Joe Security's Blog

We recently we came across an interesting sample on Joe Sandbox Cloud Basic:


The sample has been detected as malicious, yet this is mainly due to Antivirus signatures hits:


When looking closely at the Behavior Graph, one discovers something interesting:



The main sample is unpacking itself to facture_1398665.tmp. This process then creates a whole bunch of temporary PE files which are then renamed in the next step:

Hostile Firefox loading LOL

Among the PE files is a file called firefox.exe. Firefox.exe is indeed a legit copy of the famous Internet browser:



This is interesting because Firefox is used to load some of the malicious Dlls, including LOL_Dll.dll. Likey this bypasses some end-point protection tools and Antivirus:



Right after the LOL_DLL has been launched Firefox then crashes with some COM loading error:

GetKeyBoardLayout 0xC

So what is causing this crash? When carefully examining every detail of LOL_Dll.dll, it reveals the following code (LOL_Dll is not obfuscated or packed at all):


The corresponding code for that execution graph part is shown below. The code calls the Windows API GetKeyboardLayout and then performs some checks. The keyboard layout is language dependent. A US computer user has a different layout than a Swiss PC. By checking the layout, we realized it serves as a way to target the malware to specific users:


0Ch is matching French layouts:


As a result, the sample either executes its payloads or crashes, depending on the target machine keyboard.

Custom Keyboard Layout

Thanks to Cookbooks - a tiny script which fully defines the malware analysis procedure - we can easily change the default keyboard layout in a fully automated manner to what is required by the code:


The change of the layout is done via the control panel intl.cpl.

The cookbook is submitted together with the sample to Joe Sandbox. The resulting analysis is much richer and contains many IOCs.

Final Words