Updating bad analysis

This commit is contained in:
2025-08-24 22:50:28 -04:00
parent 7e27faef70
commit 9630a14124
6 changed files with 46 additions and 46 deletions

@@ -4,15 +4,15 @@ date: 2021-03-08T20:20:31Z
draft: false
---
# Introduction
## Introduction
Next up in bad malware analysis is comparing the size of a file to the output of of the command strings. The idea here is that malware may contain less strings per KB than benign binaries. This would make logical sense as many malware samples are packed, encrypted, and/or stored in the data section of the binary, to be extracted later. This is done to help obfuscate them from hash signatures.
# Samples
## Samples
There are around 500 malware samples, coming from two sources: [theZoo](https://thezoo.morirt.com/) and [dasMalwerk](https://dasmalwerk.eu/). For samples of benign software I grabbed 200 libraries from C:/Windows directory.
# Calculations
## Calculations
Using python I wrote a quick script to count the number of strings returned (separated by a newline) and compared it to the size (in KB) to the file. I performed this using strings of min size 2, 3, 4, 5, and 6. Why those numbers ... because that is where I decided to stop. The average strings per KB was then calculated.
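Review bot: the three heading changes in this hunk (`# Introduction`, `# Samples`, `# Calculations` demoted to `##`) are consistent with the front matter supplying the page title, but the unchanged context lines carry wording errors that this content-fix commit could take along: "the output of of the command strings" (doubled "of") and "less strings per KB" (count noun, so "fewer strings per KB"). Since the commit touches this file anyway, fix both in the same change so the next diff of this page is purely structural.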
@@ -24,7 +24,7 @@ Using python I wrote a quick script to count the number of strings returned (sep
| 5 | 5.59 | 5.58 | 0.18 % |
| 6 | 4.32 | 3.96 | 8.33 % |
# Results
## Results
The results are kinda in line with what I thought. Most of the malicious binaries have less strings per KB than the benign. Surprisingly looking at a minimum string length of two and five, the benign and malicious binaries have about the same number of strings per KB. The string length of two makes sense as a lot of stings that small come down to random bytes in the binary looking like strings.
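Review bot: the heading demotion matches the first hunk, and the two visible table rows check out against the percentage column (5.59 vs 5.58 gives 0.18 %, 4.32 vs 3.96 gives 8.33 %), so the Results text that calls length five "about the same" is supported by the data. The context line has a typo worth fixing here, "a lot of stings that small" for "strings", and "have less strings per KB" should read "fewer strings per KB".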
@@ -34,7 +34,7 @@ It appears the sweet spot for comparing malicious to benign binaries is four. At
Overall the results were in line with what I expected, however they were a lot closer than I thought they would be.
# Future Work
## Future Work
If this were not bad malware analysis I would continue to look at the individual strings for patterns ... oh wait that was in previous bad malware analysis.
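Review bot: the commit message "Updating bad analysis" does not say what was changed, while the summary shows 46 additions and 46 deletions across 6 files and every visible hunk is the same heading-level normalization (`#` to `##`); a message such as "Demote section headings to H2 across bad-analysis posts" would make the history searchable. The `Future Work` heading change in this hunk is otherwise fine.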