banner("STEP 6 — IOC searching within the deobfuscated strings")
PATTERNS = [
("URL", re.compile(r"https?://[^s"<>]+")),
("IP", re.compile(r"b(?:d{1,3}.){3}d{1,3}b")),
("PE/script", re.compile(r"[A-Za-z0-9_]+.(?:exe|dll|sys|ps1|bat)b", re.I)),
("Win32 API", re.compile(r"b(?:Reg(?:Open|Set|Create|Delete)Key(?:Ex)?A?|VirtualAlloc(?:Ex)?|CreateRemoteThread|WinExec|LoadLibraryA?|GetProcAddress|InternetOpenA?)b")),
("Registry", re.compile(r"SOFTWARE?[A-Za-z0-9_]+", re.I)),
("Base64-like", re.compile(r"b[A-Za-z0-9+/]{24,}={0,2}b")),
]
hits = []
for form, gadgets in buckets.gadgets():
for e in gadgets:
s = e.get("string","")
for label, pat in PATTERNS:
if pat.search(s): hits.append((form, label, s))
if hits:
print(f"{'BUCKET':<10}{'IOC':<14}STRING")
print("-"*72)
for form,lbl,s in hits[:40]:
print(f"{form:<10}{lbl:<14}{s[:80]}")
print(f"n→ {len(hits)} IOC hits complete. Word: most are contained in the 'decoded' bucket")
print(" — these can be invisible to plain `strings`!")
else:
print("(no IOC sample matches)")
banner("STEP 7 — Visualize string-type counts and size distribution")
import matplotlib.pyplot as plt
fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(13, 4.5))
labels = record(buckets); counts = [len(v) for v in buckets.values()]
bars = ax1.bar(labels, counts, coloration=["#5fa8d3","#62b6cb","#cae9ff","#ff7b7b"])
ax1.set_title("FLOSS strings by sort"); ax1.set_ylabel("rely")
for b,n in zip(bars,counts): ax1.textual content(b.get_x()+b.get_width()/2, n, str(n), ha="heart", va="backside")
for form, gadgets in buckets.gadgets():
lens = [len(e.get("string","")) for e in items]
if lens: ax2.hist(lens, bins=30, alpha=0.55, label=f"{form} (n={len(lens)})")
ax2.set_title("String-length distribution"); ax2.set_xlabel("characters")
ax2.set_ylabel("frequency (log)"); ax2.set_yscale("log"); ax2.legend()
plt.tight_layout(); plt.savefig("floss_summary.png", dpi=110); plt.present()
print("n✓ Tutorial full.")
print(f" Artifacts: {WORK/'pattern.exe'}, {WORK/'floss.json'}, {WORK/'floss_summary.png'}")