Lately we have seen an interesting word document (Original Name: Problem Feedback.doc, Virustotal Result 6/44, Date 15.11.2012) been analyzed with Joe Sandbox 7.0.0 in our cloud service Joe Sandbox Web. As one of the major extensions we have added a Static Code Analysis Engine (SCAE) to Joe Sandbox which enables to understand in detail code functions executed or not executed by the sample under analysis. The code analysis engine is feed by memory and "ret" dumps dynamically created by Joe Sandbox's Thread Analysis Engine (TAE) .
A good start for analyzing office documents is using our cookbook for exploit analysis. The cookbook uses the new command _JBEnableRetMemDumping(). By enabling "return dumping" the TAE captures and stores for each function / system call the code areas where the call has been started from. Because shellcode is often placed in the heap and only available for a short time "return dumps" are perfect for capturing any code fragments executed. With traditional memory dumping tools which only take a dump at a predefine timepoint one would not be able to catch shellcodes in general.
Below you find the process startup / signature part of the Joe Sandbox report generated by using the exploit analysis cookbook:
As the picture outlines we have develop generic signatures to identify document exploits and shellcode artifacts (Joe DD
demonstrates how good these signature work to identify any document exploit no matter if the exploit is know / unknown / a zero day). Navigation of the top menu bar leads to the disassembly section of the report:
SCAE has identified successfully some shellcode function as well as strings. Most interesting is function 26F002A:
The API calls executed by the shellcode have been identified by SCAE altough calls are hidden and based on stack data (e.g. ebp+24h). All xrefs and targets are click-able, enabling smooth browsing through the code function data. Function 26F002A contains the key functionality of the shellcode which is basically the extraction of a PE file located in the world document itself:
One of the big features of the SCAE output is that all code function are linked with dynamic behavior information. Thus an analyst can easily navigate from dynamic to static information. The picture above shows the PE file which is dropped / extract.
The complete Joe Sandbox exploit analysis report is available at: report-46e6a921eef3dafb97bf041147244f76
Beside the shellcode analysis the Joe Sandbox report reveals the following interesting facts:
- The name of the initial dropped file is dw20.exe. The file name dw20.exe is also used by Microsofts Application Error Reporting tool. It is launched by Word if a malformed document has been opened. However for this analysis dw20.exe is dropped / malicious file. We think using the name dw20.exe as a dropped file name is smart way to bypass exploit detect systems which blacklist child processes of Word by names.
- Dw20.exe drops the file fxsst.dll in C:\windows and then terminates.
- Fxsst.dll looks to be loaded once winlogon.exe starts due to dll hijacking trick (
Full Joe Sandbox exploit analysis report with SCAE analysis for DW20.exe: http://www.joesecurity.org/reports/report-46e6a921eef3dafb97bf041147244f761.html
Some more Joe Sandbox reports demonstrating the shellcode analysis feature (checkout the nop-sled detection signature):