Wednesday, July 18, 2018

Reduce Friction: extracting Sysmon logs with Joe Sandbox

Sysmon is a powerful, free tool for monitoring endpoints, and it can easily be installed on many machines. It generates a large number of log messages and stores them in the Windows event log. These logs are usually forwarded to a central log server such as Graylog, where blue teams can easily search them:

To get meaningful search terms, blue teams often use sandboxes such as Joe Sandbox to analyze malware in depth. However, the IOCs generated by sandboxes are often not in a format that can easily be correlated with Sysmon events, so blue teams have to translate the IOCs by hand, which is a painful job. In addition, Sysmon event logs can serve as input for various other tools. For instance, they can easily be translated to Sigma, which allows a wider search across many other log sources.

To reduce friction and make the blue team's job less painful, we have added Sysmon output to Joe Sandbox.

Using a Cookbook to generate Sysmon output

To get Sysmon logs, you have to use a custom Cookbook which first installs Sysmon. Cookbooks are small scripts that define how an analysis is executed and give blue teams a way to fully customize a dynamic analysis. Let us have a look at our Sysmon cookbook:

In line 3 the cookbook specifies that the malware is executed on a sandbox named w7_1. On the submission page you find a mapping of system names to system configurations:

In lines 7 to 16 Sysmon is installed. Please note that you can use any Sysmon config you like; there is no restriction. By default, the template from SwiftOnSecurity is used.

In lines 18 to 24 all the analysis engines are started including the network and behavior engines.

In line 26 the sample is started, and in line 30 the cookbook sleeps for a maximum of two minutes. Right after that, the analysis engines are stopped and finally the machine is cleaned up.

Generate Sysmon Events for SmokeLoader

Let us take a concrete example and assume you want to verify if one of your hosts is infected by the latest SmokeLoader malware.

The cookbook is submitted together with the malware sample in the advanced tab:

In the generated analysis report, go to the explorer.exe process and then Sysmon Activities:

Joe Sandbox lists all the Sysmon event log entries in various formats. To construct your search query for Graylog, you can use the first 3 fields. For instance, you can easily search for LNK file creation by explorer.exe:

You can also take the last field, copy it to a file and then use the evt2sigma converter to get a Sigma rule:

Sigma rules can then be converted to various other formats:
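The two steps above, a Graylog query built from the first Sysmon fields and a Sigma rule generalized from the event, as an added example; this is not Joe Sandbox or evt2sigma code, and the event record and the Lucene escaping are assumptions:

```python
# Added example (not Joe Sandbox or evt2sigma code): turn one Sysmon event as
# shown in the Sysmon Activities view into a Graylog query and a Sigma rule.
# SAMPLE_EVENT is a constructed Sysmon Event ID 11 (FileCreate) record of
# explorer.exe creating a .lnk file; field names follow Sysmon's naming.
SAMPLE_EVENT = {
    "EventID": 11,
    "UtcTime": "2018-07-18 10:00:00.000",
    "Image": r"C:\Windows\explorer.exe",
    "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\sample.lnk",
}

def graylog_query(event, fields=("EventID", "Image", "TargetFilename")):
    """AND-join the chosen fields into a Graylog (Lucene syntax) query.
    Backslashes are doubled so that Windows paths survive the query parser
    (assumed escaping; adjust if your Graylog extractor stores paths differently)."""
    terms = []
    for name in fields:
        value = str(event[name]).replace("\\", "\\\\")
        terms.append(f'{name}:"{value}"')
    return " AND ".join(terms)

def sigma_rule(event):
    """Generalize the event into a Sigma rule: keep the EventID but reduce the
    paths to their tails with the |endswith modifier so the rule matches on
    any host and user, not only the sandbox machine."""
    image_tail = "\\" + event["Image"].rsplit("\\", 1)[-1]
    extension = "." + event["TargetFilename"].rsplit(".", 1)[-1]
    return {
        "title": "LNK file created by explorer.exe (from sandbox Sysmon log)",
        "logsource": {"product": "windows", "service": "sysmon"},
        "detection": {
            "selection": {
                "EventID": event["EventID"],
                "Image|endswith": image_tail,
                "TargetFilename|endswith": extension,
            },
            "condition": "selection",
        },
    }

def sigma_matches(rule, event):
    """Evaluate a single-selection rule against a Sysmon event, honoring the
    |endswith modifier and Sigma's case-insensitive string comparison."""
    for key, want in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")
        have, want = str(event.get(field, "")).lower(), str(want).lower()
        if not (have.endswith(want) if modifier == "endswith" else have == want):
            return False
    return True
```

The rule dictionary has the layout of a Sigma YAML file and can be dumped with any YAML library before being fed to sigmac.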

Cookbooks - Agile Malware Analysis

Thanks to Cookbooks, blue teams benefit from full customization of the malware analysis. Installing Sysmon is just one example. Using our Cookbook technology, analysts can easily:

  • Accelerate system time and date
  • Change keyboard layouts
  • Change the DNS server
  • Simulate USB memory sticks
  • Browse URLs on Chrome or Firefox
  • Execute multipart malware
  • Install their custom tools

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, July 5, 2018

APT28: Digging through Sandbox-Evasions with Bare Metal Analysis

In October 2017, we blogged about the advantages of analyzing malware on bare metal machines. Bare metal analysis makes it possible to perform dynamic analysis on real devices such as laptops or PCs. Bare metal analysis is not affected by virtual machine detection, which is a major check done by most malware nowadays:

To demonstrate this, we analyzed a recent sample related to APT28/Grizzlybear which includes nine different evasion tricks.

Spotting evasive Samples on Cloud Basic

We have various triggers and alerts defined for our free online platform called Joe Sandbox Cloud Basic. Cloud Basic uses only virtual machines to analyze suspicious files; the bare metal analysis feature is available only in Joe Sandbox Cloud Pro.

Recently, we got an interesting alert which led us to the following sample uploaded on the 2nd of July.

If we look at the behavior graph we see only one process:

The spider classification chart outlines that this sample is very likely evasive:

Further, no obvious installation or infection behavior is recorded. Therefore, we can assume that the evasions were successful.

Digging through the Evasion Checks

We reran the sample found on Cloud Basic in Cloud Pro on a bare metal W10 machine:

The resulting analysis can be found here:

If we go to the behavior signatures, section Anti-Debugging and Malware Analysis System Evasion, we find many hits:

What types of evasion has the sample used? Let us analyze the checks one by one.

1. CPUID XEON Check

The function at address 406CFC calls CPUID and checks whether the CPU model is XEON. This type of processor indicates a server and is usually not used in a laptop or a PC, the real infection targets of the malware:

If the model of the CPU is XEON the sample will stop its execution.

2. Sandboxie Check

Thanks to our Hypervisor-based Inspection technology, which works on virtual machines and bare metal alike, user-mode API calls are traced. The GetModuleHandle API is interesting since it can easily be used to check for loaded DLLs:

If a module with the name sbiedll.dll is found, the sample terminates. Sbiedll.dll is a DLL of the well-known Sandboxie tool, which is often used to analyze malware.

3. Sleep/GetTickCount Time Evasion

At function 406DC8 the sample performs a time evasion which detects whether a malware analysis system modifies Sleep calls but fails to adjust the GetTickCount values accordingly. Sandboxes often shorten sleeps in order to trigger future behavior. Malware can detect this by comparing the Sleep duration with other time sources such as GetTickCount:

4. Command Line Checks

The sample fails to execute if a Sandbox passes one of the following arguments:

  • -autorun
  • -update

5. Virtual Machine Detection via VideoBiosVersion

At function 407118 the malware queries the registry value HARDWARE\Description\System\VideoBiosVersion:

If the value contains the string VirtualBox, the sample fails.

6. Virtual Machine Detection via SetupAPI

In addition to the previous virtual machine check, a second check is executed via the SetupAPI:

Basically, the SetupAPI is used to enumerate device registry properties. The malware checks for the string "vmware". On VMware, common device properties are:

  • vmware svga 3d
  • vmware, vmware virtual s scsi disk device

7. IsDebuggerPresent

To check for debuggers, the API IsDebuggerPresent is called:

8. Name / Path check

At function 406E04, the sample checks for the following names in the path and the sample name:

  • \VIRUS

If one of the names is found, the sample terminates.

9. RDTSC + CPUID Time Evasion

A second time evasion is performed at address 406B60:

What evasion is performed? Basically, the sample measures how long the CPUID instruction takes. The measurement is done via the RDTSC instruction:

On virtual machines, the CPUID instruction executes slower than on bare metal, because the hypervisor intercepts the instruction and this usually takes longer.
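As an added example for the nine checks above (not Joe Sandbox's own signature engine), a small detector that flags the Sandboxie, VideoBiosVersion, SetupAPI, IsDebuggerPresent and Sleep/GetTickCount checks in a user-mode API trace; TRACE is a constructed trace, and the function names and record layout are assumptions:

```python
# Added example (not Joe Sandbox's own signature engine): flag the evasion
# checks described above in a user-mode API trace. TRACE is a constructed
# trace in the spirit of the report's API view: one dict per call with the
# function name, its string arguments and its return value.
TRACE = [
    {"fn": "GetModuleHandleA", "args": ["sbiedll.dll"], "ret": 0},
    {"fn": "RegQueryValueExA", "args": ["VideoBiosVersion"], "ret": 0},
    {"fn": "SetupDiGetDeviceRegistryPropertyA", "args": ["SPDRP_FRIENDLYNAME"], "ret": 1},
    {"fn": "IsDebuggerPresent", "args": [], "ret": 0},
    {"fn": "GetTickCount", "args": [], "ret": 100000},
    {"fn": "Sleep", "args": ["2000"], "ret": None},
    {"fn": "GetTickCount", "args": [], "ret": 100010},  # only 10 ms elapsed
]

# Per-call signatures for checks 2, 5, 6 and 7 of the write-up.
SIGNATURES = {
    "Sandboxie check (GetModuleHandle sbiedll.dll)": lambda c:
        c["fn"].startswith("GetModuleHandle")
        and any(a.lower() == "sbiedll.dll" for a in c["args"]),
    "VM check via VideoBiosVersion": lambda c:
        c["fn"].startswith("RegQueryValueEx")
        and any("videobiosversion" in a.lower() for a in c["args"]),
    "VM check via SetupAPI device properties": lambda c:
        c["fn"].startswith("SetupDiGetDeviceRegistryProperty"),
    "IsDebuggerPresent": lambda c: c["fn"] == "IsDebuggerPresent",
}

def sleep_time_checks(trace):
    """Check 3: a Sleep bracketed by GetTickCount calls. Returns a list of
    (requested_ms, measured_ms); a measured value far below the requested
    one means sleep shortening by the sandbox is visible to the sample."""
    findings = []
    for i, call in enumerate(trace):
        if call["fn"] != "Sleep":
            continue
        before = [t["ret"] for t in trace[:i] if t["fn"] == "GetTickCount"]
        after = [t["ret"] for t in trace[i + 1:] if t["fn"] == "GetTickCount"]
        if before and after:
            findings.append((int(call["args"][0]), after[0] - before[-1]))
    return findings

def evasion_hits(trace):
    """Names of all evasion signatures that fire on the trace, sorted."""
    hits = {name for c in trace for name, pred in SIGNATURES.items() if pred(c)}
    for requested, measured in sleep_time_checks(trace):
        hits.add("Sleep/GetTickCount time evasion"
                 + (" (sleep shortening visible)" if measured < requested / 2 else ""))
    return sorted(hits)
```

The CPUID and RDTSC checks are instruction-level and do not show up in an API trace, which is why only the API-visible checks are covered here.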

Payload Analysis

Since the analysis was performed on a real machine, none of the nine checks was successful. As a result, the sample injects into explorer.exe:

The sample execution then ends in a Sleep call:

This is also nicely visible in the Execution Graph: all the red nodes have been executed, while the black nodes have not:

The large amount of non-executed code includes various interesting areas, such as searching for files:

C&C communication:

Download and execute:

Executing the sample a bit longer fully reveals the behavior of the payload and all IOCs:

Looking at the Yara rules, we finally see some hits related to the APT28 / Fancy Bear implant:

Joe Sandbox, no restriction for Bare Metal analysis

Joe Sandbox does not restrict you to analyzing malware on a particular virtualization solution or device. You are free to choose which kind of machine to analyze on:

  • Modern Bare Metal Laptop
  • Modern Bare Metal PC
  • Mac Mini
  • MacBook Pro
  • Bare Metal Android Phone (e.g. Motorola G3)
  • iPhone

If you use Bare Metal machines, you leave malware no chance of detecting the analysis system. Detection techniques which are successful against KVM, VirtualBox, VMware, Xen and Qemu will fail, since the malware is executed on a real device. If you already have a sandbox or are looking to get one, then ask yourself: is Bare Metal analysis supported? Or is the sandbox solely based on KVM, VirtualBox, Qemu or Xen?

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, June 5, 2018

Analysing VPNFilter with Joe Sandbox Linux

Linux malware is becoming a hot topic in the security news headlines, as more and more recent malware targets Linux operating systems. With more than 11 billion embedded devices with networking capabilities in 2018 (Gartner), bots targeting the Internet of Things (IoT) have a bright future ahead. Mirai and VPNFilter are just two recent examples.

Thus, it is the right time to step up! For some months, we have been working on a new product to analyze malware targeting Linux. Today, we are happy to release Joe Sandbox Linux, our deep malware analysis engine for fighting threats on Ubuntu and CentOS.

By adding analysis on Linux, Joe Sandbox is now the only malware analysis system available on the market which can analyze malware on all of Windows, MacOS, Linux, Android, and iOS:

In this blog post, we are going to showcase the features of Joe Sandbox Linux, taking the recently discovered VPNFilter as well as a coin miner malware as examples.

VPNFilter

VPNFilter is recent malware discovered by Cisco Talos which targets Internet routers. According to Talos, VPNFilter is likely a state-sponsored or state-affiliated threat built to gather intelligence. VPNFilter has a powerful destructive payload and has infected over 500'000 routers in 54 countries.

Just like modern malware on Windows, VPNFilter uses multiple stages:

Stage 1

In stage 1, VPNFilter mainly establishes persistence to survive a reboot by creating a cron job. Joe Sandbox Linux directly detected VPNFilter with a generic behavior rule. In the network tab we can see that it reaches out to photobucked[.]com to fetch an image:

Since the threat is already some days old, the resource is no longer available. The image would contain the IP address from which the second-stage malware is downloaded.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 1.

Stage 2

The second-stage malware contains the bot functionality. This can easily be seen in the verbose output:

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 2.

Commands which can be sent to VPNFilter include: exec, kill, seturl, download, reboot, proxy, port and tor. The stage-two malware deletes itself, so after a reboot of the infected device VPNFilter no longer exists:

Stage 3

VPNFilter also has the ability to load plugins or modules, for instance to communicate secretly via Tor:

As you can see, the analysis report generated by Joe Sandbox Linux gives you valuable information about the threat, including payloads, IOCs and behaviors.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 3.

Coin miner

Coin miners are malware which "kidnap" the CPUs of servers in order to mine cryptocurrencies. They are very common, especially in the Linux server world. Let us have a look at the analysis report:

The classification clearly shows that this is miner malware. Through the integration of antivirus scanners, all artifacts such as dropped files are scanned automatically:

Thanks to the extensive behavior signature set of Joe Sandbox Linux, coin miners are detected on any architecture:

The behavior graph, which is also part of Joe Sandbox Desktop (analysis on Windows) and Joe Sandbox X (analysis on MacOS), helps to fully understand the installation behavior:

As with VPNFilter, Joe Sandbox Linux fully detected the coin miner payload and provided additional insights into the malware's behavior.

Full Joe Sandbox Linux Analysis Report for Coinminer.

Final Words

With the capability of analyzing malware targeting Windows, MacOS, Linux, Android and iOS, Joe Sandbox is the only malware analysis solution which can fully protect you from today's threats. With the introduction of Joe Sandbox Linux, customers get a very advanced analysis tool to detect advanced threats targeting routers, IoT devices, and Linux servers or workstations.

Joe Sandbox Linux has already been fully integrated into Joe Sandbox Cloud Pro and Basic and will soon be available as an on-premise product.

Want to try Joe Sandbox Linux? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!