Tuesday, February 13, 2018

Deep Malware Analysis with Joe Sandbox 21 - Sapphire

Now, in the middle of Q1, we are happy to release our newest and greatest Joe Sandbox version with the code name Sapphire!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Sapphire a couple of weeks ago.

If you want to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation now, please perform:

mono joeboxserver.exe --updatefast

In this blog post, we will show some of the enhancements and features of Sapphire.

80 New Behavior Signatures

New signatures including detections for Spectre, Meltdown, various new CVEs, coin miners, DNS hijacker, Loapi and more:


DNS Hijacker

The new signatures enable analysts to spot and catch the latest security threats!

Remote Assistance

Given the complexity of automating the execution of some malware we added a functionality to provide remote assistance. With remote assistance, analysts can connect to the analysis machine via VNC and start samples manually. Further, they can click away security warnings:

Remote Assistance Option

Connect to Analysis Machine

Perform Remote Assistance

Please note VNC has been directly integrated into the Joe Sandbox Web interface. Therefore it is not required to install any VNC client. Remote Assistance is also very useful to detect credit card scams:

Template based Phishing Detection

We strengthened the phishing detection with a template engine. The template engine searches the phishing page for a known template (usually a brand image):

Phishing Page

Template Match

Template based phishing detection increase chances to catch targeted phishing attacks. Analysts can easily add their own brand templates and images. Interested? Read more about template based phishing detection in our recent blog post.

Analysis Report Improvements

Sapphire includes a lot of new graphics, visualizations and report specific improvements. They all make it easier to understand complex threat data:

API groups per Hybrid Code Analysis function

Call Graph for Hybrid Code Analysis
Per Hybrid Code Analysis function CFG Graph

Restructured Dropped File Section

Please note the entropy, which is very efficient to detect ransomware!

HTTP Sessions
Behavior Graphs for analysis on macOS

Support for analysis on macOS High Sierra

Analyse binaries on the latest macOS version:

Support for analysis on Android 7.1 Nougat

Analyse binaries on the recent Android 7.1 release:

Dynamic Instrumentation for Android

With Dynamic Instrumentation Joe Sandbox instruments and analyses dynamically loaded DEX code, enabling deep insights into the latest Android threads:

Want to learn more about Dynamic Instrumentation? Read more about it in this blog post.

Final Words

In this blog post, we introduced some of the major features of the Sapphire release. Furthermore, minor features are

  • IOC logging via Syslog
  • VT / Metadefender score for analysis overview
  • Redesign of the submission page configuration
  • Integration with Viper
  • Integration with Malsub
  • SSL key extraction
  • Button click list for Android
  • Jbxbalancer API script
  • ACE unpacking
  • Fine-grained status information during analysis
  • Backjumping in the HTML analysis report

What is next? We have an amazing pipeline of new technologies and features! Stay tuned! 

Wednesday, February 7, 2018

Decrypting C&C traffic with Hypervisor based Inspection

In mid 2017 we blogged about Hypervisor based Inspection, our technology to deeply analyze malware.

HBI uses hardware assisted virtualization to inspect a program during runtime. HBI also provides very fine grained analysis and captures the following data:

  • System calls
  • Kernel calls
  • User mode calls
  • Access to user mode memory areas (e.g. PEB)
  • Access to performance counters
  • Execution of specific instructions (e.g. CPUID) by kernel and user code

Hypervisor Based Inspection

We continue extending the technology and would like to showcase an interesting analysis where HBI gives some additional insights.

The sample we are analyzing has been uploaded to Joe Sandbox Cloud Basic the 8th of January 2018:

If we look at the behavior graph we see that two processes named dnschart.exe and certcache.exe are started:

Certcache.exe is posting some data via HTTP POST to IP and

The HTTP post looks like compressed or encrypted data. Wouldn't it be nice to know what data is sent by the malware? Maybe the two IPs belong to the command and control server?


Let us assume the POST data is encrypted. How would the malware encrypt the data? Well, there two possibilities: via Windows WinCrypt API or by using it's own implementation. Let us assume the malware is lazy and thus intercept the standard APIs with the help of HBI:

All intercepted APIs are collected in a configuration file. Removing or adding new APIs is very simple and can be easily automated.

After we submitted the sample with the new interception configuration we directly see all crypto related activities including the plaintext data:

But the plaintext does not match the POST data, also it still looks like a binary.


Some of you (with a reversing engineering brain :) might spot in the beginning of data a familiar byte sequence:

What does 7801 mean? It is known as one of the magic headers of a Zlib compressed stream:
  • 78 01 - No Compression/low
  • 78 9C - Default Compression
  • 78 DA - Best Compression

Thus let us decrypt the data from that position with Zlib, and value:

Putting all this together enables to automatically extract Zlib compressed plaintext:

Final Words

Thanks to HBI, Joe Sandbox is able to inspect any API calls. Crypto related API calls which are executed before network related operations are often a good target for hunting. The combination of capturing Crypt API arguments with compression detection, reveals the plaintext send to C&C and allows to identify C&C IOCs.

Interested in trying out HBI or Joe Sandbox Hypervisor? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Report.

Tuesday, January 23, 2018

Generic .Net Unpacking

Nowadays, malware written in C# or VB.NET (also known as the Microsoft .NET Framework) has become more and more common. Ransomware, Spyware and Trojans, they are all available in .NET.

In contrast to C or C++ or even assembly, .NET is much easier and fast to implement. Via Reflection, the code can be dynamically loaded or called, providing an interesting possibility for obfuscation.

Fire and Fury

While browsing some malware samples we recently came across an interesting one:

The first layer is a WinRAR self-extracting archive:

The SFX archive extracts two files, a PE file written in C# and a PDF file. Both are launched:

The PDF indeed is the e-book version of the recently launched book "Fire and Fury" by Michael Wolff which details the behavior of U.S. President Donald Trump during the presidential campaign. The SFX file uses the PDF to conceal its main payload.

Since version 19 (July 2017) Joe Sandbox features automated decompilation of .NET samples. Therefore we can directly inspect the C# source code of fero.exe. Very interesting here is the Form_Load function:

The function decrypts a resource, then loads it, and finally calls its entry point. Wouldn't it be nice to get the decompiled code of the decrypted resource? Enter Generic .NET Unpacking.

Generic .Net Unpacking

Joe Sandbox Ultimate includes a generic PE unpacking engine for any PE file loaded into memory during analysis. Unpacked PE files can be directly downloaded from the analysis results webpage under the secondary analysis results:

With Joe Sandbox v21, those unpacked PE files are also automatically decompiled, resulting in generic .NET Unpacking and decompilation. Cool, isn't it?

Let us have a look at the code of the decrypted and decompiled resource:


Command Handler

Capture Screenshot

Key Logger

Thanks to generic .NET unpacking, we can find all the payloads including: capture screenshot, gather information, keylogger, download and execute, USB infection etc.

Of course, Joe Sandbox is able to automatically detect such code:

Final Words

Thanks to Joe Sandbox Ultimate's generic unpacking engine, analysts get access to any dynamically loaded PE files. With the help of the Joe Sandbox .NET Decompiler, those PE files are automatically converted to source code.

Source code enables the fastest and most accurate analysis of malware.

Interested in trying out Joe Sandbox Ultimate? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Report.

Sunday, December 31, 2017

Happy New Year!

The Joe Security team wishes you success, satisfaction and many pleasant moments in 2018!

Friday, December 22, 2017

Loapi - from Static to Dynamic Instrumentation

You might have already heard about Loapi - the Android malware which will kill your phone due to exhaustive bitcoin mining. Loapi was found by Kaspersky, an excellent write-up can be found here: Jack of all trades.

While Kaspersky's blog post gives a good overview, it does not provide a fine-grained analysis to deeply understand Loapi's behavior. Interesting forensic information, like Loapi's unpacking and obfuscation techniques being left out.

In our opinion, Loapi is one of the first Android trojans which uses multi-stage unpacking and dynamic code loading. Therefore, this blog post is dedicated to explaining how unpacking works and also shortly outlining why Loapi is challenging to be dynamically analyzed - especially through instrumentation approaches.

Layer 1

If we launch Loapi in Joe Sandbox Mobile we get two executed methods:

The more interesting method is attachBaseContext:

The method constructs the DexClassLoader class and contains some very large string. If we browse the code we can indeed see that the long string is decrypted (first base64 decoded) and then stored to a zip file:

The zip file is mapped by the DexClassLoader:

Next method etxtfvw.cqwwrwk.attachBaseContext is called via Java Reflection. Jave Reflection is super cool because it lets you dynamically call method during runtime. During static analysis, it is not clear what method is actually called.

Unfortunately, we do not have any method with that name in the Joe Sandbox report. Why that? Because we first have to understand how static instrumentation works.

Static instrumentation is a method to extract additional runtime information from a program. To achieve that, a program is statically analyzed and new code is added (instrumentation). The purpose of that code is often to log method calls, arguments, class invokes etc. For APK the process looks like this:

To problem with Loapi is that the modified APK is loading new code from itself - to be precise from a string in the APK code. Further, the string is encrypted, then decrypted at runtime and finally loaded. Due to that, no instrumentation takes place and the behavior of that code is fully hidden.

Dynamic Instrumentation

So what can we do? The answer is Dynamic Instrumentation. The instrumentation of the original APK can be done in a way that the newly added code not only logs method calls but also fully controls it. In our case, we can instrument the DexClassLoader constructor call. If it is called we can instrument the DEX code that will be loaded:

So we added a dynamic instrumentation of DEX code. Pretty cool? Yes and, for Loapi this is really a necessity.

Thanks to dynamic instrumentation we can now inspect function etxtfvw.cqwwrwk.attachBaseContext:

We can see an interesting String called /system/framework/XposedBridge.jar and some code to kill the current process. Anti Analysis? You are right. The Xposed Framework is used in CuckooDroid / Cuckoo Sandbox and likely also in some Checkpoint products. Loapi checks the stack trace for method names used by this hooking Framework.

Layer 2

So what is next? After the Anti Analysis check method, YRkfJMV is called:
Let us have a brief look at it:

Another DEX file? Right. This time it is an encrypted file inside the APK resources:

Please note that any API call in method YRkfJMV is done via Reflection. It's important because this is already unpacked / dynamic code. Finally, the newly created DEX file is loaded via reflective constructor call:

From a high-level perspective, the unpacking can be understood as follows:

Any string in the original APK, as well as the stub, are XOR encrypted:

Final Words

Loapi uses a multilayer unpacking approach to obfuscate its payload. It first decrypts a stub which contains an Anti-Analysis technique and the same stub will then decrypts the main trojan. Loapi uses heavily string obfuscation and Java Reflection in the unpacker. All those approaches are well known for Windows malware and now are more and more transferred to Android. 

With dynamic instrumentation, Joe Sandbox Mobile can inspect, instrument and control any DEX code - loaded from a decrypted resource file or downloaded from the internet. For any DEX code, Joe Sandbox Mobile provides some deep content, including method calls, arguments, and other dynamic data. This provides a deep understanding of threats and a best in class malware detection.

Interested in trying Joe Sandbox Mobile? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Repor of Loapi.