Search for revealing strings in Intezer Analyze

Written by Or Fridman


    Accelerate your file investigations with new and improved string reuse capabilities in Intezer Analyze

    Users of Intezer Analyze may have noticed new and improved strings features in the platform. These string reuse capabilities make it even easier to investigate suspicious files using Genetic Malware Analysis.

    1. Search for relevant strings that can provide additional context about the nature of a threat
    2. Filter by tags (network artifact, file path), family type (malware, admin tool, packer, library) and specific malware family (Lazarus, TrickBot)
    3. Pivot between related samples that contain the same strings

    What can strings reveal about the nature of a file?
    Unlike binary code, strings are typically easier to interpret. Extracting relevant strings can provide context about the program's functionality and the indicators associated with a suspect binary. Strings can be references to filenames, domain names, URLs, IP addresses, attack commands, registry keys and more. Although they do not always paint a clear picture of the purpose or capability of a file, certain strings can provide a hint about what a malware is capable of doing (via Packt).

    Search for revealing strings
    Relevant strings — such as a filename or domain name — can strengthen a security analyst’s conclusion about the intention of a file. In some cases, strings can also help to classify a malware.

    In Intezer Analyze, you can now search for specific text instead of having to review each string line by line. Try it now by searching for “ransom” in the below analysis of DeathRansom.

    Two results appear, further indicating a ransomware attack. This information can be used to accelerate the investigation and allow more time for the organization to decide how it will respond to the attack.

    Filter strings by tags and malware family
    Filter strings by tags, such as path and network artifact. You can also filter between malware families that share strings (like Major Ransomware, DCRTR and DeathRansom in the below example).
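    The extraction, tagging and search steps described in the two sections above, as an added example that is not Intezer's code: it pulls printable runs out of a constructed byte blob, assigns the kind of tags the platform uses (network artifact, file path, registry key) with simple regex rules, and searches the result for a term, optionally restricted to one tag. The blob, the tag rules and the minimum string length are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample "binary": printable runs embedded in junk bytes (not a real file).
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"                                   # "MZ" is too short to count
    b"C:\\Users\\Public\\readme_ransom.txt\x00\x00"
    b"\xff\xfehttp://example.test/gate.php\x00"
    b"\x13\x03Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"ab\x00"                                               # too short to count
    b"192.0.2.44\x00"
    b"Your files have been encrypted. Pay the ransom.\x00"
)

MIN_LEN = 4  # same default as the classic `strings` tool

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

# Tag rules are assumptions: each tag is a regex, and a string may carry several tags.
TAG_RULES = {
    "network artifact": re.compile(r"(https?://|\b\d{1,3}(\.\d{1,3}){3}\b)"),
    "file path": re.compile(r"^[A-Za-z]:\\|^/"),
    "registry key": re.compile(r"(?i)^(HKEY_|HKLM|HKCU|Software\\Microsoft)"),
}

def tag_string(s: str) -> List[str]:
    """Tags whose rule matches the string (empty list when none match)."""
    return [tag for tag, rx in TAG_RULES.items() if rx.search(s)]

def tagged_strings(blob: bytes) -> List[Tuple[str, List[str]]]:
    """(string, tags) pairs for every extracted string, preserving duplicates and order."""
    return [(s, tag_string(s)) for s in extract_strings(blob)]

def search_strings(blob: bytes, needle: str, tag: Optional[str] = None) -> List[str]:
    """Case-insensitive substring search; `tag` restricts hits to strings carrying it."""
    needle = needle.lower()
    return [s for s, tags in tagged_strings(blob)
            if needle in s.lower() and (tag is None or tag in tags)]

if __name__ == "__main__":
    for s, tags in tagged_strings(SAMPLE_BLOB):
        print(f"{s!r:60} {', '.join(tags) or '-'}")
    print("search 'ransom':", search_strings(SAMPLE_BLOB, "ransom"))
```

Searching the sample for "ransom" returns two hits, the dropped note's file path and the ransom message, which is the same kind of result the DeathRansom search above shows.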

    Pivot between related samples
    In addition to viewing related samples based on shared code, users can now pivot between malware samples that share strings. This can be used to broaden an investigation and gain additional intel about a potential incident or targeted attack against your organization. To view the related samples based on string reuse, just click on “related samples” on the far right.

    Intezer Analyze is not only for experts
    Do you have a suspicious file that requires investigation? Upload it to Intezer Analyze to find out if it contains malicious code. Try it now for free.

    Explore the Intezer Analyze endpoint analysis feature while working from home
    Search for code similarities within every bit of executable code running in your device’s memory to detect malicious code injections, fileless malware and other threats. Try it now for free in the community edition.

    Or Fridman

    Or has 10 years of experience working in technology development and product management. As director of product at Intezer he oversees the development and execution of the company's product roadmap. Or began his career in cybersecurity through a programming course in the Israel Defense Forces (IDF) and later served as a developer and product manager for the unit. Prior to joining Intezer, Or was a product manager at CyberArk.
