Thursday, October 12, 2017

Joe Sandbox 20 is out!



Happy Release Day!!! A new Joe Sandbox version is out! This is our twentieth release, what a number!

Version 20 is a big release with many improvements, enhancements, and new features. If you have an on-premise installation you can simply upgrade to Joe Sandbox 20 via:

mono joeboxserver --updatefast

In this blog post, we will show some of the enhancements and features of the new release.

74 New Behavior Signatures


We have added a record number of 74 new signatures to Joe Sandbox Desktop, Mobile, X, Complete and Ultimate. Well, the last months have indeed been very busy with WannaCryPetya, WireXCVE-2017-8759 and CCleaner. Our signature set currently includes over 1,414 individual written rules!





Generic Javascript instrumentation


Javascript instrumentation allows to trace, analyze and detect any Javascript method, argument, API call or string. With Javascript instrumentation Joe Sandbox deobfuscates Javascript files and detects hidden evasions:






Javascript instrumentation is the only known technique which covers such fine-grained tracing. Full system emulation or inter-modular call tracing is not able to provide such insights. For more details on the instrumentation engine have a look at our blog post: Generic Javascript Instrumentation.

LIA - Localized Internet Anonymization



Targeted malware often checks for IP geolocation information. For instance, malware targeting a US corporation might check that the IP belongs to a Internet provider in the US. Further, the IP owner can be compared to known blacklists:







To circumvent geolocation checks we added Localized Internet Anonymization (LIA) to Joe Sandbox v20. With LIA Joe Sandbox users can choose from various countries when they submit a sample:




Reboot & Scheduler Simulation


We see more and more payloads which only execute on reboot or on specific days. To analyze those payloads Joe Sandbox v20 comes with an advanced reboot and scheduler simulation:



Please note that Joe Sandbox simulates a reboot in seconds. So the analysis machine is not really rebooted. Other solutions perform a full reboot which takes several minutes.


Web API v2


We completely redesigned our Web API. API v2 has consistent JSON output, excellent error handling, support for Python > 2.7 and is much easier to use. We also rewrote the Python wrapper. You find a complete Python web API implementation in our Github Repository.



Collider Navigation


Thanks to Deep Malware Analysis, Joe Sandbox analysis reports contain a wealth of information. Sometimes it is difficult to navigate inside that massive data. To make navigation easier we added a new control - the collider. The collider is accessible via the top menu bar:



Since the report data is structured hierarchically one can easily move from broad overview to details,  e.g. from behavior signatures to behavior groups, or from dropped files to Yara overview. One can also easily jump from network to execution graphs or processes. 


Android Device Admin Automation


Android malware often requests device administrator privileges. So far Joe Sandbox could not grant device admin privileges to APK.  With v20 this is now possible. We added automation code that clicks through the dialogs:


As a result, the analysis contains more behavior, better detection, and more runtime information.

Threat Intelligence

Joe Sandbox v20 profits from threat intelligence via Joe Sandbox View. Joe Sandbox View is a search engine backed by a collection of high-value IOCs and threat indicators shared by Joe Sandbox Cloud users. Context information is available in a new section in the Joe Sandbox v20 Report:


Final Words



In this blog post we demonstrated some of the big major features, but Joe Sandbox 20 contains many more new features in addition, such as:

  • New Yara section in reports
  • Yara scanning of unpacked PE files
  • A new load balancing script
  • IDA Pro Bridge Plugin support for x64 dumps
  • Support for CRT files
  • Randomization of sample names
  • Dropped file preservation for Android in reflective calls
  • Icons for process startup
  • New cookbook commands for fake printer, fake bookmarks, and fake documents
  • Cookbooks parameters
What is next? We have an amazing pipeline of new technologies and features! Stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, October 5, 2017

Generic JS Instrumentation



Attackers are constantly changing their tactics and procedures in order to find new containers to deliver and execute code on end-points. Beside VBA in Microsoft Office Documents, Javascript files are a very popular infection vector:



Why? In contrast to VBA, Javascript offers many constructs for advanced obfuscation:





Obfuscation often includes eval() on a string, representing the code obtained through complex computations that are extremely hard to follow statically. As javascript runs in the browser, endpoint protection solutions have to be careful, each FP could have a big impact. Given the complexity, it's hard to correctly detect malicious JS files. 



Javascript files are often just droppers which will download a second stage malware. However, we have recently seen an increase of evasive Javascript files, crafted to prevent analysis and execution in Sandboxes.

JS Instrumentation



To better fight this type of evasion, we have added JS instrumentation to Joe Sandbox v20 (our upcoming release). What is instrumentation? Instrumentation is a technique to modify a program before runtime, by inserting logging and trace code:


Instrumentation is extremely powerful since it features the following benefits:

  • Trace of any variable such as strings, integers etc.
  • Trace of any function call, including full parameters
  • Trace of any API call, including full parameters
  • Modification of any variable, function call or function arguments

Finally, this allows us to detect and bypass evasions! Please note that full system emulation or inter-modular call tracing is not able to provide such insights. Only instrumentation covers that fine-grained access and tracing.

So how does Javascript instrumentation work internally? We have developed a full Javascript parser (this is complex). The parser understands all semantics of the code and generates an abstract syntax tree (AST). The AST allows inserting new code while making sure the newly generated code is still working correctly. 

The Javascript instrumentation can be easily enabled / disabled on Joe Sandbox's submission page:



Detecting Dropper Behavior

Let us have a look at the sample 12PO #927476.js (MD5: b5b90ef6266f34b0eb4f9d3a9878a21e, full report):


In the report, you find the Javascript Instrumentation data in the Disassembly section:


An annotated call graph visualizes what code parts have been executed:



Right below you find the Javascript code on the left side. On the right side you find the dynamic data:


The main purpose of the anonymous function on line 10 is to return the string Wscrip.Shell. We can easily find URLs, domains and IPs in the output:


The sample checks if vbc.exe (Visual Basic Command Line Compiler) is installed, as well as which Antivirus software is installed:



Additionally, it also checks the serial number of the primary disk:


Finally, the Javascript file is copied to the user startup directory. Each time the system reboots the payload gets executed.



Detecting Evasive Behavior


Let us have a look at sample mal.js  (SHA256: 206a351c718ae5e7737f6cc3866505e5de3cf10b44636a451b1506b0742d75d8, full report):






Mal3.js was uploaded to Joe Sandbox Cloud Basic and analyzed without Javascript instrumentation. The detection was "clean" and no interesting behavior has been found:




Let's turn on Javascript instrumentation and analyze the sample again (full analysis report):



The sample is now detected as malicious. If we navigate to "Malware Analysis System Evasion" we find a detection for time-based evasions:


The execution coverage is very low (orange = executed):



For each signature, we can easily navigate to the data which triggered the signature:



Which jumps to:



This sample executes its payload only before 2017-09-28 09:52:05.


Final Words


With Javascript instrumentation Security Analysts and Incident Responders get a unique and powerful technology to deeply analyze malicious Javascript. In addition, Javascript instrumentation enables Joe Sandbox to detect and circumvent evasions which other platforms miss. Javascript instrumentation offers very fine-grained tracing and access that full system emulation and intermodular tracing cannot provide. 

Have you known that we also have instrumentation for Macro / VBA Code in Microsoft Office documents? If not, check out our blog post about Generic VBA Instrumentation.

Looking to test Javascript instrumentation? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, September 20, 2017

Joe Sandbox Cloud Basic, a new era begins!



Today we’re very proud to announce the launch of the fully redesigned Joe Sandbox Cloud Basic website

Over the past years, we have constantly collected a lot of information and received extremely helpful feedback from our users that helped us build a FREE, unified and community driven automated malware analysis platform.
With today's release we made some major improvements to our community platform, among them:

  • File, Document, URL, Mobile and Mail Analyzer are now regrouped under one unified platform, matching 1:1 that of Joe Sandbox Cloud Pro.


  • The users are now able to submit any sample type or URL on Windows, as well as APK's on Android operating systems. 

  • The users have now the possibility to download reports as HTML (complete, executive), PDF, incident XML, plus PCAP data for your analysis.

  • All the analyses machines are up to date (Windows 7 with various software installed, Android 6.0).

  • All Joe Sandbox Cloud Basic users have now full access to Joe Sandbox View with more than 15,000 reports for context search.


With the new Joe Sandbox Cloud Basic, everyone can benefit from the power of our automated malware analysis engine and get a feel for the advanced features Joe Sandbox Cloud Pro has to offer.