Quick Overview: Static Analysis Tool Floss for Malware Analysis

Floss (FLARE Obfuscated Stringer Solver) is a static analysis tool for malware analysis. This tool was developed by Mandiant.

This tool basically helps security researchers extract strings from malware samples.

This blog provides you with a brief functionality and usage of the tool Floss.

Overview of tool Floss

Malware authors use different obfuscation techniques to hide sensitive resources to extend the life of malware. Floss tool helps in extracting obfuscated strings from malware samples.

Floss is an automation tool that combines manual reverse engineering techniques for string decoding.

Algorithm of tool Floss

1) Identify decoding functions in a malware sample by using heuristics

2) Extract cross reference and arguments of decoding functions

3) Emulation of decoder functions using extracted arguments

4) Compare (Diff) memory state before and after emulation of decoder

5) Print human-readable strings

Installation - Method 1 - Using Python

Floss tool can be installed on both Windows and Linux-based systems. Please ensure the system has Python >=3.8

Step 1: Install Floss

$ pip install flare-floss

Step 2: Use Floss from a Python script

#!/usr/env/python
import floss
print(dir(floss))

Installation - Method 2 - Standalone

Just download from the link: https://github.com/mandiant/flare-floss/releases/tag/v2.3.0

After downloading, you can use Floss without any installation as all required source code, Python interpreter and other resources are available.

Usage of Floss

To extract all strings from a malware sample

floss malware-sample.exe

to extract specific types of strings

floss malware-sample.exe --only tight decoded

To highlight obfuscated strings

floss malware-sample.exe --no static

Verbose output

floss -v malware-sample.exe

Load results of Floss

floss -l results.json

Quiet mode - to suppress the output

floss -q malware-sample.exe

Shellcode option

floss -f sc32 malware-sample.raw32
floss -f sc64 malware-sample.raw64