

Rekall Forensics and Incident Response Framework with rVMI extensions

gocat

Provides access to libhashcat

ics_mem_collect

rvmi-qemu

QEMU with rVMI extensions

IDA_Pro_VoiceAttack_profile

pulsesecure_exploitation_countermeasures

win10_auto

rvmi-kvm

Linux-KVM with rVMI extensions

pivy-report

Poison Ivy Appendix/Extras

siglib

vbScript_deobfuscator

Help deobfuscate VBScript

flare-gsoc-2023

Supporting resources and documentation for FLARE @ Google Summer of Code 2023

DFUR-Splunk-App

The "DFUR" Splunk application and data that was presented at the 2020 SANS DFIR Summit.

rpdebug_qnx

mandiant_managed_hunting

Azure Deployment Templates for Mandiant Managed Huning

flare-floss-testfiles

Resources for testing FLOSS by the FLARE team.