Automated Malware Analysis

Here at Joe Security, we have a long tradition of doing OEM business. OEM stands for original equipment manufacturer and is kind of misleading term. Today OEM is often used to describe that company B can integrate, bundle or resell a product of company A.

Why do companies integrating dynamic malware analysis system (sandboxes) into their products? Well a sandbox enables your product to:

Detect unknown malware with high detection precision
Determine the payload and type of malware
Get IOC's and additional forensic artifacts about a thread

Looking at use-cases the following industries/vendors/tools can benefit from Sandbox integrations:

Secure Gateway & Firewall vendors

Secure Gateways and Firewalls can extract samples from the wire and send them to the sandbox. If the sandbox detects a sample as malicious the firewall can block the sample, IPs, domains, the endpoint and notify the SOC. In addition, IOCs and payloads can be provided to security operation teams. Due to sandbox integration samples passing the Gateway / Firewall are being detected.

Cloud & e-Mail Security providers

Similar to Firewalls secure e-Mail and Cloud products can scan e-Mail attachments and files with the sandbox. Malicious files can be blocked so that they do not reach the end user. With a Sandbox integration infection of end-user systems can be prevented.

Automated Incident Response Tools

Automated Incident Response Tools benefit from IOCs extracted by the sandbox. IOCs can be used to clean and remediate endpoints. Further C&Cs enable to separate and block infected devices. The Sandbox improves detection and delivers meaning full data for disinfection.

Threat Intelligence Platforms

A Sandbox nicely integrates into threat intelligence Platforms. The Sandbox generates additional IOCs and payload data which give "context" for domains, IPs, file names and hashes. Security teams using threat intelligence platform greatly benefit from additional behavior data about threats.

Next-Gen Endpoint Solutions

Next-Gen Endpoint Solutions upload suspicious files to the Cloud where they are analyzed by a Sandbox. On detection, the endpoint client solution is notified which then remediate the client, blocks processes as well as network connection. Thanks to the Sandbox more threats can be detected.

Why choosing Joe Sandbox for integration?

Here at Joe Security OEM integrations are one of our specialty. Integration with Joe Sandbox has the following benefits:

True cross-platform aware platform analyzing samples dynamically on Windows, Android, Mac OS X and iOS
Includes several top-notch technologies
Deep analysis
Open platform running on Linux with various interfaces for integration
High installation flexibility
High tuning flexibility
Flexible licensing options
Source Code ESCROW
Source Code licensing
Long term deals with long term run down periods
On-site training and installation
SLA
White label branding options
High confidentially due to Swiss legislation
Over 10 years experience in Sandbox development
Competitive pricing

Interested? Please contact us to schedule a presentation.

We are happy to announce the release of Joe Sandbox 18, our most advanced Deep Malware Analysis engine. In this blog post we will share some of the most interesting new features we have implemented.

VBA Macro Winapi Instrumentation

Samples using Winapi (native or normal ones) calls inside a Microsoft Office Macro are now instrumented and logged:

A malware family using Winapi calls in Macros is Hancitor.

SCAE Library Code Detection

We added library code detection to SCAE (Static Code Analysis Engine) and EGA (Execution Graph Analysis):

The EGA nodes are shown with a lower opacity, making it easier to distinguish between malware code and library code. Further, you can see the corresponding library function name:

Intelligent Submission

We saw an increase of malware samples dropping executable files which are not being started. In most of the cases, this is linked to the autostart functionality of the operating system. If the sandbox doesn't reboot the dropped file, it will be only analyzed statically and not also dynamically. This is not an issue for Joe Sandbox 18, which can automatically launch not executed, dropped PE files:

By the way, Joe Sandbox 18 successfully handles all kind of archives, including zip, 7zip, rar, tar, ace, bzip as well as saved e-mails like MSG and EML. It even handles recursively packed archives and emails, e.g. a zipped MSG with a rar attachment.

GitHub based Yara Rules

Tired of updating your Yara rules manually? No problem, just add a Github repository! Joe Sandbox will take care of the synchronization:

OCR Click Engine for latest HTML droppers

The use of HTML droppers is increasing and to be able to execute them, you have to fully automate Internet Explorer. Joe Sandbox includes an extensive OCR based Click Engine that will automatically click on strings identified by the OCR:

Confidence Score

Our engine now calculates a confidence score per sample:

This enables analysts to better understand the detection score. There is also a new detection status "Unknown" for samples the system cannot execute.

Deep OLE Analysis for Mac OS X

Joe Sandbox X now benefits from our massive signatures database to detect malicious OLE / Macros targeting Mac OS X users:

Static Analysis of dropped DEX on Android

Over the past months, Android malware dropping, loading and then executing the new code has been on the rise. To prevent being analyzed, the code is deleted right after it has been loaded. The latest Joe Sandbox Mobile version prevents the deletion and therefore enhances deep analysis of dynamically loaded DEX code:

Update Now!

Joe Sandbox Desktop 18.0.0, Joe Sandbox Complete 18.0.0, Joe Sandbox Ultimate 18.0.0, Joe Sandbox Mobile 6.5.0 and Joe Sandbox X 2.5.0 are ready for all our on-premise customers.

Needless to say, PowerShell has become an important means for Malware to do persistence. If you are interested in learning more about this topic, an excellent write-up about PowerShell & Malware has been published by Symantec THE INCREASED USE OF POWERSHELL IN ATTACKS. PowerShell has a lot of tricks which makes analysis harder, however, in PowerShell 5.0, Microsoft added some nice logging feature. In this blog post, we will show you how we take advantage of this logging feature in Joe Sandbox and how it helps us to analyze malware.

Intro

The malware we are analyzing is a WSF file (MD5: 2161f8cf7b6c1a1a3a6fdc41083566a5) coming from an email attachment (source: Treatwave):

The detection is malicious with a very high confidence:

The spider chart outlines that the malware is very likely related to ransomware:

The behavior graph shows a lot of activities:

Looking at it more closely it reveals that there are two interesting "subgraphs". The graph on the left drops various PE files via wscript, which further are started as a1.exe and a2.exe.

In the behavior signature overview we can see that this is Locky:

The file encryption routine can be found by clicking on the "Show sources" link:

However, what's the left graph about?

MSHTA.exe has started javascript command line:

Next MSHTA starts PowerShell by passing the IEX invoke expression followed by a shell variable. How can we figure out what this variable is and how can we understand what the IEX expression will execute?

PowerShell Logging

In PowerShell v5.0 Microsoft added some advanced new logging feature which enables us to capture most of the PowerShell's behavior. A good write-up about the logging feature can be found in the Windows PowerShell Blog.

There are two advanced logging features:

ScriptBlockLogging
Transcript Logging

How do you enable logging? Either by changing some group policies or easier by using the following reg file which will set required registry keys:

PS_logging_reg by Matthew Dunwoody

No reboot is required.

How do you query the logs? Use the Windows Events Command Line Util:

wevtutil qe Microsoft-Windows-PowerShell/Operational /c:1000 /rd:false

We fully integrated PowerShell logging into Joe Sandbox, and as a result, we can now easily understand what is happening:

$env:jxys is Base64 encoded string which is decoded during runtime:

Looking at the code reveals:

It is loading the InMemoryModule
It has some large bytecode like array
It tries to get the function address of CreateThread
It runs the bytecode

The code then injects additional code into regsrv32.exe:

Looking at some HCA function outlines that this code likely does something with click fraud:

Also, it checks for VMs:

Googling a bit for the behavior instantly reveals that this is the Konvter click fraud malware. Have a look at some nice articles on this topic:

Summary

PowerShell's logging functionality is really helpful to understand malware. The use is simple and does not require special technical skills.

Full Joe Sandbox 19 Analysis Report (USE CHROME TO OPEN IT)

Deep Konvter & Locky Analysis

Besides working on new and deep malware analysis features we also continuously improve and extend the visualizations. Visualizations help to understand complex data very quickly and also to separate noise from interesting data. So far Joe Sandbox generates the following visualizations:

Classification (Spider Chart)

Behavior Graphs

IP to Country World Map

CPU and Memory Statistics

Behavior Distribution

Execution Graphs

Recently have added some cool new features to the Behavior Graph. In this blog post, we outline some of them. The Behavior Graph is a directed graph where nodes are:

Processes
Connected IPs & Domains
Dropped PE files
Behavior Signature

For Behavior Graph's 2.0 we added to each node multiple attributes, including:

Malicious / Clean
Is dropped file / process
Programming language used
Number of created files
Number of created registry key
Domain active / down

The attributes help to understand the behavior and to spot the most interesting part of big graphs. Let us have a look at a recent Locky / Kovter sample graph (MD5 a362758c36bed10fb64823918ed90740):

The initial sample is a Javascript file which was run by wscript. Wscript is a Windows process (see the small Windows icon on the top right corner). Wscript created 15 files, indirectly started mshta.exe and performed various network activities:

It connected via the Port 80 / HTTP to at least 3 domains which have been detected as malicious (see red hazard icon on the right). Those domains are active and hosted in the US and Russia. Wscript also dropped at least 3 PE files, among those, one (exe1.exe) has been launched and detected as malicious. The two matching signatures are shown on the right. So what did Exe1.exe really accomplish? Check out the graph below:

Exe1.exe is written in C or C++ started rundll32.exe which itself dropped an executable file. Besides injecting exe1.exe into winlogon.exe, the code injected also winlogon.exe into explorer.exe. Therefore, Explorer.exe connected to a malicious domain hosted in the USA.

As you see by walking the graph down, you can fully understand the behavior of the sample. Also by using the node and edge attributes you get very helpful meta information.

Besides attributes, we also introduced to our graphs, flexible coloring based on data. If you look at the whole graph you instantly see that the wscript.exe node has one of the best visibility, while e.g. the powershell.exe node is less visible:

Again this helps to spot the most interesting behavior & parts of the graph.

Behavior Graph 2.0 and our other visualizations show how helpful they are to quickly understand complex threats and to find interesting data in large data sets.

What is next? We are working on some really cool additional visualizations, so stay tuned!

Full Analysis Report:

Joe Sandbox Cloud Pro 19.0.0 Locky & Kovter analysis

Last Friday, May 12th 2017 cyber criminals started to spread a new ransomware. The malicious code was not highly sophisticated, it was using a recently patched SMB bug (MS17-010 also known as ETERNALBLUE) to spread. The remotely exploitable SMB bug was part of an NSA leaks series and affected XP up to Windows Server 2012. Windows 10 is not affected.

We got the sample on Friday around 6 PM and the initial analysis has released the following facts:

Complex installation behavior

Multi-language support

Install and uses Tor for communication

Programmed in C / C++, also uses VBS for some tasks

Makes recovery impossible

Encrypts files with AES 2048-bit, file appendix is WNCRYT, encrypts files everywhere

Creates a mutex to prevent double infection, the mutex is MsWinZonesCacheCounterMutexA0

Registers autostart

Has a kill switch / anti sandbox trick to prevent spreading and encryption (left branch skip, right branch spreading + encryption), kill domain is http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Kill switch does not work with proxies. Kill switch was registered by the IT security blogger Malware Tech UK.

Does not use any anti-debugging or special anti-sandbox tricks

Full analysis data generated by Joe Sandbox 19:

Good news! You now can use Joe Sandbox in the Phantom: Security Automation and Orchestration Platform!

What is Phantom exactly? It is an awesome tool to intelligently combine and automate various security products to build a full incident response chain:

There are already a huge number of apps that use Phantom:

The configuration of the Joe Sandbox app is very simple. Just add your API key:

The aforementioned combination and automation is then done via so-called playbooks. Let us have a look at the Joe Sandbox playbook:

In the playbook you choose various actions (from start to end). Actions are directly related to the apps. The Joe Sandbox app currently supports the following actions:

test connectivity - Validate credentials provided for connectivity
detonate file - Run the file in Joe Sandbox and retrieve analysis results
detonate URL - Load URL in Joe Sandbox and retrieve analysis results
check status - Check status of sample (file or URL) submitted for analysis
get report - Download report of a completed analysis in Joe Sandbox and add it to vault
get PCAP - Download PCAP file of a completed analysis in Joe Sandbox and add it to vault
file reputation - Query Joe Sandbox for file reputation
URL reputation - Query Joe Sandbox for URL reputation

The Joe Sandbox playbook starts with the detonate file / URL action. Each action has a return value. In the case of detonate action an ID is returned. The ID is then fed into the check status action which will check if the analysis is already finished:

If the status is "finished" it will move to the next decision. Otherwise, it will loop. The second decision will check if the Joe Sandbox detection is malicious. If so, it will fetch a report. You can choose from various analysis reports and artifacts which include ratings, signatures, scores, IPs, dropped files etc.:

Finally, the report is passed to the investigate playbook which informs the IR team as an example.

The outlined Joe Sandbox playbook is just a simple example of how you can use our product in Phantom. Due to the power of Phantom combined with the Deep Analysis of Joe Sandbox you can easily achieve the following goals & use cases:

Detonate sample, if malicious, get report, extract malicious IP, block malicious IP (e.g. via firewall)
Detonate sample, if malicious, get report, extract dropped file hash, scan endpoints for hash
Detonate sample, if malicious, get report, extract Yara rules, scan endpoints

You can download the Joe Sandbox App here.

Thanks again to the Phantom team for the great integration work!

We have good news: Joe Sandbox version 19 is out! This is a big release with many improvements, enhancements, and new features. If you are an on-premise customer you can simply upgrade to Joe Sandbox 19 via:

mono joeboxserver --updatefast

In this blog post, we will outline some of the enhancements and new features of v19.

Phishing Detection

Phishing is a growing trend, and many products have very poor detection for it. Therefore we added a behavior based Phishing detection to v19. How does it work? Joe Sandbox will browse URLs in IE and then store the DOM. The same is done for iframes as well as links found on the page. The DOM array is then evaluated by using several new behavior signatures:

For more in-depth analysis, customers can also access the raw DOM data.

Joe Sandbox Uploader

With Joe Sandbox 19 you get a convenient desktop tool which enables you to easily upload files and URLs to Joe Sandbox from Windows and Mac OS systems:

.NET Decompilation

Over the last months, we saw a huge increase of malware & packers written in .NET (C# or Visual Basic .NET). Joe Sandbox v19 includes an extensive decompilation engine for .NET. All decompiled .NET samples are being uploaded to Joe Sandbox together with the dropped or downloaded files during execution. The decompiled code can be downloaded via the web interface:

.NET Decompilation also contributes to detection via behavior signatures:

Offline Snort / ET PCAP analysis

Are you a big fan of Emerging Threats rules and want to have them included in the Joe Sandbox behavior report? With v19 you get it:

Together with the Snort / ET PCAP analysis we also added detection of malicious files and IPs:

80 New Behavior Signatures

We added many new behavior signatures, in particular to detect new Mac Malware (e.g. Proton B and Snake aka Turla), Phishing, Ransomware and .NET Malware:

UI & User Automation

More and more samples require user automation. Microsoft Office documents are a good example. The same applies for Mac OS samples. We added several enhancements to our user automation to successfully handle the latest tricks:

Please note that Joe Sandbox uses an advanced OCR based clicking engine to detect some of the UI elements.

Minor Features

The following additional minor features are part of the v19 release:

Automated signatures update (hourly)
Password mask for encrypted office files
URL / Link analysis for mail archives (MSG and EML)
Powershell script block logging
ETW Powershell logging

Interested in Joe Sandbox v19? Let us know and we schedule an in-depth technical presentation and demo!

Want to see Joe Sandbox v19 live? Visit us at Blackhat USA Las Vegas booth IC69 Innovation City.

At Joe Security, innovation is in our genes. We have been working on an awesome new component which takes advantage of hardware virtualization to analyze and detect malware. We call this new product Joe Sandbox Hypervisor.

What is hardware virtualization? What technology do we use for introspection? How do we implement it and what are its benefits? Read this blog post to get answers to these questions.

Hardware Virtualization

Hardware virtualization is a general term for an instruction set, introduced by Intel (VT-x) and AMD (AMD-V) in 2005/2006. The instruction set supports running several operating systems simultaneously on the same CPU. To achieve that, it adds an additional feature for memory separation (e.g. via extended paging tables) as well as a new CPU ring/mode (often referred to as root mode or ring -1). The transition from the normal modes (ring 0-3) to root mode can be visualized like this:

For malware analysis, this transition is very interesting since it intercepts execution of the malware at specific events, extracts additional information and then returns/continues execution. This enables fine grained interception as well as tracking detailed runtime information. Another great benefit of hardware virtualization is stealthiness, making it very difficult for malware to detect.

Kernel mode Hooking

Since hardware virtualization is relatively new, Joe Sandbox currently uses a pure kernel mode (ring 0) driver which intercepts various system events such as system calls, kernel calls, memory events etc. So is there something to fear of? Not really: Using hooking/function interception in kernel mode works perfectly for 99% of all malware out there. The only problem are rootkits which run in kernel mode themselves. However, rootkits have all but disappeared during the last years:

AV-Test Statistics

There are multiple reasons for this. First, Microsoft introduced driver signing, so only signed drivers are allowed to be loaded into kernel space. Second, additional features have been introduced to Windows which make abusing and exploiting kernel mode more tricky (PatchGuard is a good example).

Besides rootkits, a much bigger issue for kernel mode introspection is the inability to intercept events from user mode. A good example is the API GetSystemTime. This API does not reach kernel mode and therefore cannot be tracked from the.

Here is where hardware virtualization has its benefit as it can also intercept any user mode function.

Derived and Custom Hypervisor

So how does Joe Sandbox use hardware virtualization and how is it implemented?
If you implement hardware virtualization there are two options:

Implement introspection in an existing type 1 or 2 hypervisor (KVM and XEN are two good examples). In both cases, you would modify and extend the existing GPL code to get callbacks on the interesting guest to host transitions. The introspection code will be always part of the virtualization solution and therefore the malware is always run inside a VM. Analysis on a bare metal machine is not possible.

A second option for the Type 1 model is to develop your own custom hypervisor. The custom hypervisor is a full implementation which does not derive from existing hypervisor code and just provides the inspection functionality. With this architecture, malware can be run directly on physical machines (laptops, PCs, servers etc), and no VM is required. Alternatively, it can also run nested, inside a VM (hypervisor in hypervisor).

It is very important to note that, exactly the same introspection capabilities exist for custom and derived hypervisors. However, one of the biggest differences is the flexibility of the analysis target. With a custom hypervisor, analysis is not bound to the virtualization solutions. Introspection can be done on real as well as virtual hardware. Why is this so important? Analyzing on real devices is king since it is _ the _ target for malware. A virtual machine is very different compared to a real device and those differences are trivial to spot by malware. Thus by detecting those differences malware can easily evade analysis.

Since the custom hypervisor runs on real hardware, there are no dissimilarities for malware to exploit. Thus the custom hypervisor has a big advantage over the derived hypervisor since it is harder to detect.

Some may argue that in the next five years all our operating systems will run on virtual machines. However, for Joe Security, it is important to protect our customers right now and not eventually in five years.

Joe Sandbox Hypervisor has been implemented as a custom hypervisor to benefit from the outlined advantages.

Deep and stealthy Introspection

Joe Sandbox Hypervisor captures and extracts the following data:

System calls

Kernel calls
User mode calls
Access to user mode memory areas (e.g. PEB)
Access to performance counters
Execution of specific instructions (e.g. CPUID) by kernel and user code

This whole new range of dynamic information will be extremely beneficial for our malware detection and deep malware analysis engine.

Please note that hypervisor-based inspection is just one of many technologies offered by Joe Sandbox. We strongly believe in a multi-technology platform. Besides Hypervisor, Joe Sandbox employs the following techniques:

Generic Instrumentation (e.g. Office Macro Code, Android, and Javascript)

Simulation (Internet traffic, Cookbook)
Hybrid Code Analysis (Analysis of non-executed code branches)
Execution Graph Analysis (Analysis of the malware with graph analytics)

Are you excited about this new feature and curious to see it in action? Come and visit us at Blackhat booth #IC69 in Innovation City area and we will give you a demo of some of the great features of our hypervisor implementation!

Join Joe Security at Black Hat USA 2017 in Las Vegas from July 22nd to July 27th to get the very latest information about security research, development, and trends.

We will have the pleasure to welcoming you on level 2 on Wednesday July 26th and Thursday, July 27th, at the booth IC69 in the Innovation City area.

Meet with our team to learn more about Joe Sandbox's latest innovations, like Joe Sandbox Hypervisor, and enjoy some delicious Swiss chocolate. Register using the following code* vrLioD11 and get 25% discount on your briefing pass. Looking forward to meeting you!

* limited number, first come first served.

Hunting for similar or associated threats is a key task for SOCs, CERTs, CIRTS and IR teams. If you are testing threat search engines, you will find many allowing searching for a very small set of IOCs, mostly:

File hashes (MD5, SHA1 etc)
IPs
Domains
Names of dropped files

What if you want to search for more detailed, deeper and low-level information? Well, you reach a dead end, but fortunately, there is a solution now - Joe Sandbox View.

Joe Sandbox View explained

Joe Sandbox View is a search engine based on Elasticsearch, that is fed by Joe Sandbox Cloud Pro (customers can opt-in to share their analyses) as well as Joe Sandbox Cloud Basic.

The average amount of data added per report is 20 MB.
Data populating Elasticsearch includes:

Detection status

Score, Confidence, Label

Full static file information

PE, APK, MACHO, IPA, DOCX, OLE, etc.

Full behavior signatures information

Spreading, evasions, phishing, exploiting, Trojan activities, spyware activities, banking, spamming, etc.

Full system behavior

Created, modified, written, read, deleted files
Created, modified, read registry keys
Created, stopped processes
Allocated, written and read memory
Created mutexes
Connected, bound sockets
Loaded modules
Created, modified, terminated, delayed threads
Etc

Full network analysis

HTTP gets, posts with raw & encoded bytes
FTP
SMTP
DNS
ICMP
IRC
TCP & UDP connection data
Inspected HTTPS
HTTPS certificates

Code manipulations

IAT, EAT, SSDT, IDT, DKOM, inline hooks etc

Performance statistics

CPU, Memory

Hybrid Code Analysis data

Executed functions
Non executed functions
All APIs, instructions, strings per function

Antivirus detections

Virustotal and Metadefender
For dropped files, domains, initial sample

Yara detections

For dropped files, PCAP, initial sample and memory dumps

The information is rich and enables users to do very advanced searches. The above list is just for analysis on Windows. However, also data from Android APK analysis and Apple Mach-O analysis are fed into Joe Sandbox View.

Joe Sandbox View Interface

Joe Sandbox View is very simple to use. If you log in, you can either choose one of the predefined searches or you construct your own query:

If you want to construct your own query, click on Add Filter. You can then select one of 1,500 identifiers or fields (compare this number to other threat/intelligence searches) :

For each field you can select from various comparison operators:

The operators vary on the search field type, as an example, for numbers, operators such as =, >, < are available.

What if you want to search for contextual data?
For example, let's assume you want to search for all samples where there is a process called "explorer.exe" which created an EXE file in the temp directory.
This can be done via nested queries. To do so, select the "process" node (nodes are tinted blue):

Then a new filter level opens. It displays the nodes and fields you can select from within the same process context. Of course, multiple nesting is possible as well, as shown here:

Another very interesting feature is that Joe Sandbox View also provides context information for each search so that you can see e.g. what the MD5 hash of the created file is. To view or download the full analysis report, just click on the icons on the right.

Joe Sandbox View Example Searches

Given the abundant data & the nice and simple search interface one can easily do very complex queries:

Generic Locky query, based API calls and strings in a disassembly function context

List all Office Documents, sample calling PowerShell in VBA Macro code based on dynamic VBA data extracted via VBA instrumentation

List all samples trying to detect VMware (Red Pill), based on disassembly instructions

Listing all malicious OpenXML Office document samples which connect to Russia, based on OLE extraction and network analysis

As the examples show the number of searches & combinations is unlimited.

Joe Sandbox View Context for Joe Sandbox

Joe Sandbox View not only has a UI but also an API. Via the API Joe Sandbox enriches its analysis reports with additional context information. It creates lists of all associated samples based on:

IPs
ASN (Autonomous System Number)
Domains
Dropped files

Hereby incident responders get a quick overview of associated or similar samples. Let us have a look at the recent analysis of a malicious Javascript file (MD50b185422af3ce8629a384d497e1c3c33). From the behavior graph we see the sample connected to IP 47.91.93.208 which has been registered by AlibabaChinaTechnologyCoLtd:

With the View integration one can now easily see all other/associated samples which also connected to an IP from AlibabaChinaTechnologyCoLtd:

For each find correlated data is shown. For ASN this is the IP, for Domain the IP and for IP it is an HTTP URL:

Conclusion

With Joe Sandbox View we make the massive amount of behavior captured by Joe Sandbox searchable. Searching is easy since the interface is simple and intuitive. Very advanced searches are possible for over 1,500 different values/fields. Via the API Joe Sandbox directly benefits from the threat intelligence data of View.

Joe Sandbox View is available in Joe Sandbox Cloud Pro since January 2017.

Having Internet access when dynamically analyzing malware is a key. Nearly all malware you get today (first stage) are droppers having as the main goal to download second stage malware. Droppers are often heavily obfuscated and contain evasive behavior to detect malware analysis systems.

One of such behavior is doing checks for the public IP, which belongs to the malware analysis system. A dropper can check for the registration of the IP, the geolocation (e.g. country), the registration time, etc:

Infamous AVTracker services: https://web.archive.org/web/20140816001420/http://avtracker.info/

Details for an IP identified by AVTracker

We have seen an increase in the number of samples (targeted and non-targeted) using IP details to detect malware analysis system. Here is an example which uses Maxmind and an extensive list of known security companies (for full details see our blog post Generic VBA Instrumentation for Microsoft Office Documents):

To deal with such evasions, one can obviously use TOR. All traffic from the analysis machine is routed via TOR transparent proxy, which provides a high anonymity level, but the following three issues still need to be solved:

Detection, TOR can be detected e.g. via exit node black list
Randomness, TOR exit nodes are randomly selected. There is no way to only select exit nodes in the USA, Japan or Denmark.
Stability & performance, TOR sometimes is slow and unstable

To solve those problems, we have created a new feature called "Localized Internet Anonymization". LIA has the following features:

Hard to detect
Exit nodes can be selected by Country
Good stability & high performance

LIA has been integrated into Joe Sandbox Cloud:

Joe Sandbox Cloud customers can choose from various countries:

With LIA cyber security analysts are able to:

Analyze targeted malware which uses advanced IP / Geolocation checks/evasions
Choose from various countries
Profit from a stable & anonymized Internet connection

Interested and like to get a trial for Joe Sandbox Cloud Pro? Register here.

Today we’re very proud to announce the launch of the fully redesigned Joe Sandbox Cloud Basic website.

Over the past years, we have constantly collected a lot of information and received extremely helpful feedback from our users that helped us build a FREE, unified and community driven automated malware analysis platform.
With today's release we made some major improvements to our community platform, among them:

File, Document, URL, Mobile and Mail Analyzer are now regrouped under one unified platform, matching 1:1 that of Joe Sandbox Cloud Pro.

The users are now able to submit any sample type or URL on Windows, as well as APK's on Android operating systems.

The users have now the possibility to download reports as HTML (complete, executive), PDF, incident XML, plus PCAP data for your analysis.

All the analyses machines are up to date (Windows 7 with various software installed, Android 6.0).

All Joe Sandbox Cloud Basic users have now full access to Joe Sandbox View with more than 15,000 reports for context search.

With the new Joe Sandbox Cloud Basic, everyone can benefit from the power of our automated malware analysis engine and get a feel for the advanced features Joe Sandbox Cloud Pro has to offer.

Attackers are constantly changing their tactics and procedures in order to find new containers to deliver and execute code on end-points. Beside VBA in Microsoft Office Documents, Javascript files are a very popular infection vector:

Why? In contrast to VBA, Javascript offers many constructs for advanced obfuscation:

Obfuscation often includes eval() on a string, representing the code obtained through complex computations that are extremely hard to follow statically. As javascript runs in the browser, endpoint protection solutions have to be careful, each FP could have a big impact. Given the complexity, it's hard to correctly detect malicious JS files.

Javascript files are often just droppers which will download a second stage malware. However, we have recently seen an increase of evasive Javascript files, crafted to prevent analysis and execution in Sandboxes.

JS Instrumentation

To better fight this type of evasion, we have added JS instrumentation to Joe Sandbox v20 (our upcoming release). What is instrumentation? Instrumentation is a technique to modify a program before runtime, by inserting logging and trace code:

Instrumentation is extremely powerful since it features the following benefits:

Trace of any variable such as strings, integers etc.
Trace of any function call, including full parameters
Trace of any API call, including full parameters
Modification of any variable, function call or function arguments

Finally, this allows us to detect and bypass evasions! Please note that full system emulation or inter-modular call tracing is not able to provide such insights. Only instrumentation covers that fine-grained access and tracing.

So how does Javascript instrumentation work internally? We have developed a full Javascript parser (this is complex). The parser understands all semantics of the code and generates an abstract syntax tree (AST). The AST allows inserting new code while making sure the newly generated code is still working correctly.

The Javascript instrumentation can be easily enabled / disabled on Joe Sandbox's submission page:

Detecting Dropper Behavior

Let us have a look at the sample 12PO #927476.js (MD5: b5b90ef6266f34b0eb4f9d3a9878a21e, full report):

In the report, you find the Javascript Instrumentation data in the Disassembly section:

An annotated call graph visualizes what code parts have been executed:

Right below you find the Javascript code on the left side. On the right side you find the dynamic data:

The main purpose of the anonymous function on line 10 is to return the string Wscrip.Shell. We can easily find URLs, domains and IPs in the output:

The sample checks if vbc.exe (Visual Basic Command Line Compiler) is installed, as well as which Antivirus software is installed:

Additionally, it also checks the serial number of the primary disk:

Finally, the Javascript file is copied to the user startup directory. Each time the system reboots the payload gets executed.

Detecting Evasive Behavior

Let us have a look at sample mal.js (SHA256: 206a351c718ae5e7737f6cc3866505e5de3cf10b44636a451b1506b0742d75d8, full report):

Mal3.js was uploaded to Joe Sandbox Cloud Basic and analyzed without Javascript instrumentation. The detection was "clean" and no interesting behavior has been found:

Let's turn on Javascript instrumentation and analyze the sample again (full analysis report):

The sample is now detected as malicious. If we navigate to "Malware Analysis System Evasion" we find a detection for time-based evasions:

The execution coverage is very low (orange = executed):

For each signature, we can easily navigate to the data which triggered the signature:

Which jumps to:

This sample executes its payload only before 2017-09-28 09:52:05.

Final Words

With Javascript instrumentation Security Analysts and Incident Responders get a unique and powerful technology to deeply analyze malicious Javascript. In addition, Javascript instrumentation enables Joe Sandbox to detect and circumvent evasions which other platforms miss. Javascript instrumentation offers very fine-grained tracing and access that full system emulation and intermodular tracing cannot provide.

Have you known that we also have instrumentation for Macro / VBA Code in Microsoft Office documents? If not, check out our blog post about Generic VBA Instrumentation.

Looking to test Javascript instrumentation? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Happy Release Day!!! A new Joe Sandbox version is out! This is our twentieth release, what a number!

Version 20 is a big release with many improvements, enhancements, and new features. If you have an on-premise installation you can simply upgrade to Joe Sandbox 20 via:

mono joeboxserver --updatefast

In this blog post, we will show some of the enhancements and features of the new release.

74 New Behavior Signatures

We have added a record number of 74 new signatures to Joe Sandbox Desktop, Mobile, X, Complete and Ultimate. Well, the last months have indeed been very busy with WannaCry, Petya, WireX, CVE-2017-8759 and CCleaner. Our signature set currently includes over 1,414 individual written rules!

Generic Javascript instrumentation

Javascript instrumentation allows to trace, analyze and detect any Javascript method, argument, API call or string. With Javascript instrumentation Joe Sandbox deobfuscates Javascript files and detects hidden evasions:

Javascript instrumentation is the only known technique which covers such fine-grained tracing. Full system emulation or inter-modular call tracing is not able to provide such insights. For more details on the instrumentation engine have a look at our blog post: Generic Javascript Instrumentation.

LIA - Localized Internet Anonymization

Targeted malware often checks for IP geolocation information. For instance, malware targeting a US corporation might check that the IP belongs to a Internet provider in the US. Further, the IP owner can be compared to known blacklists:

To circumvent geolocation checks we added Localized Internet Anonymization (LIA) to Joe Sandbox v20. With LIA Joe Sandbox users can choose from various countries when they submit a sample:

Reboot & Scheduler Simulation

We see more and more payloads which only execute on reboot or on specific days. To analyze those payloads Joe Sandbox v20 comes with an advanced reboot and scheduler simulation:

Please note that Joe Sandbox simulates a reboot in seconds. So the analysis machine is not really rebooted. Other solutions perform a full reboot which takes several minutes.

Web API v2

We completely redesigned our Web API. API v2 has consistent JSON output, excellent error handling, support for Python > 2.7 and is much easier to use. We also rewrote the Python wrapper. You find a complete Python web API implementation in our Github Repository.

Collider Navigation

Thanks to Deep Malware Analysis, Joe Sandbox analysis reports contain a wealth of information. Sometimes it is difficult to navigate inside that massive data. To make navigation easier we added a new control - the collider. The collider is accessible via the top menu bar:

Since the report data is structured hierarchically one can easily move from broad overview to details, e.g. from behavior signatures to behavior groups, or from dropped files to Yara overview. One can also easily jump from network to execution graphs or processes.

Android Device Admin Automation

Android malware often requests device administrator privileges. So far Joe Sandbox could not grant device admin privileges to APK. With v20 this is now possible. We added automation code that clicks through the dialogs:

As a result, the analysis contains more behavior, better detection, and more runtime information.

Threat Intelligence

Joe Sandbox v20 profits from threat intelligence via Joe Sandbox View. Joe Sandbox View is a search engine backed by a collection of high-value IOCs and threat indicators shared by Joe Sandbox Cloud users. Context information is available in a new section in the Joe Sandbox v20 Report:

Final Words

In this blog post we demonstrated some of the big major features, but Joe Sandbox 20 contains many more new features in addition, such as:

New Yara section in reports
Yara scanning of unpacked PE files
A new load balancing script
IDA Pro Bridge Plugin support for x64 dumps
Support for CRT files
Randomization of sample names
Dropped file preservation for Android in reflective calls
Icons for process startup
New cookbook commands for fake printer, fake bookmarks, and fake documents
Cookbooks parameters

What is next? We have an amazing pipeline of new technologies and features! Stay tuned!

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Joe Sandbox enables analysts to execute and analyze malware on Bare Metal machines. What is Bare Metal and why does it matter? No, it is not the cool Bare Metal hot rod above, but it has a similar performance!

Dynamic malware analysis systems (so-called sandboxes) execute malware samples on a segregated machine and capture the runtime of the behavior. Sandbox vendors use different types of analysis machines:

Virtual Machines

Virtual Machines (VMs) are the most common. They run inside VirtualBox, VMware, KVM or Xen - the top four virtualization solutions. VMs typically run on hardware with hardware virtualization. Hardware virtualization helps to run multiple operating systems efficient and secure on the same physical machine. Although a VM can run hardware virtualized it is not equal to Bare Metal.

Qemu (Full System Emulation)

Qemu is machine emulator. The hardware has been fully implemented in software, including the CPU, disk, video card etc.

Bare Metal

Bare Metal is referring to using a physical device for analysis, e.g. a laptop or PC directly purchased from the local hardware store.

Bare Metal is King

So does it matter if a malware is executed on a VM, Qemu or Bare Metal? It does a lot! The "normal" execution environment of malware is always on Bare Metal. Your employee laptop does not run on a VM or Qemu. Malware exploits that fact by checking if it is running on Bare Metal. If it is not running on Bare Metal it simply does not show any malicious behavior. As a result, the sandbox will not detect any malicious activities, plus will wrongly classify the file as clean:

How difficult is it for malware to detect a VM or Qemu? Very simple. How hard is it to make a VM or Qemu look like a Bare Metal machine? Practically not feasible. There are some scripts around to remove some of the vendor brands and strings, however, that is just the tip of the iceberg.

To prove that let us execute tool HWInfo (displays the hardware configuration of the machine) on a KVM VM and Bare Metal machine:

KVM

Full HWInfo report on KVM available here.

Bare Metal

We have summarized some of the outliers below:

As you see there are many differences. The table just lists some outliers for hardware devices. However, malware could also check and compare the performance of the machines, e.g. the GPU.

KVM

Bare Metal

Again there are big differences. Again making the KVM VM equal to Bare Metal is practically not feasible.

Joe Sandbox, no restriction for Bare Metal analysis

Joe Sandbox does not restrict you in analyzing malware on any particular virtualization solution or device. You are free on which machine you analyze:

Modern Bare Metal Laptop
Modern Bare Metal PC
Mac Mini
Mac Book Pro
Bare Metal Android Phone (e.g. Motorola 6G)
iPhone

If you use Bare Metal machines you leave malware no change for any detection. Detections for KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. So if you already have a sandbox or are looking to get one, then ask your self: is Bare Metal analysis supported? Is the sandbox based on KVM, VirtualBox, Qemu or Xen?

Golden Image - Golden Hardware

With Joe Sandbox you are not only free to choose the target analysis machine but also the operating system, its configuration and installed applications. Again there is no restriction, you can install any software.

With Joe Sandbox you get the ability to analyze malware on a Golden Image on Golden Hardware!

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Yesterday, Russia and Ukraine have been targeted by the Bad Rabbit Ransomware, distributed via drive by.

The sample named install_flash_player.exe, sha256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da has some very strong similarities to NotPetya, the ransomware spreading via EternalBlue SMB exploit in June.

There are many behaviors based similarities, such as started processes:

NotPetya

Bad Rabbit

But there are also many code based similarities. Multiple companies already blogged about the differences (1,2), however, what we found very interesting is also that the ransomware kept the kill switch. Not the one which was domain based and activated by @Malwaretech for NotPetya but rather the local machine based, which once set prevents infection. If one looks at function 807E8E we can see that Bad Rabbit checks for the file C:\Windows\cscc.dat. If it exists the process will exit:

So, to get protected just create the file C:\Windows\cscc.dat and you are good!

Full analysis + sample available at Joe Sandbox Cloud Basic.

Password Fishing (Phishing) has become the Number One vector of cybersecurity incidents and data breaches. According to a recent SANS Institute report, 95% of all incidents start with phishing attacks targeting any size of companies, from small family-owned businesses to large multinational corporations.

Generating Phishing pages is very easy and can be automated easily. Detecting the attack is the difficult part. Under these circumstances, security professionals have to rely on advanced sandbox solutions to detect the attack, but many dynamic analysis products don't even offer Phishing detection.

A standard Phishing attack starts with an email, designed to trick users by making them believe it is legitimate and contains very urgent/good news:

Or that something is wrong and their action is needed:

When the victim clicks on the embedded link, the web browser will be redirected to a page similar to Google, Amazon etc. On that page they will be asked to divulge sensitive personal information like passwords, usernames, credit card numbers, etc:

In v19 of Joe Sandbox we added a powerful new feature, the Phishing detection. When you submit a URL to Joe Sandbox, the analysis engine will automatically open Internet Explorer and navigate to the link. Even more, all links on the page are clicked upon in order to get the full behavioral picture. On each page Joe Sandbox checks for various artifacts:

Is there a password login and no HTTPS?
Are there non-working links?
Does the page header match the URL?
How many links are on the page?
Where is the password sent to?
etc...

Adopting this methodology, Joe Sandbox is able to do a first good classification. However, it is more and more common that Phishing pages do not show any bad or suspicious characteristics. They use HTTPS, have working links and everything looks legit. To detect those tough cases we have developed a new technology, called template matching.

Template matching is a known image problem where the challenge is to find a smaller image in a bigger one. A good example is detecting a person on an image when we only have the pass photo of that person:

Template

The same problem & solution can be applied to the Phishing detection case:

Given a web page which has a password login
Check if a known logo is present on the page
If a match is found, check if the URL is correct

Let's take as an example the Yahoo Phishing sample above. In this case, we start with checking the existence of the Yahoo logo or various other logos on the webpage:

Template

If there is a match, we could then check if the URL belongs to Yahoo or not. By default, this works very well. But what if the scale, color, and size of the image vary? Well, we can change the picture to grayscale, detect edges and compare the images with various scales.

In Joe Sandbox v21, we implemented a full-blown logo template matching engine to detect Phishing:

The full analysis report is available here:

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Lately, we came across a new Retefe version which uses some nice trick to bypass sandboxes (Retefe is a well know and sophisticated e-banking trojan). The initial analysis looks quite normal, there is no suspicious behavior, no dropped files, domains requests etc.

One interesting fact though is the WMI query:

If we extract the memory strings (strings taken from memory dumps) we detect a fully VBA script:

The interesting function performing the WMI query is called "CheckTest":

The function enumerates the MUI languages, which basically is a list of all installed languages for the Windows interface (MUI stands for Multiple User Interface). If only one language is installed, and this language is en-US then Retefe will not execute any payload.

Within 2 working days we added a new VM to Joe Sandbox Cloud which has several language packs installed:

Executing Retefe on that multi MUI language machine reveals all the IOCS & payloads:

Have a look at the full Retefe analysis report:

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Recently we came across an interesting sample: MD5: 52540f430c060a7e5753c999891514a1. A first look at the analysis revealed the following characteristics:

Besides a small spike in the classification chart towards Evader, the sample does not show any interesting behavior. It becomes more intriguing when we look at the slideshow, there we can see that the executable crashes on launch.

If we dig in further and look at the process we find some interesting sleeps:

The sample sleeps twelve times 0.1 seconds and one time 30 seconds. Thanks to Hybrid Decompilation we can easily understand the goal of the two delays:

This is the entry point of the sample. It first initializes a variable named _v8 and then creates a thread and passes _v8 by reference. Right after it sleeps for 30 seconds (0x4e20 >> 1 + 0x4e20 = 30'000). Finally, it uses the variable _v8 to calculate a function address which is added to 0x40b917. This function address is also called (passing _v12 as an argument).

Let us now have a look at the thread entry point, function 408B56:

The function is very simple. It is an endless loop that increases _a4, which is the address of _v8. For each increase, it sleeps for 0.1 seconds. When Sleep in the main function ends, _v8 is equal to 300 because the Sleep was for 30 seconds and the thread function increases _v8 by one for every 0.1 seconds.

As we saw at the beginning, the sample crashes, so the calculation of function address and _v8 must be wrong. But why?

Sleep evasions are a common trick to evade sandboxes. The simplest trick is just a sleep which delays execution of the payload. The delay usually is greater then the time the sandbox executes the sample. As a result, the payload is never executed during analysis.

To tackle this evasion, sandboxes automatically modify sleep values. In Joe Sandbox this can be defined by the user:

Let us assume we used the command _JBShortenSleepsGreaterThan(20000, 100) in the analysis above. With this setting, all sleeps greater than 20 seconds are shortened to 0.1s.

What is the effect on the code above? Well, the sleep in line 11 does not take 30 seconds anymore but rather 0.1s:

Due to that, the thread function 408B56 only runs for 0.1 seconds and _v8 is equal to 1. Therefore the function address called in line 12 is wrong and the sample crashes.

To summarize, the sample exploits the fact that sandboxes shorten sleeps/delays based on a threshold.

Full Joe Sandbox Report (with evasion working) below:

By changing _JBShortenSleepsGreaterThan we can easily bypass the evasion and see that sample is a ransomware:

Full Joe Sandbox Analysis Data, including Sample + IOCs:

Interested in trying Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

You might have already heard about Loapi - the Android malware which will kill your phone due to exhaustive bitcoin mining. Loapi was found by Kaspersky, an excellent write-up can be found here: Jack of all trades.

While Kaspersky's blog post gives a good overview, it does not provide a fine-grained analysis to deeply understand Loapi's behavior. Interesting forensic information, like Loapi's unpacking and obfuscation techniques being left out.

In our opinion, Loapi is one of the first Android trojans which uses multi-stage unpacking and dynamic code loading. Therefore, this blog post is dedicated to explaining how unpacking works and also shortly outlining why Loapi is challenging to be dynamically analyzed - especially through instrumentation approaches.

Layer 1

If we launch Loapi in Joe Sandbox Mobile we get two executed methods:

The more interesting method is attachBaseContext:

The method constructs the DexClassLoader class and contains some very large string. If we browse the code we can indeed see that the long string is decrypted (first base64 decoded) and then stored to a zip file:

The zip file is mapped by the DexClassLoader:

Next method etxtfvw.cqwwrwk.attachBaseContext is called via Java Reflection. Jave Reflection is super cool because it lets you dynamically call method during runtime. During static analysis, it is not clear what method is actually called.

Unfortunately, we do not have any method with that name in the Joe Sandbox report. Why that? Because we first have to understand how static instrumentation works.

Static instrumentation is a method to extract additional runtime information from a program. To achieve that, a program is statically analyzed and new code is added (instrumentation). The purpose of that code is often to log method calls, arguments, class invokes etc. For APK the process looks like this:

To problem with Loapi is that the modified APK is loading new code from itself - to be precise from a string in the APK code. Further, the string is encrypted, then decrypted at runtime and finally loaded. Due to that, no instrumentation takes place and the behavior of that code is fully hidden.

Dynamic Instrumentation

So what can we do? The answer is Dynamic Instrumentation. The instrumentation of the original APK can be done in a way that the newly added code not only logs method calls but also fully controls it. In our case, we can instrument the DexClassLoader constructor call. If it is called we can instrument the DEX code that will be loaded:

So we added a dynamic instrumentation of DEX code. Pretty cool? Yes and, for Loapi this is really a necessity.

Thanks to dynamic instrumentation we can now inspect function etxtfvw.cqwwrwk.attachBaseContext:

We can see an interesting String called /system/framework/XposedBridge.jar and some code to kill the current process. Anti Analysis? You are right. The Xposed Framework is used in CuckooDroid / Cuckoo Sandbox and likely also in some Checkpoint products. Loapi checks the stack trace for method names used by this hooking Framework.

Layer 2

So what is next? After the Anti Analysis check method, YRkfJMV is called:

Let us have a brief look at it:

Another DEX file? Right. This time it is an encrypted file inside the APK resources:

Please note that any API call in method YRkfJMV is done via Reflection. It's important because this is already unpacked / dynamic code. Finally, the newly created DEX file is loaded via reflective constructor call:

From a high-level perspective, the unpacking can be understood as follows:

Any string in the original APK, as well as the stub, are XOR encrypted:

Final Words

Loapi uses a multilayer unpacking approach to obfuscate its payload. It first decrypts a stub which contains an Anti-Analysis technique and the same stub will then decrypts the main trojan. Loapi uses heavily string obfuscation and Java Reflection in the unpacker. All those approaches are well known for Windows malware and now are more and more transferred to Android.

With dynamic instrumentation, Joe Sandbox Mobile can inspect, instrument and control any DEX code - loaded from a decrypted resource file or downloaded from the internet. For any DEX code, Joe Sandbox Mobile provides some deep content, including method calls, arguments, and other dynamic data. This provides a deep understanding of threats and a best in class malware detection.

Interested in trying Joe Sandbox Mobile? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Repor of Loapi.