UnpacMe Weekly: Strings!

This week we've updated the malware configurations in UnpacMe, giving you the option to download all decrypted strings as a JSON-formatted file. The new strings download button can be found in the top right corner of the Decrypted Strings table, as shown below.

Example of Decrypted Strings in Malware Configuration

The JSON file uses a simple structure consisting of an array of key/value pairs which represent the string offset and the decrypted value. An example of a downloaded file is shown below.

Example of Decrypted String Output

New IDA Plugin: StrAnnotate

To help analysts use the decrypted string data, we've released a simple plugin for IDA. The plugin will read a downloaded JSON file and add a comment at each offset with the decrypted string value. An example of the annotated strings for RaccoonStealer malware is shown below.

Example of Decrypted String Data Added to File 

Additionally, the plugin will work with malware that uses a strings table. An example of an annotated Qakbot sample is shown below.

Example of Qakbot annotated Strings Table
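
For analysts who want to script the same workflow, here is a sketch of reading a strings download and turning it into comments. It is an added example, not the StrAnnotate source. The field names `offset` and `value`, the single-pair `{offset: string}` alternative, and the sample data are assumptions, since the exact layout of the file is not reproduced here.

```python
import json

# Constructed sample; the field names "offset"/"value" are assumptions.
SAMPLE = r'''[{"offset": "0x401000", "value": "kernel32.dll"},
 {"4198432": "http://example.invalid/gate\r\n"},
 {"offset": "zz", "value": "bad"}]'''

def _to_ea(raw):
    """Accept integer offsets or decimal/hex strings."""
    return raw if isinstance(raw, int) else int(str(raw), 0)

def _clean(text, limit=200):
    """Strings come from the sample: keep comments single-line and bounded."""
    out = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in str(text))
    return out[:limit]

def load_strings(json_text):
    """Return ({ea: comment}, skipped_entries) from a strings download."""
    entries = json.loads(json_text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array")
    comments, skipped = {}, []
    for entry in entries:
        try:
            if "offset" in entry and "value" in entry:
                raw, value = entry["offset"], entry["value"]
            else:
                (raw, value), = entry.items()  # exactly one offset/string pair
            comments[_to_ea(raw)] = _clean(value)
        except (TypeError, ValueError, AttributeError):
            skipped.append(entry)  # malformed entry: report it, do not guess
    return comments, skipped

def annotate(comments):
    """Set comments inside IDA; outside IDA only print what would be set."""
    try:
        import idc  # IDAPython module, only importable inside IDA
    except ImportError:
        idc = None
    applied = 0
    for ea, text in sorted(comments.items()):
        if idc is None:
            print("%#x: %s" % (ea, text))
        elif idc.set_cmt(ea, text, 0):  # 0 = regular (non-repeatable) comment
            applied += 1
    return applied

if __name__ == "__main__":
    annotate(load_strings(SAMPLE)[0])
```

Escaping non-printable characters matters because the decrypted values are controlled by the malware author, and a raw newline or control sequence would otherwise end up in the database or terminal output.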

As always, if you have any feedback, please let us know.

Happy Unpacking!