Wednesday, January 8, 2020

Dissecting Agent Tesla with Deep .NET Tracing

Today's malware, droppers and threats targeting Windows come in various "form-factors". They can be an obfuscated Javascript file, a malicious VBA Macro, a JAR payload, etc. In 2019 we have seen an increase of malware using the .NET Framework. Usually, malware or packers / crypters are written either in C Sharp or Visual Basic Net. 

Joe Sandbox is the only malware analysis system using different technologies to analyze each format deeply. Over the last nine years we have developed these ten different technologies:

Our most recent addition is what we call Deep .NET tracing. .NET tracing captures all .NET API calls with arguments. To demonstrate the power of Deep .NET tracing we will dissect a recent Agent Tesla sample. Agent Tesla is a well known .NET based RAT and used by many threat actors. Most of the variants use multi-layer obfuscation to evade detection and hinder analysis. 

Layers Layers Layers

The sample we are going to analyze has been found on VirusTotal (MD5: 03baf522fb9c86bd5512a0ee72457f86, File Name: MT ESSTAR V1911.exe). To enable Deep .NET tracing you have to tick the checkbox in the Code Analysis Section:

When the analysis is finished, you can download the trace files in the download section:

The trace files are available in two formats:

  • Text, easily readable by analysts
  • CSV, easily parsable by machines

Let's have a look at the text trace file. As we can see from the trace file MT ESSTAR V1911.exe - ,the initial file is a simple loader which loads an assembly named Model.exe from the resource section:

Next, the method set_sako is called in Model.exe

You might now think and ask yourself, wouldn't it be nice to have Model.exe as a file? Well, we have good news, Deep .NET tracing extracts all loaded assemblies. You will find all of them in the memory dumps:

All dumped assemblies are scanned against all Yara rules you have stored in Joe Sandbox. What is set_sako doing next? Well, its loading another assembly (named Software Updates.dll, 2nd stage) from its resource section:

Right before the assembly is loaded, it is decrypted, as you can see from the Param 0 and Return Value

Again, the assembly is dumped and stored so that you can download it. 

Generic .NET Unpacking

Wouldn't it be fantastic if we have the source code of the decrypted assembly? Well again we have good news, Joe Sandbox decompiles all dumped PE files (see our previous blog post about generic .NET unpacking). You can download all decompiled .NET projects here:

In the download we find the full source code for the third stage:

This looks to be CyaX Sharp which is a well-known loader and injector. It comes with various anti-analysis features:

It also employs techniques to disable Windows Defender. When all the anti-analysis techniques are passed, it calls its final injection routine to launch the Agent Tesla payload:

Continuing to follow the .NET trace, we can see the various activities related to information-stealing.

Stealing login data from Google Chrome:

System information gathering

Uploading the stolen data via e-Mail:

Deep Malware Analysis

Thanks to the new Deep .NET Tracing feature, analysts can look at each single .NET API call and fully understand the inner workings of malware. With the assembly dumping, each unpacking stage is preserved and decompiled. The dumped assembly can be scanned and detected with Yara, while the source code enables an even deeper view into the malware's inner workings.

Joe Sandbox handles the different malware form factors or formats differently and applies various technologies. This helps analyzing malware in a depth previously not possible! 

Would you like to try Deep .NET tracing? Then contact us today to get a trial for Joe Sandbox Cloud Pro. 

Full Analysis Data

Tuesday, December 31, 2019

Happy New Year

The Joe Security team wishes you success, satisfaction and many pleasant moments in 2020!

Wednesday, December 18, 2019

Fighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation

Country aware malware, which is also known as location or geo-aware malware, is again on the rise. Recently, we have spotted a new campaign targeting Italian organizations. The attack vector is a spam email containing an attachment with a malicious Microsoft Office Macro inside. We covered a similar case that targeted French organizations at the beginning of this year.

In this blog post, we will look at another recent variant and showcase how Joe Sandbox is automatically bypassing the evasions.

The sample we are going to investigate (MD5: c5e1106f9654a23320132cbc61b3f29d) was submitted to Joe Sandbox Cloud Basic on December 9th 2019 (full analysis link, IOCs: The file format is a Microsoft Office Excel sheet. Interestingly, we see more Excel spreadsheets than Word or Power Point files using evasions. There is a high chance that using Excel documents makes it easier for attackers to bypass static detectors. The sample we are going to present targets Italian users:

File Name and Country check

The Macro it contains is triggered via Notifica_Layout:

The Object_Layout routine is less known compared to Workbook_Open or Auto_Open and therefore lowers the detection probability. Notifica_Layout performs the first evasion as a file name check. The execution will proceed only if there is the letter "I" in the file name:

Renaming potential suspicious files is a very common practice. We often see users renaming files to the MD5 or SHA1 name, add the extension .virus, .bin, .sample etc. Obviously, this is very bad practice if you want to analyze the sample in a sandbox, since it's trivial to check for such changes. Please also note that a sandbox has no way of reconstructing the original file name.

Happily, the user of this Excel sheet decided to submit the sample with the original file. As a result, the function Formato is called:

Formato performs another evasion check by calling Finesta. Finesta returns the user interface language (msoLanguageIDUI).

Formato then compares the user interface language to 1040 which is Italian:

The Power of VBA Instrumentation

Now if you look at the screenshot you will see that Excel has English as the UI language:

So how was Joe Sandbox able to fake that user interface language setting? The key technology for doing this is VBA instrumentation. We introduced VBA instrumentation in 2016. If you want to learn more about this unique technology please have a look at this blog post.
VBA instrumentation enables Joe Sandbox to completely control the VBA code. It generates the nice VBA call graph as well as annotated VBA functions. For the given LanguageID function we are able to define a custom "hook" which returns a fake ID:

However, to do so, Joe Sandbox also needs to find out which country is targeted by the document. To achieve this, we developed a new technology which analyzes all strings inside a Microsoft Office document and provides a best guess on the target:

Please note that all this happens fully automated. Other sandboxes require that the user chooses the targeting country manually if such an option exists at all.

Next, an obfuscated PowerShell command is launched via WMIC:

PowerShell then extracts and launches the Ursnif Trojan:

 A Sigma rule also detects Ursnif brilliantly:

Multi-Technology Platform

VBA instrumentation paired with static target discovery ("Which country or the victim is targeted by a sample?") is a very powerful combination. It enables Joe Sandbox to automatically adapt the analysis system as well as the malware sample behavior to bypass any evasion.

Joe Sandbox incorporates many other analysis technologies, including simulation, emulation, hybrid analysis, hypervisor based analysis, execution graph analysis etc. All these technologies make Joe Sandbox one of the most advanced and powerful malware analysis system for Windows, macOS, Linux, Android and iOS. 

Interested to try Joe Sandbox? Then contact us today to get a trial for Joe Sandbox Cloud Pro.

Tuesday, October 29, 2019

Joe Sandbox + SIGMA

Is it true that Joe Sandbox supports Sigma? Yes, we have successfully integrated Sigma into Joe Sandbox. Sigma is available in Joe Sandbox Cloud and will be part of the upcoming Joe Sandbox v28 Lapis Lazuli release. 

Do you know what Sigma is? If you don't, this blog post will help you get a better understanding. 

Sigma in a Nutshell

Sigma is a generic and open signature format to detect malware and other security-related events in log files. Which are the log files currently supported? 

  • Firewall logs
  • Operating System logs
  • Proxy logs
  • Web server access logs

For Windows, the operating system logs include:

  • Sysmon events
  • Event logs 
  • Process creation events

Logs are usually kept in a security information and event management system (SIEM). To search in your SIEM or log source, Sigma offers to convert your rule into a search query specific to your SIEM product (the target):

Currently, Sigma rules can be converted to the following targets:

  • Splunk (plain queries and dashboards)
  • ElasticSearch Query Strings
  • ElasticSearch Query DSL
  • Kibana
  • Elastic X-Pack Watcher
  • Logpoint
  • Windows Defender Advanced Threat Protection (WDATP)
  • Azure Sentinel / Azure Log Analytics
  • Sumologic
  • ArcSight
  • QRadar
  • Qualys
  • RSA NetWitness
  • PowerShell
  • Grep

By supporting so many targets, Sigma has a tremendous advantage: one rule can be used in various SIEMs. This allows sharing, prevents vendor lock-in, and makes Sigma generic. 

Sigma and Joe Sandbox

Okay, Sigma is great, but Joe Sandbox is not a SIEM! So how shall Joe Sandbox benefit from Sigma?
Well, Sigma is being used (among other things) to write threat detection rules for events such as Sysmon events, Windows event logs, and operating system process creation events. All those events are captured during the detonation of malware in a sandbox:

If the sandbox understands Sigma, a rule written to detect a threat on the endpoint (e.g. based on Sysmon data) could be also used to detect the threat in the Sandbox. Or the other way around, Sigma rules that were written for a sandbox can be applied to your SIEM! Isn't that fantastic? We truly think it is! 

Sigma in Joe Sandbox enables any customer to write and share threat detection rules based on dynamic data/events even if they don't have a SIEM!

Joe Sandbox also supports Yara rules (including scanning of memory dumps). Yara for the binary world and Sigma for the dynamic world make a perfect combination.


What Sigma rules can I write in Joe Sandbox? Joe Sandbox currently supports eight different events:

  • Process creations (product: windows or linux or macos, category: process_creation)
  • Sysmon: Process creation, Event ID 1 (product: windows, category: sysmon)
  • Sysmon: Network connection, Event ID 3 (product: windows, category: sysmon)
  • Sysmon: Remote thread creation, Event ID 8 (product: windows, category: sysmon)
  • Sysmon: File creation, Event ID 11 (product: windows or linux or macos, category: sysmon)
  • Sysmon: Registry key set, Event ID 13 (product: windows, category: sysmon)
  • Powershell: Powershell Transcript Logging (product: windows, service: powershell)
  • Windows Event Logs (product: windows, service: security|application|system)

A detailed description of the event fields can be found in our user guide under Sigma - List of events.

We have directly added Linux and macOS support for the process creation and file creation event. With that, you can write Sigma rules covering Linux and macOS threats!


Sigma rules are written in YAML format and have a very simple structure. Below you can see an example which uses the process creation event as input:

Joe Sandbox uses various optional meta attributes, such as threatname, behaviorgroup or id. This helps Joe Sandbox to identify threats and do proper classification. The level attribute impacts the verdict of the sandbox. For instance, many Sigma rules matched with a critical level will lead to an overall malicious verdict. 

The heart of the rule is the detection definition which contains a selector with fields or lists. Fields and lists have great wildcard support. The condition is a Boolean expression which in case it evaluates to true, will lead to a rule match.

You can find a full specification of Sigma here

Importing Rules

Importing Sigma rules is super easy. Note you don't need to convert any of the Sigma rules. Joe Sandbox understands Sigma natively. 

To import a rule go to the Editor navigation tab. Then click Sigma:

You might either upload a Sigma rule as a .yml file or a zip of .yml files or alternatively  specify a Github repository containing Sigma rules:

In this case, Joe Sandbox will always import the latest Sigma rule from that repository. Very handy for open source repositories! 

Do you want to modify a rule? This can be easily done in the Sigma editor:

Sigma matches

Once you have imported a rule, you will find the Sigma matches for the new analysis in the full behavior report:

In the top navigation bar click on Overview - Sigma Overview:

Clicking on Show sources will tell you the underlying event responsible for the match:

Sigma Rule Feed

The events supported by Joe Sandbox cover currently around 70% of all community Sigma rules

Joe Security itself started writing its own Sigma rules and decided to share all of the current and new rules with the community under the GPL license. You will find all our Sigma rules on Github:


We have uploaded the current Sigma and Joe Security community rules to Joe Sandbox Cloud Basic. You can easily search matched Sigma rules by using Joe Sandbox View, our threat hunting & search engine:

Via Sigma, Joe Sandbox found a sample using Get2Downloader, likely associated with TA505:

Or here, a Sigma based Wannacry detection via the open-source rules:

Joint Power

Sigma is great, it is generic and therefore allows to easily share threat rules. There is no vendor lock-in. Joe Sandbox's community rules, once converted, can be used to search in many SIEMs. 

You can write your own Sigma rules and use them in Joe Sandbox. Simply upload them in the Sigma editor and you are ready to rock! 

Joe Security has committed to open source all its major Sigma rules on the Joe Security Sigma Github Repo

Would you like to try Joe Sandbox? Then contact us today to get a trial for Joe Sandbox Cloud Pro.