FireEye released a free automatic analysis tool flashmingo, which can detect suspicious flash samples and conduct investigations. The tool integrates various analytics workflows into a single application and can be extended with Python plugins. Adobe Flash is the most exploited software by attackers. So far, it has more than 1000 CVEs, and nearly 900 of them have CVSS scores close to 9 or above.
Flashmingo uses the open source framework SWIFFAS to parse Flash files. All binary data and bytecode are parsed and stored as SWFObject. The SWFObject contains a list of tags that contain information about all method names, strings, constants, and embedded binary data. This tool covers common analysis methods, including manipulating SWFObject and extracting the following information.
- Find suspicious method names. Many samples contain method names used during development, like “run_shell” or “find_virtualprotect”. This plug-in flags samples with methods containing suspicious substrings.
- Find suspicious constants. The presence of certain constant values in the bytecode may point to malicious or suspicious code. For example, code containing the constant value 0x5A4D may be shellcode searching for an MZ header.
- Find suspicious loops. Malicious activity often happens within loops. This includes encoding, decoding, and heap spraying. This plug-in flags methods containing loops with interesting operations such as XOR or bitwise AND. It is a simple heuristic that effectively detects most encoding and decoding operations, and otherwise interesting code to further analyse.
- Retrieve all embedded binary data.
- A decompiler plug-in that uses the FFDEC Flash Decompiler. This decompiler engine, written in Java, can be used as a stand-alone library. Since FLASHMINGO is written in Python, using this plug-in requires Jython to interoperate between these two languages.
Flashmingo can be extended by adding your own plugins, which have all the plugins listed under the plugin directory, you can copy the plugins into the template directory, rename, and edit the manifests and code. Although Flash will stop updating at the end of 2020, and most development communities have stopped using it for a long time, Flash is likely to be used as an attack vector.
Flashmingo is available on Github.