Pure Innovation: Hybrid Decompilation with Joe Sandbox DEC

September 30, 2015, 6:42 am

≫ Next: Introducing Behavior Graphs in Joe Sandbox 13

≪ Previous: Meet Joe Security at IT-SA Security Expo 6. - 9. October in Nürnberg

Joe Security is proud to announce its latest innovative technology - Hybrid Decompilation (HDC). This unique new feature builds upon Hybrid Code Analysis (HCA) to empower the malware analyst with extensive code analysis capabilities. Existing Joe Sandbox reports already include a hybrid low-level disassembly for each relevant function found during the analysis, which combines information from both static and dynamic analyses. Thanks to the Joe Sandbox DEC plugin implementing HDC, Joe Sandbox reports can now also display an equivalent C high-level source code representation for each function, which constitutes a huge boost to the process of reverse engineering.

Here is a very simple report extract to illustrate the purpose of this Hybrid Decompilation feature.
Suppose we have the following disassembly for a function in a Joe Sandbox report:

Joe Sandbox DEC will generate the following corresponding C source code:

E00406D20(CHAR* _a4) {
 long _t4;
 void* _t6;

 _t6 = CreateMutexA(0, 1, _a4);
 _t4 = GetLastError();
 if(_t4 == 0xb7) {
  ExitProcess(0);
 }
 if(_t6 != 0) {
  return ReleaseMutex(_t6);
 }
 return _t4;
}

As seen in this example, the source code highlights the function parameters and local variables, and makes its control structures and function calls much more explicit.

Decompilation 101

The process of translating machine or assembly code to source code is called decompilation. From a high-level perspective, decompilation is the reverse of compilation: it starts with low-level machine code and builds a higher-level representation in several incremental stages. Decompilation is usually much more efficient and gives better results if it can use symbolic information found in the binary file or in associated debug files.
Decompilation can also be seen as a natural extension to disassembly, and indeed the first stage of a decompilation engine is a disassembler. But besides the usual difficulty of code and data separation during disassembly, the decompilation process must also solve the following issues:

Rebuild function prototypes and infer local variables while getting rid of register and stack references.
Generate high-level control structures (if, switch/case, do/while/for loops) from basic jumps and compares, discovering calls to known APIs and libraries (such as PE file imports).
Retrieve high-level type information (including compound types such as structures and unions).
Assign the correct arguments to function calls.

This schema presents the global architecture of a generic decompilation engine:

Decompilation builds on techniques developed initially for compilation, such as control and data-flow analyses, register allocation, loop transformation and alias analyses. But decompilation has its own challenges and it is usually considered extremely difficult to automatically decompile an arbitrary machine code, and even more so for obfuscated malware code for which no symbolic information is available. Keeping this in mind, the goal of Joe Sandbox DEC is to provide the user with a fast decompilation of the most relevant functions found in the analyzed sample, together with a measurement of the quality of the decompilation.

Hybrid Decompilation

Compared to a generic decompilation engine, Hybrid Decompilation introduces three powerful features:

Instead of running on the initial PE file, which may be packed or contain hidden code, HDC runs on PE files generated from dynamic memory snapshots which give an accurate picture of the code which is actually executed.
HCA provides input information to HDC such as known Windows API function calls, discovered used string values and statement execution status. This is akin to retrieving symbolic information and is very useful for achieving better decompilation results.
HDC has an extensive knowledge of Windows API types and function prototypes, thus enabling the use of high-level types in the output source code files.

These features make HDC a big improvement over a purely static decompilation engine:

"Better decompilation code coverage": all function entry points discovered by the powerful heuristics of HCA are made available as decompilation entry points.
"Better decompilation quality": in particular, knowledge of indirect call targets as provided by HCA makes decompilation both faster and more precise.
"Decompiled source code commenting": observed runtime information such as statement execution status and variable value can be added to the decompiled source code in the form of comments.

Some Hybrid Decompilation Source Code Outputs

Let us now have a look at some actual examples of HDC-generated C source codes to get a taste of the power of Hybrid Decompilation.
The first decompiled source code is extracted from the sample studied in blog post http://joe4security.blogspot.ch/2015/04/the-power-of-execution-graphs-part-13.html.

E0040912A(void* __edi, void* __eflags, long _a4) {
 long _v8;
 long _v12;
 long _v16;
 struct _SYSTEMTIME _v32;
 void* _t13;
 void* _t17;
 void* _t28;
 signed int _t29;
 void* _t30;
 void* _t32;
 CHAR* _t35;

 _t32 = __edi;
 _t35 = _a4;
 E00406DB0(_t35);
 _pop(_t29);
 GetSystemTime( &_v32);
 if(_v32.wMonth >= 0xb && _v32.wYear >= 0x7da) {
  ExitProcess(0); // executed
 }
 _t13 = E004070C0();
 _t40 = _t13;
 if(_t13 != 0) {
  E00408A06(_t29, __eflags, _t35);
  _pop(_t29);
 } else {
  E00406E00();
 }
 E004084F7(_t29, _t40, _t35);
 _t41 =  *0x4011e8 - 1;
 _pop(_t30);
 if( *0x4011e8 == 1) {
  E00409900();
 }
 E00409029(_t28, _t30, _t32, _t41);
 _push(_t35);
 _t17 = E00408220();
 if(_t17 != 0) {
  return _t17;
 } else {
  _push(_t32);
  if(_v32.wMonth >= 7 && _v32.wYear >= 0x7da) {
   CreateThread(0, 0, E004098A0, 0, 0,  &_a4);
   CreateThread(0, 0, E00407180, 0, 0,  &_v8);
   CreateThread(0, 0, E00407230, 0, 0,  &_v12);
   if( *0x4011dc == 1) {
    CreateThread(0, 0, E00407A80, 0, 0,  &_v16);
   }
  }
  L14:
  Sleep(0x3ab0);
  goto L14;
 }
}

The source code really highlights the condition on the system time under which the sample immediately terminates (see lines 18 to 20). Thanks to HDC, the comment of line 20 gives us the information that the evasive behavior has been triggered for the analyzed sample’s run. Still, the static component of Hybrid Decompilation gives information about what occurs in the non-evasive case. In particular, several thread creations may occur at lines 44-48, and the corresponding calls to CreateThread have explicit call arguments including the reference to the function executed by the new thread.
Our second decompiled source sample is a function belonging to a PE file dropped by the Rombertik malware (see analysis http://www.joesecurity.org/reports/report-f504ef6e9a269e354de802872dc5e209.html)

E00401960() {
 void _v5;
 void _v6;
 void _v7;
 int _v12;
 int _v16;
 char _v280;
 long _v292;
 long _v308;
 void* _v316;
 char _v572;
 char _v828;
 char* _t36;
 char* _t39;
 void* _t42;
 intOrPtr* _t44;
 int _t46;
 intOrPtr* _t47;
 intOrPtr* _t51;
 int _t54;
 void* _t59;
 _Unknown_base(*)()* _t62;
 void* _t69;
 void* _t71;
 void* _t74;
 int _t77;
 int _t79;
 long _t82;
 void* _t94;
 void* _t98;
 void* _t99;
 void* _t100;

 _v316 = 0x128;
 _t77 = 0x100;
 _t36 =  &_v828;
 goto L1;
 L4:
 _t79 = 0x100;
 _t39 =  &_v572;
 do {
   *_t39 = 0;
  _t39 = _t39 + 1;
  _t79 = _t79 - 1;
 } while (_t79 != 0);
 _v12 = 0x100;
 CryptStringToBinaryA("aWV4cGxvcmUuZXhl", 0x10, 1,  &_v572,  &_v12, 0, 0);
 while(1) {
  _t42 = CreateToolhelp32Snapshot(2, 0); // executed
  _v12 = _t42;
  Process32First(_t42,  &_v316); // executed
  do {
   _t44 = "chrome.exe";
   do {
    _t44 = _t44 + 1;
   } while ( *_t44 != 0);
   _t46 = StrCmpNA( &_v280, "chrome.exe", _t44 - "chrome.exe"); // executed
   if(_t46 != 0) {
    _t47 =  &_v572;
    if(_v572 == 0) {
     L20:
     if(StrCmpNA( &_v280,  &_v572, _t47 -  &_v572) != 0) {
      _t51 = "firefox.exe";
      do {
       _t51 = _t51 + 1;
      } while ( *_t51 != 0);
      if(StrCmpNA( &_v280, "firefox.exe", _t51 - "firefox.exe") != 0) {
       goto L39;
      }
      _t99 = OpenProcess(0x1fffff, 0, _v308);
      if(_t99 == 0) {
       goto L39;
      }
      _t59 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateFileW");
      if(_t59 == 0) {
       L38:
       CloseHandle(_t99);
       goto L39;
      }
      _v6 = 0;
      if(ReadProcessMemory(_t99, _t59,  &_v6, 1, 0) != 0 && _v6 != 0xe9) {
       _push(_t99);
       _push(E004018E0);
       L35:
       _t62 = E00402690();
       _t100 = _t100 + 8;
       if(_t62 != 0) {
        _t94 = CreateRemoteThread(_t99, 0, 0, _t62, 0, 0, 0);
        if(_t94 != 0) {
         WaitForSingleObject(_t94, 0xffffffff);
         CloseHandle(_t94);
        }
       }
      }
      goto L38;
     }
     if(E00402AE0( &_v828) == _v292) {
      goto L39;
     }
     _t99 = OpenProcess(0x1fffff, 0, _v308);
     if(_t99 == 0) {
      goto L39;
     }
     _t69 = GetProcAddress(LoadLibraryA("Wininet.dll"), "HttpSendRequestW");
     if(_t69 == 0) {
      goto L38;
     }
     _v5 = 0;
     if(ReadProcessMemory(_t99, _t69,  &_v5, 1, 0) == 0 || _v5 == 0xe9) {
      goto L38;
     } else {
      _push(_t99);
      _push(E00402040);
      goto L35;
     }
    }
    do {
     _t47 = _t47 + 1;
    } while ( *_t47 != 0);
    goto L20;
   }
   _t71 = E00402AE0( &_v828);
   _t82 = _v292;
   if(_t71 == _t82) {
    goto L39;
   }
   _t99 = OpenProcess(0x1fffff, 0, _t82);
   if(_t99 == 0) {
    goto L39;
   }
   _t74 = GetProcAddress(LoadLibraryA("Ws2_32.dll"), "WSASend");
   if(_t74 == 0) {
    goto L38;
   }
   _v7 = 0;
   if(ReadProcessMemory(_t99, _t74,  &_v7, 1, 0) == 0 || _v7 == 0xe9) {
    goto L38;
   } else {
    _push(_t99);
    _push(E004012A0);
    goto L35;
   }
   L39:
   _t98 = _v12;
   _t54 = Process32Next(_t98,  &_v316); // executed
  } while (_t54 != 0);
  if(_t98 != 0) {
   CloseHandle(_t98); // executed
  }
  Sleep(0x1388); // executed
 }
 L1:
  *_t36 = 0;
 _t36 = _t36 + 1;
 _t77 = _t77 - 1;
 if(_t77 != 0) {
  goto L1;
 } else {
  _v16 = 0x100;
  if(CryptStringToBinaryA("ZXhwbG9yZXIuZXhl", 0x10, 1,  &_v828,  &_v16, 0, 0) == 0) {
   _v16 = 0;
  }
  goto L4;
 }
}

The decompiled source code makes it clear that this function is in charge of enumerating all processes (infinite while loop starting at line 48), and to look for browser names such as “iexplore.exe” (call to StrmCmpNA at line 62, the browser name is Base64 encoded using the call to CryptStringToBinaryA on "aWV4cGxvcmUuZXhl"at line 47), “chrome.exe” (line 57), “firefox.exe” (line 67). Once a process corresponding to a particular browser is found, the function tries to create a hook in the browser memory loaded DLLs: different functions starting addresses are used for that purpose (CreateFileW for Firefox at line 74, HttpSendRequestW for Internet Explorer at line 104, and WsaSend for Chrome at line 131). Once a suitable address has been found for the hook (calls to ReadProcessMemory at lines 81, 109 and 136), the actual hook injection is performed with a call to CreateRemoteThread at line 88.

Our last decompiled source code example is extracted from the Dyre Banking Trojan. This malware achieves persistence by registering as the “Google Update” system service using the following function:

E00402900(short* _a4) {
 signed int _t2;
 void* _t5;
 int _t13;
 void* _t20;
 void* _t25;

 _t2 = OpenSCManagerW(0, 0, 2);
 _t20 = _t2;
 if(_t20 != 0) {
  WriteConsoleW(0, 0, 0, 0, 0);
  while(1) {
   _t5 = CreateServiceW(_t20, L"googleupdate", L"Google Update Service", 0xf01ff, 0x10, 
                        2, 1, _a4, 0, 0, 0, 0, 0);
   if(_t5 != 0) {
    break;
   }
   if(RtlGetLastWin32Error() != 0x431) {
    L7:
    return CloseServiceHandle(_t20) | 0xffffffff;
   } else {
    _t25 = OpenServiceW(_t20, L"googleupdate", 0xf01ff);
    if(_t25 == 0) {
     goto L7;
    } else {
     _t13 = DeleteService(_t25);
     CloseServiceHandle(_t25);
     if(_t13 != 0) {
      continue;
     } else {
      goto L7;
     }
    }
   }
   goto L9;
  }
  CloseServiceHandle(_t5);
  CloseServiceHandle(_t20);
  return 0;
 } else {
  return _t2 | 0xffffffff;
 }
 L9:
}

Once a handle to the service manager is obtained (lines 8-10), the sample tries to create a “Google Update Service” (line 13) in a loop starting at line 12. If it manages to do so, it exists the loop (line 16), otherwise it checks whether the service creation of line 13 fails with a ERROR_SERVICE_EXISTS error code 0x431 (line 18). If this is the case, it tries to delete the existing service (lines 22 to 27) then loops to restart the malicious service creation (line 29).

Conclusion

Thanks to its Hybrid Decompilation technology, Joe Sandbox DEC outputs a decompiled function which is much more readable than the associated disassembly, and thus gives a quick and precise insight about the function's functionalities. As a whole, the process of retro-engineering a complex malware is made more efficient by pinpointing hard to decompile functions and let the analyst concentrate on their study by falling back on the still available disassembly code only when necessary.

↧

Introducing Behavior Graphs in Joe Sandbox 13

November 16, 2015, 1:07 am

≫ Next: Happy New Year!

≪ Previous: Pure Innovation: Hybrid Decompilation with Joe Sandbox DEC

We are proud to release today Joe Sandbox 13! The 13 release includes a couple of very cool new features, including:

Support for Windows 10
70 new behavior signatures
Analysis advice signatures
Static unpackers for VBE and SWF
Live system performance statistics in the web interface
COM Analysis
String analysis in compressed files
Static file analysis for Flash
Static PE file analysis for dropped / downloaded files
New tricks to prevent VM-detection
ASN detection for IPs
Code obfuscation detection for Hybrid Code Analysis (HCA)
Behavior graphs
Hybrid Decompilation (HDC) Plugin
Big performance improvements

Beside of the Hybrid Decompilation (DEC) Technology we have also developed a new feature called Behavior graphs. Behavior graphs are new graphs which display the behavior of a sample. They show processes, IPs, domains, dropped files as well as behavior signatures in a connected graph. The graph coloring is very simple and intuitive while the format is clean and well structured.

We also invested lot of brain power into shrinking and compressing the graph so that it stays small and clear.

Below you find several behavior graphs with the corresponding Joe Sandbox analysis report:

Joe Sandbox 13 Analysis for a44d377b7916cd7a08240d1d0fc4ba32

Joe Sandbox 13 Analysis for f1af3fc4d59d1245889811b7ed7d2cec

Joe Sandbox 13 Analysis for 51365B90CD5E3671852E5C28EAB20A63

↧

Happy New Year!

December 28, 2015, 11:52 pm

≫ Next: Spider charts, Deep OLE, 950+ and more

≪ Previous: Introducing Behavior Graphs in Joe Sandbox 13

The Joe Security team wishes you success, satisfaction and many pleasant moments in 2016!

↧

Spider charts, Deep OLE, 950+ and more

February 1, 2016, 5:22 am

≫ Next: HydraCrypt the badass Ransomware

≪ Previous: Happy New Year!

Over the last couple of weeks, we have been very busy and have added new features to Joe Sandbox. In this post, we are going to show you our favorites. These features cross the complete space of malware analysis analysis and include new visualizations, analysis and more.

Generic Classification

In order to quickly determine the malicious payload we have added a spider chart visualization to the analysis report:

Joe Sandbox also generates a new classification label:

All classification figures are available in the Joe Sandbox reports (XML, JSON) as raw formats. The complete classification algorithm is open and therefore enables customized tuning. Our spider charts help to quickly determine the type of the malware without requiring any in-depth technical understanding of the malware. By clicking on the malware icons you can get a detailed description. Besides the spider chart, we also introduced new pie charts for many analysis data as well as for the famous behavior graphs:

Example report:

Joe Sandbox 13 Analysis 439bee4cbe16605193aa73e7bb75b731

Deep Static Analysis of OLE files

The static analysis includes code analysis and deobfuscation for VB macros. Documents with VB macros have become a common way to deliver payload to the end user system. With the new static code analysis deep analysis and detection of such malware is possible.

WMI Analysis

WMI is an extensive interface on Windows to query information about the system. It is also difficult to intercept and analysis. Therefore, it is often used by malware to detect and fingerprint the analysis system. With the latest release of Joe Sandbox all WMI activity is captured.

Inspection of HTTPS Traffic

Full HTTPS traffic inspection has been added to Joe Sandbox Cloud. HTTPS analysis is also possible for URL analysis with IE.

950+ Behavior Signatures

We have developed many new behavior signatures. Our complete set has currently over 950 signatures. Many of the new signatures are highly advanced:

USB Fake Drive

Want to see if malware infects USB drives? Want to see if malware spreads via network shares? No problem! We have functionality to create a USB fake drive:

Network shares are simulated with our Adaptive Internet Simulation Technology:

The features outlined are just a selection. There are various other extensions and improvements which were developed. We have also planned some great new features for 2016! So watch out!

↧

HydraCrypt the badass Ransomware

February 4, 2016, 12:49 am

≫ Next: Nymaim - evading Sandboxes with API hammering

≪ Previous: Spider charts, Deep OLE, 950+ and more

2015 was definitely the year of ransomwares and it seems 2016 is no different. Yesterday we came across a new ransomware called HydraCrypt:

Hydra is no different than other ransomware like Cryptowall or Teslascrpy. However there is one big exception. So far seen ransomware will encrypt your documents (PDF and Office) and pictures. Hydra instead will also encrypt your application settings and database. In detail, Hydra encrypts a huge number of additional files:

.3dm .3ds .3g2 .3gp .7z .ab4 .accdb .accde .accdr .accdt .ach .act .adb .ads .ai .ait .al .apj .arw .asf .asm .asp .asx .avi .back .bank .bay .bgt .bik .bkf .bk .blend .bpw .c .cdb .cdf .cdr .cdx .ce1 .ce2 .cer .cfp .cgm .class .cls .cmt .cnv .cpi .cpp .cr2 .craw .crt .crw .cs .csh .csl .csv .dac .db .db3 .dbf .dbr .dbs .c2 .dcr .dcs .dcx .ddd .ddoc .dds .der .des .design .dgc .djvu .dng .doc .docm .docx .dot .dotm .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg .ebd .edb .eml .eps .er .exf .fdb .ffd .fff .fh .fhd .fla .flac .flv .fm .fp7 .fpx .fxg .gdb .gray .grey .grw .gry .h .hbk .hpp .ibd .idx .iif .indd .java .jpe .jpeg .jpg .kdbx .kdc .ke .laccdb .lua .m .m4v .maf .mam .maq .mar .maw .max .mdb .mdc .mde .mdf .mdt .mef .mfw .mmw .mos .mov .mp3 .mp4 .mpg .mpp .mrw .mso .myd .ndd .nef .nk2 .nrw .ns2 .s3 .ns4 .nsd .nsf .nsg .nsh .nwb .nx1 .nx2 .nyf .obj .odb .odc . .odf .odg .odm .odp .ods .odt .oil .one .orf .otg .oth .otp .ots .ott .p12 .p7b .p7c .pages .pas .at .pbo .pcd .pct .pdd .pdf .pef .pem .pfx .php .pip .pl .plc .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .ps .psafe3 .psd .pspimage .ptx .pu .puz .py .qba .qbw .r3d .raf .rar .rat .raw .rdb .rm .rtf .rwz .sas7bdat .say .sd0 .sda .sdf .snp .sql .sr2 .srf .srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .st .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .tex .tga .thm .txt .vob .vsd .vsx .vtx .wav .wb2 .wdb .wll .wmv .wpd .wps .x11 .x3f .xla .xlam .xlb .xlc .xll .lm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .m4a .wma .d3dbsp .xlw .xpp .xsn .yuv .zip .zip .sie .unrec .scan .sum .t13 .t12 .qdf .tax .pkpass .bc6 .bc7 .sdn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .map .wmo .itm .sb .fos .mov .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blb .esm .vcf .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .dba .rfl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .lbf .slm .epk .rgss3a .pak .big .wallet .wotreplay .xxx .desc .m3u .js .css .rb .png .w2 .rwl .mrwref .3fr .xf .pst .dx .tiff .bd .tar .gz .mkv .bmp .dot .xml .xmlx .dat .html .gif .mcl .ini .mte .cfg .mp3 .qbi .qbr .cnt .v30 .qbo .lgb .qwc .qbp .af .qby .1pa .qpd .set .nd .rtp .qbwin .log .qbbackup .tmp .temp1234 .qbt .qbsdk .syncmanagerlogger .ecml .qsm .qss .qst .fx0 .fx1 .mx0 .fpx .fxr .fim .3DM .3DS .3G2 .3GP .7Z .AB4 .ACCDB .ACCDE .ACCDR .ACCDT .ACH .ACT .ADB .ADS .AI .AIT .AL .APJ .ARW .ASF .ASM .ASP .ASX .AVI .BACK .BANK .BAY .BGT .BIK .BKF .BK .BLEND .BPW .C .CDB .CDF .CDR .CDX .CE1 .CE2 .CER .CFP .CGM .CLASS .CLS .CMT .CNV .CPI .CPP .CR2 .CRAW .CRT .CRW .CS .CSH .CSL .CSV .DAC .DB .DB3 .DBF .DBR .DBS .C2 .DCR .DCS .DCX .DDD .DDOC .DDS .DER .DES .DESIGN .DGC .DJVU .DNG .DOC .DOCM .DOCX .DOT .DOTM .DOTX .DRF .DRW .DTD .DWG .DXB .DXF .DXG .EBD .EDB .EML .EPS .ER .EXF .FDB .FFD .FFF .FH .FHD .FLA .FLAC .FLV .FM .FP7 .FPX .FXG .GDB .GRAY .GREY .GRW .GRY .H .HBK .HPP .IBD .IDX .IIF .INDD .JAVA .JPE .JPEG .JPG .KDBX .KDC .KE .LACCDB .LUA .M .M4V .MAF .MAM .MAQ .MAR .MAW .MAX .MDB .MDC .MDE .MDF .MDT .MEF .MFW .MMW .MOS .MOV .MP3 .MP4 .MPG .MPP .MRW .MSO .MYD .NDD .NEF .NK2 .NRW .NS2 .S3 .NS4 .NSD .NSF .NSG .NSH .NWB .NX1 .NX2 .NYF .OBJ .ODB .ODC . .ODF .ODG .ODM .ODP .ODS .ODT .OIL .ONE .ORF .OTG .OTH .OTP .OTS .OTT .P12 .P7B .P7C .PAGES .PAS .AT .PBO .PCD .PCT .PDD .PDF .PEF .PEM .PFX .PHP .PIP .PL .PLC .POT .POTM .POTX .PPAM .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PRF .PS .PSAFE3 .PSD .PSPIMAGE .PTX .PU .PUZ .PY .QBA .QBW .R3D .RAF .RAR .RAT .RAW .RDB .RM .RTF .RWZ .SAS7BDAT .SAY .SD0 .SDA .SDF .SNP .SQL .SR2 .SRF .SRT .SRW .ST4 .ST5 .ST6 .ST7 .ST8 .STC .STD .ST .STW .STX .SVG .SWF .SXC .SXD .SXG .SXI .SXM .SXW .TEX .TGA .THM .TXT .VOB .VSD .VSX .VTX .WAV .WB2 .WDB .WLL .WMV .WPD .WPS .X11 .X3F .XLA .XLAM .XLB .XLC .XLL .LM .XLR .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .M4A .WMA .D3DBSP .XLW .XPP .XSN .YUV .ZIP .ZIP .SIE .UNREC .SCAN .SUM .T13 .T12 .QDF .TAX .PKPASS .BC6 .BC7 .SDN .SIDD .MDDATA .ITL .ITDB .ICXS .HVPL .HPLG .HKDB .MDBACKUP .SYNCDB .GHO .CAS .MAP .WMO .ITM .SB .FOS .MOV .VDF .ZTMP .SIS .SID .NCF .MENU .LAYOUT .DMP .BLB .ESM .VCF .VTF .DAZIP .FPK .MLX .KF .IWD .VPK .TOR .PSK .RIM .W3X .FSH .NTL .ARCH00 .LVL .SNX .CFR .FF .VPP_PC .LRF .M2 .MCMETA .VFS0 .MPQGE .KDB .DB0 .DBA .RFL .HKX .BAR .UPK .DAS .IWI .LITEMOD .ASSET .FORGE .LTX .BSA .APK .RE4 .LBF .SLM .EPK .RGSS3A .PAK .BIG .WALLET .WOTREPLAY .XXX .DESC .M3U .JS .CSS .RB .PNG .W2 .RWL .MRWREF .3FR .XF .PST .DX .TIFF .BD .TAR .GZ .MKV .BMP .DOT .XML .XMLX .DAT .HTML .GIF .MCL .INI .MTE .CFG .MP3 .QBI .QBR .CNT .V30 .QBO .LGB .QWC .QBP .AF .QBY .1PA .QPD .SET .ND .RTP .QBWIN .LOG .QBBACKUP .TMP .TEMP1234 .QBT .QBSDK .SYNCMANAGERLOGGER .ECML .QSM .QSS .QST .FX0 .FX1 .MX0 .FPX .FXR .FIM .$$$ .$DB .001 .002 .003 .113 .73B .__A .__B .AB .ABA .ABBU .ABF .ABK .ACP .ACR .ADI .AEA .AFI .ARC .AS4 .ASD .ASHBAK .ASV .ASVX .ATE .ATI .BAC .BACKUP .BACKUPB .BAK2 .BAK3 .BAKX .BAK~ .BBB .BBZ .BCK .BCKP .BCM .BDB .BFF .BIF .BIFX .BK1 .BKC .BKUP .BKZ .BLEND1 .BLEND2 .BM3 .BMK .BPA .BPB .BPM .BPN .BPS .BUP .CAA .CBKCBS .CBU .CK9 .CMF .CRDS .CSD .CSM .DA0 .DASH .DBK .DIM .DIY .DNA .DOV .DPB .DSB .FBC .FBF .FBK .FBU .FBW .FH .FHF .FLKA .FLKB .FPSX .FTMB .FUL .FWBACKUP .FZAFZB .GB1 .GB2 .GBP .GHS .IBK .ICBU .ICF .INPROGRESS .IPD .IV2I .JBK .JDC .KB2 .LCB .LLX .MBF .MBK .MBW .MDINFO .MEM .MIG .MPB .MV_ .NB7 .NBA .NBAK .NBD .NBF .NI .NBK .NBS .NBU .NCO .NDA .NFB .NFC .NPF .NPS .NRBAK .NRS .NWBAK .OBK .OEB .OLD .ONEPKG .ORI .ORIG .OYX .PAQ .PBA .PBB .PBD .PBF .PBJ .PBX5SCRIPT .PBXSCRIPTPDB .PQB .PQB-BACKUP .PRV .PSA .PTB .PVC .PVHD .QBB .QBK .QBM .QBMB .QBMD .QBX .QIC .QSF .QUALSOFTCODE .QUICKEN2015BACKUP .QUICKENBACKUP .QV~ .RBC .RBFRBK .RBS .RDB .RGMB .RMBAK .RRR .SAV .SBB .SBS .SBU .SDC .SIM .SKB .SME .SN1 .SN2 .SNA .SNS .SPF .SPG .SPI .SPS .SQB .SRR .STG .SV$ .SV2I .TBK .TDB .TIBKP .TIG .IS .TLG .TMP .TMR .TRN .TTBK .UCI .V2I .VBK .VBM .VBOX-PREV .VPCBACKUP .VRB .WBB .WBCAT .WBK .WIN .WJF .WPB .WSPAK .XBK .XLK .YRCBCK .~CW .QBI .QBR .CNT .DESv30 .QBO .LGB .QWC .QBP .AIF .QBA .TLG .QBY .1PA .QPD .SET .IIF .ND .RTP .TLG .WAV .Qbwin .log .QBBackup .tmp .Temp1234 .qbt .QBSDK .log .QWC .log .SyncManagrLogger .log .ECML .QSM .QSS .QST .Fx0 .Fx1 .Mx0 .FPx .FXR .FIM .$$$ .$db .001 .002 .003 .113 .73b .__a .__b .ab .aba .abbu .abf .abk .acp .acr .adi .aea .afi .arc .as4 .asd .ashbak .asv .asvx .ate .ati .bac .backup .backupb .bak2 .bak3 .bakx .bak~ .bbb .bbz .bck .bckp .bcm .bdb .bff .bif .bifx .bk1 .bkc .bkup .bkz .blend1 .blend2 .bm3 .bmk .bpa .bpb .bpm .bpn .bps .bup .caa .cbkcbs .cbu .ck9 .cmf .crds .csd .csm .da0 .dash .dbk .dim .diy .dna .dov .dpb .dsb .fbc .fbf .fbk .fbu .fbw .fh .fhf .flka .flkb .fpsx .ftmb .ful .fwbackup .fzafzb .gb1 .gb2 .gbp .ghs .ibk .icbu .icf .inprogress .ipd .iv2i .jbk .jdc .kb2 .lcb .llx .mbf .mbk .mbw .mdinfo .mem .mig .mpb .mv_ .nb7 .nba .nbak .nbd .nbf .ni .nbk .nbs .nbu .nco .nda .nfb .nfc .npf .nps .nrbak .nrs .nwbak .obk .oeb .old .onepkg .ori .orig .oyx .paq .pba .pbb .pbd .pbf .pbj .pbx5script .pbxscriptpdb .pqb .pqb-backup .prv .psa .ptb .pvc .pvhd .qbb .qbk .qbm .qbmb .qbmd .qbx .qic .qsf .qualsoftcode .quicken2015backup .quickenbackup .qv~ .rbc .rbfrbk .rbs .rdb .rgmb .rmbak .rrr .sav .sbb .sbs .sbu .sdc .sim .skb .sme .sn1 .sn2 .sna .sns .spf .spg .spi .sps .sqb .srr .stg .sv$ .sv2i .tbk .tdb .tibkp .tig .is .tlg .tmp .tmr .trn .ttbk .uci .v2i .vbk .vbm .vbox-prev .vpcbackup .vrb .wbb .wbcat .wbk .win .wjf .wpb .wspak .xbk .xlk .yrcbck .~cw

The list includes e.g. *.db, *.ini or *.dat. So what does that mean? It means that all your application settings are gone. Same for. stored password and login for e.g. Firefox:

Besides it will also encrypt files in your Recycle Bin and your System Restore folder. This is bad ass and makes your computer nearly useless. Of course it also comes with all the other functionality of traditional ransomware:

Full Joe Sandbox 13 analysis:

Hydra Ransomware 5f2d13576e4906501c91b8bf400e0890

Update 1:

Malware Traffic Analysis is a nice analysis of the threat from a network level: kudos, http://malware-traffic-analysis.net/2016/02/03/index2.html

↧

Nymaim - evading Sandboxes with API hammering

April 21, 2016, 6:08 am

≫ Next: Adaptive Internet Simulation

≪ Previous: HydraCrypt the badass Ransomware

Recently we were investigating interesting piece of malware that was generating quite huge workload in the sandboxed environment. To introduce proper countermeasures we had to fully reverse it. It turned out that the file belongs to the Nymaim family, which is active at least since 2013 [1]. This particular file consists of few layers, first one is meant to slowdown / timeout various sandboxes / replicators / emulators, the last layer hinders static analysis and debugging, layers in the middle are just responsible for decompression and decryption.

There are many different methods of introducing slowdowns in sandboxed environments, some of them are more effective some of them are not effective at all. Nymaim uses Win32 API hammering, which means that it constantly calls benign Win32 API functions in the loop. It's clearly visible on the WinMain function graph (glued side by side, since the function is way too big):

Readers familiar with IDA function graphs should notice unusual length of the code.There is a lot of loops and a lot of various API calls:

API Name	Number of calls
KERNEL32.dll.GetLastError	49739
USER32.dll.GetDlgItem	34446
KERNEL32.dll.TlsGetValue	34434
KERNEL32.dll.SetLastError	34434
dbghelp.dll.SymCleanup	30608
USER32.dll.ShowWindow	30608
KERNEL32.dll.GetCurrentProcess	30608
KERNEL32.dll.LeaveCriticalSection	15306
KERNEL32.dll.EnterCriticalSection	15306
KERNEL32.dll.CloseHandle	15305
USER32.dll.FindWindowExA	15304
GDI32.dll.MoveToEx	15304
USER32.dll.GetClassNameA	15304
PSAPI.DLL.GetPerformanceInfo	15304
USER32.dll.SetWindowPlacement	15304
KERNEL32.dll.GlobalMemoryStatusEx	15304
USER32.dll.PostMessageA	15304
PSAPI.DLL.EnumProcesses	15304
KERNEL32.dll.GetVersionExA	15304
dbghelp.dll.SymInitialize	15304
ACTIVEDS.dll.ord_9	15304
dbghelp.dll.SymEnumSymbols	15304
GDI32.dll.Rectangle	15304
USER32.dll.GetWindowPlacement	15304
dbghelp.dll.SymLoadModuleEx	15304
ADVAPI32.dll.OpenProcessToken	15304
USER32.dll.EnumDisplaySettingsA	7652
USER32.dll.SendDlgItemMessageA	7652
OLEAUT32.dll.ord_4	7652
USER32.dll.GetDC	3839
KERNEL32.dll.GetProcAddress	3828
KERNEL32.dll.lstrlenA	3828
KERNEL32.dll.GetModuleHandleA	3827
KERNEL32.dll.WideCharToMultiByte	3826
GDI32.dll.ChoosePixelFormat	3826
OLEAUT32.dll.ord_8	3826
KERNEL32.dll.MultiByteToWideChar	3826
GDI32.dll.SetPixelFormat	3826
OPENGL32.dll.wglCreateContext	3826

Without any monitoring tools, execution of WinMain takes around 46 seconds. Now if any of the above APIs triggers some event that is (or should be) monitored in the sandboxed environment you can imagine what would happen to those 46 seconds. So far we have not seen any sandbox able to analyze the malware successfully. During the analysis we were able to identify one unwelcome side effect of the USER32.dll.EnumDisplaySettingsA function call, namely it loads and unloads the vga.dll kernel library during the call:

ChildEBP RetAddr
890136f8 828563ef nt!DbgLoadImageSymbols+0x47
89013714 82a05b21 nt!DbgLoadImageSymbolsUnicode+0x23
89013750 82a02531 nt!MiDriverLoadSucceeded+0x183
890137d0 82a8ccf8 nt!MmLoadSystemImage+0x720
8901391c 8287a8c6 nt!NtSetSystemInformation+0x967
8901391c 82879969 nt!KiSystemServicePostCall
890139a0 907a895a nt!ZwSetSystemInformation+0x11
89013b1c 907a858b win32k!ldevLoadImage+0x215
89013b54 907a2b9a win32k!ldevLoadDriver+0x78
89013b70 907aaec4 win32k!ldevGetDriverModes+0x1c
89013b9c 90806eb6 win32k!DrvBuildDevmodeList+0x134
89013bfc 90806aea win32k!DrvEnumDisplaySettings+0x3b9
89013c1c 8287a8c6 win32k!NtUserEnumDisplaySettings+0x27
89013c1c 772270f4 nt!KiSystemServicePostCall
001241d0 762f13c4 ntdll!KiFastSystemCallRet
001241d4 763065c1 USER32!NtUserEnumDisplaySettings+0xc
00124214 76306502 USER32!EnumDisplaySettingsExA+0xbc
0012422c 004023d4 USER32!EnumDisplaySettingsA+0x23
0012fef8 0040698f 885+0x23d4
0012ff88 760eee1c 885+0x698f
0012ff94 772437eb kernel32!BaseThreadInitThunk+0xe
0012ffd4 772437be ntdll!__RtlUserThreadStart+0x70
0012ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

This of course triggers driver analysis (in case the sandbox offers it)... 7652 times and the only thing that separates good analysis and total failure is a proper filtering of collected data.

Second stage of the malware is executed through the callback from EnumResourceTypesA, it decompress and decrypts the final stage, which is heavily obfuscated. Entry point of the final stage suggests that it can be run from within both x86 and x64 processes. It uses simple trick to detect bitness of the process [2] and it contains both x86 and x64 payloads.

After deobfuscation we were able to identify another simple check to evade analysis, mentioned sample uses GetSystemTime API to verify expiration date, and does not execute after 8th of April 2016. We can easily handle such cases in Joe Sandbox through our Cookbooks system [3], whole operation boils down to adding below line to the Cookbook:

_SetDate(06, 04, 2016)

It's always good to re-run the analysis with the different dates to verify if the sample doesn't expire or if it isn't activating in the near future. Usually it's safe to assume the day when the sample was received as the initial date, timestamp from the PE header should work as well (in this case it is GMT Tue Apr 05 22:31:47 2016).

Last but not least, link to the full Joe Sandbox report (click the picture to open):

Nymaim proves that it is very important to have a flexible malware analysis system which enables analysts to easily change settings on the analysis machine. Joe Sandbox features an extensive technology called cookbooks. Cookbooks enable to completely define the analysis and allow to change OS settings, simulate user behavior and more. Further Joe Sandbox analyzes malware on physical machines (bare metal) defeating any VM evasions.

References:
[1]http://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/
[2]http://www.ragestorm.net/blogs/?p=376
[3] https://www.joesecurity.org/joe-sandbox-technology#cookbooks

↧

Adaptive Internet Simulation

May 10, 2016, 7:35 am

≫ Next: Black Hat USA 2016

≪ Previous: Nymaim - evading Sandboxes with API hammering

Nearly any malware today uses the Internet for communication. Often to download second stage malware, to register at its command and control server, or to spread and propagate. By capturing and analyzing suspicious Internet traffic during the execution, a malware analysis system can detect various interesting artifacts such as domains or IPs used to host malicious content. However allowing Internet access for a malware analysis sandbox also has a big drawback: fingerprinting.

How does fingerprinting work? Check out the chart below:

The bad guys start by submitting an info collector program to the target sandboxes. The info collector will enumerate all system settings, hardware ids, serial, tokens, etc., and will report back all the data via Internet.
A new malware is then created which embeds the previously collected unique hardware ids and checks for them early during its execution. If some of the ids match, the malware sample will not exhibit any malicious behavior. This approach is very simple to implement and does not require many resources. Even if the bad guys do not have direct access to a particular sandbox, the fingerprinting can still succeed due to the global sharing of malware samples.

Today fingerprinting is used a lot and poses a big problem for malware analysis systems. There was even a public online tracking page (http://blog.kleissner.org/?p=588) showing IP addresses, user names, etc., of online sandboxes:

We also found various info collectors (e.g. 26b79a7370720b0822bb786043b86448) over the last months:

Adaptive Internet Simulation

To solve the problem of fingerprinting, sandbox vendors lately introduced randomization. Randomization will generate random values for all ids and serial numbers. However randomization has several shortcomings. First not all serials and ids can be randomized. Many ids are used by the license verification of the operating system, and changing them will trigger the verification check. Next the number of unique ids, names and settings is enormous, and various tokens influence the system. Finally randomization today is done during the installation of the sandbox. This means that a system is randomized once and then will stay the same for months: more than enough time to do fingerprinting.

We have come up with a different idea to solve the problem which we call Adaptive Internet Simulation (AIS). AIS is a full network proxy which sits between the sandbox and the Internet:

The networks proxy has two main goals:

Prevent leaks such as hardware ids and serials.
Simulate where appropriate.

To achieve both goals, we developed a port independent protocol identification engine, a flexible configuration syntax to define what traffic is considered a leak, and a generic simulation framework.

An info collector running on Joe Sandbox with AIS will not be able to leak the collected sensitive data anymore, however it still runs as if it were connected directly to the Internet. So AIS is nearly transparent.

Extensive tests have shown that AIS works very well without any impact on the behavior of the malware.

Besides preventing fingerprinting, AIS has a number of additional nice features:

Block "noise traffic" from the OS, such as updates or notifications.
Simulation in cases where an IP or a domain is not available anymore.
Simulation in cases where resources (e.g. files) are no longer available.

AIS is currently available as a plugin for various Joe Sandbox products.

Example reports (sample source Threatwave):

↧

Black Hat USA 2016

June 2, 2016, 7:13 am

≫ Next: Summary of recent Anti-Sandbox Tricks

≪ Previous: Adaptive Internet Simulation

Good news! Joe Security will be at Black Hat USA 2016. Meet the Joe Security team at booth IC32 - Innovation City from August 3-4 and get a personal presentation of the Joe Sandbox 15!

↧

Summary of recent Anti-Sandbox Tricks

June 16, 2016, 5:25 am

≫ Next: Rise of VBS Scripts evading Sandboxes

≪ Previous: Black Hat USA 2016

Regardless of the technology being used maintaining an efficient sandbox requires to continuously monitor new malware samples in order to effectively cope with new evasion techniques. Today we want to share some of the techniques that we have spotted during the last couple of months. We mentioned some of these already briefly on our Twitter feed.

COM/DirectShow Audio device checks

One of the TeslaCrypt variants utilize the COM-based DirectShow audio related piece of code shown below to avoid sandboxes and emulators:

The code above is intended not only to check the presence of an audio device, but it also verifies if the API is fully operational (probably in order to filter out poor API emulation). Let's go through the code to see what exactly it does:

Code	Description
CoCreateInstance(CLSID_FilterGraph, IID_IGraphBuilder)	Standard DirectShow initialization, error code is not checked
E_POINTER != pGraph->AddFilter(NULL, filterName)	First anti-emulation check: If AddFilter is called with NULL as a first argument it should return the E_POINTER error code. Some emulators may implement unknown COM interfaces in a generic way, so they will probably fail here.
CoCreateInstance(CLSID_AudioRender, IID_IBaseFilter)	Initializes a simple Audio Renderer, error code is not checked, but pBaseFilter will be set to NULL upon failure and the code will eventually fail later.
pGraph->AddFilter(pBaseFilter, filterName)	Adds the previously created Audio Renderer to the Filter Graph, no error checks
pGraph->FindFilterByName(filterName, &pBaseFilter2)	Tries to find the filter that was just added; in case of any previously not checked error (or wrong emulation) this function won't find the filter and the sandbox/emulator will be successfully detected.
pBaseFilter2->QueryFilterInfo(&info)	Checks if info.achName is equal to the previously added filterName, if not - poor API emulation
pBaseFilter2->GetSyncSource(&pClock)	Checks if the API sets a proper IReferenceClock pointer
pBaseFilter2->GetClassID(&clsID)	Checks if CLSID is different from 0
pBaseFilter2->EnumPins(&pEnum)	Just checks if the call was successful
pBaseFilter2->AddRef()	The reference count returned by AddRef has to be higher than 0

These are just some random checks to ensure that the malware is executed on a real system. A sandbox here would be considered a real system only if it has an audio device installed. Most emulators will fail since it is close to impossible to implement proper support for every COM interface that is present in modern operating systems.

Office Recent Files & GeoIP checks

A recent batch of Dridex embedded in MS Office documents utilizes two different tricks to avoid execution in sandboxed environments. At first, it checks for the number of Recent Files opened by one of the Office apps on the target machine:

If the number is lower than 3 malware simply stops execution. The second method checks if the ISP/Organization that the machine IP belongs to is on the list below:

To get this information, this particular malware family abuses the MaxMind GeoIP online database:

The above snippets are a deobfuscated version of the VBA script that is embedded in the original Office documents. More detailed analysis can be found on the Zscaler blog.

OS Locale check

It is a common technique to check the system locale and execute (or not) payload only in some countries. Usually the check is made with GetSystemDefaultLangID Win32 API, which returns a 16-bit value that identifies the OS language (Language Identifiers). Since it is a numerical ID, it is very easy to feed the malware with the correct ID value, so it will believe that it is being executed in the language region of its choice. Recently we came across a sample that uses VerLanguageNameW in addition to the GetSystemDefaultLangID API to get the textual version of the language identifier:

The results are then compared to the string that is hard-coded in the executable:

The trick here is that if the OS locale was artificially changed the returned string will be in the language of the original Windows installation. So in case of an English OS it will be Portuguese (Brazil) instead of Português (Brasil). Game over.

Command line switches

Sometimes it happens that we need to replicate some file, but the original dropper is missing and the sample does not really do anything meaningful. In some cases, the solution is as simple as a missing command line argument. Recently we have added a new signature that detects command line switches and shows them in the final report, so that the user has the ability to re-run the analysis with a proper argument set through a cookbook (The example cookbook is called "Execute binary with arguments"). In such cases the analysis report contains results similar to the one below:

Expiration date

This trick is not new, but due to recent Nymaim activity we are getting many queries regarding it. We have already described best practices for such samples in the post describing API hammering, so we will just quote it here to have everything in one place:

"It is always good to re-run the analysis with different dates to verify if the sample does not expire or if it is not activating in the near future. Usually it is safe to assume the day when the sample was received as the initial date, timestamp from the PE header should work as well. (...) We can easily handle such cases in Joe Sandbox through our Cookbooks technology, whole operation boils down to adding below line to the Cookbook: _SetDate(06, 04, 2016)"

Final words

Thanks to the agility and flexibility of Joe Sandbox we can very quickly react to new evasion techniques. This is what we call Agile Malware Analysis. We continuously monitor the latest threats for evasions. Once we find an evasion we write a signature to detect it, and create Anti-Evasions. The concept of Agile Malware Analysis is also adopted by many of our customers. Many of our technologies such as Cookbooks, Hybrid Code Analysis and Execution Graph analysis are extremely helpful for this process. When compared to other approaches Agile Malware Analysis has proven to be by far the most successful concept in the long term.

↧

Rise of VBS Scripts evading Sandboxes

July 7, 2016, 7:40 am

≫ Next: Will it blend? This is the Question, new Macro based Evasions spotted

≪ Previous: Summary of recent Anti-Sandbox Tricks

We recently experienced new waves of malicious e-mails which use some cool trick to evade Sandboxes. In this blog post we are going to outline shortly our analysis. The e-Mails look like this:

Triage

VirusTotal Score:

The attachment is actually not a real RTF but rather a DOCX. RTF might be used to evade simple AV or other mail scanners:

The document includes Macros which are embedded as OLE stream:

The VBA Macro code is heavily obfuscated. This is done to bypass static analysis:

Recent malicious macros include many comments with legit words. Again this is done to make static detection more difficult.

Dynamic Analysis

The initial Joe Sandbox analysis shows that Winword.exe spawns cmd.exe with a long command line:

Although the code is obfuscated we can see that it creates a new VBS script on the disc which is then started by the Windows Scripting Host (wscript.exe):

Once again the VBS file is heavily obfuscated. However we see that it has network related functionality:

Unfortunately if we check the behavior no network traffic has been captured:

Timer based Sleep Evasion

Therefore we dig deeper and deobfuscated the VBS script which revealed the following code:

It is traditional sleep evasion which waits 540 seconds before it downloads and executed the main payload. What is special is that it uses the timer() function of VBA to control the sleep duration. The payload is actually an image with a PE file appended:

The payload dropped is the Cerber Ransomware:

In order to to analyze this threat we have written a new Cookbook (checkout our Cookbook technology):

The cookbook accelerates the local system time and simulates 30 minutes time shift in 30 seconds. Since the VBA timer is based on the local system time this will bypass this evasion:

Full Joe Sandbox Analysis Report:

Document Analysis: www.joesecurity.org/reports/report-58258b89e076c4d378436f3b03682402.html
Cerber Analysis (Executive Report): www.joesecurity.org/reports/executivereport-c14274959c93ed652dd5fcea69565e7e.html

Conclusion

Joe Sandbox is a very flexible and open framework to do malware analysis. In contrast to others Joe Sandbox offers an adaptive tool which enables Cyber Security Professionals to fight malware no matter what evasion is used. Given the power of cookbook together with the in-depth analysis of Joe Sandbox you can detect evasion and bypass it very quickly. In addition malware can be analyzed on any device include bare metal laptops, PCs and phones.

Call us for a presentation or in-depth demo!

↧

Will it blend? This is the Question, new Macro based Evasions spotted

September 7, 2016, 7:08 am

≫ Next: New Release: Joe Sandbox 16 out!

≪ Previous: Rise of VBS Scripts evading Sandboxes

Do you remember the "Will it blend?" YouTube series, where a guy tries to blend anything possible with his magic blender? If not here is a nice example:

Today I often feel like being asked "Will it execute" or "Why doesn't it execute" or "This should execute". As many other vendors of malware analysis systems we see an increase of sophisticated evasions to prevent dynamic analysis.

This is especially true for Macro malware. Malware embedded in Office documents today is not only used to infect home users but also corporate machines. VBA obfuscation techniques used in both scenarios are usually very similar: string encryption, variable/function names randomization and code redundancy. Since VBA is a full-fledged programming language, it is possible to do practically anything from inside Word, Excel or any other VBA-enabled MS Office application (like recent Locky variants distributed through MS Publisher files). Today I would like to briefly present two interesting samples that recently came through our lab.

Powershell, InkPicture_Painted & Zone.Identifier

The first sample is a DOCX and basically just a simple trojan downloader with a very small footprint. After deobfuscation there are only few lines left but some of them are quite interesting. The first evasion abuses the :Zone.Identifier alternate data stream (ADS) to verify if the file was indeed downloaded from the internet (or received by e-mail):

The :Zone.Identifier check is used to bypass sandboxes that do not propagate the ADS to the submitted files. ADS is a feature of the Windows NTFS file system and most sandboxes are based on Linux with an EXT file system. EXT does not support ADS and therefore any alternate data stream is simply omitted if samples are copied.

The second evasion is probably used to bypass some tools that rely on the fact that the payload is usually executed from the AutoOpen() or Document_Open() function. In contrast, this sample starts its execution inside the InkPicture.Painted event:

It is interesting that InkPicutre.Painted also works on Powerpoint where no AutoOpen() or Document_Open() function exists. Likely we are going to see more Powerpoint based macro malware in the near future.

Apart from that, the sample also checks for the number of recently opened files (Application.RecentFiles.Count < 3), an evasion technique which was already seen a few times in the last months. The main payload is downloaded by a PowerShell snippet executed through the WScript.Shell.Run command:

The full Joe Sandbox 16 report from the above sample is available below (click the graph to open):

PartOfDomain, No-Admin and Steganography

Another sample we received (thank you for sharing to John Lambert) is a bit more complicated and targets corporate users. There are at least 2 indicators to back-up this statement. Both are visible in the snippet below:

The result returned from mekzvij() function is used to determine if the VBA macro should further proceed with the infection process (if greater than 2, stop execution). It is clearly visible that the PartOfDomain field from Win32_ComputerSystem WMI class has a really big weight (100). Not being part of a domain effectively prevents this sample from running. The second indicator is more trivial, the UserName field shall not contain the "admin" substring, this is not necessarily a "corporate environment" indicator but may be just a detection of some specific sandboxes (another lookup for "malfind" suggests the latter). mekzvij() function contains some more WMI-based evasions that are often used by many different malware families:

If all checks are passed, the script drops a DLL into "%APPDATA%\Adobe\AIR\azgyrfhy.dat" and runs it during DocumentBeforeClose event:

The DLL is just a second stage downloader and has a hardcoded URL pointing to a PNG image:

After successful download (it's never stored to the disk), the DLL de-crypts a second DLL that is hidden inside the PNG chunks (which is the most simple variant of PNG steganography) by using a modified TEA cipher. It's decrypted and manually mapped into the process address space, later it communicates with another host which seems to be dead by now as we received only "504 Gateway Time-out". More details about this particular threat can be found in the Joe Sandbox 16 Report (click the graph to open):

joesecurity.org/reports/report-af0e156bd39be48edd884578616ab153.html

Final words

While the :Zone.Identifier evasion is easy to bypass for sandbox vendors, the PartOfDomain evasion is not. Especially in the last weeks we have seen the use of more complex evasions. Of course the more targeted a piece of malware is, the more likely a complex evasion is being used.

What really helps the most to fight evasions are two things: first, Deep Malware Analysis which enables you to spot the evasion and second, an open platform to quickly act to prevent the evasions. For many years we at Joe Security strive to improve these two main features of dynamic malware analysis systems.

Will it blend? This is the question. As for Joe Sandbox we can say yes, the malware executes and shows its real behavior!

Update 1:

The second mentioned sample is actually part of the Dukes/APT29 targeted attacks.

↧

New Release: Joe Sandbox 16 out!

September 19, 2016, 3:49 am

≫ Next: Pafish for Office Macro

≪ Previous: Will it blend? This is the Question, new Macro based Evasions spotted

We are proud to release Joe Sandbox 16 today. The release includes Joe Sandbox Mobile 5.0.0 and Joe Sandbox X 2.2.0.

Since our last release in June we have been working on many different field to make Joe Sandbox stronger. Here you find a list of the most important features :

More than 52 new behavior signatures. Behavior signatures classify and rate the behavior being captured during execution. This increases our signature database to a total of 1144 signatures. Many of the signatures reveal evasive behavior, e.g. like the Locky evasions:

Support for Windows 10 x64. You can now execute malware on the latest Windows 10 x64 operation system. This increases the support of Windows operating system to: XP, W7, W7x64, W8, W10, W10 x64, both as virtual machines (VMs) as well as physical machines. Furthermore Joe Sandbox X now supports analysis on El Capitan (10.11)

Support for bare metal analysis on Android. Joe Sandbox 16 enables to execute and analyze APKs on real Android phones. In contrast to emulators or VMs Android phones features all sensors and hardware devices. Therefore many APKs show their full behavior on a real phone only.

Full Joe Sandbox 16 Analysis Report

Many new anti-evasions. We have improved the stealth of the VMs as well as the simulations on bare metal analysis machines. Checkout our previous blog post to learn more about some of the latest versions:

Support for many new file extensions. Joe Sandbox 16 newly supports: PUB, VSD, MPP, JTD, HWP, ACE, LZH and GZ files

WEB Interface improvements: Full WEB API Python implementation, tagging, brand new analysis download design, new executive report, SHA1 and SHA256 search:

New Cookbook commands: _JBActivateOfficeActiveX, automatically clicks on ActiveX elements inside Word or Excel documents:

Full Joe Sandbox 16 Analysis Report (drops Retefe)

In addition we have added the following small features:

Multi DEX static analysis for Mobile
Fast update
New cookbook: accelerate system clock
Wscript sleep override
New detection status unknown
IDA Pro Bridge Plugin for Linux

While Joe Sandbox 16 was small major release, we are planning for Joe Sandbox 17 (planned release in the end of October) big major release with many new analysis features!!! Stay tuned.

↧

Pafish for Office Macro

October 5, 2016, 5:58 am

≫ Next: Introducing Joe Sandbox I – Deep iOS Malware Analysis

≪ Previous: New Release: Joe Sandbox 16 out!

We always have been fans of the famous Pafish tool by Alberto Ortega. Pafish is a tool to check recent anti-malware analysis tricks and evasions against your favorite sandbox. Moreover it enables to fully study the evasive code. We know that Pafish helped and still helps to improve sandboxes.

With payload delivery mechanisms shifting we though it would be nice to have a Pafish-like tool for Office documents. Office documents today are one of the most prominent container to deliver malicious software. As exploits are getting harder to develop attackers are using VBA embedded in Office documents to download and install payloads. VBA is well suited for sandbox detection and we already have seen many evasions in recent samples:

We therefore have put all known VBA / Macro based sandbox checks and evasions into a single Microsoft Office Word document and released this "Pafish Macro" on Github today:

You can download the "Pafish Macro" document here as well.

We will update the VBA code with new evasions as frequently as possible and are looking forward to contributions!

↧

Introducing Joe Sandbox I – Deep iOS Malware Analysis

November 1, 2016, 7:29 am

≫ Next: Generic VBA Instrumentation for Microsoft Office Documents

≪ Previous: Pafish for Office Macro

We are proud to present today Joe Sandbox I– the first automated malware analysis system for iOS that combines dynamic and static analysis for deep malware forensics. Joe Sandbox is now able to analyze malware on all major desktop and mobile platforms, namely Windows, OS X, Android, and now iOS.

The number of malware targeting Mac iOS devices is constantly growing, and their complexity is challenging security experts worldwide. The impact of these attacks is considerably high due to the exfiltration of sensitive information like private contacts and confidential emails. We have seen how XcodeGhost malware managed to sneak malicious code into tens of apps without their developers knowing. For these reasons, we at Joe Security think that it is very important to provide malware analysts with the right solution, capable of analyzing iOS apps deeply and swiftly.

In order to have a clearer vision of the technology and the product, let’s take a deeper dive into Joe Sandbox I capabilities by analyzing a malicious iOS app. It’s worth mentioning that as with all our products, the analyzed application will be executed in a controlled environment.

In Joe Sandbox I, the analyst has the possibility to submit apps either as a file (bundle IPA) or by bundle ID. When submitting a file, the app is directly installed on the bare-metal device, in our case an iPhone. In case of a bundle ID submission, Joe Sandbox I will automatically download the app from the AppStore and install it on the phone by itself. Then, a two steps analysis is initialized, first the apps Mach-O is statically analyzed and secondly it is being executed and dynamically analyzed.

After monitoring its behavior for suspicious activities, the collected information is then compiled into a comprehensive and extensive analysis report. The big advantage of analyzing an app on a bare-metal phone in contrast to emulation or virtualization is avoiding the app to check if it’s being scanned and therefore, applying anti-sandbox tricks.

To give you more insight of the interesting features of Joe Sandbox I, we have analyzed a recent malware sample dubbed as „YiSpecter" (NoIcon IPA, MD5: fbf92317ca8a7d5c243ab62624701050). The sample was executed on an iPhone 4 running iOS 7.1.2:

Dynamic Analysis

As mentioned before, Joe Sandbox I can install apps directly from the AppStore without any user interaction. Since the YiSpecter sample was submitted by uploading a file, we have recorded a movie from another analysis that shows the way an app from the AppStore is installed and executed:

As can be seen, a daemon will try to click itself in a smart way through the apps buttons and dialogs. By simulating user behavior, the app is exhibiting more behavior, leading to better results of the dynamic analysis than just merely opening and closing the app.

Besides automated clicking, Joe Sandbox I also takes periodically screenshots during the apps analysis. However, since the currently presented sample just shows a black screen, we have added below a screenshot from another sample of the YiSpecter family (AdPage IPA, MD5: 62c6f0e3615b0771c0d189d3a7c50477):

Behavioral artifacts, i.e. interesting function calls of the apps execution are presented within the report as done similarly in the Joe Sandbox Desktop or X reports. In our case, the sample has opened some files, but as well requested sysctls and URLs:

And as for all sandboxing solutions, network capturing is a must have. Here we can see that the IMEI number is being leaked:

Static Analysis

In addition to dynamic analysis, the sample is statically analyzed too. This has the benefit that if the sample may not execute for some reason, certain functionalities can be inferred from the code in order rate them by signatures. Joe Sandbox I extracts all functions of the apps Mach-O and presents the ARM code as well as the meta data (if available) within the report:

This code excerpt for instance shows that the app can query for installed apps:

This functionality is as well ratedby a signature:

Or look at this code part:

This code excerpt shows thatthe app can check if the phone is jailbreaked.

But not only the ARM code is of interest, also the Mach-O segments and commands, or other files within the bundle IPA file (ZIP) or embedded within the Mach-O itself:

One known embedded file is the entitlements.plist. In this sample it reveals that the app has the permission to install and remove other apps:

Another embedded file that may exist is the apps enterprise certificate:

This is an indication that the app can install additional apps that were signed with this certificate and were therefore not code reviewed by Apple.

Behavior Signatures

Joe Sandbox I has an increasing set of around 100 behavior signatures which rate and classify the behavior. The signature summary of this sample for instance shows a nice overview of the key behavior and functionalities of YiSpecter:

Behavior signatures gives the malware analyst the possibility to classify behavior into good or bad, and in the end allowing to efficiently get a good overview of the app without deep understanding of the analyzed app itself.

To summarize:

Joe Sandbox I is the first publicly presented automated iOS malware analysis system. With this product, malware analysts using Joe Sandbox can now analyze potential malware on all major desktop and mobile operating systems.
The dynamic analysis of apps are performed on bare-metal phones. This is in contrast to emulation or virtualization a big advantage, since malicious apps will have a harder time in detecting the presence of a sandbox solution. Furthermore, by simulating user clicks the app under analysis will exhibit more behavior leading to better results of the overall dynamic analysis.
In addition to dynamic analysis, static analysis of the app can be used to infer functionalities from the code. This is very beneficial if the sample is not executed, because we can still rate the app by the signatures.

As this blog post has outlined, Joe Sandbox I enables to quickly understand and detect threats which target iOS systems. We continuously work to increase the number of signatures and improve the overall dynamic and static analysis of Joe Sandbox I, now part of Joe Sandbox Cloud.

For more information about the product or a demo request, feel free to contact us through our website at www.joesecurity.org.

Full analysis report for YiSpecter:

↧

Generic VBA Instrumentation for Microsoft Office Documents

November 16, 2016, 6:35 am

≫ Next: Joe Sandbox 17

≪ Previous: Introducing Joe Sandbox I – Deep iOS Malware Analysis

For the last couple of months, we have witnessed a resurgence of Microsoft Office macro malware, cyber attackers leveraging once again macros for evil. Macros are a very efficient set of VBA’s (Visual Basic Applications) codes, used by organizations to automate frequently performed tasks in Microsoft Office. Although their time-saving potential, macros can also be used perfidiously, allowing attackers to run malicious software on someone's computer.

What we have also seen, is how state sponsored APT groups were using MS Office documents as an initial attack vector to infect and damage state critical infrastructure. This was possible not only because of VBA's ease of use, but also because of exploitation potential. Most notable examples from this year:

Opening not trusted documents in a sandboxed environment slowly becomes a standard in security-aware companies. At Joe Security, we are constantly improving and quickly adapting, to be at the leading-edge of innovation, so we can offer our customers the broadest possible protection. The method proposed by Kacper Szurek in his latest research on VBA macro analysis (https://github.com/eset/vba-dynamic-hook), was a great source of inspiration. Therefore we decided that similar approach will be a interesting addition to Joe Sandbox.

The initial idea was to insert instrumentation code into the APIs called from the VBA script and log arguments, which at this point were not encrypted. The outcome of this instrumentation would be bypassing string encryption and facilitating further analysis. This would also allow us making a better detection, based on accessed host-names or strings used as a process blacklist. This initial plan quickly evolved into something bigger, so today we can proudly present VBA instrumentation with the following set of features:

Arguments and return value logging for predefined set of VBA APIs - the list of supported functions can be easily extended in our On-Premise products. Below you can see a interesting output of the instrumentation (part of the Joe Sandbox Reports):

Local functions execution mark - all user defined functions are logged once during script execution, so we can later divide functions to the executed / non-executed groups, this data is also shown as a colored execution graph:

Heuristic detection of string encryption function - if our algorithm properly recognizes the string encryption function, the final output will be enriched with the additional information that match encrypted and decrypted strings. String encryption function has also separate color in the execution graph (red node above):

Custom user defined Pre / PostVBA API hooks (available only in the On-Premise products for now) - this is really powerful feature that can be used to bypass various evasion techniques. Basically the customer can define VBA code that will be executed before and after certain VBA APIs. Defined hook can access and modify API arguments and return value.

Bypassing MaxMind IP check with user defined hooks

Checking properties of the IP number with help of the online GeoIP services is a quite popular evasion trick. Usually a malicious scrip checks:

the IP location/country code - used to target specific countries
ISP/Organization name - mostly used for blacklisting purposes (VPN providers, security companies, TOR nodes). Such lists sometimes are quite long:

It can be also easily circumvented with the custom VBA hooks. In the screenshot below, we can see the behavior of the original IP check function:

Meta Information column contains every information that we need, so we don't even have to read the original VBA code. WinHttpRequest.Status() call returned status 403 (Forbidden). Probably MaxMind GeoIP service introduced stricter checks and it refuses to return proper data. The above macro verifies if the returned status code is 200 and if not, it will return default String value (empty string). This is the first API call that we need to bypass. We can define simple Post hook for Status() function:

Analysis can be re-run with the new hook, and the actual results will looks like this:

WinHttpRequest.Status() now returns 200 and the JBWQC() function returns the content of the WinHttpRequest.ResponseText. Returned HTML is fully visible in the Meta Information column of the report. The sample still doesn't execute the final payload, so we need to check where the returned HTML content is used. This can be done just by looking at the VBA Call Graph:

IP-checking function is named JBWQC() and it is reached only from mtUBxZ(). We can easily navigate to this function just by clicking on the specific graph node.

Here we can see, that the returned HTML content is passed to the WjUJV() function which is just a wrapper for the VBA InStr API. The second argument seems to be an encrypted string, luckily we have heuristic detection of string encryption functions and in this case it properly logged the decrypted value. It is visible above the VBA function: "xINsEBWARZWSLGTDqR" - "SWITZERLAND". So, the ResponseText have to contain string "SWITZERLAND", this is our second VBA Post hook:

After re-running analysis we can further inspect the instrumented VBA code, or just look at the rest of the report, since the macro successfully executed the final payload:

Final words

Being able to quickly act has become a major strategy to fight evasion. With Joe Sandbox security teams (CERTs, CIRTs, SOCs, etc.) get an extensive analysis tool which allows them to fight evasions within minutes. Our newly introduced VBA instrumentation engine is a perfect example. While dealing with a new macro based Office evasion, analyst can easily identify it via the dynamic data visible in the "Meta information" column of the VBA report. Next they can detect the evasion by writing a behavior signature, and finally bypass it by adding a new Pre or Post hook.

VBA Instrumentation is available in Joe Sandbox 17.

Sample analysis with VBA instrumentation turned on:
http://joesecurity.org/reports/report-58258b89e076c4d378436f3b03682402_2.html#vba-code
http://joesecurity.org/reports/report-43b8cc7dc3ff1987354e974d77216b1b_2.html#vba-code
http://joesecurity.org/reports/report-2e374756930bee59c371d98ff88572a8.html#vba-code

↧

Joe Sandbox 17

November 30, 2016, 4:57 am

≫ Next: Detecting malicious e-Mails with Joe Sandbox Mail

≪ Previous: Generic VBA Instrumentation for Microsoft Office Documents

We are proud to release Joe Sandbox 17 today. Below you will find some of the most important features and improvements being added:

Generic VBA Instrumentation

VBA instrumentation captures runtime information such as API and method calls for Macro code embedded in Microsoft Office files. With VBA instrumentation cyber security pros can understand VBA code much faster.

Further we added a call graph for the traced VBA code:

The call graph enables security experts to easily spot decryption routines and offers them fast navigation. VBA instrumentation is fully generic, meaning that our customers can add their own instrumentation like, e.g. fake IP addresses (Maxmind checks) or bypass other evasions.

User Automation for Microsoft Office ActiveX and PDF links

Microsoft Office documents with clickable ActiveX objects really have become a major delivery mechanism. Joe Sandbox 17 includes a new cookbook command_JBActivateOfficeActiveX. The command intelligently clicks on ActiveX objects:

Similarly we added new click command _JBClickPDFLinks which clicks on links embedded in PDF files:

On top, we've added a new signature which directly extracts URL links from PDF documents (even from compressed streams).

User Automation for Joe Sandbox X

For the new Joe Sandbox X and Ultimate version we developed a new cookbook command which clicks on buttons (_JBStartAutoInstaller). This fully automates the installation of malware embedded in installers:

Support for Android 6.0 Marshmallow

Joe Sandbox Mobile and Ultimate are now supporting analysis on latest Android 6.0:

Redesigned Web Interface

The web sample submission page of Joe Sandbox 17 has been fully redesigned. We focused 100% on usability. As a result, submitting samples to Joe Sandbox has become very easy:

Besides the submission page, we have also fully redesigned the analysis details view, and added options for bulk Yara uploads.

Behavior Signature Set Increase

Joe Sandbox 17 includes over 40 new behavior signatures. This increases the total signature set to over 1217. Below you can find a non-exhaustive list of new signatures:

Detect latest Locky variants
Detect many new evasions (e.g. Word document only with p-code)
Detect malicious Microsoft Office documents based on VBA instrumentation data
Detect malicious Microsoft Office documents contain ActiveX objects
Detect new powershell attacks
Detect malicious links in PDF documents
Generic detection for Mac OS X malware

Finally, another major improvement in Joe Sandbox 17 is the optimization of FPs.

Happy analysis!

↧

Detecting malicious e-Mails with Joe Sandbox Mail

December 14, 2016, 4:44 am

≫ Next: Happy New Year!

≪ Previous: Joe Sandbox 17

Nowadays, e-mails have become a defacto standard way to deliver malware to endpoints, infections through the web browser becoming seldom. Attackers are now crafting more sophisticated malware embedded in e-mails that are hard to detect as the example below demonstrates:

Here are some interesting facts about this e-mail:

It is sent directly to the target person
It spells the target persons name correctly
The text is well written
Sender address is valid and looks benign
Company looks benign
The attachment is a document, not zip or exe
We get lot of invoices by e-mail today, so this seems usual

From looking at the e-mail, it is very difficult to determine if the attachment is safe to open or not. What happens if you open the document? Very likely your PC will be infected with ransomware encrypting all your files:

In order to help end users to determine if an e-mail has malicious attachments, we have developed Joe Sandbox Mail. Joe Sandbox Mail integrates seamlessly into Microsoft Outlook and comes as a Windows installer package (MSI):

With just one click you can submit e-mail attachments to Joe Sandbox Cloud, Desktop, Complete or Ultimate for in-depth analysis & detection:

After analyzing the attachment, an alert informs you about the threat and flags the e-mail as malicious:

Joe Sandbox Mail is simple to use, does not require any technical expertise and uses the power of Joe Sandbox for malware detection.

Contact Joe Security if you would like to try Joe Sandbox Mail.

↧

Happy New Year!

December 31, 2016, 2:21 am

≫ Next: New Sandbox Evasion Tricks spot with Joe Sandbox 10.5

≪ Previous: Detecting malicious e-Mails with Joe Sandbox Mail

The Joe Security Team wishes you all the best in 2017!

↧

New Sandbox Evasion Tricks spot with Joe Sandbox 10.5

December 17, 2014, 9:23 am

≫ Next: Deep Analysis of Android Ransom Charger

≪ Previous: Happy New Year!

Recently we came accross an interesting sample equipped with new tricks to evade sandboxes and other dynamic analysis systems:

In pseude code:

The sample sleeps until there is a mouse and foreground window change. Since most malware analysis system only simulate mouse changes they miss to analyze the real malicious payload. With the Cookbook technology of Joe Security one can easily simulate any activites:

However this is not enough. The sample includes an additional evasion trick:

Basically the disk is queried for IOCTL_DISK_GET_DRIVE_GEOMETRY_EX. The structure contains information like the media type, sector per track and the number of cylinders of the hard disk. After the query the number of cylinders is compared to value 5000. If there are less than 5000 cylinders the sample simple terminates. Since Joe Sandbox runs on any device including virtual, simulated and native systems one can quickly analyze the malware on real system:

↧

Deep Analysis of Android Ransom Charger

January 27, 2017, 3:22 am

≫ Next: OEM'ing Joe Sandbox

≪ Previous: New Sandbox Evasion Tricks spot with Joe Sandbox 10.5

A couple of days ago, Checkpoint discovered a nice new Android malware (MD5: 2b83bd1d97eb911e9d53765edb5ea79e), you can find the full blog post here. While the find is interesting, their analysis lacks depth, important details being left out. That’s why we thought giving it a shot and analyze it with Joe Sandbox Mobile to share more technical details that will help us better understand the malware's behavior. We will focus here on the technical aspect rather than talk about the "Charger" app itself.

Our initial analysis shows that the sample was detected as bad with a strong chance to be related to ransomware:

From the signature overview we can see that the method names are obfuscated and often uses reflection:

What is Reflection?

Reflection is commonly used by programs which require the ability to examine or modify the runtime behavior of applications running in the Java virtual machine. This is a relatively advanced feature and should be used only by developers who have a strong grasp of the fundamentals of the language. With that caveat in mind, reflection is a powerful technique and can enable applications to perform operations which would otherwise be impossible.

To be more precise, with Reflection you can dynamically call Android methods (including APIs). Thus during static analysis it's not clear what method is being called, making static analysis very difficult:

However thanks to dynamic analysis the APIs are executed (we call this technique resolving reflective invocations) are becoming visible:

Looking at all the reflective invokes, we realize that there are many file system related APIs, like getDir, getAbsolutePath etc. Thus a look at the created file section is advisable:

As we can see, two files have been dropped, a dex file plus a jar file. Those files are part of the initial APK but are encrypted, the decryption will occur only during runtime. How are the files loaded? Dynamically loading dex files on Android requires access to the class loader:

Access to the class loader is often used for detection, therefore it is hidden again via Reflection.

Since the app loads new parts it is key to focus now on the newly loaded code:

Looking closer at the new code it reveals the following behavior:

Anti Analysis techniques and getting device admin status has become standard for malicious Android applications. This malware tries to get device administrator rights very intrusively. If you click "Cancel" it will just ask you again (endless).

Finally we also spot the following strings in the new code:

Is this really RANSOMWARE or just a scam? It is really ransomware and accesses your:

Phone number
All your stored SMS
Location (GPS)
Photos
Emails

What is also interesting is that the app has "Camera permission" and contains code to take photos (check method onPictureTaken). So even if you do not have sensitive photos on your phone the app still makes one for you (silently):

Or even several photos:

Curious to find out more? Then check-out the full analysis report of Android Ransom Charger:

Joe Sandbox 18 Analysis Report 2b83bd1d97eb911e9d53765edb5ea79e

Dropped files (pw: infected):

qodnigsofy.jar 911384c7a5dcf7687a5648d9a44b65e3, qodnigsofy.dex, e0163df3b6badbe1cc8ef9dbda66c419

↧