Dissecting Agent Tesla with Deep .NET Tracing

January 8, 2020, 5:57 am

Today's malware, droppers and threats targeting Windows come in various "form-factors". They can be an obfuscated Javascript file, a malicious VBA Macro, a JAR payload, etc. In 2019 we have seen an increase of malware using the .NET Framework. Usually, malware or packers / crypters are written either in C Sharp or Visual Basic Net.

Joe Sandbox is the only malware analysis system using different technologies to analyze each format deeply. Over the last nine years we have developed these ten different technologies:

Our most recent addition is what we call Deep .NET tracing. .NET tracing captures all .NET API calls with arguments. To demonstrate the power of Deep .NET tracing we will dissect a recent Agent Tesla sample. Agent Tesla is a well known .NET based RAT and used by many threat actors. Most of the variants use multi-layer obfuscation to evade detection and hinder analysis.

Layers Layers Layers

The sample we are going to analyze has been found on VirusTotal (MD5: 03baf522fb9c86bd5512a0ee72457f86, File Name: MTESSTAR V1911.exe). To enable Deep .NET tracing you have to tick the checkbox in the Code Analysis Section:

When the analysis is finished, you can download the trace files in the download section:

The trace files are available in two formats:

Text, easily readable by analysts
CSV, easily parsable by machines

Let's have a look at the text trace file. As we can see from the trace file MT ESSTAR V1911.exe - ,the initial file is a simple loader which loads an assembly named Model.exe from the resource section:

Next, the method set_sako is called in Model.exe:

You might now think and ask yourself, wouldn't it be nice to have Model.exe as a file? Well, we have good news, Deep .NET tracing extracts all loaded assemblies. You will find all of them in the memory dumps:

All dumped assemblies are scanned against all Yara rules you have stored in Joe Sandbox. What is set_sako doing next? Well, its loading another assembly (named Software Updates.dll, 2nd stage) from its resource section:

Right before the assembly is loaded, it is decrypted, as you can see from the Param 0 and Return Value.

Again, the assembly is dumped and stored so that you can download it.

Generic .NET Unpacking

Wouldn't it be fantastic if we have the source code of the decrypted assembly? Well again we have good news, Joe Sandbox decompiles all dumped PE files (see our previous blog post about generic .NET unpacking). You can download all decompiled .NET projects here:

In the download we find the full source code for the third stage:

This looks to be CyaX Sharp which is a well-known loader and injector. It comes with various anti-analysis features:

It also employs techniques to disable Windows Defender. When all the anti-analysis techniques are passed, it calls its final injection routine to launch the Agent Tesla payload:

Continuing to follow the .NET trace, we can see the various activities related to information-stealing.
Keylogging:

Stealing login data from Google Chrome:

System information gathering

Uploading the stolen data via e-Mail:

Deep Malware Analysis

Thanks to the new Deep .NET Tracing feature, analysts can look at each single .NET API call and fully understand the inner workings of malware. With the assembly dumping, each unpacking stage is preserved and decompiled. The dumped assembly can be scanned and detected with Yara, while the source code enables an even deeper view into the malware's inner workings.

Joe Sandbox handles the different malware form factors or formats differently and applies various technologies. This helps analyzing malware in a depth previously not possible!

Would you like to try Deep .NET tracing? Then contact us today to get a trial for Joe Sandbox Cloud Pro.

Full Analysis Data

Analysis Report: http://www.joesecurity.org/reports/report-03baf522fb9c86bd5512a0ee72457f86.html
Deep .NET Trace files: https://www.joesecurity.org/resources/nettrace-03baf522fb9c86bd5512a0ee72457f86.zip
Decompiled .NET projects: https://www.joesecurity.org/resources/dotnet-03baf522fb9c86bd5512a0ee72457f86.zip
Dumped Assemblies: https://www.joesecurity.org/resources/memdumps-03baf522fb9c86bd5512a0ee72457f86.zip
IOCs: https://www.joesecurity.org/resources/irreportfixed-03baf522fb9c86bd5512a0ee72457f86.json

↧

Joe Sandbox v28 Lapis Lazuli

February 5, 2020, 5:00 am

≫ Next: Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor

≪ Previous: Dissecting Agent Tesla with Deep .NET Tracing

During this winter, we have not been freezing but rather working hard to provide you with the world's most powerful malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 28 under the code name Lapis Lazuli! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Lapis Lazuli.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Lapis Lazuli features.

304 new Signatures

With these brand new behavior and Yara signatures, Joe Sandbox is able to precisely detect various malware families like Emotet, Trickbot, AgentTesla, NanoCore, Ursnif, HawkEye, AZORult, Remcos, Adwind, Raccoon and many more.

Sigma Support

A major new feature of Lapis Lazuli is the support for Sigma.

Sigma is a generic and open signature format to detect malware and other security-related events in log files. With the integration into Joe Sandbox, analysts can use existing Sigma signatures (~330) to detect malicious behavior.

Further, analysts can write their own signatures and use them in Joe Sandbox as well as in several other ESR tools. Joe Sandbox v28 features a Sigma editor which also allows synchronizing rules directly from Github:

Lapis Lazuli includes 46 new Sigma rules, and the even better news is that Joe Security has made them available for the community:

If you want to learn more about the Joe Sandbox Sigma integration please have a look at this blog post.

18 Malware Configuration Extractors

Malware often includes configuration data such as C&C IPs, domains and modules to load. Lapis Lazuli features 18 extractors for most common malware families:

Configuration Data is shown in at the "Malware Configuration" section in the HTML or PDF report:

as well as in the malwareconfigs section in the XML or JSON report:

New Analysis Detail Page

The analysis detail page lists high-level information on the analysis such as the verdict, threat names, and classification. In Lapis Lazuli we completely redesigned it, so that analysts can access all essential data at one glance:

Deep .NET Tracing

Today's malware, droppers and other threats targeting Windows come in various "form-factors". These can be an obfuscated Javascript file, a malicious VBA Macro, a JAR payload, etc. In 2019 and early 2020 we have seen an increase in malware using the .NET Framework.

Deep .NET Tracing extends Joe Sandbox's multi-technology stack with a very fine-grained tracing technology for samples using the .NET Framework:

With Deep .NET Tracing analysts can understand in detail the inner work of malware samples. Deep .NET tracing needs to be enabled via the Code Analysis tab:

Trace logs including all .NET API calls with arguments can be download from the analysis detail page:

You will find more information about deep .NET tracing in one of our latest blog posts: Dissecting Agent Tesla with Deep .NET Tracing.

Remote Assistance for Joe Sandbox Mobile and Linux

Yes, Lapis Lazuli is bringing Remote Assistance to Joe Sandbox Mobile and Linux. With Remote Assistance you can click through an attack manually by using the mouse and the keyboard:

MITRE ATT&CK mappings for Android and IOS

MITRE ATT&CK mappings already exist for Windows, Linux, and Mac. Lapis Lazuli includes mapping for Android and iOS:

Final Words

In this blog post we have presented the most important features of Joe Sandbox Lapis Lazuli, but there are some other very interesting features on top:

Added threat names to e-mail notifications
Added download button for all screenshots
Added more processes information
Improved IE, FF and Chrome analysis performance
Improved Remote Assistance performance in general
Improved analysis of Google Drive URLs
Improved startup of samples with user permissions

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor

February 25, 2020, 1:22 am

≫ Next: Joe Lab - the Cloud-based Malware Analysis Lab

≪ Previous: Joe Sandbox v28 Lapis Lazuli

As usual, at Joe Security we keep a close eye on evasive samples. Some days ago we detected an interesting Azorult sample on Cloud Basic (MD5: ff17014cbb249e173309a9e1251e4574). In this blog post, we will use Joe Sandbox Hypervisor together with the Function Log to understand the evasion techniques in this sample.

Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques, Hypervisor inspects a program more deeply and extracts more behavior data. Hypervisor can also run on bare metal. We already blogged about using Hypervisor in an analysis of Gozi's evasions technique here.

The Function Log is a new low-level report generated by Joe Sandbox. It contains all API calls (user-mode APIs and system calls). It can be found in the low-level report section:

Anti-Debugging

The first evasion check starts at 0042B690 and checks for debuggers with kernel32!IsDebuggerPresent and ntdll!ZwQueryInformationProcess (ProcessDebugFlags):

All API calls are dynamically resolved as the call to GetProcAddress right before NtQueryInformationProcess proves. This hinders code analysis as the calls are known during runtime only.

Time Evasion

What follows is a sleep based evasion. Azorults verifies if a sandbox modifies the kernel32!Sleep API value by cross-checking the elapsed time via the kernel32!GetTickCount API:

Sleep value modification is often done by sandboxes to bypass sleeping malware, e.g. if the malware sleeps longer than the execution time before the payload is started. Some sandboxes modify even very small values or forget to modify other time sources such as the tick count. This weakness is exploited by Azorult:

Dummy API Calls

If the previous checks succeed, Azorult continues to perform various dummy API calls, including calling kernel32!Beep:

Right after that, various API calls are done in a random order. As a result, the function logs differ from analysis to analysis. Next, there is a random amount of API calls to kernel32!VirtualAlloc:

Dummy API calls are added to the malware in order to delay the execution in a sandbox. If the delay is longer than the analysis time the sandbox will not detect any malicious behavior.

Environment Checks

The anti-analysis checks are not yet complete. After the dummy API calls, Azorult continues with an available RAM check:

If there is less than 3GB available it stops execution. Next, it checks the screen resolution via user32!GetDesktopWindow and user32!GetWindowRect:

If the screen resolution is below 1152 x 864 it will fail. Finally, as the last check, it looks for known sandbox processes via kernel32!CreateToolhelp32Snapshot:

The process comparison list looks interesting. Qemu-ga.exe is likely related to Any.run. Cmd.exe, notepad.exe and python.exe are often used by malware analysts. Azorult does not use any API such as strcmp, strstr or similir but rather a built-in function:

This makes it hard for a sandbox to detect the process check.

Detecting Sandbox Evasions

Thanks to the deep analysis of Joe Sandbox Hypervsior several existing and some new behavior rules catch the evasion:

Analysis Data:

Joe Sandbox Hypervisor

As this analysis proves, today's evasion techniques are more stealthy than ever. Thanks to the Function Log and Joe Sandbox Hypervisor, malware analysts can detect and understand any evasion - no matter how stealthy it is:

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Joe Lab - the Cloud-based Malware Analysis Lab

March 3, 2020, 6:19 am

≫ Next: Joe Trace - a Process Monitor on Steroids

≪ Previous: Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor

Today we have fantastic news for you! We release Joe Lab - a brand new service from Joe Security!

In a nutshell, Joe Lab is a Cloud-based malware analysis lab. A malware analysis lab is a key infrastructure for CERTs, CIRTS, SOCs and malware analysts to securely analyze malware and exploits, or test Yara rules. A malware analysis lab usually consists of several bare metal laptops or PCs which are fully separated from the corporate network. The lab machines are connected to an anonymized Internet line or use Internet simulation. Further, lab machines can be easily wiped and restored to a baseline.

Setting up a malware analysis lab is a lot of effort and includes several big challenges:

Network segregation from the corporate network, so that malware cannot spread or cause harm.
Secure transfer of malware and analysis results from and to the lab. Usually, corporate endpoints are not allowed to store or access malware files.
Reset lab machines to a known good state or baseline - to wipe any malware infection and start a new case.
Anonymized Internet access for the lab, so that malware authors cannot track you.
Fake Internet simulation to test very sensitive malware.
Secure access to the Lab via remote desktop or other RDP protocol, so that malware is not able to infect your endpoint.
Maintain bare metal lab machines - virtual machines are easily detected by malware.

Joe Lab solves all those challenges and sets the effort of setting up a lab infrastructure to zero. Here are some of the features of Joe Lab:

Fully Cloud-Based

Joe Lab is completely located in the Cloud. The infrastructure is not located in your network. You, therefore, have very strong network segregation. Joe Lab is directly integrated into Joe Sandbox Cloud Pro and you find it in the top navigation bar:

Depending on your subscription level you get access to one or several lab machines:

Secure File System Access

At any time you can access the full file system of the lab machines via the browser. You can upload or download malware and analysis results:

Any file transfer happens over HTTPS.

Reset to Clean State

Joe Lab includes a feature to reset the lab machine to a clean state (known good state). The disk wiping is done completely automated. Within minutes, you get access again to a clean machine:

Anonymized Internet Access

With Joe Lab, all lab machines have access to an anonymized Internet line. You can choose the exit point/country from several options:

This feature is very beneficial if you analyze country-aware malware samples. You also have the option to completely disable Internet access or use Internet Simulation.

Secure Access

If you want to access the lab machine you can do so directly from the browser by clicking the Remote Desktop button:

You get full access to the lab machine and can start analyzing malware samples. Copy and paste functionality is available via the clipboard manager:

Bare Metal Lab Machines

All lab machines are bare metal - physical laptops or PCs. No virtual machine is used:

Therefore, bad luck for malware that detects virtual machines!

Joe Lab - One of its kind

To the best of our knowledge, Joe Lab is the industry's first and only Cloud-based malware analysis lab. With Joe Lab, CERTs, CIRTS, SOCs and malware analysts no longer have the burden to setup a malware analysis lab. Further Joe Lab combines the best features of a malware analysis lab, including an anonymized Internet line, fake Internet, and resettable bare metal lab machines.

Would you like to try Joe Lab? Then don't wait and contact us for a trial!

↧

Joe Trace - a Process Monitor on Steroids

May 7, 2020, 3:24 am

≫ Next: New Sandbox Evasions spot in VBS samples

≪ Previous: Joe Lab - the Cloud-based Malware Analysis Lab

Today, we have fantastic news for you. Joe Security is very proud to publicly release Joe Trace - a brand new product in our portfolio. Joe Trace has been in our minds for a while, and thanks to the hard work of our engineers we are able to showcase this unique product today. This blog post will outline what Joe Trace is and what makes it so unique.

So what is Joe Trace? In a nutshell, Joe Trace is Sysinternal's Process Monitor on Steroids. Process monitors are tools to manually observe the behavior of a program in real-time. For instance, process monitors trace system call events of all processes on a system and graphically visualizes the stream of events in time.

Why do you need a process monitor? Process monitors are extremely handy to study the behavior of malware in extreme depth and for a long time. Sandboxes cannot do that and usually analyze a sample just for a few minutes. Due to performance reasons, the depth is limited.

So what is unique about Joe Trace? Well, a lot. If you compare it to Sysinternals Process Monitor, then Joe Trace has the following unique features:

In the following sections, we are going to outline all of the unique features of Joe Trace.

Hypervisor-Based System Call Tracing

First of all, we designed Joe Trace for malware analysis. System call tracing is achieved by using the hardware virtualization feature of modern CPUs (VT-x, hypervisor). As a result, Joe Trace analyses more system calls and especially the ones often used by malware, for example NtWriteVirtualMemory, NtQueueAPCThread, NtUserSetWindowsHookEx etc. Next, a hypervisor is harder to bypass. Below you see Joe Trace analyzing Remcos RAT injecting into installutil.exe - a benign Windows process:

Joe Trace captures file, registry, process, thread as well as network events like TCP, UDP, DNS and ICMP. Additionally, numerous system calls related to virtual memory, section, mutex, driver, and window behavior are intercepted, too.

System calls are great but only a part of the data that Joe Trace captures. In the next section, we are going to have a look at how Joe Trace extracts user-mode API calls.

Frida Integration

Frida is a world-class dynamic instrumentation framework. It enables the instrumentation of any API in user-mode by using a Javascript-based interface. Joe Trace features a rich Frida integration which by default intercepts WinInet API calls such as InternetOpenUrl or HttpOpenRequest:

Malware analysts can easily extend the default Frida script and add more instrumentations:

System-Wide Raw Data Capturing

As you might have seen in one of the first Joe Trace screenshots there is also an event for memory dumps. Besides system call and Win32 API tracing, Joe Trace includes extensive data capturing capabilities.

Downloaded, dropped or modified files are an extremely important resource for malware analysts. With these files, malware analysts can write new signatures, do further analysis, and extract IOCs.

Joe Trace captures and persists all dropped and modified files:

In addition, Joe Trace captures memory dumps of all monitored processes. Those memory dumps are taken during the life time of a process. Therefore they often contain unpacked or decrypted malware code:

Finally, the complete network traffic is stored in a PCAP. By using Wireshark analysts can perform a deep dive into the network protocols. All the resources are accessible in a folder created by Joe Trace:

Yara Integration

Extracting data is one thing and detection another. To perform malware detection we added Yara to Joe Trace. Basically, any dropped/modified file and memory dump gets scanned with Yara in real-time. Yara signature hits are shown as additional events. Below you can see Yara detections while executing a Casandra-crypted dropper which installs Remcos RAT:

Yara signature detection is also visible via the Yara hit counter bar at the top:

Malware analysts can use their own Yara rules for malware detection or license Joe Security's extensive signature repository. Yara rules can be directly specified during the startup of Joe Trace:

Thanks to the Yara integration, Joe Trace serves as a tool for Yara signature development. Yara signatures can be tested offline against the extracted memory dumps or dropped files, or alternatively much easier live with Joe Trace.

Since Joe Trace captures a large number of events, filtering and search capabilities are key. In the next section, we will outline an advanced tracking feature that helps analysts to focus on malware behavior.

Malware Execution Tracking

Joe Trace traces by default the behavior of all processes on the system. However, if an analyst launches a malware sample, he/she is usually only interested in tracing the malware behavior and not for example the behavior of a benign Windows process. To tackle this challenge Joe Trace provides a malware tracking technique. The feature filters out all processes which are not part of the malware execution chain. It will include benign Windows processes in which malware injects into.

To tell Joe Trace to start tracking malware execution analysts can follow a given process by selecting it in the Processes tab:

Joe Trace will then filter out "noisy" behavior. Different colors are used to show followed processes and new processes. Guloader, the dropper in this case, first started itself and then injected into explorer.exe. As a result, explorer.exe is added automatically to our filter:

Besides malware execution tracking, Joe Trace includes extensive filtering capabilities including quick filter buttons, instant search, highlighting, and more:

Analysts can even filter event classes, event names, and API arguments among other details. Malware execution tracking and the extensive filtering possibilities are ideal for finding the needle in the haystack.

E-Mail Alerts

A very important use case for malware analysts is long-term malware analysis. Sandboxes usually run a sample for up to ten minutes. Some malware might not exhibit interesting behavior such as the downloading of the payload, C&C call-outs, or config downloads during this limited analysis time. Joe Trace fills this gap. However, it is painful to regularly check Joe Trace for new events. To remove this pain Joe Trace offers alerts:

An alert can be an e-Mail that Joe Trace sends you every five minutes in case new events have been filtered. The e-mail includes the Yara signature matches as well as some statistics about new events:

In case e-mail is not your favorite alerting mechanism, you can script a notification via the command line alert option. Alerts are very handy since you can relax and wait to get a notification as soon as a Yara signature detected a new config or payload being downloaded. This makes long-term malware observation super simple.

Joe Trace - the Process Monitor on Steroids

As this blog post demonstrates Joe Trace is truly unique and will raise the bar for manual dynamic malware analysis tools! To the best of our knowledge, there is no comparable tool on the market with a similar feature set. Below you find a compressed list of all the features of Joe Trace:

Hypervisor-based stealthy system call tracing (VMx)

Tracing of processes, threads, files, registries, network,
memory and driver system events among others

Customizable user-mode API tracing based on Frida

Extensive system-wide raw data capturing like network traffic (PCAP),
dropped files and memory dumps

Deep Yara integration for malware detection (live raw data scanning)

Extensive filtering including malware execution tracking

Quick searching and event highlighting

E-mail and command alerting on filter hits

Event exporting capabilities to different formats like CSV, XML and JSON

Tree-based process overview with highlighting of interesting processes

Finally, we would like to highlight that Joe Lab, Joe Security's new cloud-based malware analysis lab can be equipped with Joe Trace as a default analysis tool. Joe Lab and Joe Trace perfectly work together and offer SOCs, CERTs and CIRTS an ideal tool for manual malware analysis.

You liked this blog post and would like to try Joe Trace? Then don't wait and contact us for a trial!

↧

New Sandbox Evasions spot in VBS samples

June 5, 2020, 5:24 am

≫ Next: Joe Sandbox v29 - Ocean Jasper

≪ Previous: Joe Trace - a Process Monitor on Steroids

While hidden Macro 4.0 samples are on the rise, we recently spotted some very interesting evasive VBS samples. In this short blog post, we will look at sample files#_56117.vbs, MD5: 147091e61ec59f67ab598d26f15ad0e7 and outline some of the evasive tricks.

An initial look at the Joe Sandbox v29 analysis reveals two evasive behavior signature hits:

In addition, there is no payload behavior, the sample shows a fake error message box and deletes itself and quits:

The two evasive signatures hits gave us enough evidence to investigate the sample further.

ExecuteGlobal

The VBS file itself is obfuscated. Large arrays hold encrypted characters which are decrypted during runtime and executed with the VBA function ExecuteGlobal:

Deobfuscation is straight forward - simply replace ExecuteGlobal with a function to append the code to a text file, or even easier, download the AMSI output which is captured by Joe Sandbox:

It holds all the code executed by ExecuteGlobal.

You find a complete deobfuscated version of the script for your reference here.

The executed code performs nine different evasive checks which are outlined in the next sections.

Total Disk Size Check

The VBS sample checks if the size of all disks combined is bigger than 60 GB. In addition, the code verifies if there is no empty CD-ROM drive. In case there is an empty CD-ROM drive or the total size of all disks is smaller than 60 GB the sample will quit:

To enumerate all disks it uses the WMI class Win32_LogicalDisk. Likely the authors recognized that many sandbox VMs still have an empty CD-ROM drive connected, meanwhile end-user laptops don't. The CD-ROM drive check is a new evasion method that we haven't seen before.

File Count Check

Next, a file count check follows. The sample verifies if the number of files in the user download folder is bigger than 2. The same check is executed for temporary files:

If the count of either directory is below 3 then the sample quits.

Process Name Check

Checking for debugging and reverse engineer tools is very common for many malware samples. This VBS sample has a very extensive list of debugging tools:

If one of the listed process names is found running on the system the sample quits. In addition, it also verifies that the total number of running processes is bigger than 28. This is a nice trick that has also been used by many other samples, especially VBA droppers. On a real endpoint, a user has usually opened many applications (e.g. web browser, Microsoft Office, etc) while on a VM sandbox there are no applications running.

Country / Region Check

The sample will quit if the geographical location of Windows is Russia:

In the sample, this check is currently disabled.

CPU Count Check

If there are less than 3 CPUs available on the system the sample quits:

Memory Check

If the total physical memory is below 1030 MB the sample quits:

Last Boot Time Check

This is a newer evasion and we haven't seen it a lot in malware samples. The sample verifies if the time the system booted is more than 10 minutes ago. Again VM sandboxes might have a much shorted last boot time.

Real end-user systems on the other hand, are rebooting the system less often.

Name and File Checks

Finally, there are also some sample name-checks that are very common. The most prominent one is to check for sample or myapp or in the current case testing:

There is also a weird additional check for microsoft.url in the temp directory. So far we have not yet found which sandbox is targeted by this check:

IOCs

Full run of the sample - all evasions bypassed
C&C: https://iplogger.org/1N3Ei7

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Joe Sandbox v29 - Ocean Jasper

June 18, 2020, 3:45 am

≫ Next: TrickBot's new API-Hammering explained

≪ Previous: New Sandbox Evasions spot in VBS samples

Today we release Joe Sandbox 29 under the code name Ocean Jasper! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Ocean Jasper.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Ocean Jasper features.

447 new Signatures

With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like MassLogger, Bazar(team9 loader), Octopus Scanner, Devilshadow, Kaiji, Exile RAT, Crimson RAT, CloudSnooper, Lucifer Stealer, Wildlogger keylogger, DarkNexus, Blackclaw ransomware, Nefilim, Pedo Ransomware, Payday Ransomware, Avaddon Ransomware and many more.

ReversingLabs Integration

A major new feature of Ocean Jasper is the ReversingLabs integration. ReversingLabs TitaniumCloud customers can add their username and API to Joe Sandbox and increase the detection precision:

Joe Sandbox Ocean Jasper checks all samples and dropped files against ReversingLabs TitaniumCloud.

Urlscan.io Integration

Another great feature of Ocean Jasper is the urlscan.io (A sandbox for the web) integration. With the integration enabled Joe Sandbox customer will benefit from increased precision for phishing detection:

Excel Macro 4.0 Extractor and Deobfuscator

Excel 4.0 (XL4) macros are becoming increasingly popular for attackers, as security vendors struggle to play catch-up and detect them properly. We, therefore, decided to add a full extractor and deobfuscator to Joe Sandbox v29. The deobfuscated code can be found in the full report under Static - Macro 4.0:

Ocean Jasper also includes several signatures to detect malicious Excel 4.0 macros:

Enhanced Phishing Detection

We have enhanced our Phishing Detection in multiple areas. First, we added a new detection technology based on Internet Explorer cache files. The appearance of a specific image on a foreign web page is a good indicator for phishing. Thanks to the Internet Explorer caching we can easily blacklist images.

The Microsoft phishing page uses the following image resources:

In the Internet Explorer cache those resources can be easily found and blacklisted:

Secondly, AI-based Phishing detection has been made available for Remote Assistance (Live Interaction). This enables analysts to detect phishing pages for cases where link browsing is hard to automate:

Easy submission of Malware Bundles

Sometimes analysts come across a malware sample that only runs with dependencies file, e.g. a malware.exe requiring a DLL in the same folder. Previously, analysts were required to submit cookbook for launching the malware.exe together with the DLL. With Ocean Jasper this is now becoming super easy - with a new file dialog:

Better Report Overview

We have completely redesigned the overview part of the full analyst report in Ocean Jasper. Analysts can now see all the key information at one glance:

Android 9.0 Support

Ocean Jasper comes with Android 9.0 support:

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Ocean Jasper, but there are some other very interesting features on top:

Added analysis mode to boost performance
Added support for Windows 10 build 1903 and 1909
Added analysis and execution of DMG pre-install scripts (Zoom)
Added Yara scanning for unpacked AutoIt binaries
Added download-all option to the Web interface
Improved config extractor for Emotet
Improved performance for Remote Assistance
Large performance optimization for RDTSC time evasions
Large FP optimization for phishing detection

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

TrickBot's new API-Hammering explained

July 13, 2020, 4:43 am

≫ Next: Analyzing VM-Malware with Joe Lab and Trace

≪ Previous: Joe Sandbox v29 - Ocean Jasper

As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works.

The full analysis report of the TrickBot variant is available here.

Two Stage API Hammering

Right after the entry point, the sample tries to load taskmgr.exe as a DLL:

This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Next, it performs a massive printf loop - the first stage. Since before the loop FreeConsole has been called all printf calls do basically nothing:

This code has been directly copied from the documentation of printf:

So what is the purpose of those numerous printf loops? Well, sandboxes are designed to log all behavior including the 1.8M calls. As a result, the massive amount of calls delay the execution process and overload the sandbox with junk data. As a result, the final payload is never called.

This behavior is called API Hammering. API Hammering is not a new technique, we have already seen it several years ago e.g. in the Nymaim Loader. Joe Sandbox detects the API hammering successfully and rates it as malicious:

Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps:

Again, the purpose is to overload the sandbox and delay the execution. This time however the all calls are valid.

WERMGR

Finally, when this loop is passed, the sample starts and injects TrickBot (by using directly Nt* APIs) into legit wermgr.exe - the process responsible for Windows error handling and reporting:

It's noticeable that a 32bit sample is able to inject successfully into 64bit wermgr.exe on a Windows 64bit.

In wermgr.exe TrickBot fully unpacks itself:

This enables Joe Sandbox to successfully detect TrickBot and extract full configurations:

Conclusion

In contrast to many other evasions, API Hammering is one of the more interesting techniques since it directly exploits the design of a sandbox. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly.

You are interested to get a list of other evasive malware analyses? Check out these other blogs:

or this extensive list of evasive samples.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Analyzing VM-Malware with Joe Lab and Trace

August 19, 2020, 3:57 am

≫ Next: GuLoader's VM-Exit Instruction Hammering explained

≪ Previous: TrickBot's new API-Hammering explained

VM-malware is a special type of malware which uses virtualization technology to stay hidden. A recent type of a such malware is Load Miner. In this blog post we will showcase how to use Joe Lab - the Cloud-based Malware Analysis Lab and Joe Trace - a Process Monitor on Steroids to analyze Load Miner (MD5 8a2a344d985f50a08a1ace0c995b064a).

Load Miner is often bundled with large benign software in an MSI package. The packages have an average size of 450MB. Most sandboxes don't support such large files upload.

We have successfully uploaded the file to a Windows 10 analyzer on Joe Lab and connected via Web based VNC:

Joe Lab features a full network capturing technology which we can be easily enabled via the quick action bar on the right:

The whole capturing process happens outside of the machine and therefore it is invisible for the malware.

Joe Trace

Further, we would like to analyze Load Miner with Joe Trace. Joe Trace is a very advanced process monitor tool designed for malware analysis. It comes preinstalled on a Joe Lab machine:

As a first step, we enable file and memory dumping and configure the usage of Joe Security's Yara rules set. Yara rules will be used to scan all captured files and memory dumps. Right after hitting the Start button we see that the full system behavior is captured.

By clicking on the top left Process tab, we get a nice overview of all processes. We will now manually launch the malware sample and instantly see the MSI process startup:

New processes are colored so that you can visually catch all new startups. MSI files are launched by msiexec and later by the module installer service:

After some seconds a suspicious popup is shown. It looks like the malware is installing the virtualization solution VirtualBox. We can confirm that by going to the event tabs and filter for all created files:

Why using virtual machines? Well it is harder for Antivirus and EDR to detect it since a whole new operating system is running. Given the fact that most sandboxes run malware samples on virtual machines, the current sample won't work - as it is using virtual machines itself.

After a few seconds, we see new processes being launched:

We can also observe the installation of the VirtualBox driver as well as the launch of attrib.exe. Via the context menu we can get full command line:

Furthermore, in order to hide VirtualBox, the installation folder is marked hidden.

Next, we can also see that an OVA (Open Virtualization Appliance) is created and later imported via VBoxManage:

Lets now have a look at VmServiceControl.exe. What is this?

By following the process, we can see that it registers a service by using a INI file previously dropped:

Since Joe Trace captures all files we can inspect that INI file:

We can also find the new service in the Service App:

With the service installation the installer finally quits:

Yara

For seeing all Yara detection we can easily apply a filter via the quick filters in the top bar:

Interestingly, one of Joe Security's Xmrig signature hit. By clicking on the events one can see the matching data source:

The matching data is the VMDK image file which is inside the OVA.

Full Hardware Control

Lets now reboot the lab machine and see if the VM is automatically started:

Opening again Joe Trace and check the newly started processes:

Also we can download the captured PCAP and analyze it in Wireshark to find the network IOCs:

Finally since we fully uncovered the behavior we can reset the Lab machine to a pristine state:

Joe Lab and Trace - One of its kind

This blog post illustrates how Joe Lab and Trace can be used to deeply analyze a complex malware using virtualization for protection and evasion. Thanks to Joe Lab we were able to launch the sample in a secure way, capture full system PCAPs and reboot / reset the lab machine. Thanks to Trace we were able to fully inspect and understand the malware behavior, access dropped files / memory dumps and use Yara rules for detection.

Would you like to try Joe Lab and Trace? Then don't wait and contact us for a trial!

↧

GuLoader's VM-Exit Instruction Hammering explained

September 17, 2020, 4:56 am

≫ Next: Joe Sandbox v30 - Red Diamond

≪ Previous: Analyzing VM-Malware with Joe Lab and Trace

In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On the September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion techniques.

Slow VM Exits

The initial analysis on a virtual machine showed the following results:

As we can see in the Signature section, there are some RDTSC based evasion checks executed:

Among many other anti-evasion checks, GuLoader uses the following code to detect that it is running in a virtual machine:

The code has two main purposes. First, it measures how long the execution of the CPUID instructions takes. On real hardware, CPUID is directly executed by the CPU. Inside a virtual machine, the CPUID instruction forces a VM exit - execution is transferred from the guest VM to the host. The hypervisor handles the instructions and switches back. This transition is much slower compared to direct CPU execution. The same is true for other instructions like RDTSC. This difference is measured and used to decide if the loader is going to execute the payload or not.

Instruction Hammering

Secondly, the measurements are not executed once but executed thousands of times. The result is an overall delay which often exceeds the execution time on a sandboxed analyzer. As a result, the payload execution is never reached. This method of executing massive amounts of delay instructions to prevent the execution - also known as Instruction Hammering - is very similar to API hammering, a technique we saw in TrickBot and many other malware samples.

Instruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the architecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have even increased the number of delay instructions being executed:

This code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used for time measurements.

On a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:

On real hardware, the loop is executed in under one second!

Bare Metal Analysis to the Rescue

Joe Sandbox is one of a few vendors offering analysis on bare metal. In this setup, the malware sample is run on a real physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based evasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal the delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped:

The full analysis report of the GuLoader variant is available here.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Joe Sandbox v30 - Red Diamond

October 5, 2020, 2:41 am

≫ Next: Happy New Year 2021

≪ Previous: GuLoader's VM-Exit Instruction Hammering explained

Today we release Joe Sandbox 30 under the code name Red Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Red Diamond.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Red Diamond features.

218 new Signatures

With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like FinSpy, Liquorbot, WellMess, Taurus Stealer, Matiex Keylogger, Elysium Stealer, DCRat, Avaddon Ransomware, Netwalker Ransomware, IOCP Ransomware and many more.

We also updated many signatures to cover the latest variants of malware like BazarLoader, Formbook, Emotet, Phobos, Qbot, NJRat etc.

Mitre Att&ck Sub-Techniques

Joe Sandbox Red Diamond is the first sandbox to officially support Mitre Att&ck Sub-Techniques! We successfully extended our behavior signatures mapping to include Sub-Techniques, giving analysts the most precise information about techniques and procedures:

Joe Sandbox Red Diamond supports Mitre Att&ck Sub Techniques for Windows, macOS, Linux and Android analysis.

New Anti-Evasions

During the last couple of months we detected several new sandbox evasions, such as API and instruction hammering in GuLoader or TrickBot. Red Diamond addresses these evasions with technology which bypasses them. Whenever we develop new bypasses, we first write new detection signatures to classify the behavior:

As a result, Joe Sandbox Red Diamond is able to bypass these new evasions. Further, we have added triggers to catch new related evasions.

Support for large Files

This has been a frequent customer request as up until now, Joe Sandbox had limits related to the upload size of malware binaries. Red Diamond addresses this limit and introduces chunked file upload for the Web Interface as well as the Joe Sandbox RESTful Web API.

We have updated jbxapi.py, the Python wrapper for the restFUL Web API. Our Joe Sandbox customers can simply update to the latest version of jbxapi.py to benefit from larger file support size. No need to change any code or integration.

API Parameter Overwriting & Integration Key Sharing

Joe Sandbox integrates with many different security solutions. You find a list of all supported integrations here. While having so many integration is great, updating integrations with new features is tricky. To solve this issue we introduced API Parameter Overwriting. With this option you can overwrite specific Joe Sandbox settings for samples which are submitted via the API by one of your integrations:

Let's have a look at a use case for API Parameter Overwriting. Assume that an integration is not yet supporting the Joe Sandbox cache option. The cache option will not analyze the same file or URL twice by checking an internal cache. Thanks to API Parameter Overwriting you can enforce that option for all integrations by default. This will save you quota and time since previously analyzed samples will not get analyzed again.

Integration Key Sharing enables you to enforce a specific integration such us VirusTotal, ReversingLabs, Intezer, UrlScan etc to all your users using Joe Sandbox. This is very handy since you don't want to let your Joe Sandbox users deal with integration settings.

Phishing Detection for canvas.com, dropbox.com etc.

Many Phishing pages host initial lures on canvas.com, dropbox.com etc. Those pages use JavaScript heavily and load most content dynamically. This makes phishing detection challenging. In addition, PDF files are often hosted on those pages which link to the real phishing page. Most sandbox solutions are not able to follow a link in a PDF on a dynamic webpage. With Joe Sandbox v30 Red Diamond we solved this challenge:

Better Report Overview

In our last release Joe Sandbox 29 Ocean Jasper we completely redesigned the overview section of the full analyst report for Windows analysis. In Red Diamond we redesigned the overview section in the macOS, Android and Linux report:

Further, we redesigned the overview section of the executive / management report for all architectures:

The new format condenses the most important information to one page and also improves the readability and structure.

Static Mach-O Analysis in Archives

EvilQuest has shown that actors can also be very creative on macOS. The initial DMG sample includes the payload in an additional Mach-O file. Joe Sandbox Red Diamond takes care of that and analyzes Mach-O files in archives and containers:

Static Mach-O information is shown in the Static File Info - Archive DMG section of the analyst report:

Function Logs for Android Analysis

On Android we added function / method logs. Those logs contain a chronological sequence of all traced API calls, with method / class / package name, arguments and the return value:

The logs are available in text format as well as XML:

Function / method logs enable analysts to build machine learning models and understand the malicious behavior at the lowest possible level.

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Red Diamond, but there are some other very interesting features on top:

Support for VMware Workstation 16
Unpacking of ALZ Archives
Android No-Instrumentation Analysis Chaining for Instrumentation Failures
Bypass for Anti-Analysis SystemCodeIntegrity and GetLastInput/GetTickCount
Tags visible in the analyst and executive report
Verdict and Threat Names in e-Mail Alerts
Duplicate Password Protection
Faster URL Analysis with Chrome
Server Logs per Analysis

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Happy New Year 2021

December 31, 2020, 8:15 am

≫ Next: Joe Sandbox v31 - Emerald

≪ Previous: Joe Sandbox v30 - Red Diamond

Thank you to all our customers and friends for your support in 2020! The whole Joe Security family wishes you good health, satisfaction and many pleasant moments in 2021! Finger crossed 2021 will be better than 2020!

↧

Joe Sandbox v31 - Emerald

February 1, 2021, 3:50 am

≫ Next: Joe Sandbox I – Deep Malware Analysis on iOS 13

≪ Previous: Happy New Year 2021

Today we release Joe Sandbox 31 under the code name Emerald! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have been recently upgraded to Emerald.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we are delighted about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Emerald features.

213 new Signatures

With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like FickerStealer, SnakeKeylogger, Egregor, Babuk, Novter, TriumphLoader, Wapomi, Citadel, ModiLoader, Strongpity, Ranzylocker, RunningRAT, Vaggen, Nitol, ElectroRAT, Lazagne and many more. In addition we added more malware configuration extractors, e.g. for FormBook:

We also added detection signatures for the backdoors used in the Solarwinds breach such as SUNBURST and SUPERNOVA:

IOC Reports

Say hello to our brand new IOC report! This report gives you a concise overview of all the IOCs found in an analysis. The report is available in HTML (direct link on the analysis page) as well as XML and JSON:

For each IOC analysis details, all matching behavior signatures and Mitre Att&ck techniques are listed:

The IOC Report is very extensive and includes:

All contacted IPs, Domains and URLs
All created or modified files
All created or modified registry keys
All processes
All memory dumps
All DOM trees (from URL / phishing detection)

For multi run analysis, e.g. if an analyst upload the same sample to multiple analyzers, the IOC report will include all IOCs from all analyses.

Compliance Score

Application Validation - the process of testing a software for compliance or potential backdoors before installing it on the endpoint, is an important task for security analysts. With Joe Sandbox v30 we introduced large file support - analysts are able to upload samples up to 500MB. With Joe Sandbox v31 we added several new signature to measure the compliance of software installers:

In addition the report includes a new compliance score for quick identification:

URL Analysis with Chrome

Internet Explorer, the default browser for Joe Sandbox URL analysis, is deprecated and doesn't work on modern webpages. As a result Joe Sandbox v31 comes with support for URL analysis with Chrome. Chrome successfully browses phishing pages on modern webpages. Analysts can choose between IE and Chrome from the submission tab:

URL analysis in Chrome is fully automated. Joe Sandbox will follow links and uses the AI based phishing detection engine. Analysts can also use remote assistance / live interaction to browse manually a URL in Chrome:

An additional benefit for URL analysis with Chrome is that you can download the HTML DOM tree which is used for phishing detection:

Memory Dumping for macOS and Linux

Memory dumps are a great source for detection since they contain the unpacked code. We introduced memory dumping for Windows several years ago and now also added it to the macOS and Linux analyzers. Here you find some detections on memory dumps for Linux / macOS analysis of recent threats:

SSO Support

Single Sign On is a very convenient enterprise feature enabling end-users to login to multiple sites with the same password. With Joe Sandbox v31 Emerald we implement SSO support with OpenID Connect. This enables to connect Joe Sandbox to an Identity Provider (IdP) which handles the authentication.

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Emerald, but there are some other very interesting features on top:

Integration with SlashNext
Parsing of IOCs from malware configuration data
Additional OCR based phishing detection
Option to start sample automatically during Remote Assistance / Live Interaction
Download of DOM trees for URL analysis
Intelligent analysis time extension
Unpacking support for XZ archives
Support for vSphere SDK API
Configurable RDTSC NOP patching

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

↧

Joe Sandbox I – Deep Malware Analysis on iOS 13

April 8, 2021, 5:21 am

≪ Previous: Joe Sandbox v31 - Emerald

Today, we have the pleasure to present a major upgrade of Joe Sandbox I product. The first version of our automated malware analysis system for iOS was introduced nearly five years ago. Back then, Joe Sandbox was and still prevails to be, the only commercial malware analysis sandbox solution that can analyze threats on all major desktop and mobile platforms – namely, Windows, macOS, Linux, Android, and iOS.

Recent years have shown that malware is getting more and more sophisticated. The current two market leaders for mobile platforms are Android and iOS. While Android malware does get more attention and is usually studied more often, maliciously acting software found on iOS is much less publicly reported. A potential reason is that analyzing apps on iOS is a difficult and cumbersome task to accomplish due to the heavily locked operating system. Thus, it is generally not trivial for security solutions or analysts to assess if an app behaves how it should. Hence, the actual malware threat landscape on iOS remains diffuse.

Despite Apple’s efforts to strictly code review apps before getting into the App Store, there have been multiple examples in the past where malware or maliciously behaving software was able to sneak into the store. A recent example was published here that affected hundreds of apps that were prone to data leakage and remote code execution.

With Joe Sandbox I, a malware analyst gets a powerful fully automated solution to analyze apps on a bare-metal iPhone without the hassle of setting up such a device and all the quirks that iOS brings. Currently, we support iOS 13 on an iPhone 7.

Joe Sandbox I features at a glance:

Analyze apps from the App Store or IPA files
Live interaction with the app during execution
Automated screenshotting during the analysis
Network capturing including HTTPS inspection
Selected API hooking for dynamic analysis
App archive and file static analysis
Deeper static analysis of disassembly code
Behavior signatures for rating dynamic and static analysis

App Store Analyzing with Live Interaction

An analyst can directly submit an App Store URL. The app then gets installed onto the iPhone in the background. It is then subsequently started and uninstalled after the analysis time:

The user has the choice to enable Live Interaction (formerly called Remote Assistance) before submission. Interacting with an app generally exhibits more behavior which leads to better dynamic analysis results. This recording demonstrates the Live Interaction feature nicely:

As one can see, the user gets a smooth interface to interact with. So, clicking through permission prompts for example, or entering text provides full interaction. Furthermore, using the keyboard facilitates faster typing.

Analyzing an IPA Archive

An analyst has also the choice to submit IPA archives for analysis. However, only IPAs with decrypted Mach-O files can be executed due to Apple’s FairPlay DRM. Nevertheless, this feature stays interesting for analysts that for example are able to extract a decrypted IPA from a suspicious device.

For the sake of this blog post, we have created a small demonstration app that behaves maliciously. It is called MyContacts and is meant to act as a simple contact viewer and caller.

The IPA file was submitted with Live Interaction enabled.

Screenshot Slideshow

Joe Sandbox I takes screenshots periodically throughout the app execution, saving only the images that changed. The resulting report shows the screenshotting feature prominently. The most interesting screenshot is shown at the beginning:

In the “Screenshots” section, all taken shots can be viewed interactively in a slideshow or as thumbnails. Here we see how that app requested permission to access the contacts database and the microphone, and then tried to call a different number than was selected:

Behavior Signatures and Classification

Joe Sandbox I has an increasing set of roughly 230 behavior signatures which rate and classify the behavior. With the signature overview, a malware analyst gets the possibility to swiftly assess if the app’s behavior is bad or not. Here we see that MyContactsdoes behave maliciously and has capabilities that are considered to be malintent, for example, its capability to install and launch apps:

This excerpt shows all triggered behavior signatures:

Finally, the classification spider graph consolidates the behavior signature ratings in order to show what type of potential malware we are likely looking at:

Network Capturing and HTTPS inspection

An important feature of app analysis is network analysis. Joe Sandbox I can analyze multiple protocols like HTTP or DNS, but also seldom used ones like FTP, SMTP, etc. Intercepting encrypted traffic is also possible. Here we see how MyContacts leaks email and phone numbers over HTTPS:

This behavior was rated by our signatures as malicious:

Dynamic Analysis

A core part of any malware sandbox is its ability to trace behavior. Joe Sandbox I intercepts interesting APIs, like accessed files or sysctl requests. Here we see how the app opens the previously requested URL:

We also see that email and contact information is being encrypted:

Static Analysis – IPA Archive

In addition to dynamic analysis, the app is also analyzed statically. This is done on two levels: the apps IPA archive as well the apps executable. For App Store apps, the installation directory itself is analyzed.

Here we see the content of the IPA archive:

Certain interesting file types are extracted and further analyzed, like Plist and Mach-O files. This excerpt shows the apps Mach-O:

The extracted property list (Plist) in the "embedded.mobileprovision" file reveals that the app has the capability of being provisioned to any device:

This is an indication that an app could bypass Apple's code review procedure if it attempts to abuse enterprise certificates that are used for in-house app distribution.

Static Analysis – Disassembly

Joe Sandbox I extracts all interesting functions from the apps Mach-O if it is not encrypted. For App Store submissions, the binary is decrypted from the memory and then statically analyzed. The report then presents the ARM disassembly code as well as meta information if available.

Here we see an excerpt of a function that does a jailbreak check:

It is worth mentioning that Joe Sandbox's integrated search functionality gives the analyst the possibility to easily search through the report. Each search hit provides additional information:

Summary

We have demonstrated the power of Joe Sandbox I, which enables an analyst to swiftly understand and detect threats that target iOS systems. We have shown that apps from the App Store as well as IPA files can be analyzed. With the help of the Live Interaction feature, the analyst can seamlessly interact with the app. Standard features like screenshotting and network capturing were illustrated, including interception of encrypted traffic. We then demonstrated the API dynamic analysis capabilities. Finally, static analysis features for Plists and Mach-O as well as for disassembly were showcased.

The full analysis report of MyContacts is available here.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Remarks

Joe Sandbox I is intended for malware analysis only and does not provide decrypted IPA files from the AppStore. The iPhone analysis device does not have any SIM installed, nor does it provide physical camera or microphone access. With Joe Sandbox I analysts can only analyze apps and do not get any access to iPhone services such as phone calls, SMS, photography, etc.

↧