In our last blog post we demonstrated some of the features of our new product Joe Sandbox X by analyzing the recent malware "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1). It was shown in detail how the malware installs itself and that one of its core payloads is a keylogger.
In this post, two new cool features are presented. In combination they allow the payload detection of the xslcmd malware:
As the signature summary outlines, we have added a signature to detect keyloggers generically. Let's have a look at how this works.
Beside the installer (PID 236, sample-cmd) and the launch agent process (PID 241, clipboardd), the startup section of the report also lists the TextEdit.app process (PID 253):
This is actually a process that was started by a Cookbook. As you might already know, Cookbooks are a powerful technology that enables the customization of the analysis procedure in order to influence and change the malware's behaviour. Here is the Cookbook used for the current analysis:
After loading the sample with _JBLoadProvidedBin, the text editor is opened with _JBRunCmd. Then the Cookbook simulates some low-level keyboard strokes via _JBSimulateKeyboardStrokes. In this case, the characters "0deconinput0" are typed in. The screenshot reveals the launched text editor and the simulated user input:
By having a closer look at the launch agent process clipboardd (PID 241) running in the background, it can be observed that the simulated keyboard strokes are written to a log file residing in the user's home directory:
So to generically detect keyloggers, Joe Sandbox X uses a Cookbook to simulate keystrokes and then uses behaviour signatures to look for the typed key sequence in data written to files. If such a sequence is found, it is obvious that the malware captures and stores keystrokes:
We are aware that the signature can be evaded. However, due to the agility of Joe Sandbox X, it is easy to quickly spot and detect new behaviours. The detection of keyloggers is just one of many use cases of _JB Cookbook commands. _JBRunCmd allows the analyst to execute arbitrary (shell) commands, which often helps to combat evasive malware.
Full analysis report for xslcmd:
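As an added illustration of the detection idea described in this post (example code written for this page, not code from the original post or from Joe Security), the following Python script applies the same "typed canary found in a file write" logic to a constructed list of file-write events. The canary string "0deconinput0" and the PIDs and process names (236 sample-cmd, 241 clipboardd, 253 TextEdit) come from the post; the event structure, the file paths and contents, and the decision to exclude the editor process that legitimately receives the input are assumptions made for the example.

```python
"""Toy behaviour signature: find a Cookbook-typed canary in file writes."""
import re
from dataclasses import dataclass

# The key sequence the Cookbook types (taken from the post).
CANARY = "0deconinput0"


@dataclass
class FileWriteEvent:
    """One file-write record from a (constructed) sandbox report."""
    pid: int
    process: str
    path: str
    data: bytes


def normalize(data: bytes) -> str:
    """Reduce written bytes to a lowercase alphanumeric string.

    Keyloggers often store one key per line, add timestamps, or emit
    key names such as <Return>; stripping those tokens and every
    non-alphanumeric character makes the canary comparable regardless
    of the log layout (assumption: the log is plain text, not encrypted).
    """
    text = data.decode("utf-8", errors="ignore")
    text = re.sub(r"<[^>]*>", "", text)            # drop <Return>, <Shift>, ...
    return re.sub(r"[^0-9a-zA-Z]", "", text).lower()


def canary_hits(events, canary=CANARY, exclude_pids=frozenset()):
    """Return the events whose written data contains the canary.

    exclude_pids holds the processes that legitimately receive the
    simulated input (the editor launched by the Cookbook); an autosave
    by TextEdit would otherwise look like a keylogger.
    """
    wanted = normalize(canary.encode())
    return [ev for ev in events
            if ev.pid not in exclude_pids and wanted in normalize(ev.data)]


def keylogger_signature(events, canary=CANARY, exclude_pids=frozenset()):
    """Signature verdict plus the (pid, process, path) tuples that matched."""
    hits = canary_hits(events, canary, exclude_pids)
    return {
        "matched": bool(hits),
        "writers": sorted({(h.pid, h.process, h.path) for h in hits}),
    }


# Constructed sample events: PIDs and process names follow the post,
# file paths and file contents are made up for this example.
SAMPLE_EVENTS = [
    FileWriteEvent(241, "clipboardd", "/Users/user/.keylog.txt",
                   b"[2014-09-10 12:00:01] 0deconinput0\n"),
    FileWriteEvent(241, "clipboardd", "/Users/user/Library/Logs/keys.log",
                   b"0\nd\ne\nc\no\nn\ni\nn\np\nu\nt\n0\n<Return>\n"),
    FileWriteEvent(253, "TextEdit", "/Users/user/Untitled.txt",
                   b"0deconinput0"),            # editor autosave, not a keylogger
    FileWriteEvent(236, "sample-cmd", "/tmp/install.log",
                   b"installed launch agent\n"),
]

if __name__ == "__main__":
    print(keylogger_signature(SAMPLE_EVENTS, exclude_pids={253}))
```

Running the script reports a match for the two clipboardd writes only: the TextEdit write is excluded because that process was started by the Cookbook to receive the keystrokes, and the installer log never contains the canary. The normalization step is what makes the check tolerant of per-key line breaks and key-name tokens, but, as the post notes, a logger that encrypts or otherwise encodes its log before writing will slip past a plain-text comparison and needs a further signature.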