Channel: Automated Malware Analysis

Scorch Malware with Joe Sandbox Fire Opal

We're nearing the end of 2018 and with that, we proudly release the latest Joe Sandbox update: version 24 - code name Fire Opal! This release is packed with an enormous amount of new features and interesting enhancements that will skyrocket the analysis power of Joe Sandbox.




Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Fire Opal a couple of days ago.

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Fire Opal features.



77 New Behavior Signatures

With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of Gootkit, GandCrab, AZORult, DarkComet RAT and more:









Ubuntu 18.04 LTS Support



Joe Sandbox now runs on the latest and most secure Ubuntu LTS Server operating system - Bionic Beaver 18.04 LTS. Ubuntu guarantees security updates until the year 2023 for this release:






MITRE ATT&CK™ 



We have completely mapped over 1,800 behavior signatures of Joe Sandbox to MITRE's adversary tactics and techniques. For each analysis you now get the MITRE ATT&CK matrix and can easily compare different malware samples based on their tactics:







VMware ESXi 6.7 Cloning


Fire Opal adds support to install and run Joe Sandbox on VMware ESXi 6.7. In addition, we implemented cloning for ESXi. With cloning you can easily scale up Joe Sandbox by using a single shell command:







For detailed information, please have a look at our recent blog post about Clone Wars - Zero Effort Scaling.





INetSim Support



You have a critical sample and don't want to analyze it with a real Internet connection, but still want to see the network traffic it initiates? No problem! Fire Opal adds support to connect Joe Sandbox to INetSim - the industry standard for Internet simulation:






With INetSim malware samples cannot cause any harm to any third party since no live Internet connection is granted.



TOR connect / disconnect



You want to grant Internet access to the analysis machine but want to do it in an anonymized way? Fire Opal comes with an automated Tor connector. By using a single shell command your system is configured to route all malicious traffic through Tor:





Web API 2.0 Extensions


We extended the REST API 2.0 with the ability to manage users, cookbooks and Yara rules. You can create, modify and list all users, cookbooks and Yara rules:







URL Memory Extraction


Fire Opal extracts URLs directly from memory dumps and sends them to VirusTotal or MetaDefender for detection:



With that feature, Joe Sandbox detects C&C URLs even if they are not called.


Dynamic Data for Hybrid Code Analysis


Dynamic information such as system or API call arguments is now fully passed to our Hybrid Code Analysis engine. As a result, you find function arguments directly in the disassembly section:



This makes reading and understanding the disassembly much easier! Thanks to this feature, we see in the example above that the address of GetTickCount is queried as well as the number of ticks returned by GetTickCount.


Screenshot Thumbnails and Downloads


We added a gallery of all screenshots as thumbnails to the analysis report. This makes it much easier to identify interesting screenshots:


In addition, you can now download a selection of "Interesting Screenshots" only:



Improved VBA Callgraphs


If you activate VBA instrumentation - a technique which extracts dynamic information from VBA macros in Office documents - Joe Sandbox will generate an impressive call graph. With Fire Opal we extended that call graph and added triggers, number of calls and API calls:



Due to that improvement, you can find interesting Macro parts more quickly and understand the structure of the code better. 


RTF File Parser


Documents in RTF format are now parsed and malicious objects are detected:




Joe Sandbox Class 2.0


The Fire Opal release includes Joe Sandbox Class 2.0. Class is the code similarity engine of Joe Sandbox; it identifies similar samples by looking at code functions. Class 2.0 includes a wide range of new features such as opcode and instruction based similarity searches, a completely redesigned report, as well as various performance improvements:





With Joe Sandbox Class 2.0 analysts find similar samples more quickly, understand which samples are the most similar and why they are similar.


Dialog Box Support for Android


Android samples requesting dynamic permissions have become more frequent. Therefore we added automation support for those dialog boxes:



As a result, Joe Sandbox handles all dialog boxes fully automatically.

Final Words


In this blog post, we introduced some of the major features of the Fire Opal release. Furthermore, minor features are:

  • Added Windows 10 x64 support to Joe Sandbox Hypervisor as well as a huge performance upgrade
  • Added more user-mode API interceptions to Joe Sandbox Hypervisor
  • Added a new guide for Remote Assistance
  • Added a new cookbook to change the timezone of the analysis machine
  • Added a password test for protected office documents
  • Added auto dependency installation
  • Added support for dynamic instrumentation of dropped APKs
  • Added support for decompilation of dropped APKs and DEX files
  • Added support for MITM SSL inspection on Android
  • Huge performance improvement for documents and URL analysis
  • Improved the general analysis performance
  • Improved the selection of interesting Android methods
  • Improved remote assistance

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Generic Unpacking Detection



Malware authors use a wide range of techniques to avoid detection by security tools. One of the most used techniques is packing. This powerful procedure allows attackers to bypass static signature detection, an important defense line of Antivirus products.

Unpacking is the process of restoring the original malware code and is considered a hot topic for academic research due to its complexity.

Joe Sandbox has included a generic unpacking engine since 2014. While unpacking is one problem, generic unpacking detection is another.

In this blog post, we are going to outline how packing works and how the recently added unpacking detection of Joe Sandbox works.

The Art of Packing and Unpacking


It is hard to describe packing in words, therefore please have a look at the visualization below:




Packing is usually applied to executable files such as the Windows Portable Executable (PE) or the Linux Executable and Linkable Format (ELF). The tool which performs the packing process is called "Packer".

The starting point is a PE file. The workflow of packing, unpacking and execution is as follows:

1) Original File

If you look at your PE file, it contains a header, a code section (.text) and some additional sections (.data, .rsrc etc.). Importantly, all the code is available for static analysis, so it is relatively simple to find unique code patterns in the code section to detect the file as malicious.

2) Packing Process

The packing process generates a completely new PE file with a new header. Next, the original file is transformed. The transformation is often a compression algorithm, a cryptographic operation (e.g. XOR) or a mix of both, and often a random key is used, so each packed sample is unique. The transformed original file is copied into the new file. Finally, a small stub is added to the new PE file; its job is to reverse the transformation during execution. Since the original file is compressed and/or encrypted, static analysis and detection are hard.

3) Loading the Packed File Phase 1

When the packed file is started it is mapped to virtual memory. Next, the unpacking stub is called to reverse the compression and/or cryptographic operation. As a result, the original file is "restored" in memory. There are two possibilities where the file is restored. Either the complete packed PE file is replaced with the original, or it is restored on a different memory address. 

4) Loading the Packed File Phase 2

As soon as the original file is "restored", the stub will transfer execution to the "restored" file. The restored file will then execute as normal.

Packers


Packers are available in a large variety. They can be bought on the DarkNet as well as from legitimate software vendors. Below you can see a nice map from Ange Albertini which shows some of the most famous packers:




Generic Unpacking Detection


Since most malware is packed, it not only makes sense to do generic unpacking but also to detect the unpacking process itself. This generic unpacking detection has been recently added to Joe Sandbox. In order to demonstrate its power, we will look at two different samples. 

PE Header Overwriting


The first sample is called XgkKQZc74T.exe. During execution, the image is mapped to address 0x400000:




Joe Sandbox's unpacking engine generates several "restored" files:






The first file, 1.0.XgkKQZc74T.exe.400000.0.unpack, was captured before any code had been executed. The second file, whose name starts with 1.2.XgkKQZc74T.exe.400000.0.unpack, was stored when the analysis finished. Please note that both files have been restored from the same address 0x400000.

Let us have a look at the import address table for each restored file. The import address table shows what functions are imported by the PE file. The first file (1.0.XgkKQZc74T.exe.400000.0.unpack) has many imports:



In contrast, the second file has fewer imports, and most of them do not appear in the first file. For instance, the unpacked file can connect to the Internet via HTTP, while the first file has no import for such a function:




This change of the PE file header proves that the sample is packed. The PE header at address 0x400000 has been overwritten with the unpacked file. As a result, the import address table changed and we see above the table from the unpacked/malicious file. With a new behavior signature Joe Sandbox detects this anomaly:




If we look at the unpacked file we can also find the command and control IP / domain:




Dynamic Code Loading


The second sample is named WBKDqSfWLj.exe. It is loaded at address 0xdb0000:




If we browse some of the behavior we detect that some calls originate from 0xdb0000:




However, there are also calls coming from 0x400000:




Could this be an unpacked file? If we browse to the memory activities we indeed see that there is some allocation of memory at the address 0x400000:




As for the previous sample, we can compare the import address tables of the corresponding unpacked files. This time the base addresses of the images are different:




For file 1.0.WBKDqSfWLj.exe.db0000.0.unpack the import address table is:




And for file 1.2.WBKDqSfWLj.exe.400000.1.unpack the import address table is:



Again, we see different tables, which shows that a new PE file has been loaded. This time the PE header of the original file is not overwritten. Rather, the original file is unpacked/decompressed into a new memory section which was allocated by the stub. Of course, there is also a behavior signature in Joe Sandbox to detect this:
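As an added example (not Joe Sandbox's own engine), the following Python script shows how the two patterns above can be told apart from memory snapshots: it parses the PE32 header fields of the image at the original base before and after execution and flags a header overwrite when they differ, and it flags a PE image that appears in a region absent from the first snapshot as dynamically loaded code. The snapshots are constructed with a helper, the region addresses mirror the two samples, and the known_modules exclusion is an assumption about how loader-mapped DLLs would be filtered out.

```python
import struct

# Layout constants for a PE32 image (PE32+ would need a 64-bit ImageBase)
OPT_MAGIC_PE32 = 0x10B
IMPORT_DIR_OFFSET = 96 + 1 * 8   # DataDirectory[1] = import table


def build_pe32(entry_point, image_base, import_rva, import_size, num_sections=1):
    """Construct a minimal PE32 header (no sections, not runnable) for the demo."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, 16, entry_point)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)   # ImageBase
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, IMPORT_DIR_OFFSET, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(region):
    """Return the header fields we compare, or None if the region is not a PE32 image."""
    if len(region) < 64 or region[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", region, 60)[0]
    if e_lfanew + 24 + 224 > len(region) or region[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", region, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 224 or struct.unpack_from("<H", region, opt)[0] != OPT_MAGIC_PE32:
        return None
    imp_rva, imp_size = struct.unpack_from("<II", region, opt + IMPORT_DIR_OFFSET)
    return {
        "sections": nsections,
        "entry_point": struct.unpack_from("<I", region, opt + 16)[0],
        "image_base": struct.unpack_from("<I", region, opt + 28)[0],
        "import_rva": imp_rva,
        "import_size": imp_size,
    }


def detect_unpacking(before, after, main_base, known_modules=()):
    """Compare snapshots taken before any code ran and at the end of the run.

    before/after map region base address -> bytes. Findings:
      ("pe_header_overwrite", base, changed_fields): the image at main_base now
          carries a different PE header (the XgkKQZc74T.exe pattern)
      ("dynamic_code_loading", base, header): a PE image appeared in a region that
          did not exist before and is not a loaded module (the WBKDqSfWLj.exe pattern)
    """
    findings = []
    old = parse_pe_header(before.get(main_base, b""))
    new = parse_pe_header(after.get(main_base, b""))
    if old and new:
        changed = sorted(k for k in old if old[k] != new[k])
        if changed:
            findings.append(("pe_header_overwrite", main_base, changed))
    for base, region in sorted(after.items()):
        if base == main_base or base in before or base in known_modules:
            continue  # DLLs mapped by the loader also carry PE headers; exclude them
        header = parse_pe_header(region)
        if header:
            findings.append(("dynamic_code_loading", base, header))
    return findings


def demo():
    """Constructed snapshots mirroring the two samples discussed above."""
    packed = build_pe32(0x1000, 0x400000, 0x3000, 0x50)
    # Sample 1: the stub restores the original file over its own header at 0x400000
    restored = build_pe32(0x2400, 0x400000, 0x7000, 0x28, num_sections=3)
    first = detect_unpacking({0x400000: packed}, {0x400000: restored}, 0x400000)
    # Sample 2: the image at 0xdb0000 is untouched; the original file lands in a
    # region at 0x400000 allocated during execution. 0x77000000 stands in for a
    # DLL mapped by the loader, which must not be reported.
    loaded = build_pe32(0x1000, 0xDB0000, 0x3000, 0x50)
    second = detect_unpacking({0xDB0000: loaded},
                              {0xDB0000: loaded, 0x400000: restored, 0x77000000: loaded},
                              0xDB0000, known_modules={0x77000000})
    return first, second


if __name__ == "__main__":
    for scenario, findings in zip(("XgkKQZc74T", "WBKDqSfWLj"), demo()):
        for kind, base, detail in findings:
            print(f"{scenario}: {kind} at {base:#x}: {detail}")
```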





Final Words


Packing is widely used by many malware samples to bypass static signature detection. Joe Sandbox includes an unpacking engine which will restore the original file. The restored files can be downloaded by analysts:




While unpacking itself is helpful, unpacking detection is even more important. With the upgrade, Joe Sandbox detects unpacking via PE header overwriting and dynamic code loading:




Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Joe Sandbox Mail Monitor 2.0


As a security professional working in a SOC, CERT or CIRT, you are constantly bombarded with requests from end users asking whether the e-mail attachment they received is safe to open. Such requests have recently increased with the latest Emotet trojan malspam campaign, which uses Word or PDF attachments as a lure:



In most cases, you would take the e-mail and submit it to Joe Sandbox in order to check if it is malicious. If the document analysis shows signs of maliciousness, you would consequently inform the end user.

Wouldn't it be nice if this whole process could be automated so that you can focus on more important tasks?

In this regard, we have good news for you! Joe Sandbox Mail Monitor may be exactly what you are looking for. Joe Sandbox Mail Monitor is integrated into Joe Sandbox Cloud Pro as well as into our on-premise products. We recently added a couple of new interesting features to Joe Sandbox Mail Monitor 2.0 and will present some of them in this blog post.

What exactly is Mail Monitor? Please have a look at the diagram below:




To enable Mail Monitor you first create a new e-mail account with the name sandbox@yourhost.com. Your end-users will then forward suspicious e-Mails to the defined email account. Mail Monitor will periodically fetch new e-mails from that account and submit them to Joe Sandbox. Then, Joe Sandbox will fully dissect the e-mail and analyze all the attachments and URLs it finds in the email body (you have a configurable whitelist to prevent analysis of links in your e-mail signatures). Once the analysis is finished a notification e-Mail is sent to the end user:



With Mail Monitor 2.0 end-users can now also be notified as soon as the forwarded e-mail has been received by Joe Sandbox:



Further, we added summary notifications. Let us assume that the forwarded email contains multiple links and/or attachments. With Mail Monitor 2.0 you can choose if the end user shall receive a notification for each analyzed link and attachment, or just one summary notification:



The detection for summary notifications is based on the analysis with the highest score, i.e. the most malicious sample or URL.

On top of this enhancement, we extended the customization of notifications:


For each notification, you can change the subject and body. For better visibility please choose the Joe Security design.

Finally, we also improved:
  • URL extraction from e-Mail bodies
  • Notifications for cached analyses
  • More intuitive design
  • Use of {{subject}}, {{to}} and {{from}} in the templates

Does this sound good to you? Would you like to try out Joe Sandbox Mail Monitor 2.0? Contact us today!

Happy New Year!




The Joe Security team wishes you success, satisfaction and many pleasant moments in 2019!

Architecture independent Malware Similarity Analysis with Joe Sandbox Class 3.0


Hunting for similar malware is the process of identifying similar samples based on IOCs, behavior, functions or other data. It helps analysts to find malware families, understand the evolution of threats and provides an indication for attribution.

There are various techniques to perform similarity analysis or classification. Often, the malware is disassembled and a unique identifier is calculated at the function level (e.g. from the instructions, opcodes, control flow graphs, API calls etc.). This process is called feature selection and it is done on a large volume of malware. To check for similar malware, the feature database is queried for all samples which share a set of identical features:



Joe Sandbox Class 2.0, the similarity engine of Joe Sandbox is based on this technique. To get a better idea, please have a look at the screenshot below, extracted from a recent Emotet analysis. The first section contains the number of features in the database followed by a list of processes. For the Emotet process 161.exe, all similar samples are listed. On the right side, a bar indicates the number of similar functions for each similar process. For instance, the sample deepwindow.exe has 79 similar functions.



Using disassembly data for similarity analysis has many benefits, such as the possibility to use differential hashing, as well as the high interest in the matched data.

However, malware authors have the freedom to write malware in any programming language, including C#, VB.Net, Java, PowerShell, VBS or Javascript. Generating meaningful disassembly and functions out of all these frameworks is a very challenging task.



Secondly, malware also targets other operating systems like Linux, macOS, or Android. Again, we have a large variety of new frameworks and programming languages to support. Think about Python, Bash, Golang, LUA etc.

Finally, x86 and x64 code can be well obfuscated, making the disassembly and feature selection extremely difficult.

Isn't there an easier way to perform similarity analysis on all of these architectures?

There is, but let us first have a look at something else: Behavior Signatures. Joe Sandbox executes malware in a controlled environment and during execution, it records dynamic data such as system calls, API calls, memory dumps etc. To identify and rate that dynamic data, we write rules, so-called Behavior Signatures. Here is an example:



Joe Sandbox has one of the largest behavior signature sets in the industry. The set includes nearly 2,000 manually written behavior signatures, detecting malware on Windows, Android, macOS, Linux and iOS. Please note that a behavior signature does not care about the programming language used by the malware; it just detects a fact about the behavior. Behavior signatures are therefore abstractions of the code, which makes them ideal features for similarity analysis.

In Joe Sandbox Class 3.0 which will be part of our upcoming Joe Sandbox v25 Tiger's Eye release, we have successfully implemented similarity analysis based on behavior signatures. The results are really good, let us have a look at a couple of recent samples.

Windows: LokiBot


The results of the signature similarity have been integrated into the Joe Sandbox main analysis report. However, there is also a separate report which contains just the similar sample information:



From the top navigation, go to Overview and then Signature Overview. What you see there is what we call signature similarity graph:


Each node represents a malware analysis (not a malware sample!). If two nodes are connected the analyses are similar. The number, as well as the color, indicates how similar. Each node has the name of the sample submitted to Joe Sandbox as well as a color bar. The color bar represents all the behavior signatures which matched. You can move over the bar with your mouse to see which signatures were hit:



The color bar helps to see why two analyses are similar. The graph itself is interactive: you can use your mouse wheel to zoom in or out. If a node has a small plus symbol you can expand the graph; the minus symbol collapses the connected subgraph:
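To make the graph semantics concrete, here is an added Python example (not Joe Sandbox Class's implementation) that builds such a graph from constructed analyses: nodes are analyses, an edge is drawn when the score reaches a threshold, and the shared signatures are what the color bar hover would show. The score is Jaccard similarity over each analysis's matched signature set, which is an assumption, since the post does not state the metric Class 3.0 uses; short labels stand in for the NanoCore RAT signatures listed further below.

```python
from itertools import combinations

# Short labels for the NanoCore RAT behavior signatures listed in this post
SIGNATURES = {
    "schtasks": "Uses schtasks.exe or at.exe to add and modify task schedules",
    "zone_id": "Hides that the sample has been downloaded from the Internet (zone.identifier)",
    "hdr_overwrite": "Detected unpacking (overwrites its own PE header)",
    "net_unpacker": ".NET source code contains potential unpacker",
    "odd_ports": "Detected TCP or UDP traffic on non-standard ports",
    "dyn_dns": "Uses dynamic DNS services",
    "pe_inject": "Injects a PE file into a foreign processes",
    "dotnet": "Parts of these applications are using the .NET runtime (Probably coded in C#)",
    "odd_name": "Initial sample is a PE file and has a suspicious name",
}

# Constructed analyses: three NanoCore-like runs, a loader and a benign installer.
# Each value is the set of behavior signatures that matched in that analysis.
ANALYSES = {
    "nano_a.exe": set(SIGNATURES),
    "nano_b.exe": set(SIGNATURES) - {"dyn_dns"},
    "nano_c.exe": (set(SIGNATURES) - {"zone_id", "dyn_dns"}) | {"cpu_query", "long_sleep"},
    "loader.exe": {"hdr_overwrite", "odd_name", "vm_check", "anti_debug"},
    "setup.exe": {"odd_name", "user_dir_files"},
}


def jaccard(a, b):
    """Similarity of two signature sets: |A ∩ B| / |A ∪ B| (0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity_edges(analyses, threshold=0.5):
    """Edges of the similarity graph as (analysis_x, analysis_y, score), highest first."""
    edges = []
    for (x, sx), (y, sy) in combinations(analyses.items(), 2):
        score = round(jaccard(sx, sy), 2)
        if score >= threshold:
            edges.append((x, y, score))
    return sorted(edges, key=lambda e: (-e[2], e[0], e[1]))


def clusters(analyses, threshold=0.5):
    """Connected components of the graph (the subgraphs the report lets you fold)."""
    parent = {name: name for name in analyses}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving keeps lookups short
            n = parent[n]
        return n

    for x, y, _ in similarity_edges(analyses, threshold):
        parent[find(x)] = find(y)
    groups = {}
    for name in analyses:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def shared_signatures(analyses, x, y):
    """What the color bar hover shows: the signatures both analyses matched."""
    return sorted(analyses[x] & analyses[y])


if __name__ == "__main__":
    for x, y, score in similarity_edges(ANALYSES):
        print(f"{x} -- {y}: {score} shared={shared_signatures(ANALYSES, x, y)}")
    print("clusters:", clusters(ANALYSES))
```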


Let us focus on the graph structure of LokiBot - a very famous and active information stealer. On the left side of the graph, you find many samples with high similarity. We manually verified that they are all LokiBot. The samples on the right are also confirmed LokiBots, but an older version. Right after the graph, you find a list of all similar samples including a link to the behavior report:



Windows: NanoCore RAT

LokiBot is written in C/C++ so it could also have been detected with function based similarity analysis. NanoCore RAT is a remote access tool developed in .NET. The corresponding similarity graph looks as follows:


What are some of the most common behaviors of NanoCore RAT? Here is a list:

  • Uses schtasks.exe or at.exe to add and modify task schedules
  • Hides that the sample has been downloaded from the Internet (zone.identifier)
  • Detected unpacking (overwrites its own PE header)
  • .NET source code contains potential unpacker
  • Detected TCP or UDP traffic on non-standard ports
  • Uses dynamic DNS services
  • Injects a PE file into a foreign processes
  • Parts of these applications are using the .NET runtime (Probably coded in C#)
  • Initial sample is a PE file and has a suspicious name

Because NanoCore RAT is written in .NET, x86/x64 ASM based function similarity analysis would fail. The same applies to ADWIND RAT, a remote access tool written in Java:



Android: Anubis


We have seen that behavior signatures work great to classify analyses on Windows. How about Android? A particularly interesting sample is Anubis. Anubis is a well-known banking Trojan which has been around for years. Besides the Trojan payload, it also has some ransomware functionality. Joe Sandbox detects Anubis right away:

The behavior similarity graph of Anubis is shown below:


All analyses are confirmed to be Anubis. The right subgraph has some very high similarities. We checked the analysis reports in detail and found out that they all come from a specific campaign where a link to Anubis was likely distributed via MMS. To keep the user from worrying about the device, all analyses show the same sweet puppy on the screen:


Another interesting observation is that the list of target banks has been continuously extended. The recent sample targets over 300 banks while the one from the MMS campaign has only 70 targets:


macOS: Retefe


We looked at malware targeting Windows and Android so far, what else? macOS! Retefe is an e-Banking trojan which infects Windows and macOS systems. Retefe is very active in European countries. A recent sample was detected by one of our customers. The similarity graph looks as shown below:



Only the left branch has high similarities and is Retefe. The right branch has some similar behavior but contains different programs. From the analysis reports, we extracted all screenshots which demonstrate that Retefe has changed the installer over time:




Linux: Miners


Finally, let us move to Linux and the IoT world. Crypto miners are a constant threat to Linux server operating systems:


We will use the following crypto miner shell script named lowerv2.sh:


The generated similarity graph reveals some interesting facts:


First, all analyses have crypto mining functionality.




The analysis with the highest match is coming from a sample with the name rootv2_1.sh:



Rootv2_1.sh is a modified version:


What are the differences? First, as you can imagine it uses different domains to download the crypto config:


Secondly, it changes the install location:


However, both times the malware persists itself to /tmp.

Final Words


Using several recent samples, we have demonstrated that behavior signature-based similarity analysis has many benefits. It classifies samples no matter whether they are written in .Net, Java or Visual Basic. Traditional similarity analysis which depends on x86 / x64 functions as features can easily be foiled by packing and obfuscation. Behavior signatures do not have this limitation. Finally, behavior signatures enable architecture-independent sample comparison.

Joe Sandbox Class 3.0 includes a new similarity analysis which is based on Joe Security's massive behavior signature set. Class 3.0 will be released as a part of our upcoming Tiger's Eye - Joe Sandbox v25 release.

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Bonus Pafish


You are looking for a bonus? Below you find the similarity graph of Pafish. Pafish is a well-known tool to check how well a sandbox hides its artifacts from the malware. Malware often tries to detect that it is running in a sandbox, e.g. by checking whether the computer is a virtual machine.


On the left side, you find a couple of different Pafish variants, mostly old versions. The fourth branch which starts with loader.exe is interesting:

Those samples are not Pafish variants but rather loaders which adopted techniques implemented in Pafish. Loaders are small tools whose purpose is to verify that the environment is safe and then start the main payload. Often they include anti-debugging and anti-virtual-machine checks:


Generic Unpacking of Javascript with Microsoft AMSI




Malicious Javascript files dominate the ranking of malicious e-mail attachments for the year 2018 with 37.2%. Why is that? Due to the flexibility of the Javascript language as well as its various dynamic code execution functions, packing and encryption are easy to achieve. As a result, detection of malicious Javascript files is extremely difficult. Below is an example of a recent malicious Javascript file:


Wouldn't it be nice to get the unpacked and deobfuscated Javascript code? This would help to detect malicious Javascript and also reveal additional behavior indicators.

Security Engineers have proposed to use Javascript emulators. The emulator will run the file and output various internal states such as parameters and string values. This works great in theory, but not in the real world. Malware authors quickly adapted and added code to detect the emulator. Below is an example of a sample which verifies the number of processors:


We therefore thought there must be a better way. Enter the Microsoft Antimalware Scan Interface (AMSI).

AMSI in a Nutshell

AMSI is a generic interface standard that allows applications and services to integrate with any anti-malware product present on a machine. It essentially allows hooking into a Windows interface which is also used by Windows Defender. Here is an image from the Microsoft Cloud Blog outlining how AMSI works with Microsoft Office.



Behavior logs are mostly string buffers of executed code. In addition to Microsoft Office, AMSI also provides buffers for

  • Wscript.exe, VBA Code
  • Cscript.exe, Javascript Code
  • Powershell.exe, PS1 Code

Here is an example AMSI output for a Javascript file:



Here another one:



AMSI does not care about packing, unpacking or obfuscation: it sends all executed code as strings to the interface. As a result, AMSI is the perfect unpacker and deobfuscator. Malware cannot use AMSI as an indicator for evasion, since AMSI runs on real targets as part of Windows Defender. Attempts to disable or evade AMSI can be detected and serve as an additional malicious indicator.

Detecting Packed Javascript Files with AMSI

With the AMSI output, one can also easily detect packed Javascript files. The approach is straightforward:




Given a potentially malicious Javascript file, we check if it contains suspicious strings such as IWshShell3.Run or IServerXMLHTTPRequest2.open. If we find one or a combination of such strings, the sample is considered malicious. If we do not find such strings, we will check each AMSI buffer for the strings. Please note that AMSI will send all code including the code passed to the eval function. If we find a string, we will know for sure that the sample is malicious as well as packed. If we do not find any string, the sample is considered clean.
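The decision procedure above, as an added Python example (not Joe Sandbox's implementation). The script and the AMSI buffers are constructed stand-ins; the buffer list assumes that AMSI delivers the script text, each eval() argument and the resulting COM method invocation as separate buffers, with the sample's intent only visible in the latter two.

```python
# Indicator strings named in the post; AMSI reports COM calls by interface method
SUSPICIOUS = ("IWshShell3.Run", "IServerXMLHTTPRequest2.open")


def indicators_in(text):
    """Indicator strings present in a script source or an AMSI buffer."""
    return [s for s in SUSPICIOUS if s in text]


def classify(script_source, amsi_buffers):
    """Apply the three-step decision from the post.

    Returns the verdict ("malicious" or "clean"), whether the sample is packed
    (indicators only became visible in code AMSI saw at runtime), the indicators
    found and where they were found.
    """
    hits = indicators_in(script_source)
    if hits:
        # Step 1: indicator visible in the file itself -> malicious, not packed
        return {"verdict": "malicious", "packed": False, "indicators": hits, "where": "file"}
    for index, buf in enumerate(amsi_buffers):
        # Step 2: indicator only in code AMSI observed at runtime -> malicious and packed
        hits = indicators_in(buf)
        if hits:
            return {"verdict": "malicious", "packed": True, "indicators": hits,
                    "where": f"amsi buffer {index}"}
    # Step 3: nothing on disk or at runtime -> clean
    return {"verdict": "clean", "packed": False, "indicators": [], "where": None}


# Constructed sample: the on-disk script hides the call behind eval() of an
# escaped string, so no indicator string appears in the file itself.
PACKED_SCRIPT = (
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'eval(unescape("%73%68%2e%52%75%6e%28%22%63%61%6c%63%22%29"));\n'  # sh.Run("calc")
)

# Constructed AMSI buffers for that run: the script text, the code handed to
# eval(), and the COM method invocation AMSI reports when it executes.
PACKED_AMSI_BUFFERS = [
    PACKED_SCRIPT,
    'sh.Run("calc")',
    'IWshShell3.Run("calc")',
]

# Constructed benign script: nothing suspicious on disk or at runtime.
CLEAN_SCRIPT = 'WScript.Echo("hello");\n'


if __name__ == "__main__":
    print(classify(PACKED_SCRIPT, PACKED_AMSI_BUFFERS))
    print(classify(CLEAN_SCRIPT, [CLEAN_SCRIPT]))
```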

We have added the above algorithm to Joe Sandbox v25 Tiger's Eye which is planned for mid-February. Below you find an example signature hit of unpacking detection for the Javascript sample shown in the introduction.


Joe Sandbox has detected the unpacking and displays the full unpacked code. Here the function of the script is to download a binary and then execute it.

You find the full analysis report here.

Final Words

37% of all malicious e-mail attachments are Javascript files. Javascript allows to easily pack and obfuscate code. As a result, Javascript files often slip through today's detection engines such as antivirus and endpoint protection. The Microsoft Anti-Malware Scan Interface is an ideal tool to unpack and deobfuscate malicious Javascript.

Joe Sandbox v25 Tiger's Eye includes an implementation of the AMSI interface and detects and unpacks Javascript files.

Joe Sandbox 25 - Tiger's Eye is out!

For the last three months, we have been working on Joe Sandbox's 25th version, released today under the code name Tiger's Eye! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.





Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Tiger's Eye a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Tiger's Eye features.



Nearly 100 new Behavior Signatures


With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of ExileRAT, LuckyCat RAT, LokiBot, Anubis Loader, and more:





Optical Character Recognition (OCR) for Analysis of Office Documents

Malicious Office documents very often contain images and text used to convince the victim to enable macros or lower security settings. Thanks to the new OCR extraction of Office document content, Joe Sandbox Tiger's Eye can detect those lures:





This detection is very helpful to find malicious documents which contain old exploits that no longer work on recent Office versions.

Generic Unpacking Detection

99% of all malware today is packed. Tiger's Eye comes with a new signature to detect PE file overwriting and dynamic code loading within malware:





You can find more information about generic unpacking detection in one of our recent blog posts.

Microsoft Anti Malware Scan Interface (AMSI) Integration


Joe Sandbox v25 is able to use the Anti Malware Scan Interface of Microsoft. When adding the new cookbook command _JBEnableAMSI() Joe Sandbox will capture all AMSI buffer outputs. Through this, Joe Sandbox v25 can unpack and deobfuscate malicious Javascript, VBS, Powershell and Microsoft Office Macros:




You can find more information on the AMSI integration in one of our recent blog posts.

New Submission Options


Would you like to analyze a malware sample which requires a command line argument? No problem, Tiger's Eye includes a new submission option for that:





Besides the command line argument option there is also a new option to specify an archive password. Let us assume you keep all malware in password protected Zip archives to prevent your local antivirus agent from deleting the files. You can now add that password as a submission option and Joe Sandbox will extract the file automatically on submission:




JA3 Support


JA3 is a method for creating SSL/TLS client fingerprints that can be easily shared for threat intelligence. You find the JA3 fingerprints in the network section - HTTPS packages:



Joe Sandbox Mail Monitor 2.0.0


The Tiger's Eye release contains Joe Sandbox Mail Monitor 2.0.0 with a range of new features and improvements. Firstly, Mail Monitor is now able to send a notification when an email has been received:





Secondly, Mail Monitor 2.0.0 can send summary notifications which bundle several analyses (attachments and links):






Finally, the configuration interface has been revamped. You can find more information on Joe Sandbox Mail Monitor 2.0.0 in one of our recent blog posts.

Joe Sandbox Class 3.0.0


Tiger's Eye also comes with Joe Sandbox Class 3.0.0 which includes a new engine that uses Joe Sandbox's massive behavior signature set for similarity analysis. One big benefit of this is that Class 3.0.0 allows detecting similar samples on Windows, Android, macOS, and Linux. Another benefit is that the similarity algorithm is independent of the programming language of the malware. 

The similarity is visualized in the full report with a graph as well as a list of similar samples. Below you can find some similarity graphs of recent samples:


LokiBot Graph (Windows)

LokiBot Variants (Windows)



Anubis e-Banking Trojan (Android)
Retefe (macOS)
For a deeper technical overview of Joe Sandbox Class 3.0.0 please check out this blog post.

Android 8.0


We added support for Android 8.0. As a result, you can analyze Android malware on Android 8.0 Oreo:


Motion Simulation

Recent Android malware contains new evasions which are based on motion triggers. The payload of the malware is only executed if the Android device receives motion data (e.g. from the gyroscope):



In order to activate such payloads, we added the cookbook command _JBSimulateMotion(). This command simulates up to 200 steps. 

Confidence Score


Android analysis now also includes a confidence score. The confidence score tells how sure Joe Sandbox is about the detection. The detection verdict combined with the confidence score delivers very precise detections:



Final Words


In this blog post, we introduced some of the major features of the Tiger's Eye release. Furthermore, minor features are:

  • Added whitelisting based on the National Software Reference Library (NSRL)
  • Added COM based Office automation
  • Added PCAP download to report
  • Added dropped binaries, memory dumps and unpacked files download to report
  • Added ssdeep hash
  • Added PE rich header information
  • Added icons to the behavior graph
  • Added WMI anti evasions
  • Added INetSim support for VMware Workstation and ESXi
  • Added an option to generate secondary forensic data to the web interface and web API
  • Added extraction for Android AD frameworks
  • Added a search for the source code report
  • Improved (up to 40%) performance of fast mode (previously named hyper mode)

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Malicious Documents: The Evolution of country-aware VBA Macros




Today's malware is often delivered via e-mail attachments. Such documents usually contain a VBA macro or utilize the Office Equation Editor exploit (CVE-2017-11882 or CVE-2018-0802). If it is a VBA macro, an encrypted PowerShell command is likely executed.

Lately, we have seen an increase in evasive VBA macros in Excel sheets. We have monitored new samples of the same group over a period of four months and analyzed how the macros changed over time.

This blog post will outline some of our findings.

Initial Sample


Let us have a look at an early version from December 2018, MD5: 2c2545df2bbcd506bd09641ec97ca5ae. The sheet obviously targets Japanese users:




The macro code is triggered once the workbook is opened:



The evasion check is directly performed in the Workbook_Open function:


Application.International(xlCountrySetting) returns the Country/Region version of Microsoft Excel. Here is an incomplete list of version numbers:

' Application.International(xlCountryCode) =
'
'Arabic 966 (Saudi Arabia)
'Czech 42 (Czech Republic)
'Danish 45 (Denmark)
'Dutch 31 (The Netherlands)
'English 1 (The United States of America)
'Farsi 98 (Iran)
'Finnish 358 (Finland)
'French 33 (France)
'German 49 (Germany)
'Greek 30 (Greece)
'Hebrew 972 (Israel)
'Hungarian 36 (Hungary)
'Indian 91 (India)
'Italian 39 (Italy)
'Japanese 81 (Japan)
'Korean 82 (Korea)
'Norwegian 47 (Norway)
'Polish 48 (Poland)
'Portuguese (Brazil) 55 (Brazil)
'Portuguese 351 (Portugal)
'Russian 7 (Russian Federation)
'Simplified Chinese 86 (People's Republic of China)
'Spanish 34 (Spain)
'Swedish 46 (Sweden)
'Thai 66 (Thailand)
'Traditional Chinese 886 (Taiwan)
'Turkish 90 (Turkey)
'Urdu 92 (Pakistan)
'Vietnamese 84 (Vietnam)

81 stands for Japan. This small check ensures that only Japanese computers are affected. In addition, the code prevents sandboxes and dynamic malware analysis systems, which usually run with US or Western European environments, from analyzing the payload.

Version 2.0


A month later we detected a new variant MD5: d71eaf0ad33a749b8fe3fb8dff56a474. This time the check was split into functions:




The country code is being used by the functions kille and congamerat. Simply changing digitt would not do the job anymore:



Version 3.0


A couple of days later we found a new variant MD5: 894f2f2b7489052f9fe258f0ea70be6d. This time the Boolean check had been made more complicated:


The check includes arithmetic calculation. In addition, it uses built-in Excel constants such as xlTickLabelPositionHigh. The expression to query the country code is split into two statements:


While most of the sheets we found target Japanese users, we also found some which target Italian users (MD5 d0c862c57819f417b852cb1cd308ffa2 and d0c862c57819f417b852cb1cd308ffa2):



Version 4.0


Some days ago we found another variant, MD5: aacb83294ca96f6713da83363ffd9804. There are multiple changes. First of all, Workbook_Open is no longer used but rather Frame1_Layout:


Frame1_Layout is triggered whenever Excel redraws the workbook. The country code check has not changed; it uses calculation and built-in constants:



What is more interesting is the second country check: Function tuff creates a currency format. E.g. for US dollars it creates $0.00. For Japan, it would create 0¥.


The size of the currency format is then later used to decrypt and deobfuscate the command line string passed to Shell:


Fighting country-aware Malware


As this blog post demonstrates, attackers constantly improve their code base to make detection more difficult.

Joe Sandbox has an array of different technologies to fight country-aware samples. Generic VBA Instrumentation and Cookbooks are just two of them. Below is the full analysis of the latest version:








Bonus:


Application.International(xlCountrySetting) and Format(0, "currency") are not the only ways to build country-aware malware. Just recently we found a sample, MD5 6a9eda3eb0bfc222ab46725829faaec7, which uses GetLocaleInfo:




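As an added example (not code from this post or from Joe Security), here is a small Python triage script for extracted VBA source: it flags the three locale-querying primitives discussed above (Application.International, Format(0, "currency") and GetLocaleInfo), names the auto-run handler, resolves compared country codes with the table above, and notes when the comparison is hidden behind arithmetic or built-in constants as in versions 3.0 and 4.0. The VBA snippets embedded below are constructed to mimic the variants, not the real macros.

```python
import re
from typing import Dict, List, Set

# Subset of the Application.International country-code table from the post,
# used to name the country a macro compares the code against.
XL_COUNTRY_CODES: Dict[int, str] = {
    1: "United States", 7: "Russian Federation", 30: "Greece", 31: "Netherlands",
    33: "France", 34: "Spain", 36: "Hungary", 39: "Italy", 45: "Denmark",
    46: "Sweden", 47: "Norway", 48: "Poland", 49: "Germany", 81: "Japan",
    82: "Korea", 86: "China", 90: "Turkey", 886: "Taiwan",
}

# The three locale-querying primitives the post walks through.
LOCALE_APIS = [
    ("Application.International",
     re.compile(r"Application\.International\s*\(\s*xlCountry(?:Setting|Code)\s*\)", re.I)),
    ('Format(0, "currency")',
     re.compile(r"\bFormat\s*\(\s*0\s*,\s*\"currency\"\s*\)", re.I)),
    ("GetLocaleInfo",
     re.compile(r"\bDeclare\b[^\n]*\bGetLocaleInfo\w*\b", re.I)),
]
INTERNATIONAL = LOCALE_APIS[0][1]
# Auto-run handlers used by the variants (Workbook_Open, later Frame1_Layout).
AUTO_RUN = re.compile(r"\bSub\s+(Workbook_Open|Auto_Open|Document_Open|\w+_Layout)\b", re.I)
# "<var> = Application.International(...)": the country code lands in <var>.
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*Application\.International", re.I)
# Arithmetic operators or Excel built-in constants (xl...) around the code.
ARITH_OR_CONST = re.compile(r"[+\-*/\\^]|\bxl[A-Z]\w+", re.I)


def analyze_vba(src: str) -> Dict[str, object]:
    """Heuristic scan of VBA source for the country-aware gating pattern.

    Returns the locale primitives found, the auto-run handlers, the country
    codes compared against (when they are plain literals) and whether the code
    is instead used in arithmetic / with built-in constants (obfuscated check).
    """
    apis = [name for name, rx in LOCALE_APIS if rx.search(src)]
    handlers = sorted({m.group(1) for m in AUTO_RUN.finditer(src)}, key=str.lower)
    # Expressions that carry the country code: the call itself plus any
    # variable it is assigned to (version 2.0 split the check into functions).
    receivers: List[re.Pattern] = [INTERNATIONAL]
    codes: Set[int] = set()
    obfuscated = False
    for line in src.splitlines():
        stripped = line.split("'", 1)[0]  # drop trailing VBA comments (approximate)
        m = ASSIGN.match(stripped)
        if m:
            receivers.append(re.compile(r"\b" + re.escape(m.group(1)) + r"\b", re.I))
            continue
        for rx in receivers:
            if not rx.search(stripped):
                continue
            # Plain literal on either side: "... = 81" or "81 = ...".
            lit = (re.search(rx.pattern + r"\s*(?:=|<>)\s*(\d+)\b", stripped, re.I)
                   or re.search(r"\b(\d+)\s*(?:=|<>)\s*" + rx.pattern, stripped, re.I))
            if lit:
                codes.add(int(lit.group(1)))
            elif ARITH_OR_CONST.search(stripped):
                obfuscated = True
    return {
        "apis": apis,
        "auto_run": handlers,
        "codes": sorted(codes),
        "targets": [XL_COUNTRY_CODES.get(c, f"unknown ({c})") for c in sorted(codes)],
        "obfuscated": obfuscated,
        "country_aware": bool(apis),
    }


# Constructed samples mimicking the variants described in the post.
SAMPLE_V1 = """
Private Sub Workbook_Open()
    ' only Japanese Excel installations get the payload
    If Application.International(xlCountrySetting) = 81 Then
        Call runme
    End If
End Sub
"""

SAMPLE_V4 = """
Private Sub Frame1_Layout()
    digitt = Application.International(xlCountrySetting)
    If digitt * 2 = 162 Then
        klen = Len(Format(0, "currency"))
        Shell decode(klen)
    End If
End Sub
"""

SAMPLE_BONUS = """
Private Declare PtrSafe Function GetLocaleInfoA Lib "kernel32" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
Private Sub Workbook_Open()
    n = GetLocaleInfoA(1024, 4, buf, 64)
End Sub
"""

if __name__ == "__main__":
    for name, sample in (("v1", SAMPLE_V1), ("v4", SAMPLE_V4), ("bonus", SAMPLE_BONUS)):
        print(name, analyze_vba(sample))
```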

Ransomware is not dead - a light analysis of LockerGoga



Despite many reports saying that the number of ransomware samples is decreasing, we see big multinational companies suffering from these attacks again and again.

Just two days ago, Norway-based Norsk Hydro, one of the world's largest aluminium producers, was hit by a severe ransomware attack:




The attack is so massive that Hydro had to switch its production to manual mode:




According to various press releases, the entire worldwide Norsk Hydro network is down, affecting all production as well as office operations.

If you search this incident on Twitter, you will instantly come across the Ransomware LockerGoga:



While it is still unconfirmed that Norsk Hydro was hit by LockerGoga, we saw a high amount of LockerGoga samples being submitted to VirusTotal as well as Joe Sandbox Cloud Basic.

One of the most recent samples (version 1510) has been uploaded to VirusTotal on March 19th (MD5: e11502659f6b5c5bd9f78f534bc38fea):




On Joe Sandbox Cloud Basic just some minutes later:




Joe Sandbox 25.0.0 Analysis Report


LockerGoga is not a standard ransomware but rather has some specialties. The binary is signed with a certificate issued by Sectigo. The certificate has been revoked recently, but it was likely valid at the time of the attack.



LockerGoga first encrypts the following file types:




Encrypted files are renamed to originalfilename.locked:




For encryption, LockerGoga does not use the Windows Crypto API CryptEncrypt, but rather its own implementation (likely CryptoPP + Boost):




The encryption of files is performed in multiple processes. A master process gathers all files and distributes encryption tasks to its slave processes:





The benefit of this architecture is that encryption is much faster since it uses all the CPU cores of the machine.
Normally, for a workstation with many documents, encryption can take hours. If the ransomware is detected fast enough, some documents can be rescued.
In contrast, with LockerGoga this won't help since encryption is very performant. So far, we have not seen any other ransomware using a distributed encryption architecture.


LockerGoga drops the following ransom note:




While files are being encrypted the user is logged out:




Users are then no longer able to log in, since beforehand it overwrites the user's and the administrator's password with HuHuHUHoHo283283@dJD:



This is another interesting and new behavior. While LockerGoga is not as brutal as wiper malware such as OlympicDestroyer it still completely blocks the computer. 


LockerGoga does not seem to be new: searching for PE files signed by Sectigo gives us several older versions, e.g. version 1320, MD5 16bcc3b7f32c41e7c7222bf37fe39fe6, from March 8th:






Joe Sandbox 25.0.0 Analysis Report


As this blog post outlines, LockerGoga is different from standard ransomware:

  • Signed with a valid certificate
  • Uses a multi-process architecture to encrypt files faster
  • Locks the user and administrator accounts in addition to encrypting files
  • Is continuously improved (multiple versions of the same ransomware exist)

Joe Sandbox nicely detected and analyzed all those different aspects. We also have added generic signatures to detect LockerGoga:




Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Deep Behavior Reports - how to find the needle in the haystack


Joe Sandbox is known to provide the industry's deepest and richest behavior reports. While it is beneficial to have a massive amount of information on the malware execution, this also has its downsides. For instance, it is difficult to get an overview, find interesting data or share findings with colleagues or with other teams. Joe Security has taken the challenge and implemented various tools and features to make behavior reports easier to understand and navigate despite their huge size. In this blog post, we are going to walk you through some of them.

Report Search


On average, a Joe Sandbox HTML report is between 10 and 32 megabytes in size. This is a considerable amount of data that includes dynamic behavior, static information, network behavior, execution graphs, disassembly, decompiled C code and much more. Being able to search easily through this ocean of data is mandatory. For this purpose we added a search tool at the bottom right of the analysis page:



If you click on the magnifier, a search bar will open. You can search the report for any string longer than four characters:



You can even search for strings inside graphs and diagrams:


If you click on a search result, the browser will jump to the report section containing those strings. In addition, the search result is highlighted with a yellow border:


The report search is very fast and you usually get the results back in under one second.

Collider Navigation


Getting an overview of what is inside a Joe Sandbox report is difficult. To address this problem we have created the so-called collider navigation. You access the navigation on the top right:


If you click on it you will see the following snail shell-like chart:


The report has a hierarchical structure, which is represented by this collider. The inner circle segments contain the top sections. Each section has inner sections which then again have inner sections. If you move your mouse over a specific segment of the report, it will show you the data inside of that structure. For instance, the section System Behavior contains Analysis Processes:



Or the Static File Info contains Static PE Info which contains the Data Directories:


As you can see, the collider navigation makes it very easy to get an overview of the structure of a report and allows you to navigate it quickly. If you click on a section the browser will jump to the corresponding data:



Interactive Tour


Let us assume that you read a Joe Sandbox report and you made some interesting findings that you would like to share with another team or colleague. Of course, you could take some screenshots, but a screenshot is static and you cannot copy text or include context. In order to address this limitation, we created the Interactive Tour. Think of the Interactive Tour as a way to directly add comments to the report. Once done, you can share the report and everybody can see and navigate your comments. 

You can find the Interactive Tour on the top right corner of each report:


If you click on it the Tour menu opens:



With the Select Element button you can select interesting data and then add a title and description:



By clicking Add Step, you can add a second comment:


By using the two small arrow buttons you can change the order of the comments. Once finished, click Export:



Add a title for the Interactive Tour and then click Export Report Tour. This will download a new report HTML which includes your comments. If you open the new report file, the tour directly starts:



The menu on the bottom can be used to navigate through the comments:



As this small tutorial shows, it is very simple to add Interactive Tours. This enables you to easily mark or comment on interesting findings and then share that knowledge.

Here are three examples of reports with an Interactive Tour:


Conclusion


Joe Sandbox behavior reports provide a wealth of interesting data. This can be sometimes intimidating. Luckily, we have developed the three features described above to remove the friction. Thanks to the report search tool, analysts can now quickly search for any data in the report. The collider navigation enables them to get a fast overview of all the data inside of the report and navigate through quickly. Interactive Tours enable analysts to annotate interesting data inside reports and share these annotations with their colleagues and teams.

Introducing Joe Sandbox ML



Today we bring you amazing news. Joe Sandbox now features its own Machine Learning and Artificial Intelligence based static detection engine: Joe Sandbox ML.

Joe Sandbox ML is a plug-in which integrates seamlessly into Joe Sandbox Desktop, Joe Sandbox Complete, Joe Sandbox Ultimate, and Joe Sandbox Cloud. With Joe Sandbox ML, Joe Sandbox Desktop, Complete and Ultimate benefit from enhanced detection capabilities:




Dynamic plus static is the best


Combining dynamic and static analysis is extremely powerful. Dynamic analysis detects threats based on their behavior and is resilient against packing and code obfuscation. However, malware can evade dynamic analysis by delaying or hindering execution. Malware may also not execute because the C&C server has been taken down or downloads are no longer reachable from the Internet. Finally, it might also not run due to the wrong operating system or framework versions. Those samples are ideal targets for static detection.

Sample 56KHL48745.exe which was recently uploaded to Cloud Basic is a perfect example. The file crashed due to a .NET interoperability issue:




As a result, no malicious behavior is detected. However, Joe Sandbox ML detects the initial sample as well as the unpacked PE files:



In consequence, Joe Sandbox successfully identifies the sample as malware:



In addition to the original sample, Joe Sandbox ML also scans the unpacked PE files as well as any dropped, modified or created files. 

While other ML engines only support PE files, Joe Sandbox ML has wide support for different file formats including PDFs, Office Documents and ELF files. 

Are you worried about the performance impact? Joe Sandbox ML is extremely fast and makes its decision within milliseconds. 

Joe Sandbox more powerful than ever


Joe Sandbox ML substantially increases the malware detection efficiency of Joe Sandbox. If a sample does not show any malicious behavior there is still a good chance that Joe Sandbox detects it thanks to the help of Joe Sandbox ML.

Joe Sandbox ML is applied to all captured file artifacts and features a wide range of file formats (not just PE files). 

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!

Dive deeper with the Joe Sandbox Splunk Add-On


Joe Sandbox is known to provide very deep analysis reports on malware. As a result, the size of the output data is enormous. In a recent blog post, we have outlined how you can master the large volume of the generated data. In this blog post, we will present the new Splunk Add-on, which also helps to handle the behavior data Joe Sandbox captures.

Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Splunk is often used as a SIEM within SOCs, CERTs and CIRTs. Various data streams from firewalls, endpoints and sandboxes are sent to Splunk, which then correlates the data.

The Joe Sandbox Splunk Add-on is a connector between Joe Sandbox and Splunk. It fully automates the import of behavior data from Joe Sandbox to Splunk:


Installing the Joe Sandbox Splunk Add-on

Installing the Add-on is easy. Download the Add-on from our GitHub repository. In Splunk, go to Manage Apps and then choose installation from file. Once Splunk has restarted, go to Apps - Joe Sandbox Add-on and create an input:





You have to provide a name and add your Joe Sandbox API key. The API key can be found in the user settings of the Joe Sandbox web interface. If you would like to perform deep searches, untick the "use small report" checkbox and, once done, hit Add. The Add-on will then start importing all your behavior reports. Please note that the Add-on continuously imports new behavior reports generated by Joe Sandbox.

Rich Reports allow deep Searches

In order to run queries, you have to use the sourcetype jbx. Here are a couple of simple searches:

  • List all samples with the name id and detection verdict
sourcetype=jbx | table fileinfo.filename, generalinfo.target.url, generalinfo.id, fileinfo.md5, signaturedetections.strategy{}.detection
  • Search for dropped PE files
sourcetype=jbx | rename "droppedinfo.hash{}.@type" as dropped_type, "droppedinfo.hash{}.@file" as dropped_file, "generalinfo.id" as id | eval temp=mvzip(dropped_type,dropped_file, "|") | mvexpand temp | eval dropped_type=mvindex(split(temp,"|"),0) | eval dropped_file=mvindex(split(temp,"|"),1) | search dropped_type="PE*" | table id, dropped_type, dropped_file
  • Search for all samples which connected to a specific IP address
sourcetype=jbx | search "ipinfo.ip{}.@ip"="172.217.168.34" | table fileinfo.filename, generalinfo.target.url, generalinfo.id
  • Search for all samples which connected to a malicious IP address
sourcetype=jbx | rename "ipinfo.ip{}.@malicious" as ip_malicious, "ipinfo.ip{}.@ip" as ip_value, "generalinfo.id" as id | eval temp=mvzip(ip_malicious,ip_value, "|") | mvexpand temp | eval ip_malicious=mvindex(split(temp,"|"),0) | eval ip_value=mvindex(split(temp,"|"),1) | search ip_malicious="true" | table id, ip_value
  • Search for all samples which connected to a malicious URL
sourcetype=jbx | rename "urlinfo.url{}.@malicious" as url_malicious, "urlinfo.url{}.@name" as url_value, "generalinfo.id" as id | eval temp=mvzip(url_malicious,url_value, "|") | mvexpand temp | eval url_malicious=mvindex(split(temp,"|"),0) | eval url_value=mvindex(split(temp,"|"),1) | search url_malicious="true" | table id, url_value
  • Search for all samples which connected to a malicious domain
sourcetype=jbx | rename "domaininfo.domain{}.@malicious" as domain_malicious, "domaininfo.domain{}.@name" as domain_value, "generalinfo.id" as id | eval temp=mvzip(domain_malicious,domain_value, "|") | mvexpand temp | eval domain_malicious=mvindex(split(temp,"|"),0) | eval domain_value=mvindex(split(temp,"|"),1) | search domain_malicious="true" | table id, domain_value

As you can see, the behavior data is nicely structured in JSON. Here is a quick overview of what data is available:


Fileinfo contains static information on the file. E.g. if the submitted file is an Office document, you will find the OLE streams as well as the VBA code inside this object. Behavior contains detailed system-level behavior, such as all files created, opened, written, deleted, etc. It also contains network traffic such as all TCP, UDP, HTTP and HTTPS streams. Domaininfo, ipinfo, urlinfo and droppedinfo are classic IOC objects. They contain the created files with MD5 and SHA hashes, as well as IP, domain and URL information. Signaturedetections, signatureclassficiation, mitreattack and signatureinfo include all the matching behavior rules, the detection verdict (clean, suspicious or malicious), the detection score and the classification (ransomware, banker, worm etc.). Eventlog includes all the Windows event log data including PowerShell logs. Finally, yara and avhit list Yara and antivirus matches.

All those objects can be easily searched. Here are some more advanced search queries:

  • Search for all samples with a valid PE certificate
sourcetype=jbx | search "fileinfo.pe.signature.sigvalid"="true"
  • Search for all samples which created a file in C:\Windows
source=jbx | rename "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "generalinfo.id" as id | mvexpand fileCreated_path | search fileCreated_path="C:\\Windows\\*" | table id, fileCreated_path
  • Search for all samples which injected into explorer.exe
sourcetype=jbx | search behavior.system.processes.process{}.general.name="explorer.exe" | search behavior.system.processes.process{}.general.reason="extstingprocessinject" | table "generalinfo.id", "fileinfo.filename"
  • Search PowerShell event log (transcript)
sourcetype=jbx | search "behavior.system.processes.process{}.powershellactivities.eventlog.call{}.name"="ScriptBlockText" | table "generalinfo.id", "behavior.system.processes.process{}.powershellactivities.eventlog.call{}.execution"
  • Search for all samples which use a specific MITRE ATT&CK technique
sourcetype=jbx | search mitreattack.tactic{}.technique{}.id="t1022" | table "generalinfo.id", "mitreattack.tactic{}.technique{}.id"

If you are looking for more example searches and visualizations, please check out the Joe Sandbox Add-on GitHub page.

For each search, you can define custom alerts, e.g. if you would like to be informed whenever you analyze a malware sample with a valid PE certificate:




Joe Sandbox and Splunk - a powerful combination


Thanks to the free Joe Sandbox Splunk Add-on, cybersecurity analysts can automatically import rich Joe Sandbox behavior data into Splunk.

The behavior data is extensive and nicely structured. As a result, analysts can easily perform deep searches to reveal e.g. related malware samples. They can also easily build visualizations, statistics and much more.

Want to try Joe Sandbox and use the Joe Sandbox Splunk Add-on? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!



Joe Sandbox 26.0.0 - Aquamarine is ready!

We continue our endeavors to make Joe Sandbox the world's best malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 26 under the code name Aquamarine! This release is packed with brand new features and interesting enhancements based on our customers' precious feedback.






Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Aquamarine recently.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Aquamarine features.


108 new Behavior Signatures


With 108 new signatures, Joe Sandbox precisely detects the latest threats and evasions! This includes detection of SmokeLoader, xRAT, CobInt, AZORult, LockerGoga, MALXMR, OceanLotus v2, and more:







Report Tour


Sharing is caring! All the Joe Sandbox v26 behavior reports include a new feature which enables every analyst to add comments to the report. This way, you can build a Report Tour which outlines your interpretation of the analysis results. You can then easily share this new custom report with your colleagues and the security community:




Find more information on the Report Tour in one of our recent blog posts.

RDTSC Anti Evasion


RDTSC is a special CPU instruction which queries the Time Stamp Counter (TSC), a 64-bit register present on all x86/x64 processors. The time stamp counter allows very fine-grained time measurement. Malware often uses RDTSC to detect virtual machines. For instance, the CPUID instruction is intercepted by the hypervisor when executed inside a virtual machine, so its execution takes longer than on real hardware. The difference in execution time is measured with the help of RDTSC:





Joe Sandbox v26 includes a new technology which bypasses virtualization detections that use RDTSC for execution time measurement:




As a result, malware is no longer able to detect virtualization. 

Locale Customization


The number of malware samples which only execute their payload on specific targets is increasing. In the last months we have seen more and more malware which checks the keyboard language, the locale (a language setting of Windows) as well as the localization setting (e.g. the country):



To make these malware samples execute their payload, we have added new locale submission settings:







Command Line Submission


More and more attacks no longer start with malware; rather, a domain controller is breached and a PowerShell command line is launched by the attacker on all endpoints. To cover this scenario we added a new Command Line submission option to Joe Sandbox Aquamarine:


Note: Please don't mix this up with the option for command line arguments. That option adds an additional argument to a submitted sample (e.g. sample.exe \install).

The command line submission together with PowerShell Script Block Logging (enabled by default on all Windows 10 analyses) also helps to deobfuscate command lines:







New Reports


We added a couple of new analysis reports, which are interesting for deep investigation, IOC extraction and hunting:




The Function Log Report contains all the low-level system call and Win32 API events in chronological order:





The AMSI Log Report contains raw data extracted via the Microsoft Anti Malware Scan Interface:






The Event Log Report is an XML file containing all Windows Event Logs:





Finally, the PowerShell Event Log is an XML file containing all Events related to PowerShell including Script Block Logging:






MacOS Mojave Support


We added support for macOS Mojave:





This enables customers to run macOS malware on the latest macOS operating system. 


Joe Sandbox ML


Dynamic analysis, also known as sandboxing, is great, but combining dynamic and static analysis is even better. This is why we have added Joe Sandbox ML, which is available as a plugin for Joe Sandbox Aquamarine. Joe Sandbox ML is a static file parser which uses the latest AI and machine learning techniques to detect malware:





With Joe Sandbox ML, Joe Sandbox detects more malware, especially if the malware does not show any malicious behavior (e.g. because the payload is no longer available on the C&C server).


You can find more information on Joe Sandbox ML in one of our recent blog posts.


Final Words


In this blog post, we introduced some of the major features of the Aquamarine release. Furthermore, minor features are:
  • Drag & Drop support for Sample Upload
  • Opcode based Yara rule downloads in report
  • Option to extend analysis time for Remote Assistance
  • Improved decoupling of the web application from the back end
  • New submission routes in Web API
  • SHA-1 and SHA-256 thumbprint for PE Authenticode certificates
  • STrace analysis for Android native binaries
  • Improved MITRE ATT&CK mapping

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Security and Data Privacy in Joe Sandbox Cloud




Cloud-based solutions, especially in the malware detection and analysis field, are well known to use and exploit the uploaded data for commercial purposes. For instance, any malware sample uploaded to the world's most popular online virus scanner can be shared with third parties including customers, antivirus vendors etc.

At Joe Security, we take data privacy extremely seriously. By default, Joe Security does not share any malware sample or any IOCs with third parties. In addition, we have implemented various technical privacy protection measures for Joe Sandbox Cloud that we will present in this blog post.


Infrastructure and Server Security 


Major parts of Joe Sandbox Cloud Pro are hosted in data centers which feature DIN ISO/IEC 27001 certification. The certification proves that the data center operator upholds strict information security standards; for example, physical access to our servers is strictly controlled.




We monitor all our servers for physical and virtual intrusions and apply security patches and backups regularly. Joe Sandbox Cloud Pro has failover capability since we run a shadow copy of the complete system. To prevent DDoS attacks, our Cloud is protected by one of the largest web proxy and content delivery networks. We apply least-privilege access on our servers via permissions, containers, and virtualization. Professional penetration tests are run on our server infrastructure on a regular basis.


Data Privacy


All malware samples, as well as any analysis results such as IOCs and behavior information, are private. The data is encrypted at rest and we grant our customers full access rights to their data, including the right to delete it. Once a customer deletes an analysis, all data is securely deleted in near real time!


Configurable Data Retention Policy


To make deletion even easier, Joe Sandbox Cloud Pro features a configurable data retention policy. When you submit a malware sample for analysis you can define how long Joe Sandbox Cloud shall keep the sample and the associated data until it is deleted:


You can set a value of 1, which will result in automated data deletion after one day. The date of deletion is visible in the analysis detail overview:


Encryption of Analysis Data


Another data protection feature we recently introduced is analysis encryption. Customers can specify a password during the submission of the malware sample. After the analysis, this password is used to encrypt (AES-256) all data including the sample and all associated information. The password is then erased from the Joe Sandbox Cloud server. As a result, only the customer can decrypt the data. The malware sample and analysis data stay unencrypted only during the analysis.






Encryption of analysis data provides the strongest possible data protection for an automated malware analysis solution. 

Web Security


Let us also have a look at the web security of Joe Sandbox Cloud Pro. It is protected by a WAF (Web Application Firewall) and uses HTTPS / TLS 1.2 for transport encryption (SSL Labs grade A). All passwords are salted and stored hashed. The web application database encrypts sensitive fields, so direct database access does not help an attacker. Users can enable two-factor authentication as well as security alerts to monitor access. Accounts are locked if the wrong password is entered too many times (password brute-force prevention). To test all this, we let third parties perform regular penetration tests of the web application.


Best in Class Protection


Security and privacy are key features of an automated malware analysis system. If malware samples or IOCs are leaked the bad guys instantly know that you detected their attack - killing the possibility of an active investigation. 

As this blog post shows, Joe Sandbox Cloud Pro features a variety of best-in-class security and privacy protections. The configurable data retention policy, as well as the encryption of analysis data, are unique and increase the privacy protection of your data.

Want to try Joe Sandbox and test the data privacy features? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Joe Sandbox Detect - the Cloud backed Endpoint Sensor




Today, we are proud to show-case Joe Sandbox Detect. In a nutshell, Joe Sandbox Detect is a configurable endpoint sensor with Joe Sandbox Cloud as its backend. What is an endpoint sensor and why does my organization need it? This blog post addresses those questions.


Endpoint Overloading


Detecting malware on endpoints is a hard job. Endpoint security vendors have to make sure not to consume too many resources, not to interrupt end-users, not to weaken security and not to conflict with other endpoint security tools. This, of course, limits the effectiveness of malware detection.






Holy Cloud


The best solution to escape those limitations is to move the malware detection to the Cloud. As a result, the agent is light-weight, with very little resource consumption, high security, and compatibility. The malware detection in the Cloud has access to massive computing resources and will not slow down the endpoint. This design increases the effectiveness of malware detection massively.

Joe Sandbox Detect is a slim endpoint sensor which utilizes Joe Sandbox Cloud for malware detection. Joe Sandbox is the industry's deepest malware analysis engine. It uses a combination of static and dynamic malware analysis (sandboxing) to detect even the most sophisticated malware.







Malware Entry Points


Deep malware analysis is great, but analyzing a file in depth also takes time. Thus, it is not possible to analyze every file on an endpoint. To address this challenge, Joe Sandbox Detect includes configurable filters. By default, those filters select only files which might contain code and are created by applications which are known malware entry points (e-mail clients, web browsers, etc.).





Filters can be set during installation via command-line arguments.


Notifications and Alerts


Let us assume a user has opened a potentially malicious Microsoft Word document via Thunderbird or Outlook:






Joe Sandbox Detect monitors e-mail clients for the creation of Microsoft Office documents. Therefore, Ferreria's Quote.doc is uploaded to Joe Sandbox Cloud for deep inspection. Joe Sandbox Cloud analyzes the file and, once completed, first alerts the security team. Joe Sandbox Cloud includes configurable filters for alerts. For instance, the security team can configure that an alert is sent only for malicious detections or only for certain file types:







The security team can also access the analysis data including IOCs and see from which endpoint and application the file originates:













IOCs can be used to block malware on endpoints and to search other endpoints for existing infections. Detailed behavior information makes it possible to understand whether the threat has spyware, spreading or ransomware functionality.

After alerting the security team the end-user is also notified. This notification is configurable and can also be disabled. End-users can also open the management report which contains only high-level information:







Privacy - Encrypted Analysis


Because Joe Sandbox Detect might also analyze documents which contain confidential information, privacy is extremely important. We recently outlined in a blog post what privacy features Joe Sandbox Cloud implements. Encrypted Analysis is one of these features, and Joe Sandbox Detect uses it as well. Whenever Joe Sandbox Detect uploads a file and the analysis is completed, Joe Sandbox Cloud encrypts all data including the file, IOCs, reports, etc. with a random password. Encrypted analyses are indicated with the small lock icon:





The password for encryption is only kept on the endpoint. Therefore, Joe Security cannot access the analysis data anymore. Security teams can decide to use a single encryption password for all their endpoints during the installation of Joe Sandbox Detect. End-users can also copy the password and share it with the security team on purpose:





Encrypted analyses provide the strongest privacy and are a unique feature of Joe Sandbox Cloud. You don't trust cloud services at all? Joe Security also offers on-premise products which work with Joe Sandbox Detect as well as Joe Sandbox Cloud does.


Manual Submissions


Automated analysis is great, but there is also the use case where an end-user spots a suspicious e-mail, does not open the attachments, and still wants to check whether the suspicion is right. To address this, Joe Sandbox Detect includes an optional small bar which shows up on the Desktop. End-users can drag and drop e-mails onto this bar for analysis by Joe Sandbox Detect:





This also works for files on USB sticks. The same alerts and notifications are sent as if it were an automated analysis. Analyses are also encrypted. 

Enhancing your Endpoint Security


Joe Sandbox Detect is a unique endpoint sensor with the following feature set:


  • Leverages Joe Sandbox Cloud for in-depth malware analysis
  • Configurable filters to define what is analyzed and what not
  • Extensive alerting for SOCs
  • Complete privacy due to encrypted analyses
  • Extremely low resource consumption
  • Compatible with any other endpoint security solution
  • Convenient manual submissions
  • Parameterized MSI installer for easy deployment

Want to try Joe Sandbox Detect and test its malware detection capabilities? Contact us today for a trial or an in-depth technical demo!

Joe Sandbox + Carbon Black



We are happy to release today the Joe Sandbox - Carbon Black connector! With the connector, Carbon Black Response users benefit from automated deep malware analysis with Joe Sandbox. The connector will submit suspicious files detected by Carbon Black to Joe Sandbox for deeper analysis and will import the generated threat intelligence data into Carbon Black.

You can find our Carbon Black connector as well as the installation guide in our Github repository: https://github.com/joesecurity/carbonblack-connector.


Deep Threat Intelligence


Once you have completed the installation you can search for malicious detections via the Binary Search. Click on Add Criteria and then select Joe Sandbox Score:





The Joe Sandbox Score is an indicator of how the behavior has been rated by Joe Sandbox: 0 means no malicious behavior, while 100 is very malicious. In the new form, you can define whether you would like to search for all binaries with, e.g., a Joe Sandbox Score greater than or equal to X:





A score greater than or equal to 50 means the sample shows malicious behavior. For our current example, Carbon Black found a binary with a score greater than or equal to 50 on one endpoint:






Clicking on the hash link provides us with more information on the binary:





We have the Joe Sandbox Score of 100 at the top right. Via the View on joesandbox link we can open up the analysis report:





Since we know now that this is Agent Tesla we can easily block the binary thanks to Carbon Black on all our endpoints with a single click:




Watchlists


Wouldn't it be nice to be alerted automatically as soon as Carbon Black detects a new binary on an endpoint and Joe Sandbox detects it as malicious? You can achieve this by creating a Watchlist. To create one, open Watchlists in the main menu and then use the query "cb.q.alliance_score_joesandbox=[50 TO *]":




Finally, select how you would like to get alerted. 

Joe Sandbox and Carbon Black - a powerful combination


Thanks to the Joe Sandbox Carbon Black connector, cyber security analysts using Carbon Black benefit from deep malware analysis done by Joe Sandbox. This makes it possible to detect and block zero-day and targeted attacks.

Do you want to try Joe Sandbox and use the Joe Sandbox Carbon Black connector? Request a free Joe Sandbox Cloud Pro trial now!



Joe Sandbox 27.0.0 - Red Agate is out!

Over the last couple of months, we have been listening to your feedback and working hard to provide you with the world's most powerful malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 27 under the code name Red Agate! This release is packed with brand new features and improvements, designed to make malware analysis deeper and more precise than ever!




Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Red Agate recently.


If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast


Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Red Agate features.

163 new Behavior Signatures


With these brand new signatures, Joe Sandbox is able to precisely detect various malware families like MegaCortex, Dridex, Ryuk, CrescentCore, NetWire, Watchbog, Necro and many more.





2986 Community Yara Rules


There is a large number of community Yara rules out there. We took all of them and built a selection by checking them for performance and false positives. The final selection of 2'986 rules has been included in Red Agate and greatly increases the detection and malware classification capabilities of Joe Sandbox.





47 Custom Yara rules

Red Agate also includes 47 new custom rules. Those rules are written by Joe Security's threat intelligence analysts and extend the community rules:



Web Push Notifications


The Web Interface now features Push Notifications. Push notifications are very useful in notifying end-users as soon as an analysis is finished or an analyzer is ready for remote assistance:








Joe Sandbox will ask you to enable Push Notifications once during submission, and you can also enable or disable it later on in your user settings. 


Threat Names


Threat Names have been added in order to easily identify which threat has been detected by Joe Sandbox. Threat Names are shown in the analysis overview page as well as inside the report:






Intelligent Analysis


Particular samples often require command-line arguments to execute properly and show malicious behavior. Others need to be run as part of a service. For these specific cases, Joe Sandbox automatically re-analyzes the sample with the right action, tremendously increasing the execution success.




Joe Sandbox Detect


Joe Sandbox Detect is a powerful endpoint client which detects suspicious files delivered via targeted attacks or spear-phishing campaigns. It directly leverages the power of Joe Sandbox Red Agate.






If you want to learn more about Joe Sandbox Detect please have a look at this blog post.

Final Words


In this blog post, we have presented the most important features of Joe Sandbox Red Agate, but there are some other very interesting features on top:


Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Joe Sandbox + SIGMA



Is it true that Joe Sandbox supports Sigma? Yes, we have successfully integrated Sigma into Joe Sandbox. Sigma is available in Joe Sandbox Cloud and will be part of the upcoming Joe Sandbox v28 Lapis Lazuli release. 

Do you know what Sigma is? If you don't, this blog post will help you get a better understanding. 


Sigma in a Nutshell


Sigma is a generic and open signature format to detect malware and other security-related events in log files. Which log sources are currently supported?

  • Firewall logs
  • Operating System logs
  • Proxy logs
  • Web server access logs

For Windows, the operating system logs include:

  • Sysmon events
  • Event logs 
  • Process creation events

Logs are usually kept in a security information and event management system (SIEM). To search in your SIEM or log source, Sigma offers to convert your rule into a search query specific to your SIEM product (the target):




Currently, Sigma rules can be converted to the following targets:


  • Splunk (plain queries and dashboards)
  • ElasticSearch Query Strings
  • ElasticSearch Query DSL
  • Kibana
  • Elastic X-Pack Watcher
  • Logpoint
  • Windows Defender Advanced Threat Protection (WDATP)
  • Azure Sentinel / Azure Log Analytics
  • Sumologic
  • ArcSight
  • QRadar
  • Qualys
  • RSA NetWitness
  • PowerShell
  • Grep



By supporting so many targets, Sigma has a tremendous advantage: one rule can be used in various SIEMs. This allows sharing, prevents vendor lock-in, and makes Sigma generic. 



Sigma and Joe Sandbox




Okay, Sigma is great, but Joe Sandbox is not a SIEM! So how shall Joe Sandbox benefit from Sigma?
Well, Sigma is being used (among other things) to write threat detection rules for events such as Sysmon events, Windows event logs, and operating system process creation events. All those events are captured during the detonation of malware in a sandbox:




If the sandbox understands Sigma, a rule written to detect a threat on the endpoint (e.g. based on Sysmon data) could also be used to detect the threat in the sandbox. Or the other way around: Sigma rules that were written for a sandbox can be applied to your SIEM! Isn't that fantastic? We truly think it is!

Sigma in Joe Sandbox enables any customer to write and share threat detection rules based on dynamic data/events even if they don't have a SIEM!

Joe Sandbox also supports Yara rules (including scanning of memory dumps). Yara for the binary world and Sigma for the dynamic world make a perfect combination.

Events


What Sigma rules can I write in Joe Sandbox? Joe Sandbox currently supports eight different events:


  • Process creations (product: windows or linux or macos, category: process_creation)
  • Sysmon: Process creation, Event ID 1 (product: windows, category: sysmon)
  • Sysmon: Network connection, Event ID 3 (product: windows, category: sysmon)
  • Sysmon: Remote thread creation, Event ID 8 (product: windows, category: sysmon)
  • Sysmon: File creation, Event ID 11 (product: windows or linux or macos, category: sysmon)
  • Sysmon: Registry key set, Event ID 13 (product: windows, category: sysmon)
  • Powershell: Powershell Transcript Logging (product: windows, service: powershell)
  • Windows Event Logs (product: windows, service: security|application|system)


A detailed description of the event fields can be found in our user guide under Sigma - List of events.

We have directly added Linux and macOS support for the process creation and file creation event. With that, you can write Sigma rules covering Linux and macOS threats!

Rules


Sigma rules are written in YAML format and have a very simple structure. Below you can see an example which uses the process creation event as input:




Joe Sandbox uses various optional meta attributes, such as threatname, behaviorgroup or id. This helps Joe Sandbox to identify threats and do proper classification. The level attribute impacts the verdict of the sandbox. For instance, many Sigma rules matched with a critical level will lead to an overall malicious verdict. 

The heart of the rule is the detection definition, which contains one or more selectors with fields or lists. Fields and lists have great wildcard support. The condition is a Boolean expression over those selectors; if it evaluates to true, the rule matches.
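A concrete rule in the shape described above, together with a small evaluator that runs it over constructed process_creation events. This is an added illustration and not Joe Sandbox's matching engine or one of its shipped rules: the rule is written as a Python dict that mirrors the YAML keys, the id, threatname and behaviorgroup values are placeholders, and the evaluator implements only the subset of Sigma syntax used here (the contains/startswith/endswith field modifiers, * and ? wildcards, lists as OR, and conditions built from and/or/not and parentheses).

```python
"""Evaluate the detection section of a Sigma rule against process-creation events.

Added illustration: rule, events and evaluator are constructed for this example
and are not Joe Sandbox's own matching code.
"""
import fnmatch
import re

# Constructed rule; the dict mirrors the YAML keys of a Sigma rule. threatname,
# behaviorgroup and id are the optional meta attributes named in the post; their
# values here are placeholders.
RULE = {
    "title": "Office application spawns WMIC (constructed example)",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "threatname": "Example.OfficeMacroDropper",  # placeholder
    "behaviorgroup": 5,  # placeholder
    "level": "critical",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\excel.exe", "\\winword.exe"],  # list = OR
            "Image|endswith": "\\wmic.exe",
        },
        "filter": {"CommandLine|contains": "os get"},  # benign inventory queries
        "condition": "selection and not filter",
    },
}


def value_matches(value, pattern, modifier=""):
    """Sigma string matching: case-insensitive, * and ? wildcards, field modifiers."""
    value, pattern = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        pattern = f"*{pattern}*"
    elif modifier == "startswith":
        pattern = f"{pattern}*"
    elif modifier == "endswith":
        pattern = f"*{pattern}"
    elif modifier:
        raise ValueError(f"unsupported modifier: {modifier}")
    return fnmatch.fnmatchcase(value, pattern)


def search_matches(event, search):
    """Every field of a search identifier must match (AND); a list value is OR."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(value_matches(event[field], p, modifier) for p in patterns):
            return False
    return True


def condition_true(condition, results):
    """Evaluate conditions such as '(a or b) and not c' over the search results.

    Tokens are validated first, so only parentheses, and/or/not and the booleans
    substituted for known identifiers ever reach eval.
    """
    tokens = re.findall(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*", condition)
    if "".join(tokens) != re.sub(r"\s+", "", condition):
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    expr = [t if t in ("and", "or", "not", "(", ")") else str(bool(results[t]))
            for t in tokens]  # KeyError: condition names an unknown identifier
    return eval(" ".join(expr), {"__builtins__": {}}, {})


def rule_matches(rule, event):
    """True when the event satisfies the rule's detection section."""
    detection = rule["detection"]
    results = {name: search_matches(event, spec)
               for name, spec in detection.items() if name != "condition"}
    return condition_true(detection["condition"], results)


# Constructed process_creation events; field names follow the Sysmon/Sigma convention.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "powershell -w hidden -enc <constructed>"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},  # benign, dropped by the filter
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},  # wrong parent, no match
]


def matching_events(rule=RULE, events=EVENTS):
    """Indices of the events that trigger the rule."""
    return [i for i, event in enumerate(events) if rule_matches(rule, event)]
```

Only the first event matches: the second has the right parent and image but is removed by the filter selector, and the third has the wrong parent. The level attribute is carried along but not interpreted, since how many critical matches lead to a malicious verdict is a sandbox policy decision rather than part of the rule format.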

You can find a full specification of Sigma here

Importing Rules


Importing Sigma rules is super easy. Note you don't need to convert any of the Sigma rules. Joe Sandbox understands Sigma natively. 

To import a rule go to the Editor navigation tab. Then click Sigma:






You can either upload a Sigma rule as a .yml file or a zip of .yml files, or alternatively specify a Github repository containing Sigma rules:




In this case, Joe Sandbox will always import the latest Sigma rules from that repository. Very handy for open source repositories!

Do you want to modify a rule? This can be easily done in the Sigma editor:




Sigma matches


Once you have imported a rule, you will find the Sigma matches for the new analysis in the full behavior report:




In the top navigation bar click on Overview - Sigma Overview:




Clicking on Show sources will tell you the underlying event responsible for the match:





Sigma Rule Feed


The events supported by Joe Sandbox currently cover around 70% of all community Sigma rules.

Joe Security itself started writing its own Sigma rules and decided to share all of the current and new rules with the community under the GPL license. You will find all our Sigma rules on Github: https://github.com/joesecurity/sigma-rules




Examples


We have uploaded the current Sigma and Joe Security community rules to Joe Sandbox Cloud Basic. You can easily search matched Sigma rules by using Joe Sandbox View, our threat hunting & search engine:





Via Sigma, Joe Sandbox found a sample using Get2Downloader, likely associated with TA505:





Or here, a Sigma based Wannacry detection via the open-source rules:





Joint Power


Sigma is great: it is generic and therefore makes it easy to share threat rules. There is no vendor lock-in. Joe Sandbox's community rules, once converted, can be used to search in many SIEMs.

You can write your own Sigma rules and use them in Joe Sandbox. Simply upload them in the Sigma editor and you are ready to rock! 

Joe Security has committed to open source all its major Sigma rules on the Joe Security Sigma Github Repo

Would you like to try Joe Sandbox? Then contact us today to get a trial for Joe Sandbox Cloud Pro. 

Fighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation


Country aware malware, which is also known as location or geo-aware malware, is again on the rise. Recently, we have spotted a new campaign targeting Italian organizations. The attack vector is a spam email containing an attachment with a malicious Microsoft Office Macro inside. We covered a similar case that targeted French organizations at the beginning of this year.

In this blog post, we will look at another recent variant and showcase how Joe Sandbox is automatically bypassing the evasions.

The sample we are going to investigate (MD5: c5e1106f9654a23320132cbc61b3f29d) was submitted to Joe Sandbox Cloud Basic on December 9th 2019 (full analysis link, IOCs: https://www.joesandbox.com/analysis/287432#iocs). The file format is a Microsoft Office Excel sheet. Interestingly, we see more Excel spreadsheets than Word or PowerPoint files using evasions. There is a high chance that using Excel documents makes it easier for attackers to bypass static detectors. The sample we are going to present targets Italian users:




File Name and Country check


The Macro it contains is triggered via Notifica_Layout:





The Object_Layout routine is less well known than Workbook_Open or Auto_Open and therefore lowers the detection probability. Notifica_Layout performs the first evasion, a file name check: execution proceeds only if the letter "I" is present in the file name:




Renaming potentially suspicious files is a very common practice. We often see users renaming files to their MD5 or SHA1 hash or adding the extension .virus, .bin, .sample, etc. Obviously, this is very bad practice if you want to analyze the sample in a sandbox, since it is trivial for the malware to check for such changes. Please also note that a sandbox has no way of reconstructing the original file name.


Happily, the user of this Excel sheet decided to submit the sample with the original file name. As a result, the function Formato is called:




Formato performs another evasion check by calling Finesta. Finesta returns the user interface language (msoLanguageIDUI).




Formato then compares the user interface language to 1040 which is Italian:



The Power of VBA Instrumentation


Now if you look at the screenshot you will see that Excel has English as the UI language:




So how was Joe Sandbox able to fake that user interface language setting? The key technology for doing this is VBA instrumentation. We introduced VBA instrumentation in 2016. If you want to learn more about this unique technology please have a look at this blog post.
VBA instrumentation enables Joe Sandbox to completely control the VBA code. It generates the nice VBA call graph as well as annotated VBA functions. For the given LanguageID function we are able to define a custom "hook" which returns a fake ID:




However, to do so, Joe Sandbox also needs to find out which country is targeted by the document. To achieve this, we developed a new technology which analyzes all strings inside a Microsoft Office document and provides a best guess on the target:




Please note that all this happens fully automated. Other sandboxes require that the user chooses the targeting country manually if such an option exists at all.
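The static target discovery described above, as an added example that is not Joe Sandbox's own implementation: a scan over already-extracted VBA source that looks for the two evasions in this post, a comparison of LanguageID(msoLanguageIDUI) against a Windows locale identifier (directly or through a helper such as Finesta) and an InStr check on the document name. The VBA snippets and the small LCID table are constructed for the example; 1040 is Italian as the post states, 1036 is French and 1033 is English (US). It goes slightly beyond the sample in that it also handles the language comparison written inline without a helper function.

```python
"""Static target discovery for Office macros: which locale does the VBA check for?

Added illustration, not Joe Sandbox's own implementation. It scans already
extracted VBA source for the two evasions described in the post: a comparison of
LanguageID(msoLanguageIDUI) with a Windows locale identifier (directly or through
a helper function) and an InStr check on the document name. The VBA samples are
constructed for this example and carry no payload.
"""
import re

# Windows locale identifiers recognized by this example (1040 = Italian, as in the post).
LCID_NAMES = {1033: "English (US)", 1036: "French", 1040: "Italian"}

# One procedure per match: (name, body). Bodies stop at the matching End Sub/Function.
FUNC_RE = re.compile(
    r"^[ \t]*(?:Private |Public )?(?:Function|Sub)[ \t]+(\w+)\b(.*?)^[ \t]*End (?:Function|Sub)",
    re.S | re.M,
)
# InStr(..., <something>.Name, "X"): the letter the macro wants to see in the file name.
FILENAME_CHECK_RE = re.compile(r'InStr\([^)]*?\.Name[ \t]*,[ \t]*"([^"]*)"')

# Constructed VBA modeled on the macro structure the post describes.
CONSTRUCTED_VBA = '''
Private Sub Notifica_Layout()
    If InStr(1, ActiveWorkbook.Name, "I") = 0 Then Exit Sub
    Formato
End Sub

Private Function Finesta() As Long
    Finesta = Application.LanguageSettings.LanguageID(msoLanguageIDUI)
End Function

Private Sub Formato()
    If Finesta = 1040 Then Call NextStage
End Sub
'''

# Same check written inline, without a helper function (constructed).
CONSTRUCTED_VBA_INLINE = '''
Sub Auto_Open()
    If Application.LanguageSettings.LanguageID(msoLanguageIDUI) <> 1036 Then Exit Sub
    Call NextStage
End Sub
'''


def find_language_functions(vba):
    """Names of procedures that read the UI language; they act as proxies for it."""
    return {name for name, body in FUNC_RE.findall(vba)
            if "msoLanguageIDUI" in body or "LanguageID(" in body}


def find_lcid_checks(vba):
    """LCIDs the macro compares the UI language against, in either operand order."""
    subjects = [r"LanguageID\([^)]*\)"]
    subjects += [rf"\b{re.escape(n)}\b" for n in find_language_functions(vba)]
    lcids = set()
    for subj in subjects:
        lcids.update(int(m) for m in re.findall(rf"{subj}[ \t]*(?:=|<>)[ \t]*(\d+)", vba))
        lcids.update(int(m) for m in re.findall(rf"(\d+)[ \t]*(?:=|<>)[ \t]*{subj}", vba))
    return sorted(lcids)


def guess_target(vba):
    """Summarize the evasions found and the best-guess target locale(s)."""
    lcids = find_lcid_checks(vba)
    return {
        "lcid_checks": lcids,
        "target_guess": [LCID_NAMES.get(code, f"LCID {code}") for code in lcids],
        "filename_checks": FILENAME_CHECK_RE.findall(vba),
    }
```

The output of guess_target is what an analysis system needs in order to pick the hook value for the instrumented LanguageID call and to warn that the sample must keep its original file name: for the first sample it reports an LCID check for 1040 (Italian) and a file name check for the letter "I". A production version would additionally weigh the document's visible strings, as the post describes, since not every macro compares the locale in such an explicit way.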

Next, an obfuscated PowerShell command is launched via WMIC:




PowerShell then extracts and launches the Ursnif Trojan:





A Sigma rule also detects Ursnif brilliantly:



Multi-Technology Platform


VBA instrumentation paired with static target discovery ("Which country or victim is targeted by a sample?") is a very powerful combination. It enables Joe Sandbox to automatically adapt the analysis system as well as the malware sample behavior to bypass any evasion.

Joe Sandbox incorporates many other analysis technologies, including simulation, emulation, hybrid analysis, hypervisor based analysis, execution graph analysis etc. All these technologies make Joe Sandbox one of the most advanced and powerful malware analysis systems for Windows, macOS, Linux, Android and iOS.

Interested to try Joe Sandbox? Then contact us today to get a trial for Joe Sandbox Cloud Pro.

Happy New Year




The Joe Security team wishes you success, satisfaction and many pleasant moments in 2020!