In our last blog post we demonstrated some of the features of our new product Joe Sandbox X by analyzing the recent malware "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1). That post showed in detail how the malware installs itself and that one of its core payloads is a keylogger.
In this post, two new cool features are presented. In combination they make it possible to detect the payload of the xslcmd malware:
As the signature summary outlines, we have added a signature to detect keyloggers generically. Let's have a look at how this works.
Besides the installer (PID 236, sample-cmd) and the launch agent process (PID 241, clipboardd), the startup section of the report also lists the TextEdit.app process (PID 253):
This is actually a process that was started by a Cookbook. As you might already know, Cookbooks are a powerful technology that enables customization of the analysis procedure in order to influence and change the malware's behaviour. Here is the Cookbook used for the current analysis:
After loading the sample with _JBLoadProvidedBin, the text editor is opened with _JBRunCmd. Then the Cookbook simulates low-level keyboard strokes via _JBSimulateKeyboardStrokes; in this case the character sequence "0deconinput0" is typed in. The screenshot shows the launched text editor and the simulated user input:
A closer look at the launch agent process clipboardd (PID 241) running in the background shows that the simulated keystrokes are written to a log file in the user's home directory:
So, to detect keyloggers generically, Joe Sandbox X uses a Cookbook to simulate keystrokes and then uses behaviour signatures to look for the typed key sequence in data written to files. If such a sequence is found, it is obvious that the malware captures and stores keystrokes:
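As an added illustration of the logic such a signature implements (this is not Joe Sandbox X code, whose signature format is not shown in the post), the example below reassembles each process's per-file write stream, strips the decoration a keylogger typically adds around each logged key, and searches for the Cookbook's canary string. The event shape, the keylogger's log path and line format, and the exclusion of the editor that legitimately received the input are assumptions; the PIDs follow the report above.

```python
import re
from collections import defaultdict

# Canary the Cookbook types via _JBSimulateKeyboardStrokes (from the post).
CANARY = "0deconinput0"
LOG = "/Users/user/.keylog.txt"  # constructed path, not xslcmd's real log file

# Constructed write events as (pid, process, path, data).  PIDs follow the
# report above; the keylogger is assumed to log one decorated key per write,
# so the canary never shows up inside a single event.
SAMPLE_EVENTS = [
    (253, "TextEdit", "/Users/user/Untitled.rtf", CANARY.encode()),
    (236, "sample-cmd", "/tmp/install.log", b"agent installed\n"),
] + [
    (241, "clipboardd", LOG, f"12:00:{i:02d} [{c}]\n".encode())
    for i, c in enumerate(CANARY)
]


def normalize(data: bytes) -> str:
    """Drop HH:MM:SS timestamps, then everything but letters and digits, so
    per-key decoration cannot split the canary across the reassembled stream."""
    text = re.sub(r"\d{2}:\d{2}:\d{2}", "", data.decode("latin-1"))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def detect_keylogger(events, canary=CANARY, input_pid=None):
    """Return (pid, process, path) for every per-file write stream that
    contains the canary.  Writes by input_pid, the editor that legitimately
    received the keystrokes, are ignored so the editor itself is not flagged."""
    streams = defaultdict(bytearray)
    names = {}
    for pid, proc, path, data in events:
        if pid == input_pid:
            continue
        streams[(pid, path)] += data
        names[pid] = proc
    return [
        (pid, names[pid], path)
        for (pid, path), buf in streams.items()
        if canary in normalize(bytes(buf))
    ]


if __name__ == "__main__":
    for hit in detect_keylogger(SAMPLE_EVENTS, input_pid=253):
        print("keylogger candidate: pid=%d %s -> %s" % hit)
```

Without the input_pid exclusion the editor's own document save would also match, which is the false positive a real signature has to rule out.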
We are aware that the signature can be evaded. However, thanks to the agility of Joe Sandbox X it is easy to quickly spot and detect new behaviours. The detection of keyloggers is just one of many use cases of the _JB Cookbook commands. _JBRunCmd allows the analyst to execute arbitrary (shell) commands, which often helps to combat evasive malware.
Full analysis report for xslcmd: