Interesting strings for the win!

Extracting strings from a captured sample is a standard part of malware analysis, and Stairwell automates it for every file/object ingested. Typically, though, this leaves you with the tedious job of searching through thousands of lines of text to find something interesting.

How do you know what is interesting if you haven't already seen everything that was extracted from the file? Many researchers have built a library of strings they have encountered that may point to areas of interest, but this can miss novel techniques or clues that could rapidly move an investigation forward... surely there is a better way, right? Hopefully you know the answer is a resounding yes!

When investigating a potentially malicious object, navigate over to the "Strings" tab and take a peek. In this case we are using a sample of Akira Ransomware that contains 11,626 lines extracted from the file.

Ok, let's just establish that no one has the time to read through 11,626 lines of text, much of which is useless to our investigation. It would be great if Stairwell could just tell me "Hey this looks interesting, check it out!"

Click the drop-down menu on the right and select "View: Interesting". This sorts the extracted strings from most interesting to least interesting.

Oh my... the first line at the top is part of the ransom note; scrolling down you find more of it, as well as some of the code used.
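To make the idea concrete, here is an added Python example (not Stairwell's code, and not its ranking algorithm) that extracts printable strings from a constructed byte blob and sorts them with a hypothetical interestingness heuristic, so that note-like sentences and URLs rise to the top while padding sinks to the bottom. The keyword list, the scoring weights and the sample bytes are all assumptions made for this illustration.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a captured binary: junk bytes around a few printable
# runs (a DOS stub, an import, padding, a ransom-note-like sentence, a random token).
SAMPLE = (
    b"\x00\x01MZ\x90\x00\x03\x00!This program cannot be run in DOS mode.\x00"
    b"\xff\xfe\x13GetProcAddress\x00\x7f\x00aaaa\x00"
    b"Your files are encrypted. Contact us at http://example.invalid/\x00"
    b"\x00\x00Ks9!pQz2$\x00kernel32.dll\x00"
)

MIN_LEN = 4                                   # same default as the `strings` tool
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Hypothetical triage keywords; a real list would be far longer and tuned per case.
KEYWORDS = ("encrypt", "ransom", "decrypt", "bitcoin", "http", ".dll", "cmd", "powershell")


def extract_strings(data: bytes) -> list:
    """Return every printable-ASCII run of at least MIN_LEN bytes, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score(s: str) -> float:
    """Hypothetical interestingness heuristic (not Stairwell's ranking)."""
    low = s.lower()
    sc = float(min(len(re.findall(r"[a-z]{3,}", low)), 8))  # word-like tokens
    sc += 3.0 * sum(k in low for k in KEYWORDS)              # triage keywords
    if re.search(r"https?://|\\\\|[a-z]:\\", low):           # URL / UNC / drive path
        sc += 4.0
    if shannon_entropy(s) < 2.0:                              # padding, repeats
        sc -= 3.0
    if len(set(s)) <= 2:
        sc -= 5.0
    return sc


def rank_strings(data: bytes) -> list:
    """Extracted strings sorted from most to least interesting (stable on ties)."""
    return sorted(extract_strings(data), key=score, reverse=True)


if __name__ == "__main__":
    for s in rank_strings(SAMPLE):
        print(f"{score(s):6.1f}  {s}")
```

On the constructed sample the ransom-note sentence scores highest and the `aaaa` padding lowest, which is the ordering an analyst wants when there are thousands of lines to wade through.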

In the event this is a bona fide security incident, you have just got right to the heart of this file's purpose in mere seconds rather than hours, and in a case like this seconds can make all the difference in the world.

Try it out yourself, you will no doubt find some oddly interesting bits about files very quickly.