We recently we came across an interesting sample
on Joe Sandbox Cloud Basic:
The sample has been detected as malicious, yet this is mainly due to Antivirus signatures hits:
When looking closely at the Behavior Graph, one discovers something interesting:
The main sample is unpacking itself to facture_1398665.tmp. This process then creates a whole bunch of temporary PE files which are then renamed in the next step:
Hostile Firefox loading LOL
Among the PE files is a file called firefox.exe. Firefox.exe is indeed a legit copy of the famous Internet browser:
This is interesting because Firefox is used to load some of the malicious Dlls, including LOL_Dll.dll. Likey this bypasses some end-point protection tools and Antivirus:
Right after the LOL_DLL has been launched Firefox then crashes with some COM loading error:
GetKeyBoardLayout 0xC
So what is causing this crash? When carefully examining every detail of LOL_Dll.dll, it reveals the following code (LOL_Dll is not obfuscated or packed at all):
The corresponding code for that execution graph part is shown below. The code calls the Windows API GetKeyboardLayout and then performs some checks. The keyboard layout is language dependent. A US computer user has a different layout than a Swiss PC. By checking the layout, we realized it serves as a way to target the malware to specific users:
0Ch is matching French layouts:
As a result, the sample either executes its payloads or crashes, depending on the target machine keyboard.
Custom Keyboard Layout
Thanks to Cookbooks - a tiny script which fully defines the malware analysis procedure - we can easily change the default keyboard layout in a fully automated manner to what is required by the code:
The change of the layout is done via the control panel intl.cpl.
The cookbook is submitted together with the sample to Joe Sandbox. The resulting analysis is much richer and contains many IOCs.
Final Words
Joe Sandbox cannot be easily fooled by evasive malware. Thanks to hybrid code analysis, execution graph, and cookbooks, malware analysts have a powerful tool to analyze any malware.
This blog post is a very good example for that. Within minutes we are able to detect the evasive code and write a cookbook to analyze it.