
Joe Security's Blog

Generic Keylogger Detection with Joe Sandbox X

Published on: 29.09.2014


In our last blog post we demonstrated some of the features of our new product Joe Sandbox X by analyzing the recent malware "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1). We showed in detail how the malware installs itself and that one of its core payloads is a keylogger.

In this post we present two new features which, in combination, detect the keylogger payload of the xslcmd malware:




As the signature summary shows, we have added a signature that detects keyloggers generically. Let's have a look at how this works.
Besides the installer (PID 236, sample-cmd) and the launch agent process (PID 241, clipboardd), the startup section of the report also lists the TextEdit.app process (PID 253):



This process was actually started by a Cookbook. As you might already know, Cookbooks are a powerful technology for customizing the analysis procedure in order to influence and change the malware's behaviour. Here is the Cookbook used for this analysis:


After loading the sample with _JBLoadProvidedBin, the Cookbook opens the text editor with _JBRunCmd. It then simulates low-level keyboard strokes via _JBSimulateKeyboardStrokes; in this case the string "0deconinput0" is typed. The screenshot shows the launched text editor and the simulated user input:


Looking more closely at the launch agent process clipboardd (PID 241) running in the background, we can observe that the simulated keystrokes are written to a log file in the user's home directory:


So, to detect keyloggers generically, Joe Sandbox X uses a Cookbook to simulate keystrokes and then uses behaviour signatures to look for the typed key sequence in the files written during the analysis. If the sequence is found, it is clear that the malware captures keystrokes and stores them:


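To make the approach concrete, here is an added Python example written for this page (it is not Joe Sandbox X's signature engine, nor its report format). It scans a constructed list of file-write events for the canary string typed by the Cookbook. The trace record layout, the file paths, the process "evil-logger" and the exclusion of the editor process are all assumptions; PIDs 236, 241 and 253 are taken from the report. It goes slightly beyond the case in the post: writes are concatenated per process and path, because a keylogger usually appends one key at a time, and logs that store one key per line or use UTF-16 are matched as well.

```python
"""Canary-based keylogger detection over a sandbox file-write trace.

Added example for this page, not Joe Sandbox X code.  The trace record
format, the paths and the process named evil-logger are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Canary typed into the editor by the Cookbook (same string as in the post).
CANARY = "0deconinput0"


@dataclass(frozen=True)
class FileWrite:
    """One write to a file as a sandbox might record it (hypothetical format)."""
    pid: int
    process: str
    path: str
    data: bytes


def _normalised_texts(buf):
    """Yield (encoding, text) with all whitespace removed, so logs that store
    one key per line or per space-separated token still contain the canary."""
    for enc in ("utf-8", "utf-16-le"):
        text = buf.decode(enc, errors="replace")
        yield enc, "".join(text.split())


def find_keylogger_files(writes, canary=CANARY, exclude_pids=()):
    """Return (pid, process, path, encoding) for every file that, over all
    writes by one process, ends up containing the canary.

    Writes are concatenated per (pid, process, path) because a keylogger
    usually appends one key per write, so no single write holds the whole
    sequence.  exclude_pids names processes that legitimately received the
    keystrokes (the editor the Cookbook typed into) and would otherwise be
    flagged as soon as they save or autosave the document.
    """
    streams = defaultdict(bytearray)
    for w in writes:
        if w.pid in exclude_pids:
            continue
        streams[(w.pid, w.process, w.path)].extend(w.data)

    hits = []
    for (pid, process, path), buf in streams.items():
        for enc, text in _normalised_texts(buf):
            if canary in text:
                hits.append((pid, process, path, enc))
                break
    return hits


# Constructed trace modelled on the processes in the report.  PIDs 236, 241
# and 253 are from the post; the paths and the third logger are invented.
SAMPLE_TRACE = [
    # The launch agent appends one keystroke per write to its log.
    *[FileWrite(241, "clipboardd", "/Users/user/Library/Logs/.kl", ch.encode())
      for ch in CANARY],
    # TextEdit autosaves the document that legitimately contains the text.
    FileWrite(253, "TextEdit", "/Users/user/Library/Autosave Information/Untitled.txt",
              CANARY.encode()),
    # A hypothetical logger storing one key per line as UTF-16LE.
    FileWrite(300, "evil-logger", "/tmp/keys.txt",
              "\n".join(CANARY).encode("utf-16-le")),
    # Benign installer activity.
    FileWrite(236, "sample-cmd", "/Users/user/Library/LaunchAgents/clipboardd.plist",
              b"<plist version=\"1.0\"/>"),
]


def detect_sample():
    """Run the check over the constructed trace, ignoring the editor (PID 253)."""
    return find_keylogger_files(SAMPLE_TRACE, exclude_pids={253})


if __name__ == "__main__":
    for pid, process, path, enc in detect_sample():
        print(f"keylogger suspect: PID {pid} ({process}) stored canary in {path} [{enc}]")
```

The canary must be excluded for the process that received the keystrokes, otherwise the editor's own autosave file is reported; in the script this is the `exclude_pids` parameter. The sample run flags clipboardd and the invented UTF-16 logger, and ignores the installer's plist write.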
We are aware that the signature can be evaded, for example by a keylogger that encodes or encrypts its log before writing it, or that sends captured keys directly over the network instead of storing them. However, thanks to the agility of Joe Sandbox X, such new behaviours can be spotted and detected quickly. The detection of keyloggers is just one of many use cases of _JB Cookbook commands. _JBRunCmd allows the analyst to execute arbitrary (shell) commands, which often helps to combat evasive malware.

Full analysis report for xslcmd: