In this post, two new features are presented. In combination, they allow detection of the payload of the xslcmd malware:
As the signature summary outlines, we have added a signature to detect keyloggers generically. Let's have a look at how this works.
Besides the installer (PID 236, sample-cmd) and the launch agent process (PID 241, clipboardd), the startup section of the report also lists the TextEdit.app process (PID 253):
A closer look at the launch agent process clipboardd (PID 241), which runs in the background, shows that the simulated keystrokes are written to a log file in the user's home directory:
To detect keyloggers generically, Joe Sandbox X uses a Cookbook to simulate keystrokes and then uses behaviour signatures to look for the typed key sequences in files written by the sample. If such a sequence is found, it is obvious that the malware captures and stores keystrokes:
We are aware that the signature can be evaded. However, due to the agility of Joe Sandbox X it is easy to quickly spot and detect new behaviours. The detection of keyloggers is just one of many use cases of _JB Cookbook commands. _JBRunCmd allows the analyst to execute arbitrary (shell) commands, which often helps to combat evasive malware.
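The detection idea described above, as an added example that is not Joe Sandbox X's own signature code: a known canary string is typed during analysis, and every file write recorded for the sample is searched for that string. The canary value, the event format and the file paths are constructed for this illustration; the normalisation step also tolerates simple per-key separators and "[key]" markup, which goes slightly beyond the plain match the post describes.

```python
import re
from dataclasses import dataclass

# Constructed canary: the key sequence a Cookbook would type into TextEdit
# during analysis (hypothetical value; the real Cookbook sequence is not on the page).
CANARY = "JoeSandboxKeyTest42"


@dataclass
class FileWrite:
    """One file-write event from a sandbox behaviour log (constructed format)."""
    pid: int
    process: str
    path: str
    data: bytes


def normalise(data: bytes) -> str:
    """Collapse common keylogger output styles into plain text so the canary
    can be matched: strip '[shift]'-style markup and per-key separators."""
    text = data.decode("utf-8", errors="ignore")
    text = re.sub(r"\[[^\]]*\]", "", text)    # drop markup such as [enter]
    return re.sub(r"[\s\x00,;|]+", "", text)  # drop spaces, NULs, delimiters


def find_keylog_writes(events, canary=CANARY):
    """Return (pid, process, path) for every write whose content contains the canary."""
    needle = canary.lower()
    return [(e.pid, e.process, e.path) for e in events
            if needle in normalise(e.data).lower()]


# Constructed events mirroring the report: the launch agent stores the typed keys
# in a log file under the home directory; the other processes write unrelated data.
EVENTS = [
    FileWrite(241, "clipboardd", "/Users/user/.keylog.txt",
              b"J o e S a n d b o x K e y T e s t 4 2 [enter]"),
    FileWrite(253, "TextEdit", "/Users/user/Documents/Untitled.txt",
              b"Unrelated document text"),
    FileWrite(236, "sample-cmd", "/Users/user/Library/LaunchAgents/agent.plist",
              b"<plist/>"),
]

if __name__ == "__main__":
    for pid, proc, path in find_keylog_writes(EVENTS):
        print(f"keylogger behaviour: PID {pid} ({proc}) stored typed keys in {path}")
```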
Full analysis report for xslcmd: