Thursday, October 3, 2024
HomeInfosec- ResourcesFLASHMINGO - Free Threat Intelligence Tool for Malware Analysts' to Analyse Flash...

FLASHMINGO – Free Threat Intelligence Tool for Malware Analysts’ to Analyse Flash Exploits

Published on

FireEye released a Free automated analysis tool FLASHMINGO, which enables malware analysts to detect suspicious flash samples and to investigate them.

The tool integrates various analysis workflows as a stand-alone application or as a powerful library and it can be extended via Python plug-ins.

Adobe flash remains as the most exploited software by attackers, it has more than one thousand CVEs assigned till date and almost nine hundred of these vulnerabilities have CVSS score near of nine or higher.

- Advertisement - EHA

“We must find a compromise between the need to analyze Flash samples and the correct amount of resources to be spent on a declining product. To this end, we developed FLASHMINGO, a framework to automate the analysis of SWF files,” read FireEye blog post.

https://twitter.com/FireEye/status/1117839324366692356

FLASHMINGO leverages the open source framework SWIFFAS to parse the Flash files. With FLASHMINGO all the binary data and bytecode are parsed and stored as SWFObject.

The SWFObject contains a list of tags that include information about all methods, strings, constants and embedded binary data, to name a few.

The tool is a collection of plug-ins that cover a wide range of common analysis that operates SWFObject and extracts the following information.

  • Find suspicious method names. Many samples contain method names used during development, like “run_shell” or “find_virtualprotect”. This plug-in flags samples with methods containing suspicious substrings.
  • Find suspicious constants. The presence of certain constant values in the bytecode may point to malicious or suspicious code. For example, code containing the constant value 0x5A4D may be shellcode searching for an MZ header.
  • Find suspicious loops. Malicious activity often happens within loops. This includes encoding, decoding, and heap spraying. This plug-in flags method containing loops with interesting operations such as XOR or bitwise AND. It is a simple heuristic that effectively detects most encoding and decoding operations, and otherwise, the interesting code to further analyse.
  • Retrieve all embedded binary data.
  • A decompiler plug-in that uses the FFDEC Flash Decompiler. This decompiler engine, written in Java, can be used as a stand-alone library. Since FLASHMINGO is written in Python, using this plug-in requires Jython to interoperate between these two languages.

FLASHMINGO can be extended by adding your own plug-in, it has all the plug-ins listed under the plug-ins directory, you can copy your plugin to the template directory, rename it, and edit its manifest and code.

“Even though Flash is set to reach its end of life at the end of 2020 and most of the development community has moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while.”

FLASHMINGO offers malware analysts a flexible framework to deal with Flash samples, you can download the tool from the GitHub Repository.

Course: Learn Malware Analysis – Advance Malware Analyst Bundle

Other Relevant Tools

FileTSAR – A Free all-in-one Forensic Toolkit for Law Enforcement Agencies

Cynet Offers a Free Threat Assessment for Mid-Sized and Large Organizations – Take a Free Ride Now

Commando VM – Windows-based Distribution for Penetration Testers Like Kali Linux

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

ANY.RUN announced an upgrade to its Threat Intelligence Portal, enhancing its capabilities to identify...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Best SIEM Tools List For SOC Team – 2024

The Best SIEM tools for you will depend on your specific requirements, budget, and...

Microsoft Copilot for Security: AI tool to Help Security and IT professionals

Microsoft Copilot for security was a generative AI solution that can help security and...