{"id":4309,"date":"2017-09-22T23:05:40","date_gmt":"2017-09-22T23:05:40","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4309"},"modified":"2017-09-22T23:09:47","modified_gmt":"2017-09-22T23:09:47","slug":"enter-sandbox-part-15-the-muddy-heavy-water-world-of-atomic-formats","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/09\/22\/enter-sandbox-part-15-the-muddy-heavy-water-world-of-atomic-formats\/","title":{"rendered":"Enter Sandbox \u2013 part 15: The muddy, heavy water world of atomic formats&#8230;"},"content":{"rendered":"<p>Sample analysis process typically covers looking at the most common forensic suspects including <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/12\/23\/santas-bag-full-of-mutants\/\">mutexes<\/a>, <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/04\/05\/the-easter-bunny-comes-with-a-bag-full-of-events\/\">event names<\/a>, and <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/02\/19\/year-of-sheep-starts-with-a-bag-full-of-atoms\/\">atoms<\/a>. However, there is one more sub-artifact <a href=\"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/20150319-00\/?p=44433\">sitting on the same bench<\/a> with the last one I have listed&#8230; one that often escapes the scrutiny of sandboxes and malware analysts &#8211; the clipboard format.<\/p>\n<p>The clipboard format is registered using the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms649049(v=vs.85).aspx\">RegisterClipboardFormat<\/a> function &#8211; it allows applications to interchange data as long as they understand the format. The registration is implemented with the use of atoms as <a href=\"http:\/\/mista.nu\/research\/smashing_the_atom.pdf\">explained in this presentation<\/a>.<\/p>\n<p>Sandboxes and analysts inspecting the calls to RegisterClipboardFormat can use the received data in many ways. 
This data can help to determine the file type of the sample and its modules, identify a malware\/adware family or the programming framework used, and in some cases heuristically detect capabilities of the tested sample. I have listed a few example clipboard formats below. One set that immediately stands out is the Delphi clipboard formats:<\/p>\n<ul>\n<li>Delphi Picture<\/li>\n<li>Delphi Component<\/li>\n<li>ControlOfs&lt;HEX-STRING&gt; (e.g. ControlOfs00400000000007A8)<\/li>\n<\/ul>\n<p>Finding these in the API calls or even in memory is a good indication that there is a Delphi application running.<\/p>\n<p>The same goes for <a href=\"http:\/\/www.369o.com\/data\/books\/atl\/0321159624\/ch12lev1sec2.html\">ATL<\/a> samples:<\/p>\n<ul>\n<li>WM_ATLGETCONTROL<\/li>\n<li>WM_ATLGETHOST<\/li>\n<\/ul>\n<p>There are also malware\/adware-specific formats, e.g.:<\/p>\n<ul>\n<li>AmInst__Runing<\/li>\n<li>yimomotoTec Picture<\/li>\n<li>yimomotoTec Component<\/li>\n<li>PowerSpider<\/li>\n<li>RinLoggerInstance<\/li>\n<li>SatoriWM_SetNetworkShareableFlag<\/li>\n<li>Transfer_File_Success_Doyo<\/li>\n<li>180StartDownload<\/li>\n<\/ul>\n<p>&#8230; RAT-related formats:<\/p>\n<ul>\n<li>WinVNC.Update.Mouse<\/li>\n<li>WinVNC.Update.DrawRect<\/li>\n<li>WinVNC.Update.CopyRect<\/li>\n<li>WinVNC.AddClient.Message<\/li>\n<li>UltraVNC.Viewer.FileTransferSendPacketMessage<\/li>\n<\/ul>\n<p>&#8230; test formats:<\/p>\n<ul>\n<li>Hey, this is unicough single instance test<\/li>\n<li>UWM_GAMETESTCMD_{75AEED17-2310-4171-94C6-08AC4438E814}_MSG<\/li>\n<li>Message.My.Super.Puper.Test.Program.XXX<\/li>\n<li>KSDB_TEST: Message communciation between Agent and its TEST host client.<\/li>\n<li>FONT-TEST<\/li>\n<\/ul>\n<p>&#8230; various functionality-related 
formats:<\/p>\n<ul>\n<li>WM_HTML_GETOBJECT<\/li>\n<li>RasDialEvent<\/li>\n<li>EXPLORER.EXEIsDebuggerPresentExEdLl<\/li>\n<li>winmm_devicechange<\/li>\n<li>WM_HOOKEX_RK<\/li>\n<li>UWM_KEYHOOK_MSG-968C3043-1128-43dc-83A9-55122C8D87C1<\/li>\n<li>Transfer_File_Success_Doyo<\/li>\n<li>3rdeye_tb_hacking_dll<\/li>\n<li>keyhook_msg<\/li>\n<\/ul>\n<p>&#8230; P2P program formats:<\/p>\n<ul>\n<li>EMULE-{4EADC6FC-516F-4b7c-9066-97D893649570}<\/li>\n<li>KazaaNewSearch<\/li>\n<\/ul>\n<p>&#8230; possible hints about the programmer&#8217;s mother tongue:<\/p>\n<ul>\n<li>Karte ziehen<\/li>\n<li>querodarmeucu<\/li>\n<\/ul>\n<p>&#8230; random:<\/p>\n<ul>\n<li>trhgtehgfsgrfgtrwegtre<\/li>\n<li>frgjbfdkbnfsdjbvofsjfrfre<\/li>\n<li>hgtrfsgfrsgfgregtregtr<\/li>\n<li>gsegtsrgrefsfsfsgrsgrt<\/li>\n<\/ul>\n<p>A short list of top 30 formats I collected from my sample set (occurrence count, then format name):<\/p>\n<pre>\u00a046894 TaskbarCreated\r\n 30020 commdlg_FindReplace\r\n 27886 Delphi Picture\r\n 27886 Delphi Component\r\n 27491 commdlg_help\r\n 13920 WM_ATLGETCONTROL\r\n 13914 WM_ATLGETHOST\r\n 11000 3\r\n  8395 commctrl_DragListMsg\r\n  7445 1\r\n  6909 WM_GETCONTROLNAME\r\n  5475 FileName\r\n  5020 Embedded Object\r\n  4899 Link Source\r\n  4885 Rich Text Format\r\n  4787 Object Descriptor\r\n  4652 commdlg_ColorOK\r\n  4576 OwnerLink\r\n  4574 Embed Source\r\n  4569 Link Source Descriptor<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Sample analysis process typically covers looking at the most common forensic suspects including mutexes, event names, and atoms. 
However, there is one more sub-artifact sitting on the same bench with the last one I have listed&#8230; one that often escapes &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/09\/22\/enter-sandbox-part-15-the-muddy-heavy-water-world-of-atomic-formats\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,39,9,44,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4309"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4309"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4309\/revisions"}],"predecessor-version":[{"id":4312,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4309\/revisions\/4312"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
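The triage the post describes, pulling RegisterClipboardFormat calls out of a sandbox API trace, tallying the names the way the frequency table above does, and mapping them to the indicator groups the post lists (Delphi, ATL, VNC-based RATs, P2P clients, test builds, keyboard-mash names), as an added example that is not code from the original post. The trace line format, the tag names, and the low-vowel "keyboard mash" heuristic are assumptions made here; the indicator strings are the ones the post itself lists. enumerate_registered_formats walks the documented 0xC000-0xFFFF id range that RegisterClipboardFormat hands out, which is one way to see every registered format name on a live Windows box; it returns an empty list elsewhere so the module stays importable.

```python
"""Classify clipboard-format names from a sandbox API trace (added example)."""
import re
import sys
from collections import Counter

# Exact-name indicators grouped by what their presence suggests (names taken from the post).
TAGS_BY_NAME = {
    "delphi": {"Delphi Picture", "Delphi Component"},
    "atl": {"WM_ATLGETCONTROL", "WM_ATLGETHOST"},
    "vnc-rat": {"WinVNC.Update.Mouse", "WinVNC.Update.DrawRect", "WinVNC.Update.CopyRect",
                "WinVNC.AddClient.Message", "UltraVNC.Viewer.FileTransferSendPacketMessage"},
    "p2p": {"KazaaNewSearch"},
    "keylogger-hook": {"WM_HOOKEX_RK", "keyhook_msg", "RinLoggerInstance",
                       "UWM_KEYHOOK_MSG-968C3043-1128-43dc-83A9-55122C8D87C1"},
}
# Pattern indicators: Delphi's per-instance ControlOfs<hex> name, eMule's GUID-suffixed name,
# and anything that calls itself a test (the tag names are assumptions, not from the post).
TAGS_BY_REGEX = {
    "delphi": re.compile(r"^ControlOfs[0-9A-Fa-f]{8,}$"),
    "p2p": re.compile(r"^EMULE-\{[0-9A-Fa-f-]{36}\}$"),
    "test-build": re.compile(r"test", re.IGNORECASE),
}
VOWELS = set("aeiou")


def looks_like_keyboard_mash(name):
    """Heuristic (assumption): long, all-lowercase, letters-only names with few vowels."""
    if len(name) < 16 or not (name.isalpha() and name.islower()):
        return False
    return sum(ch in VOWELS for ch in name) / len(name) < 0.2


def classify(name):
    """Return the set of tags a single clipboard-format name suggests."""
    tags = {tag for tag, names in TAGS_BY_NAME.items() if name in names}
    tags |= {tag for tag, rx in TAGS_BY_REGEX.items() if rx.search(name)}
    if looks_like_keyboard_mash(name):
        tags.add("random-name")
    return tags


# Constructed trace lines in an assumed "<tid> Api("arg") = ret" layout, not real sandbox output.
SAMPLE_TRACE = """\
[0x1a4] RegisterClipboardFormatA("Delphi Picture") = 0xC1F3
[0x1a4] RegisterClipboardFormatA("Delphi Component") = 0xC1F4
[0x1a4] RegisterClipboardFormatA("ControlOfs00400000000007A8") = 0xC1F5
[0x1a4] RegisterClipboardFormatW("WinVNC.Update.Mouse") = 0xC1F6
[0x1a4] RegisterClipboardFormatA("trhgtehgfsgrfgtrwegtre") = 0xC1F7
[0x1a4] RegisterClipboardFormatA("Delphi Picture") = 0xC1F3
[0x1a4] GetClipboardFormatNameA(0xC1F3, ...) = 14
"""
TRACE_RX = re.compile(r'RegisterClipboardFormat[AW]\("([^"]*)"\)')


def parse_trace(lines):
    """Yield the format name argument of every RegisterClipboardFormat call in the trace."""
    for line in lines:
        m = TRACE_RX.search(line)
        if m:
            yield m.group(1)


def summarize(lines):
    """Count registered names (like the post's frequency table) and union their tags."""
    counts = Counter(parse_trace(lines))
    tags = set()
    for name in counts:
        tags |= classify(name)
    return {"counts": counts, "tags": tags}


def enumerate_registered_formats():
    """On Windows, list (id, name) for every registered clipboard format.

    Registered formats get ids in 0xC000-0xFFFF; GetClipboardFormatNameW returns 0 for
    ids that are not in use, so probing the whole range recovers the names.
    """
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetClipboardFormatNameW.argtypes = (wintypes.UINT, wintypes.LPWSTR, ctypes.c_int)
    user32.GetClipboardFormatNameW.restype = ctypes.c_int
    buf = ctypes.create_unicode_buffer(256)
    found = []
    for fmt_id in range(0xC000, 0x10000):
        if user32.GetClipboardFormatNameW(fmt_id, buf, len(buf)):
            found.append((fmt_id, buf.value))
    return found


if __name__ == "__main__":
    result = summarize(SAMPLE_TRACE.splitlines())
    for name, n in result["counts"].most_common():
        print(f"{n:6d} {name}")
    print("tags:", ", ".join(sorted(result["tags"])))
    for fmt_id, name in enumerate_registered_formats():
        print(f"0x{fmt_id:04X} {name}")
```

Feed real sandbox output through parse_trace after adjusting TRACE_RX to that sandbox's line layout; the Delphi ControlOfs name is the one to match by pattern rather than literally, since the hex suffix changes per build. Running the script on a Windows analysis VM after the sample has executed also lists any format the sample registered that the trace missed, because the name stays in the atom table for the session.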