FireEye released a Free automated analysis tool FLASHMINGO, which enables malware analysts to detect suspicious flash samples and to investigate them.
The tool integrates various analysis workflows as a stand-alone application or as a powerful library and it can be extended via Python plug-ins.
Adobe flash remains as the most exploited software by attackers, it has more than one thousand CVEs assigned till date and almost nine hundred of these vulnerabilities have CVSS score near of nine or higher.
“We must find a compromise between the need to analyze Flash samples and the correct amount of resources to be spent on a declining product. To this end, we developed FLASHMINGO, a framework to automate the analysis of SWF files,” read FireEye blog post.
FLASHMINGO leverages the open source framework SWIFFAS to parse the Flash files. With FLASHMINGO all the binary data and bytecode are parsed and stored as SWFObject.
The SWFObject contains a list of tags that include information about all methods, strings, constants and embedded binary data, to name a few.
The tool is a collection of plug-ins that cover a wide range of common analysis that operates SWFObject and extracts the following information.
- Find suspicious method names. Many samples contain method names used during development, like “run_shell” or “find_virtualprotect”. This plug-in flags samples with methods containing suspicious substrings.
- Find suspicious constants. The presence of certain constant values in the bytecode may point to malicious or suspicious code. For example, code containing the constant value 0x5A4D may be shellcode searching for an MZ header.
- Find suspicious loops. Malicious activity often happens within loops. This includes encoding, decoding, and heap spraying. This plug-in flags method containing loops with interesting operations such as XOR or bitwise AND. It is a simple heuristic that effectively detects most encoding and decoding operations, and otherwise, the interesting code to further analyse.
- Retrieve all embedded binary data.
- A decompiler plug-in that uses the FFDEC Flash Decompiler. This decompiler engine, written in Java, can be used as a stand-alone library. Since FLASHMINGO is written in Python, using this plug-in requires Jython to interoperate between these two languages.
FLASHMINGO can be extended by adding your own plug-in, it has all the plug-ins listed under the plug-ins directory, you can copy your plugin to the template directory, rename it, and edit its manifest and code.
“Even though Flash is set to reach its end of life at the end of 2020 and most of the development community has moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while.”
FLASHMINGO offers malware analysts a flexible framework to deal with Flash samples, you can download the tool from the GitHub Repository.