Channel: Automated Malware Analysis

Happy New Year!


The Joe Security team wishes you success, satisfaction and many pleasant moments in 2018!

Generic .Net Unpacking


Nowadays, malware written in C# or VB.NET (i.e. for the Microsoft .NET Framework) has become more and more common. Ransomware, spyware and trojans are all available in .NET.

In contrast to C, C++ or even assembly, .NET is much easier and faster to implement. Via Reflection, code can be loaded or called dynamically, which provides an interesting possibility for obfuscation.

Fire and Fury


While browsing some malware samples we recently came across an interesting one:


The first layer is a WinRAR self-extracting archive:


The SFX archive extracts two files, a PE file written in C# and a PDF file. Both are launched:



The PDF is indeed the e-book version of the recently launched book "Fire and Fury" by Michael Wolff, which details the behavior of U.S. President Donald Trump during the presidential campaign. The SFX file uses the PDF to conceal its main payload.



Since version 19 (July 2017), Joe Sandbox features automated decompilation of .NET samples. Therefore we can directly inspect the C# source code of fero.exe. Of particular interest here is the Form_Load function:



The function decrypts a resource, then loads it, and finally calls its entry point. Wouldn't it be nice to get the decompiled code of the decrypted resource? Enter Generic .NET Unpacking.

Generic .Net Unpacking


Joe Sandbox Ultimate includes a generic PE unpacking engine for any PE file loaded into memory during analysis. Unpacked PE files can be downloaded directly from the analysis results web page under the secondary analysis results:


With Joe Sandbox v21, those unpacked PE files are also automatically decompiled, resulting in generic .NET Unpacking and decompilation. Cool, isn't it?

Let us have a look at the code of the decrypted and decompiled resource:


Init

Command Handler

Capture Screenshot

Key Logger

Thanks to generic .NET unpacking, we can find all the payloads, including: capture screenshot, gather information, keylogger, download and execute, USB infection, etc.

Of course, Joe Sandbox is able to automatically detect such code:



Final Words


Thanks to Joe Sandbox Ultimate's generic unpacking engine, analysts get access to any dynamically loaded PE files. With the help of the Joe Sandbox .NET Decompiler, those PE files are automatically converted to source code.

Source code enables the fastest and most accurate analysis of malware.

Interested in trying out Joe Sandbox Ultimate? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Report.

Decrypting C&C traffic with Hypervisor based Inspection


In mid-2017 we blogged about Hypervisor based Inspection (HBI), our technology to deeply analyze malware.




HBI uses hardware-assisted virtualization to inspect a program at runtime. HBI provides very fine-grained analysis and captures the following data:


  • System calls
  • Kernel calls
  • User mode calls
  • Access to user mode memory areas (e.g. PEB)
  • Access to performance counters
  • Execution of specific instructions (e.g. CPUID) by kernel and user code


Hypervisor Based Inspection


We continue extending the technology and would like to showcase an interesting analysis where HBI gives some additional insights.

The sample we are analyzing was uploaded to Joe Sandbox Cloud Basic on the 8th of January 2018:




If we look at the behavior graph we see that two processes named dnschart.exe and certcache.exe are started:



Certcache.exe posts some data via HTTP POST to the IPs 69.16.193.12 and 178.32.255.132:



The HTTP POST body looks like compressed or encrypted data. Wouldn't it be nice to know what data the malware sends? Maybe the two IPs belong to the command and control server?

CryptEncrypt


Let us assume the POST data is encrypted. How would the malware encrypt the data? Well, there are two possibilities: via the Windows WinCrypt API or via its own implementation. Let us assume the malware is lazy and therefore intercept the standard APIs with the help of HBI:


All intercepted APIs are collected in a configuration file. Removing or adding new APIs is very simple and can be easily automated.

After submitting the sample with the new interception configuration, we directly see all crypto-related activity, including the plaintext data:


But the plaintext does not match the POST data, and it still looks like binary data.

Compression


Some of you (with a reverse engineering brain :) might spot a familiar byte sequence at the beginning of the data:



What does 7801 mean? It is one of the magic headers of a Zlib compressed stream:
  • 78 01 - No Compression/low
  • 78 9C - Default Compression
  • 78 DA - Best Compression

Thus let us decompress the data from that position with Zlib, and voilà:


Putting all this together makes it possible to automatically extract the Zlib-compressed plaintext:
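As an added example (not code from the original post or from Joe Sandbox), the following Python implements the carving step described above: scan a captured buffer for a "78 xx" zlib header, inflate from that offset, and discard headers that pass the check but are not followed by a valid stream. The beacon body and the bytes around it are constructed sample data, and the level table also covers the fourth level (78 5E) that the list above omits.

```python
import zlib

# FLEVEL (bits 6-7 of the FLG byte) for a CMF of 0x78, i.e. the "78 xx"
# headers listed above plus the fourth level (78 5E) the post does not list.
FLEVEL_NAMES = {
    0: "fastest (78 01)",
    1: "fast (78 5E)",
    2: "default (78 9C)",
    3: "best (78 DA)",
}


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: CM must be 8 (deflate), CINFO at most 7 (32K
    window) and the 16-bit big-endian header must be a multiple of 31.
    Streams that need a preset dictionary (FDICT set) cannot be inflated
    without that dictionary, so they are rejected here."""
    if cmf & 0x0F != 8 or (cmf >> 4) > 7:
        return False
    if flg & 0x20:
        return False
    return (cmf * 256 + flg) % 31 == 0


def carve_zlib_streams(buf: bytes):
    """Scan a captured buffer (for example the plaintext passed to
    CryptEncrypt) for zlib headers and inflate from each candidate offset.
    Returns a list of (offset, level_name, inflated_bytes) for every stream
    that ends cleanly with a valid Adler-32; headers that merely pass the
    31-check but are followed by garbage are dropped."""
    streams = []
    i = 0
    while i < len(buf) - 1:
        if is_zlib_header(buf[i], buf[i + 1]):
            inflater = zlib.decompressobj()
            try:
                data = inflater.decompress(buf[i:])
            except zlib.error:
                data = None  # bad deflate data or Adler-32 mismatch
            if data is not None and inflater.eof:
                streams.append((i, FLEVEL_NAMES[buf[i + 1] >> 6], data))
                # Continue scanning right after the consumed stream.
                i = len(buf) - len(inflater.unused_data)
                continue
        i += 1
    return streams


# Constructed sample (not a real capture): a fake beacon body, zlib compressed
# at level 9 (header 78 DA), preceded by junk that contains two decoys:
# "xA" (78 41, fails the 31-check) and 78 9C FF FF (valid header, invalid
# deflate block), and followed by a trailing CRLF.
BEACON = b"id=1234&host=WORKSTATION-01&user=alice&os=Windows 7 SP1"
JUNK = b"\x00\x01xA\x78\x9c\xff\xff"
SAMPLE = JUNK + zlib.compress(BEACON, 9) + b"\r\n"


def extract_plaintext(buf: bytes = SAMPLE) -> bytes:
    """Return the inflated payload of the first carved stream (or b"")."""
    streams = carve_zlib_streams(buf)
    return streams[0][2] if streams else b""


if __name__ == "__main__":
    for offset, level, data in carve_zlib_streams(SAMPLE):
        print(f"zlib stream at offset {offset} ({level}): {data!r}")
```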


Final Words


Thanks to HBI, Joe Sandbox is able to inspect any API call. Crypto-related API calls which are executed before network-related operations are often a good target for hunting. Combining the capture of Crypt API arguments with compression detection reveals the plaintext sent to the C&C and allows C&C IOCs to be identified.


Interested in trying out HBI or Joe Sandbox Hypervisor? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Report.

Deep Malware Analysis with Joe Sandbox 21 - Sapphire



Now, in the middle of Q1, we are happy to release our newest and greatest Joe Sandbox version with the code name Sapphire!

Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Sapphire a couple of weeks ago.

If you want to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation now, please perform:

mono joeboxserver.exe --updatefast

In this blog post, we will show some of the enhancements and features of Sapphire.

80 New Behavior Signatures


New signatures include detections for Spectre, Meltdown, various new CVEs, coin miners, DNS hijackers, Loapi and more:

Spectre

DNS Hijacker

Loapi
The new signatures enable analysts to spot and catch the latest security threats!

Remote Assistance


Given the complexity of automating the execution of some malware, we added a remote assistance feature. With remote assistance, analysts can connect to the analysis machine via VNC and start samples manually. Furthermore, they can click away security warnings:

Remote Assistance Option

Connect to Analysis Machine

Perform Remote Assistance

Please note that VNC has been integrated directly into the Joe Sandbox web interface, so it is not necessary to install any VNC client. Remote Assistance is also very useful to detect credit card scams:





Template based Phishing Detection


We strengthened the phishing detection with a template engine. The template engine searches the phishing page for a known template (usually a brand image):

Phishing Page
Template

Template Match

Template-based phishing detection increases the chances of catching targeted phishing attacks. Analysts can easily add their own brand templates and images. Interested? Read more about template-based phishing detection in our recent blog post.

Analysis Report Improvements


Sapphire includes a lot of new graphics, visualizations and report specific improvements. They all make it easier to understand complex threat data:


API groups per Hybrid Code Analysis function


Call Graph for Hybrid Code Analysis
Per Hybrid Code Analysis function CFG Graph

Restructured Dropped File Section

Please note the entropy, which is very effective for detecting ransomware!

HTTP Sessions
Behavior Graphs for analysis on macOS


Support for analysis on macOS High Sierra


Analyse binaries on the latest macOS version:


Support for analysis on Android 7.1 Nougat


Analyse binaries on the recent Android 7.1 release:


Dynamic Instrumentation for Android


With Dynamic Instrumentation, Joe Sandbox instruments and analyses dynamically loaded DEX code, enabling deep insights into the latest Android threats:



Want to learn more about Dynamic Instrumentation? Read more about it in this blog post.

Final Words


In this blog post, we introduced some of the major features of the Sapphire release. Furthermore, minor features include:

  • IOC logging via Syslog
  • VT / Metadefender score for analysis overview
  • Redesign of the submission page configuration
  • Integration with Viper
  • Integration with Malsub
  • SSL key extraction
  • Button click list for Android
  • Jbxbalancer API script
  • ACE unpacking
  • Fine-grained status information during analysis
  • Backjumping in the HTML analysis report

What is next? We have an amazing pipeline of new technologies and features! Stay tuned! 

Latest Elise APT comes packed with Sandbox Evasions



Recently we came across an interesting sample which seems to be related to the Elise malware. Elise is tied to the Dragon Fish and Lotus Blossom APT groups, whose primary targets are governments and defense contractors. Elise is known to infect victims using the latest available exploits and is often packed with interesting sandbox evasion techniques.

In this blog post, we will dissect the latest version of Elise.

The sample under investigation is distributed as an Office document lure, more precisely in Rich Text Format.



CVE-2018-0802


We start the analysis by having a look at the behavior graph and notice that the process EQNEDT32.EXE was started alongside Winword.exe:



This process is the Microsoft Office Equation Editor. In November 2017, the security company Embedi reported a vulnerability in EQNEDT32.EXE which later received the identifier CVE-2017-11882. Microsoft patched the flaw in November.

So, is Elise using this exploit? To answer this question we had a detailed look at the exploit itself. The outcome: no, it is not CVE-2017-11882 but rather CVE-2018-0802. CVE-2018-0802? This is a second vulnerability, also in EQNEDT32.EXE, which was discovered in late December.

We extracted the trampoline and shellcode:



The code renames and loads the PE file (named a.b) previously dropped by Word. The newly loaded code is then injected into IExplorer.exe where the main payload is executed:




Sandbox Evasions

Elise performs a variety of sandbox checks in IExplorer:

VMware backdoor check
Disk Name Check
Check for various Analysis Tools
Process Check

Mac Address Check

Payloads

After passing all the sandbox checks Elise creates an autostart key:


Thanks to Hybrid Code Analysis we can also detect all malicious functionalities:

Add a Proxy to Internet Explorer
Add a Proxy to Firefox

Finally, in the functions 514D05, 5159AF and 515486 we find the download, upload and command execution handlers. Elise can collect and upload the following data:

  • CPU Usage
  • Ram (size/free)
  • Disk space (size/free)
  • Windows Version
  • Username
  • Locale
  • Timezone
  • SID
  • List of tasks
  • List of network adapters
  • List of files on Desktop

Final Words


Elise is a very advanced piece of malware which uses only the latest exploits for its distribution. Before the main payload is executed, many different sandbox evasions are performed. The payload and the communication code are injected into IExplorer, likely bypassing PFW and HIPS.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!



How Malware fools Sandboxes with complex Installation Procedures



Cybercriminals are always innovative and fast in finding new tricks to bypass security solutions, and sandboxes are no exception. If you look at today's tricks, the majority belong to the group of environment checks: the malware detects that it is not running on the real target system but rather in a sandbox, and therefore hides its real behavior.
However, what if the sandbox does not know how to execute the sample at all, or if it does not find the payload?

This blog post will outline some advanced attacks which fall into this category and show how Joe Sandbox can handle these evasions.

King PDF


PDF has been used for years to deliver malware to endpoints, mostly through exploits. The shellcode inside the PDF is the trigger used to download and install a second-stage malware. However, these days PDFs are also often used just to deliver a link:


When the victim clicks on the link, the malware is downloaded via a web browser and then installed.

Given this common scenario, the goal of a sandbox is to precisely simulate this behavior.


Sandbox UI automation 101


To be able to automate the user interaction, the sandbox has to first find the link in the PDF. There are two ways to do so:

  • Parse the PDF and search for links
  • Click on the link

Most sandboxes choose the first option as it is the easiest way. However, this has some big shortcomings, because a link can be well hidden inside a PDF. In addition, the link can be obfuscated or dynamically generated via JavaScript. The PDF below contains a link, but the PDF is encrypted. To get the link, you first have to decrypt the PDF:



As you can observe, link extraction via PDF parsing is not really the solution. How about clicking on the link? This is also non-trivial because Adobe Reader uses its own UI elements. Windows UI Automation (UIA) does not help here, and the UISpy tool only detects the PDF page but not the link button:



So how does Joe Sandbox solve this? First it lays a grid over the PDF page and then tries to determine whether each grid intersection is worth clicking. If so, it simulates a click on each interesting intersection and watches the Adobe Reader process for any events:



If a button is reached and clicked successfully, the click simulation is stopped. Then right afterwards, our OCR UI engine takes over.

OCR based UI Automation


Using the above-mentioned technique, Joe Sandbox's PDF automation has successfully clicked the link. Due to that, the local browser will be opened by the operating system and since the link points to a file, it will be downloaded:


As a next step, the sandbox needs to execute the downloaded sample. Of course, the most straightforward technique for the "lazy" would be to locate the temporary file on disk and launch it. However, we have seen malware which checks whether the parent process is the browser and not, e.g., Windows Explorer. Therefore, the only way is to continue with UI automation.

Again, Windows UI Automation and similar techniques do not help. We guess the reason is that Microsoft protects some of these buttons from programmatic clicks for security reasons.

Joe Sandbox solves this problem via a unique UI automation approach based on optical character recognition (OCR). The engine works like this:

  • Find interesting top level window
  • Perform OCR
  • Compare detected word with a predefined button list
  • For each match click on the word

During analysis, this looks as follows:





The full behavior resulting from the simulation can easily be seen in the process startup overview:



Please note that this technology is independent of the UI framework used by an application. It is fully generic and clicks on anything which looks interesting. Below you find an example of a URL analysis:






Final Words


Joe Sandbox does not go the lazy way. In contrast to many other solutions, which try to extract links via PDF parsing, Joe Sandbox uses UI automation to extract them, no matter whether the link is encrypted, obfuscated or hidden. To trigger the download of resources, it uses a unique, generic OCR-based UI automation approach which precisely simulates a user.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Empowering Joe Sandbox Cloud with Avira Anti-Malware



Today we bring you amazing news. We have just finalized the integration of Avira Anti-Malware into Joe Sandbox Cloud. Avira, a renowned German antivirus product, is known for excellent malware detection rates!

With the help of this integration, our Joe Sandbox Cloud Pro customers will benefit from automated Avira Anti-Malware scans of:

  • Initially submitted file
  • Dropped files
  • Unpacked PE files

AV scanning of unpacked PE's is the best


The unpacked PE files in particular should be considered for antivirus scanning. The samples on disk are often obfuscated and encrypted, which gives the antivirus a hard time detecting anything. Joe Sandbox Cloud's unpacking engine uses memory dumps captured during the whole lifetime of a process to restore the original binary. Think of it as an AV scanner which scans the process memory at each unpacking layer:



The scan is performed directly on Joe Security's premises; as a result, our customers' samples remain entirely private! Many sandbox solutions upload binaries to third-party services, thus sharing samples further without any privacy guarantees!

In addition to privacy, customers also get the antivirus label:


This helps to get a first indication of the type of malware. Please be aware that solutions which use Virustotal or Metadefender are not allowed to use any of the detection labels!

URL Reputation


Aside from the Avira integration, we also added a third-party URL reputation lookup. URL reputation information has been added directly to the report:


It has also been added to some of the behavior signatures:


Joe Sandbox Cloud more powerful than ever


Both the Avira Anti-Malware integration, as well as the URL reputation lookup, substantially increase the virus detection efficiency of Joe Sandbox Cloud. Antivirus scanning on memory dumps and unpacked PE files makes it even more powerful!

The Avira Anti-Malware and URL reputation integration have been added to Joe Sandbox Cloud Pro for all account types, without any price change!

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!

Introducing Joe Sandbox A1, World's first Golden Hardware appliance!

We are very happy to announce today the launch of Joe Sandbox A1, the World's first and most powerful appliance to perform Deep Malware Analysis on Bare Metal hardware. With our brand new appliance, you can say goodbye to malware evading virtual environments. 





To the best of our knowledge, A1 is the world's smallest and most powerful deep malware analysis appliance. We specifically designed A1 for the analysis of APTs and targeted attacks. A1 runs fully standalone, so you do not have to worry about the privacy of any samples you analyze!

Some of the top-notch A1 features are:



Small Form Factor

Joe Sandbox A1 has a small form factor of only 145(W) x 195(D) x 44.5(H) mm. It fits into any server rack. In addition, Joe Sandbox A1 produces little noise and can therefore be used directly in your lab.




Golden Hardware - Analysis on Bare Metal

Joe Sandbox A1 runs and analyses malware on bare-metal hardware and does not use any virtualization solution such as KVM, VirtualBox, Xen or VMware. Since the malware runs on real hardware, it cannot detect any virtual machine.



Hypervisor-Based Inspection

Joe Sandbox A1 includes Joe Sandbox Hypervisor and benefits from all its features including user-mode, kernel, system call and memory monitoring, stealthiness and high efficiency. Please have a look at this blog post to learn more about Hypervisor based Inspection.



Third Party Integrations


Joe Sandbox A1 has many Third Party Integrations. Detection results from Virustotal and MetaDefender are visualized in the analysis report. Joe Sandbox A1 also integrates with Incident Response Solutions such as TheHive, Fame, MISP and CRITs. You can also use Joe Sandbox A1 in the Security Automation & Orchestration Platform Phantom and Demisto. We also offer integration with additional tools such as Viper and Malsub.


RestFul WEB API


Joe Sandbox A1 allows for seamless integration into existing threat intelligence systems. It has a simple RestFul WEB API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow a fast integration.



Full Root Access

For customization and tuning, we provide full root access to A1. This makes it possible to change or install additional software on the bare-metal analysis machine. Furthermore, customers can write their own behavior signatures.


Interested in A1 and want to know more? Contact us today and we will schedule a demo and in-depth technical presentations!

Introducing Joe Sandbox Mail Monitor



Let us assume that you are working in a SOC and are receiving hundreds of requests from end users asking whether an e-mail is safe to open. In most cases, you would take the e-mail and submit it to Joe Sandbox in order to check its behavior report. If the e-mail showed signs of a malicious attachment or URL, you would then inform the end user.

Wouldn't it be nice if this whole process could be automated? Wouldn't it be great if you could choose to get notified about a detection or not, based on the analysis verdict or its score?

In this regard, we have good news for you! Joe Sandbox Mail Monitor is exactly what you are looking for.

What exactly is Mail Monitor? Have a look at the diagram below:




To enable Mail Monitor, you first have to create a new e-mail account with the name sandbox@yourhost.com. End users then forward suspicious e-mails to this address. Mail Monitor periodically fetches new e-mails from that account and submits them to Joe Sandbox. Joe Sandbox fully dissects the e-mail and analyzes all attachments and URLs. As an example, see the report of a phishing link below:




Once the analysis is complete, Mail Monitor will reply to the user with an e-Mail containing the verdict:


It will also add screenshots in the attachment.

SOCs, CIRTs and CERTs can fully customize the e-mail reply:


Furthermore, they can set alerts to get notified if a URL or an attachment has been detected as malicious or if a specific threat has been detected (Alerts can be customized down to the smallest detail).

Joe Sandbox Mail Monitor has been integrated into Joe Sandbox Desktop, Complete, Ultimate and Cloud Pro.

Interested in Joe Sandbox Mail Monitor and willing to try it? Contact us today and we will provide a trial!

Deep Analysis of Java Archives



Analyzing binaries dynamically is a tricky job. We believe there are 5 major challenges when attempting to do so:


Today's focus is on one problem referred to as “Variety of Input”. Let us assume you have developed a great technology which can deeply analyze malware written in x86 or x64. As great as it may be, it will not get you far if the malware is written in C#, VBS, JS, PowerShell, VB, Delphi or Java.

You will have to develop a unique solution for each of those runtime environments. Unfortunately, there is no single technique which deeply analyzes any input regardless of its type.

For this reason, we think a multi-technology, multi-architecture platform is the means to deeply analyze malware. That is why we have already built unique techniques to analyze the following:

In addition to these, Joe Sandbox also analyzes files on Windows, Linux, macOS, Android and iOS.

To enrich this family of technologies, we have recently added a new one, with the aim of deeply analyzing Java Archives (JAR).

The Rise of JAR

Malware written in Java has become very popular. This is due to a couple of reasons. First of all, Java is platform-independent. As an example, a remote access trojan can easily be operated on macOS, Windows and Linux. Secondly, it is simple to write programs in Java. Thirdly, Java malware is not that well detected by antivirus programs.


Deep Analysis of Java Archives

Most sandbox vendors are currently able to capture system calls executed by a Java program. However, this information is not very detailed. Incident responders and malware analysts are keen on getting the executed Java APIs and their arguments, as well as the decompiled code.

To cover these requirements, we recently added a new JAR tracing functionality to Joe Sandbox:


JAR tracing performs two tasks:

  • Dynamically instrumenting Java bytecode to capture API calls and arguments
  • Java bytecode decompilation to generate Java source code

Extraction of Java API arguments


Let us have a look at the benefits of extracting Java API arguments. Given a JRAT sample we can detect various suspicious behaviors:

Full Analysis Report



To hide code, JRAT uses AbstractScriptEngine.eval. Since Joe Sandbox can trace the API, we get the evaluated string. Java malware is often heavily obfuscated and packed. Thanks to JAR tracing, Joe Sandbox can detect the unpacking process:

Full Analysis Report


Finally, JAR tracing enables the extraction of the RAT configuration:


Full Analysis Report

This is again extracted from API arguments and not statically decrypted from the binary. 

Java Decompilation

In addition to Java API arguments, Joe Sandbox also provides the decompiled source code. Malware Analysts can directly download the source code zip in the analysis detail view:


For instance, in the case of Crossrat you can easily understand the persistence via autostart. 


Final Words

Today's malware samples come in various formats and types. A single technology approach fails to analyze all samples. Joe Sandbox includes a wide array of domain-specific technologies to always get the deepest analysis possible. 

With JAR tracing, incident responders and malware analysts get a powerful tool to extract Java API calls including arguments. This vastly increases detection capabilities and also helps to understand complex payloads. In addition, one can download the full decompiled Java source code for extensive analysis.

Interested in JAR tracing and willing to try it? Contact us today and we will provide a trial!

Evasive Malware hits French Corporations



We recently came across an interesting sample on Joe Sandbox Cloud Basic:


The sample has been detected as malicious, yet this is mainly due to antivirus signature hits:


When looking closely at the Behavior Graph, one discovers something interesting:



The main sample unpacks itself to facture_1398665.tmp. This process then creates a whole bunch of temporary PE files, which are renamed in the next step:


Hostile Firefox loading LOL


Among the PE files is a file called firefox.exe. Firefox.exe is indeed a legitimate copy of the famous web browser:



This is interesting because Firefox is used to load some of the malicious DLLs, including LOL_Dll.dll. This likely bypasses some endpoint protection tools and antivirus:



Right after LOL_Dll.dll has been loaded, Firefox crashes with a COM loading error:



GetKeyBoardLayout 0xC


So what is causing this crash? A careful examination of every detail of LOL_Dll.dll reveals the following code (LOL_Dll is not obfuscated or packed at all):


The corresponding code for that part of the execution graph is shown below. The code calls the Windows API GetKeyboardLayout and then performs some checks. The keyboard layout is language dependent: a US computer user has a different layout than a Swiss one. We realized that checking the layout serves as a way to target the malware at specific users:


0Ch matches French layouts:


As a result, the sample either executes its payloads or crashes, depending on the keyboard layout of the target machine.
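As an added example (not code from the original post or from LOL_Dll.dll itself), here is the layout check decoded in Python: the low word of the HKL returned by GetKeyboardLayout is a Windows LANGID, whose primary-language bits hold the 0Ch (LANG_FRENCH) the malware compares against. It assumes the DLL compares the primary language only, which is what "French layouts" in the plural suggests; the candidate HKL values are constructed.

```python
# Windows language identifiers (winnt.h): the low word of an HKL returned by
# GetKeyboardLayout is a LANGID. Bits 0-9 hold the primary language and bits
# 10-15 the sub-language. LANG_FRENCH is 0x0C, the 0Ch compared by LOL_Dll.dll.
LANG_FRENCH = 0x0C

# winnt.h SUBLANG_FRENCH_* values, used only to label the matching layouts.
SUBLANG_FRENCH_NAMES = {
    0x01: "France",
    0x02: "Belgium",
    0x03: "Canada",
    0x04: "Switzerland",
    0x05: "Luxembourg",
    0x06: "Monaco",
}


def decode_hkl(hkl: int) -> dict:
    """Split an HKL into LANGID, primary language, sub-language and the
    high word (the physical layout; equal to the LANGID for default layouts)."""
    langid = hkl & 0xFFFF
    return {
        "langid": langid,
        "primary": langid & 0x3FF,   # PRIMARYLANGID() macro
        "sublang": langid >> 10,     # SUBLANGID() macro
        "device": (hkl >> 16) & 0xFFFF,
    }


def lol_dll_layout_gate(hkl: int) -> bool:
    """Assumed re-implementation of the check described in the post: the
    payload path is taken only when the primary language of the active
    layout is 0Ch (French); any other layout ends in the crash path."""
    return decode_hkl(hkl)["primary"] == LANG_FRENCH


def describe_layout(hkl: int) -> str:
    """Human-readable triage line for one HKL value."""
    parts = decode_hkl(hkl)
    if parts["primary"] != LANG_FRENCH:
        return f"0x{hkl:08X}: primary language 0x{parts['primary']:02X}, not French -> crash path"
    region = SUBLANG_FRENCH_NAMES.get(parts["sublang"], "unknown region")
    return f"0x{hkl:08X}: French ({region}) -> payload path"


# Constructed HKL values for layouts a sandbox VM might be configured with
# (default layouts, so the high word repeats the LANGID).
CANDIDATE_LAYOUTS = {
    "en-US": 0x04090409,
    "de-DE": 0x04070407,
    "fr-FR": 0x040C040C,
    "fr-CH": 0x100C100C,
    "fr-CA": 0x0C0C0C0C,
}


def layouts_triggering_payload(layouts=CANDIDATE_LAYOUTS) -> list:
    """Names of the candidate layouts under which the sample would run its
    payload instead of crashing, i.e. the ones worth selecting in a cookbook."""
    return sorted(name for name, hkl in layouts.items() if lol_dll_layout_gate(hkl))


if __name__ == "__main__":
    for name, hkl in CANDIDATE_LAYOUTS.items():
        print(f"{name}: {describe_layout(hkl)}")
    print("payload runs with:", ", ".join(layouts_triggering_payload()))
```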

Custom Keyboard Layout

Thanks to Cookbooks - a tiny script which fully defines the malware analysis procedure - we can easily change the default keyboard layout, in a fully automated manner, to what the code requires:


The change of the layout is done via the control panel intl.cpl.

The cookbook is submitted together with the sample to Joe Sandbox. The resulting analysis is much richer and contains many IOCs.





Final Words


Joe Sandbox cannot easily be fooled by evasive malware. Thanks to hybrid code analysis, execution graphs and cookbooks, malware analysts have a powerful tool to analyze any malware.

This blog post is a very good example of that. Within minutes, we were able to detect the evasive code and write a cookbook to analyze it.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!


Deep Malware Analysis with Joe Sandbox 22 - Mountain Crystal

Now, at the end of Q2, we are happy to release our newest and greatest Joe Sandbox version with the code name Mountain Crystal!






Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Mountain Crystal a couple of weeks ago.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast

In this blog post, we will present some of the enhancements and new features of Joe Sandbox Mountain Crystal.


111 New Behavior Signatures


New signatures include detections for Process Doppelgänging, Early Bird code injection, Tinynuke, Grandcrab, GravityRAT, Cobalt Strike Beacon, Gootkit, Crossrider and more:






The new signatures enable analysts to spot and catch the latest security threats!

Java tracing for Java Archive (JAR) files


Malware written in Java has become very popular. Current malware analysis solutions can only trace Windows system and API calls, so Java API calls remain hidden. To analyze Java APIs, we added JAR Tracing to Mountain Crystal:


With JAR Tracing Joe Sandbox generically extracts the Adwind RAT configuration.



JAR Tracing also makes it possible to detect any Java RAT, for instance by analyzing the unpacking behavior:


Read more about JAR tracing in our recent blog post: Deep Analysis of Java Archives


Java Decompilation


JAR Tracing is great; however, for malware analysts, the source code is even better. That is why Mountain Crystal also decompiles JAR archives to source code:





The source code easily reveals all the details about the payloads, execution conditions, C&C communication and more.

Read more about JAR Decompilation in our recent blog post: Deep Analysis of Java Archives


Favicon based Phishing Detection


We further extended our template-based phishing detection by using the favicon of web pages. Favicons are the tiny images you see in your browser tab. Phishing pages often reuse the original icons:





Favicon-based phishing detection strengthens Joe Sandbox's ability to generically detect password phishing.

Behavior Animation


Wouldn't it be nice to see what is happening from a process, dropped file and network perspective? Mountain Crystal includes a new feature called Behavior Animation. In the screenshot section of the report, simply click in the center to start the animation:





On the right side, you will see the system behavior popping up. You can also use the slider on the left to jump to a later point in time. Behavior Animation also works for analyses on macOS:




Final Words


In this blog post, we introduced some of the major features of the Mountain Crystal release. Furthermore, minor features include:

  • New cookbook commands to start a sample as a user or with different integrity levels
  • New example cookbook to start a sample with different keyboard layouts
  • Stop Internet option for Android and Mac analysis
  • Logging of system power state
  • New sleep evasion based on sleep loops
  • Fast install mode for VMware
  • URL section in the report
  • Scanning of URLs with Virustotal and Metadefender
  • Javascript unpacking in PDF files
  • Ability to edit tags 
  • Slider to easily change the analysis time
  • Option to pass arguments to sample for Mac analysis
  • URL analysis on Mac
  • Recursive unpacking of EML and MSG files

What is next? We have an amazing pipeline of new technologies and features! Stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Analysing VPNFilter with Joe Sandbox Linux




Linux malware is becoming a hot topic in the security news headlines, as we see more and more recent malware targeting Linux operating systems. With more than 11 billion embedded devices with networking capabilities in 2018 (Gartner), bots targeting Internet of Things (IoT) have a bright future ahead. Mirai and VPNFilter are just some recent examples.

Thus, it is the right time to step up! For some months, we have been working on a new product to analyze malware targeting Linux. Today, we are happy to release Joe Sandbox Linux, our deep malware analysis engine for fighting threats on Ubuntu and CentOS.

By adding analysis on Linux, Joe Sandbox is now the only malware analysis system available on the market which can analyze malware on all of Windows, MacOS, Linux, Android, and iOS:


In this blog post, we are going to showcase the features of Joe Sandbox Linux and take the recently discovered VPNFilter as well as a Coin miner malware as an example.

VPNFilter

VPNFilter is a recent malware found by Cisco Talos which targets Internet routers. According to Talos, VPNFilter is likely a state-sponsored or state-affiliated threat built to gather intelligence. VPNFilter carries powerful destructive payloads and has infected over 500'000 routers in 54 countries.

Just like modern malware on Windows, VPNFilter uses multiple stages:

Stage 1




In stage 1, VPNFilter mainly persists itself in order to survive the reboot by creating a cronjob. Joe Sandbox Linux directly detected VPNFilter with a generic behavior rule. In the network tab we can see that it reaches out to photobucked[.]com to get an image:


Since the threat is already some days old, the resource is no longer available. The image would normally embed the IP address from which the second stage malware is downloaded.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 1.

Stage 2

The second stage malware contains the bot functionality. This can be easily seen in the verbose output:



Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 2.

Commands which can be sent to VPNFilter include: exec, kill, seturl, download, reboot, proxy, port and tor. The stage 2 malware deletes itself, so after a reboot of the infected device VPNFilter no longer exists:


Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 2.

Stage 3

VPNFilter also has the ability to load plugins or modules, for instance to communicate secretly via Tor:


As you can see by using the analysis report generated by Joe Sandbox Linux, you get valuable information about the threat including payloads, IOCs, and behaviors.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 3.

Coin miner

Coin miners are malware which "kidnap" the CPUs of servers in order to mine for cryptocurrencies. Especially in the Linux server world, they are very common. Let us have a look at the analysis report:



The classification clearly shows that this is miner malware. Through the integrated antivirus engines, all artifacts such as dropped files are scanned automatically:




Thanks to the extensive behavior signature set of Joe Sandbox Linux, Coin miners are detected on any architecture:

The behavior graph which is also part of Joe Sandbox Desktop (analysis on Windows) and Joe Sandbox X (analysis on MacOS) helps to fully understand the installation behavior:


As for VPNFilter, Joe Sandbox Linux fully detected the coin miner payload and provided additional insights into the malware behavior.

Full Joe Sandbox Linux Analysis Report for Coinminer.

Final Words

With the capability of analyzing malware targeting Windows, MacOS, Linux, Android, and iOS, Joe Sandbox is the only malware analysis solution which can fully protect you from today's threats. With the introduction of Joe Sandbox Linux, customers get a very advanced analysis tool to detect advanced threats targeting routers, IoT devices and Linux servers or workstations.

Joe Sandbox Linux already has been fully integrated into Joe Sandbox Cloud Pro and Basic and will be soon available as an on-premise product.

Want to try Joe Sandbox Linux? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

APT28: Digging through Sandbox-Evasions with Bare Metal Analysis


In October 2017, we blogged about the advantages of analyzing malware on bare metal machines. Bare metal analysis offers the possibility to perform dynamic analysis on real devices such as laptops or PCs. The bare metal analysis is not affected by virtual machine detection, which is a major check done by most malware nowadays:


To demonstrate this, we analyzed a recent sample related to APT28/Grizzlybear which includes nine different evasion tricks.

Spotting evasive Samples on Cloud Basic

We have various triggers and alerts defined for our free online platform called Joe Sandbox Cloud Basic. Cloud Basic uses only virtual machines to analyze suspicious files; the bare metal analysis feature is available only in Joe Sandbox Cloud Pro.

Recently, we got an interesting alert which led us to the following sample uploaded on the 2nd of July.




If we look at the behavior graph we see only one process:


The spider classification chart outlines that this sample is very likely evasive:


Further, no obvious installation or infection behavior is recorded. Therefore, we can assume that the evasions were successful.


Digging through the Evasion Checks

We reran the sample found on Cloud Basic in Cloud Pro on a bare metal W10 machine:



The resulting analysis can be found here:


If we go to the behavior signatures, section Anti-Debugging and Malware Analysis System Evasion, we find many hits:


What type of evasions has the sample used? Let us analyze the checks one by one.

1. XEON CPU

The function at address 406CFC calls CPUID and checks whether the CPU model is XEON. This type of processor indicates a server and is usually not found in a laptop or PC, the real infection targets of the malware:



If the model of the CPU is XEON the sample will stop its execution.

2. Sandboxie Check

Thanks to our Hypervisor based Inspection technology, which works on virtual machines and bare metal, user-mode API calls are traced. The GetModuleHandle API is of particular interest since it can easily be used to check for loaded DLLs:



If a module with the name sbiedll.dll is found, the sample will terminate. Sbiedll.dll is a DLL of the famous Sandboxie tool which is often used to analyze malware. 

3. Sleep/GetTickCount Time Evasion

At function 406DC8 the sample performs a time evasion which detects whether a malware analysis system shortens Sleep calls but fails to adjust the GetTickCount values accordingly. Sandboxes often shorten sleeps in order to trigger behavior that would otherwise only occur later. Malware can detect this by comparing the Sleep duration with other time sources such as GetTickCount:



4. Command Line Checks

The sample fails to execute if a Sandbox passes one of the following arguments:

  • -autorun
  • -update

5. Virtual Machine Detection via VideoBiosVersion

At function 407118 the malware queries the registry value HARDWARE\Description\System\VideoBiosVersion:


If the value contains the string VirtualBox, the sample will fail to run.

6. Virtual Machine Detection via SetupAPI

In addition to the previous virtual machine check, a second check is executed via the SetupAPI:



Basically, the SetupAPI is used to enumerate device registry properties. The malware checks for the string "vmware". On VMware, common device properties are:

  • vmware svga 3d
  • vmware, vmware virtual s scsi disk device

7. IsDebuggerPresent

To check for debuggers, the API IsDebuggerPresent is called:



8. Name / Path check

At function 406E04, the sample checks for the following names in the path and the sample name:

  • \SAMPLE
  • \VIRUS
  • SANDBOX

If one of the names is found the sample terminates.

9. RDTSC + CPUID Time Evasion

A second time evasion is performed at address 406B60:


What evasion is performed? Basically, the sample measures how long the CPUID instruction takes. The measurement is done via the RDTSC instruction:


On virtual machines, the CPUID instruction executes more slowly than on bare metal. The reason is that the hypervisor has to intercept the instruction, and this usually takes longer.
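
As an added example (not code from Joe Sandbox or from the analyzed sample), the following triage scanner looks for the cleartext indicator strings behind checks 1, 2, 4, 5, 6 and 8 in a file or memory dump. Several independent categories hitting at once is a strong hint that the sample is evasion-aware and worth rerunning on bare metal. The category names, the verdict thresholds and SAMPLE_BLOB are assumptions made for this example; checks 3, 7 and 9 (timing and IsDebuggerPresent) leave no characteristic string and cannot be found this way.

```python
"""Static triage scanner for the sandbox-awareness strings behind the checks above.
Added example, not code from Joe Sandbox or the analyzed sample; the category names
and SAMPLE_BLOB are constructed."""
import re
from collections import defaultdict

# Indicator strings taken from the checks described above, grouped by category.
EVASION_INDICATORS = {
    "cpu_model":          [b"XEON"],
    "sandbox_tool":       [b"sbiedll.dll"],
    "sandbox_cmdline":    [b"-autorun", b"-update"],
    "vm_registry":        [b"VideoBiosVersion", b"VirtualBox"],
    "vm_device_property": [b"vmware"],
    "sandbox_path":       [b"\\SAMPLE", b"\\VIRUS", b"SANDBOX"],
}


def _encoded_forms(needle: bytes):
    """Windows binaries carry strings as ASCII or UTF-16LE; search for both."""
    wide = needle.decode("ascii").encode("utf-16-le")
    return (("ascii", needle), ("utf16le", wide))


def scan_for_evasion_strings(blob: bytes) -> dict:
    """Return {category: [(indicator, encoding, offset), ...]} for every occurrence.
    Matching is case-insensitive because the path and device checks above are."""
    hits = defaultdict(list)
    for category, needles in EVASION_INDICATORS.items():
        for needle in needles:
            for enc_name, pattern in _encoded_forms(needle):
                for m in re.finditer(re.escape(pattern), blob, flags=re.IGNORECASE):
                    hits[category].append((needle.decode("ascii"), enc_name, m.start()))
    return dict(hits)


def triage_verdict(blob: bytes, min_categories: int = 2) -> str:
    """Several independent categories suggest an evasion-aware sample (threshold assumed)."""
    cats = scan_for_evasion_strings(blob)
    if len(cats) >= min_categories:
        return f"evasion-aware ({len(cats)} categories): rerun on bare metal"
    if cats:
        return f"possible evasion ({len(cats)} category): review hits"
    return "no cleartext evasion strings: check unpacked memory dumps too"


# Constructed stand-in for a memory dump: a few indicator strings in both
# encodings between filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"sbiedll.dll\x00"
    + "VideoBiosVersion".encode("utf-16-le") + b"\x00\x00"
    + b"\\SAMPLE\x00-autorun\x00"
    + b"harmless text"
)

if __name__ == "__main__":
    for category, found in scan_for_evasion_strings(SAMPLE_BLOB).items():
        print(category, found)
    print(triage_verdict(SAMPLE_BLOB))
```

Run it against an unpacked memory dump rather than the packed file on disk: the strings only become visible once the sample has decrypted its payload, which is exactly what the memory dumps downloadable from the analysis report contain.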


Payload Analysis


Since the analysis was performed on a real machine none of the nine checks was successful. As a result, the sample injects into explorer.exe:



The sample execution then ends in a Sleep call:


This is also nicely visible in the Execution Graph. All the red nodes have been executed, the black ones have not:



The large amount of non-executed code includes various interesting areas, such as searching for files:


C&C communication:


Download and execute:




Executing the sample a bit longer, fully reveals the behavior of the payload and all IOCs:




Looking at the Yara rules, we finally see some hits related to APT28 / Fancy Bear implant:


Joe Sandbox, no restriction for Bare Metal analysis

Joe Sandbox does not restrict you to analyze malware on a particular virtualization solution or device. You are free to choose on which kind of machine to analyze:

  • Modern Bare Metal Laptop
  • Modern Bare Metal PC
  • Mac Mini
  • MacBook Pro
  • Bare Metal Android Phone (e.g. Motorola G3)
  • iPhone

If you use Bare Metal machines you leave malware no chance for detection. Detection techniques which are successful for KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. If you already have a sandbox or are looking to get one, then ask yourself: is Bare Metal analysis supported? Or is the sandbox solely based on KVM, VirtualBox, Qemu or Xen?

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Reduce Friction: extracting Sysmon logs with Joe Sandbox



Sysmon is a powerful, free tool for monitoring endpoints which can easily be installed on many machines. It creates lots of log messages and stores them in the Windows event log. Those logs are usually routinely sent to a central log server such as Graylog, where blue teams can easily search them:



To get meaningful search terms, blue teams often use sandboxes such as Joe Sandbox to deeply analyze malware. However, the IOCs generated by sandboxes are often not in a format that can be directly correlated with Sysmon events. Blue teams in turn have to translate the IOCs, which is a painful job. In addition, Sysmon event logs can serve as input for various other tools. For instance, they can easily be translated to Sigma rules, which allow a wider search across many other log sources.

To reduce friction and make the blue teams' job less painful, we added Sysmon output to Joe Sandbox.

Using a Cookbook to generate Sysmon output


In order to get Sysmon logs you have to use a custom Cookbook which will first install Sysmon. Cookbooks are small scripts which define how an analysis is executed. They give blue teams a way to fully customize a dynamic analysis. Let us have a look at our Sysmon cookbook:




In line 3 the cookbook specifies that the malware is executed on a sandbox named w7_1. On the submission page you find a mapping of system names to system configurations:





In lines 7 to 16 Sysmon is installed. Please note that you can use any Sysmon config you like, there is no restriction. By default, the template from SwiftOnSecurity is used.

In lines 18 to 24 all the analysis engines are started including the network and behavior engines.

In line 26 the sample is started and in line 30 the cookbook sleeps a maximum of two minutes. Right after that, the analysis engines are stopped and finally the machine is cleaned up.

Generate Sysmon Events for SmokeLoader


Let us take a concrete example and assume you want to verify if one of your hosts is infected by the latest SmokeLoader malware.

The cookbook is submitted together with the malware sample in the advanced tab:




In the generated analysis report, go to the explorer.exe process and then Sysmon Activities:







Joe Sandbox lists all the Sysmon event log entries in various formats. To construct your search query for Graylog, you can use the first 3 fields. For instance, you can easily search for LNK file creation by explorer:



You can also use the last field, copy it to a file and then use the evt2sigma converter to get a Sigma rule:



Sigma then can be converted to various other formats:
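
As an added example (not Joe Sandbox code and not the evt2sigma converter), the block below takes Sysmon FileCreate events in the XML layout Sysmon writes to the event log, picks out the LNK drops by explorer.exe, and emits both a Graylog search string and a Sigma rule for that behavior. The three events are constructed, and the Graylog field names assume a log input that keeps Sysmon's EventData names.

```python
"""From Sysmon FileCreate events to a Graylog search and a Sigma rule.
Added example, not Joe Sandbox code; the three events are constructed and the
Graylog field names assume an input that keeps Sysmon's EventData names."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id: int, image: str, target: str,
           utc: str = "2018-07-10 08:00:00.000") -> str:
    """Constructed Sysmon event in the XML layout written to the Windows event log."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        "<EventData>"
        f'<Data Name="UtcTime">{utc}</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data>'
        "</EventData></Event>"
    )


# Event ID 11 = FileCreate. Only the first event is the Startup-folder LNK drop we hunt for.
SAMPLE_EVENTS = [
    _event(11, r"C:\Windows\explorer.exe",
           r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"),
    _event(11, r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Temp\tmp1234.tmp"),
    _event(11, r"C:\Windows\System32\cmd.exe", r"C:\Users\user\Desktop\notes.lnk"),
]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {EventID, UtcTime, Image, TargetFilename, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields


def find_file_creations(events, image_name="explorer.exe", ext=".lnk"):
    """Select FileCreate events where <image_name> wrote a file ending in <ext>."""
    return [
        ev for ev in events
        if ev["EventID"] == 11
        and ev["Image"].lower().endswith("\\" + image_name.lower())
        and ev["TargetFilename"].lower().endswith(ext.lower())
    ]


def graylog_query(ev: dict) -> str:
    """Lucene-style Graylog search for events like <ev>.
    Backslashes are doubled because the backslash is an escape character in the query syntax."""
    image = ev["Image"].replace("\\", "\\\\")
    ext = ev["TargetFilename"].rsplit(".", 1)[-1]
    return f'EventID:{ev["EventID"]} AND Image:"{image}" AND TargetFilename:*.{ext}'


def sigma_rule(image_name="explorer.exe", ext=".lnk") -> str:
    """Sigma rule for the same behavior; category file_event maps to Sysmon Event ID 11."""
    return (
        f"title: {ext.upper().lstrip('.')} file created by {image_name}\n"
        "status: experimental\n"
        "logsource:\n"
        "  product: windows\n"
        "  category: file_event\n"
        "detection:\n"
        "  selection:\n"
        f"    Image|endswith: '\\{image_name}'\n"
        f"    TargetFilename|endswith: '{ext}'\n"
        "  condition: selection\n"
        "level: medium\n"
    )


if __name__ == "__main__":
    events = [parse_sysmon_event(x) for x in SAMPLE_EVENTS]
    for hit in find_file_creations(events):
        print(graylog_query(hit))
    print(sigma_rule())
```

The Sigma rule deliberately matches on the image name suffix and the file extension rather than on the full paths seen in one analysis, so that it still fires when the dropped file name changes between SmokeLoader builds.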


Cookbooks - Agile Malware Analysis


Thanks to Cookbooks, blue teams can benefit from a full customization of the malware analysis. Installing Sysmon is just one example. By using our Cookbook technology, analysts can easily:

  • Accelerate system time and date
  • Change keyboard layouts
  • Change the DNS server
  • Simulate USB memory sticks
  • Browse URLs on Chrome or Firefox
  • Execute multipart malware
  • Install their custom tools


Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!


Joe Sandbox 23 - Black Opal is out!

Although it's summertime and the livin' is easy, we have been working hard to deliver Joe Sandbox v23 under the code name Black Opal! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.





Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Black Opal a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation right away, then please run the following command:


mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Opal features.



Linux Support


Joe Sandbox Linux 1.0.0 is now officially available for purchase! With Joe Sandbox Linux you can analyze threats targeting Ubuntu as well as CentOS. 




For more details as well as latest analyses of Linux malware please have a look at our recent blog post.



31 New Behavior Signatures


New signatures include detection of Kronos, Hermes, FlawedAmmyy, new UAC bypasses, Agent Tesla, Empire, OSXDummy, XMRig and more:









AI-based Phishing Detection


We further enhanced our template based phishing detection. Instead of relying only on a template matching technique, Joe Sandbox now employs several techniques (including logo region detection, perceptual hashing, and feature detection). We used machine learning to combine the results of all techniques to minimize false positives:













STIX v2 Report



Do you use Structured Threat Information Expression (STIX) as a standard for IOCs or does your threat intelligence solution support STIX? If so, integration with Joe Sandbox has become very easy since Black Opal generates extensive STIX v2 reports (in addition to MAEC, OpenIOC and MISP):






The STIX report includes all major detections and IOCs such as dropped files, processes, domains, and IPs.
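
To show what such a report looks like on the wire, here is an added example (not Joe Sandbox's exporter) that assembles a minimal STIX 2.0 bundle from the four IOC kinds named above: dropped files, processes, domains and IPs. Every value in SAMPLE_IOCS is a constructed placeholder, and the indicator names are an assumption.

```python
"""Minimal STIX 2.0 bundle of the IOC kinds the STIX report covers (dropped files,
processes, domains, IPs). Added example, not Joe Sandbox's exporter; SAMPLE_IOCS
holds constructed placeholder values."""
import json
import uuid
from datetime import datetime, timezone


def _stix_id(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"


def _timestamp() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _quote(value: str) -> str:
    """Escape a value for use inside a single-quoted STIX pattern string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def ioc_patterns(iocs: dict) -> list:
    """Translate {kind: values} into (pattern, name) pairs using STIX patterning."""
    pairs = []
    for d in iocs.get("domains", []):
        pairs.append((f"[domain-name:value = '{_quote(d)}']", f"C&C domain {d}"))
    for ip in iocs.get("ips", []):
        pairs.append((f"[ipv4-addr:value = '{ip}']", f"C&C address {ip}"))
    for f in iocs.get("dropped_files", []):
        pairs.append((f"[file:hashes.'SHA-256' = '{f['sha256']}']", f"Dropped file {f['name']}"))
    for cmd in iocs.get("processes", []):
        pairs.append((f"[process:command_line = '{_quote(cmd)}']", f"Process {cmd.split()[0]}"))
    return pairs


def make_indicator(pattern: str, name: str, ts: str) -> dict:
    return {
        "type": "indicator",
        "id": _stix_id("indicator"),
        "created": ts,
        "modified": ts,
        "name": name,
        "labels": ["malicious-activity"],   # required on indicators in STIX 2.0
        "pattern": pattern,
        "valid_from": ts,
    }


def build_bundle(iocs: dict, ts: str = None) -> dict:
    """STIX 2.0 bundle: the spec_version sits on the bundle, not on the objects."""
    ts = ts or _timestamp()
    return {
        "type": "bundle",
        "id": _stix_id("bundle"),
        "spec_version": "2.0",
        "objects": [make_indicator(p, n, ts) for p, n in ioc_patterns(iocs)],
    }


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


# Constructed placeholders, not IOCs from any real analysis.
SAMPLE_IOCS = {
    "domains": ["c2.example.invalid"],
    "ips": ["203.0.113.10"],
    "dropped_files": [{"name": "payload.dll", "sha256": "ab" * 32}],
    "processes": [r"C:\Users\user\AppData\Local\Temp\payload.exe --install"],
}

if __name__ == "__main__":
    print(to_json(build_bundle(SAMPLE_IOCS)))
```

Note the escaping in `_quote`: Windows paths and command lines contain backslashes, which are escape characters inside STIX pattern string literals, so they must be doubled or the pattern will not parse in the consuming platform.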


Windows 10 x64 1803 Support



Joe Sandbox v23 Black Opal analyzes malware on the latest Windows 10 version!






We have also added Windows 10 support for Joe Sandbox Hypervisor:








Thus, you can analyze threats with Hypervisor based Inspection on Windows 10!


IDA Pro 7.1 Support


IDA Pro 7.1 is now officially supported by the Joe Sandbox Bridge Plugin. The plugin allows you to load memory dumps into IDA Pro and enrich them with dynamic information:



Web API v2 Enhancements


With Black Opal we added several new APIs to the RESTful Web API. This includes cookbook and Yara upload, download, deletion, and listing:


As a result, you now can fully automate Yara and Cookbook handling via the API.


Sysmon Logs Extraction


We added a new cookbook to easily extract Sysmon Logs via Joe Sandbox:



For detailed information please have a look at our recent blog post about Sysmon logs.


Android Decompilation


Black Opal decompiles Android Application Packages (APK). As a result, there are several new downloads for Android analyses:



Inside the full Android report you can easily navigate to the source code:




Final Words



In this blog post, we introduced some of the major features of the Black Opal release. Furthermore, minor features are:

  • ContentSettings-Ms support on Windows 7
  • Option to change the keyboard layout through the Web GUI
  • Option to start samples as a normal user through the Web GUI
  • Option to enable Anti-Evasion for data-aware samples through the Web GUI
  • Support for Unicode file names (Chinese, Japanese and Korean)
  • Security alerts (login, password change, etc.)
  • Setup code for cookbooks
  • Major speed up for Internet Explorer analysis
  • General analysis speed up
  • Automated Yara rule validation & conflict resolving

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Empowering Joe Sandbox Cloud with Avira URL Cloud



Today we bring you exciting news. We have enhanced the Joe Sandbox Cloud URL reputation with Avira URL Cloud. Avira is a renowned German antivirus software, known to provide excellent malware detection rates!

To enable URL checks, go to the Submission Tab - Intelligence and select "Use third-party URL reputation lookup":


High-Value Reputation Checks for URLs from any source


How does Joe Sandbox Cloud's URL reputation work? Users (manually or via our extensive RESTful Web API) submit samples to Joe Sandbox Cloud. A sample can be either a URL or a binary file:




Joe Sandbox dynamically analyzes the file by executing it in a sandbox. During analysis, Joe Sandbox extracts URLs from several different sources, including:


Network Traffic


Joe Sandbox captures the complete network behavior of the sample. For HTTP and HTTPS (with SSL inspection) URLs are automatically extracted. 





Command Line Arguments



Often malware includes a list of several C&C URLs which are passed via command line. However, only the first URL is contacted during the execution. To get a deeper analysis it is important to also extract URLs from command line arguments.




Memory and Binaries Data


Another very good source to look for URLs is the memory as well as binaries which for instance have been dropped by the malware. Joe Sandbox captures memory dumps at various execution points to detect unpacking and decryption. In addition, any dropped or touched file is preserved and scanned for URLs:






Hybrid Code Analysis


Finally, Joe Sandbox performs extensive static code analysis on captured memory dumps. Disassembly often includes hidden strings which can be valid URLs:




All the extracted URLs are sent to the reputation engines that Joe Sandbox Cloud Pro currently integrates with:



Each reputation engine provides a verdict. The verdict is used for various purposes, such as detecting more malware, lowering false positives and providing insights for analysts. Below you can find a few excerpts from reports including reputation data:




Joe Sandbox Cloud more powerful than ever


Thanks to the Avira URL Cloud integration, Joe Sandbox Cloud Pro customers benefit from a high-value third-party reputation engine. This comes without any price change!

In contrast to many other vendors, Joe Sandbox extracts URLs from many sources and checks them against five different reputation engines.

A lot of data combined with high-value reputation engines greatly increases the malware detection efficiency of Joe Sandbox!

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!

Hunting for similar Samples with Joe Sandbox Class 2.0

The malware landscape is constantly evolving, and currently, we no longer see tens of thousands of different active malware threats, but only a few different malware families that often share common source code.

Similarity analysis aka hunting for similar samples has recently gained a lot of attention in the security community and as a result, we decided to completely renew Joe Sandbox Class and enhance it with great new features.


In this blog post, we will outline some of the new features related to x86 / x64 code hunting while in a second one, we will outline all the major improvements we have done to search samples for similar architectures.

For those who are not yet familiar with this feature, Joe Sandbox Class is Joe Security's code hunting engine. It's built upon a large database of disassembly functions which are compared against the analyzed sample. 

Joe Sandbox Class 2.0 Intro


How does it work? Joe Sandbox Class acquires data from the Hybrid Code Analysis technology that generates disassembly from memory dumps:




Disassembling memory dumps has a couple of benefits which result in richer functions that include more strings and API calls. In addition, the results are more consistent than what a disassembler would produce from an executable on disk. Finally, Hybrid Code Analysis generates disassembly from any code, including hidden or non-executed sections, shellcode etc.

Rich disassembly functions are an excellent source for similarity analysis and hunting. They often stay the same for several malware versions or variants or are just changed slightly. 

All those rich functions are loaded into Joe Sandbox Class, a step also known as feature selection. Next, Class generalizes the functions. For instance, a file path or URL string is replaced with a generic token. This is important because in different variants the code stays the same but a URL or file path may vary. Afterward, Class selects only the most interesting and relevant functions; those which appear too often are classified as not interesting. The same applies to functions which appear in goodware. Finally, the actual similar function search is performed:



Joe Sandbox Class has several comparison algorithms based on:

  • Strings and APIs
  • Instruction bytes
  • Opcodes

It implements both precise and fuzzy matching. Once the similarity search is done, Class generates an extensive report.
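
The pipeline just described (generalization of strings, dropping of functions that are too common or appear in goodware, then precise or fuzzy matching) reduces to a few set operations once each function is represented by its strings and API names. The block below is an added toy implementation, not Joe Sandbox Class code; it uses the Strings-and-APIs feature set only, its corpus, goodware set, thresholds and function names are all constructed, and it goes beyond the precise matching shown in the report by also doing a Jaccard-based fuzzy match.

```python
"""Toy version of the feature selection and matching pipeline described above:
generalize strings, drop uninformative functions, then match precisely or fuzzily.
Added example, not Joe Sandbox Class code; CORPUS and GOODWARE are constructed."""
import re
from collections import Counter

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\|/)")


def generalize(feature: str) -> str:
    """Replace variant-specific strings with generic tokens; API names stay as they are."""
    if URL_RE.match(feature):
        return "<URL>"
    if PATH_RE.match(feature):
        return "<PATH>"
    return feature


def normalize(features) -> frozenset:
    return frozenset(generalize(f) for f in features)


def find_similar(corpus, goodware, query, max_samples=2, min_jaccard=0.75):
    """corpus/goodware: {sample: {function_name: {strings and API names}}}.
    Returns {query_function: {"status", "matches": [(sample, function, kind, score)]}}."""
    norm = {s: {fn: normalize(f) for fn, f in funcs.items()} for s, funcs in corpus.items()}
    good = {normalize(f) for funcs in goodware.values() for f in funcs.values()}
    # How many distinct samples contain each generalized function.
    freq = Counter()
    for funcs in norm.values():
        for nf in set(funcs.values()):
            freq[nf] += 1
    results = {}
    for qname, qf in norm[query].items():
        # Feature selection: too common, or present in goodware, is not interesting.
        if qf in good or freq[qf] > max_samples:
            results[qname] = {"status": "dropped", "matches": []}
            continue
        matches = []
        for sample, funcs in norm.items():
            if sample == query:
                continue
            for fn, f in funcs.items():
                if f == qf:
                    matches.append((sample, fn, "precise", 1.0))
                else:
                    jaccard = len(f & qf) / len(f | qf)
                    if jaccard >= min_jaccard:
                        matches.append((sample, fn, "fuzzy", round(jaccard, 2)))
        results[qname] = {"status": "selected", "matches": matches}
    return results


# Constructed functions: a keylogger core, a C&C config routine whose URL differs
# per variant, and a heap helper that every program (goodware included) contains.
KEYLOG = {"GetForegroundWindow", "GetAsyncKeyState", "GetKeyboardState", "[ENTER]", "[BACKSPACE]"}
HEAP = {"GetProcessHeap", "HeapAlloc", "HeapFree"}

CORPUS = {
    "darkcomet_a": {
        "Function_keylog": KEYLOG,
        "Function_config": {"InternetOpenA", "InternetConnectA", "http://c2-a.example/gate.php"},
        "Function_heap": HEAP,
    },
    "darkcomet_b": {
        "Function_keylog": set(KEYLOG),
        "Function_keylog_v2": KEYLOG - {"[BACKSPACE]"},   # slightly modified variant
        "Function_config": {"InternetOpenA", "InternetConnectA", "http://c2-b.example/gate.php"},
        "Function_heap": HEAP,
    },
    "unrelated_loader": {
        "Function_drop": {"CreateFileA", "WriteFile", r"C:\Users\user\AppData\Local\Temp\x.exe"},
        "Function_heap": HEAP,
    },
}
GOODWARE = {"notepad": {"Function_heap": HEAP}}

if __name__ == "__main__":
    for fn, r in find_similar(CORPUS, GOODWARE, "darkcomet_a").items():
        print(fn, r["status"], r["matches"])
```

Querying darkcomet_a drops the heap helper (it is in goodware and in every sample), matches the config routine precisely in darkcomet_b despite the different C&C URL, and matches the keylogger both precisely and, for the trimmed variant, fuzzily.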

Hunting for similar DarkComet Samples


That all being said, let us have a look at a couple of interesting class reports. Here is a DarkComet RAT sample:



The sample was analyzed on August 29th and created six processes. If we jump to the Hybrid Code Analysis section, the redrv.exe with PID 3468 has many interesting functions. Below you can see the function which is the core of DarkComet's keylogger:



Let us now move to the Classification Report for that sample:


Strings and APIs were used for similarity analysis with a precise match:


In total, Joe Sandbox Class found 207915 similar functions in 20178 processes. If we browse down to the similar processes we see that the first processes do not have many similar functions; at most 8 functions match.



However, if we scroll down to the process with PID 3468 we see some processes with many similar functions:


If we click on the first process named SCAN00GO we can have a look at all similar functions. Those functions appear one to one in our initial sample and SCAN00GO:


Do you remember this function? Yes, this is the keylogging code. 

If you browse further you can also see all similar functions and how often they appear. For instance, the keylogging function is unique and perfect for matching similar samples since it was found only 18 times:


However, function Function_0004E254 appears very often and thus does not qualify as being relevant:


While we could introduce whitelists for functions and statistical bounds, we decided not to do that and let the analyst have the final decision. 

Hunting for EQNEDT32.EXE Shellcode

Let us have a look at another sample. This time it is a malicious RTF which uses CVE-2017-11882 or CVE-2018-0802 for payload execution:



Joe Sandbox found shell code which was executed in the Microsoft Office Equation Editor:





Let us move on to the Classification report:


There are 8 function matches in 5 processes which all are inside EQNEDT32.EXE:

For each match we can easily access the initial file name Conti5290.doc as well as the SHA256:


Or here Quotation Request FRQW9087454.doc:



Final Words


Joe Sandbox Class 2.0 has been completely revamped with the cybersecurity analyst focus in mind. The new Classification Report enables security professionals to easily find similar processes based on rich disassembly functions generated by Hybrid Code Analysis. Hunting for individual functions is now easily possible with Class 2.0 that can be configured to use a wide set of different data sources and comparison algorithms.

Interested in trying out Joe Sandbox Class 2.0?  Then hurry up and contact us for an in-depth technical demo!

Full Analysis and Class Reports:

* DarkComet Analysis Report
* DarkComet Classification Report
* CVE-2017-11882 Shellcode Analysis Report

Analyzing Gozi's Anti-Analysis Tricks with Joe Sandbox Hypervisor 2.0


Over the past couple of months, we have focused our efforts on the development of the second version of Joe Sandbox Hypervisor. To inspect a program during runtime, Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques Hypervisor-based Inspection (HBI) inspects a program more deeply and therefore extracts more malicious behavior. Hypervisor 2.0 can also run on bare metal. We already blogged about how to extract C&C traffic with Joe Sandbox Hypervisor here.

This blog post will show some of the new features we added to Joe Sandbox Hypervisor 2.0 by using a recent Gozi sample found on Vitali Kremez's Twitter account (big kudos):


The Gozi developers are very active and add new tricks and evasions frequently. This time they added two new evasions:

  • GetCursorPos, WaitForSingleObject user activity check
  • GetLocaleInfo, language check

Locale Check


Language checks are very common in targeted malware samples. They help the attackers to restrict the execution of particular samples to one country or to a specific geographical zone (e.g. Asia). If you start browsing the Execution Graph, you can easily spot a suspicious looking section:



The red nodes with a diamond shape are so-called "key decisions". They refer to a location in the code where a decision is made. For evasion, the decision often relates to a process termination, a sleep or crash. Zooming in reveals the API calls and edges:


First the "Locale" information is queried, then a string-in-string comparison is done using StrStrIA. At 4010e7 the decision is made to execute the payload (left branch) or not:



In case the right branch is taken, the process is simply exited. As a result, the payload is not executed and the sandbox will not detect any malicious behavior:


What is Locale information about and what does Gozi compare? To answer this question, we can easily jump to the corresponding Hybrid Code Analysis function. Thanks to Hypervisor 2.0 we have the API arguments for many strings comparison functions:





String 1 is a list of country codes to compare with. String 2 shows the actual Locale information of the analysis machine on which Joe Sandbox executed Gozi. By putting all this together, the evasion works as follows:

In case the machine is located in China or Russia, Gozi will simply terminate and not execute its payload.


Since the Locale of the analysis machine is US and not CN or RU, the evasion does not work. Customers analyzing in Russia or China can easily use one of our Cookbooks to change the locale for the analysis:


User Behavior driven Unpacking



The second evasion which is more unique is related to the User Behavior. Most of the time, when a sandbox analyzes a threat, there is no direct user interaction with the analysis machine. Therefore, the mouse or the keyboard is inactive, allowing advanced malware to detect the sandbox and to evade the dynamic analysis.

Let us have a look at function 4010ED:



We see GetCursorPos, WaitForSingleObject and GetCursorPos again. GetCursorPos is an API to query the current coordinates of the mouse pointer; WaitForSingleObject is a routine used here to pause execution. Thanks to the C code decompiler we can easily understand the functionality of the evasion:



At line 45, we can see that the initial cursor coordinates are stored in v108, and then the thread sleeps for 64 milliseconds. Right after, at line 52, the cursor coordinates are stored in v120. If we look further at line 54, the deviation of the coordinates is calculated. The deviation is used as an argument for the unpacking routine at 401C7A. The whole process repeats until the unpacking routine returns 0 (line 56). A return value of 0 means the unpacking is completed.

If we put this all together the evasion works as follows:

In case the mouse is not moved, the deviation between the two cursor coordinates is zero. If the deviation is zero, the malware does not trigger the unpacking and as a result, the evasion loop continues forever.


Joe Sandbox simulates mouse movements and clicks since version 8.0.0. Thus, unpacking completes successfully and the payload is triggered:



Joe Sandbox Hypervisor 2.0


Today's evasion techniques often use string comparison functions such as StrStr, StrCmp or StrRChr. Joe Sandbox Hypervisor 2.0 captures such API calls and is therefore able to detect and bypass samples which are country or region aware.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Analysis Report of Gozi 2.17.

Clone Wars - Zero Effort Scaling




Joe Sandbox v24 Fire Opal release is knocking at the door and will bring a lot of interesting new features. One of the most interesting ones is the support for VMware ESXi 6.7. VMware ESXi is the perfect virtualization solution for building an infrastructure which is able to analyze large volumes of samples very quickly. Large means 5'000, 10'000 or 20'000 samples per day. In this blog post, we will show you how easy it is to scale Fire Opal with ESXi 6.7.

First of all, why is VMware ESXi the best solution for large-scale malware analysis? Well, there are a couple of reasons. First ESXi is a type 1 hypervisor:





For a type 1 hypervisor there is no real host OS; the hypervisor itself is the OS. Examples of type 1 hypervisors are VMware ESXi, Xen or Hyper-V. Examples of type 2 hypervisors are VMware Workstation, VirtualBox or KVM.

Generally, type 2 hypervisors are more often used for virtualization on desktops, while type 1 hypervisors mainly run server applications. As a result, type 1 hypervisors tend to be much more stable, easier to maintain and better to scale. For instance, VMware ESXi can be connected to vCenter, which allows you to easily maintain several ESXi servers, template VMs, cloning etc. Such features are often not available for type 2 hypervisors.



Linked Clones


With Fire Opal, Joe Sandbox now fully supports ESXi 6.7. In addition, we implemented linked cloning for Windows analyzers. Linked cloning is already available for VMware Workstation and VirtualBox. What are linked clones? Linked clones make your job as a Joe Sandbox administrator much easier. Let us assume you have set up and configured Joe Sandbox with one analysis machine named "Analyzer 1":





With a simple shell command, you can create up to n clones of your analyzer. The new clones "link" to the parent Analyzer 1 and thus only require a very minimal amount of storage (normally the size of RAM of analyzer 1). 

Let us have a look at an ESXi instance running Joe Sandbox Fire Opal. We have one Windows 10 analyzer configured:





After login, use the --clonemachine command. The first argument is the number of clones you would like to create and the second the name of your parent/template VM.





Once cloning is finished refresh the vSphere Web Client:





Don't be alarmed by the "used size" column, it is not accurate. All the clones taken together use only 82GB of storage space:




After cloning, the analyzers are ready to analyze samples. To see the number of analyzers in action simply go to the Admin Tab - Monitoring:





Zero Effort Scaling


Thanks to the new support for VMware ESXi, scaling has become incredibly easy. A Joe Sandbox administrator has to set up an analyzer and then can multiply the analysis performance by using a simple shell command.

In contrast to VMware Workstation and VirtualBox, ESXi is much better suited for large-scale analysis. It is more stable than type 2 hypervisors, has better features for maintenance and enables zero effort scaling. 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!
