This week we've updated the malware configurations in UnpacMe giving you the option to download all decrypted strings as a JSON formatted file. The new strings download button can be found in the top right corner of the Decrypted Strings table, as shown below.
The JSON file uses a simple structure consisting of an array of key/value pairs which represent the string offset and the decrypted value. An example of a downloaded file is shown below.
New IDA Plugin: StrAnnotate
To help analysts use the decrypted string data, we've released a simple plugin for IDA. The plugin will will read a downloaded JSON file and add a comment at each offset with the decrypted string value. An example of the annotated strings for RaccoonStealer malware is shown below.
Additionally, the plugin will work with malware that uses a strings table. An example of an annotated Qakbot sample is shown below.
As always if you have any feedback please let us know.