Generative AI

Encrypted Malware IOC Recovery Code Generation with FLARE-FLOSS Beyond Classic Strings Analysis

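banner("STEP 6 — IOC hunting in the deobfuscated strings")

# Each entry pairs a human-readable IOC label with a compiled pattern.
# The regexes are deliberately broad triage heuristics, not detection-grade
# rules: expect false positives (e.g. version numbers matching "IP") and
# review every hit before treating it as an indicator.
# The `\b`, `\d`, `\s` and `\.` escapes are required — without the
# backslashes the patterns match literal letters and any character.
PATTERNS = [
    ("URL",         re.compile(r'https?://[^\s"<>]+')),
    # Dotted quad only; octet range (0-255) is not validated here.
    ("IP",          re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PE/script",   re.compile(r"[A-Za-z0-9_]+\.(?:exe|dll|sys|ps1|bat)\b", re.I)),
    ("Win32 API",   re.compile(r"\b(?:Reg(?:Open|Set|Create|Delete)Key(?:Ex)?A?|VirtualAlloc(?:Ex)?|CreateRemoteThread|WinExec|LoadLibraryA?|GetProcAddress|InternetOpenA?)\b")),
    ("Registry",    re.compile(r"SOFTWARE\\?[A-Za-z0-9_\\]+", re.I)),
    # A trailing `\b` would fail after '=' padding (non-word followed by end of
    # string), so a negative lookahead closes the token instead.
    ("Base64-like", re.compile(r"\b[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")),
]

# Collect (bucket, IOC label, string) for every pattern that fires; a string
# matching several patterns is recorded once per label.
hits = []
for kind, items in buckets.items():
    for e in items:
        s = e.get("string", "")
        for label, pat in PATTERNS:
            if pat.search(s):
                hits.append((kind, label, s))


def _printable(text):
    """Return *text* with control characters (including ESC) replaced by '.'.

    Strings recovered from a sample are attacker-controlled; printing them raw
    would let embedded terminal escape sequences alter the analyst's display.
    """
    return "".join(ch if ch.isprintable() else "." for ch in text)


MAX_SHOWN = 40  # cap the table so a noisy sample does not flood the console

if hits:
    print(f"{'BUCKET':<10}{'IOC':<14}STRING")
    print("-" * 72)
    for kind, lbl, s in hits[:MAX_SHOWN]:
        print(f"{kind:<10}{lbl:<14}{_printable(s[:80])}")
    print(f"\n→ {len(hits)} IOC hits total. Note: most are inside the 'decoded' bucket")
    print("  — those would be invisible to plain `strings`!")
else:
    print("(no IOC pattern matches)")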


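banner("STEP 7 — Visualize string-type counts and length distribution")
import matplotlib.pyplot as plt

fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(13, 4.5))

# Left panel: one bar per FLOSS bucket, with the count printed above each bar.
labels = list(buckets)
counts = [len(v) for v in buckets.values()]
bars = ax1.bar(labels, counts, color=["#5fa8d3", "#62b6cb", "#cae9ff", "#ff7b7b"])
ax1.set_title("FLOSS strings by type")
ax1.set_ylabel("count")
for bar, n in zip(bars, counts):
    ax1.text(bar.get_x() + bar.get_width() / 2, n, str(n), ha="center", va="bottom")

# Right panel: overlaid per-bucket length histograms. A log y-axis keeps the
# rare long (often decoded/encrypted) strings visible next to the short ones.
for kind, items in buckets.items():
    lens = [len(e.get("string", "")) for e in items]
    if lens:
        ax2.hist(lens, bins=30, alpha=0.55, label=f"{kind} (n={len(lens)})")
ax2.set_title("String-length distribution")
ax2.set_xlabel("characters")
ax2.set_ylabel("frequency (log)")
ax2.set_yscale("log")
if ax2.get_legend_handles_labels()[0]:  # legend() warns when nothing is labelled
    ax2.legend()

plt.tight_layout()
# Save into WORK so the path reported below is the path actually written
# (previously the PNG landed in the current directory instead).
# NOTE(review): WORK is assumed to be a pathlib.Path defined earlier — it is
# already used with `/` in the artifact summary.
summary_png = WORK / "floss_summary.png"
plt.savefig(summary_png, dpi=110)
plt.show()

print("\n✓ Tutorial complete.")
print(f"   Artifacts: {WORK/'sample.exe'}, {WORK/'floss.json'}, {summary_png}")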
