Tuesday, September 4, 2018

Hunting for similar Samples with Joe Sandbox Class 2.0

The malware landscape is constantly evolving, and currently, we no longer see tens of thousands of different active malware threats, but only a few different malware families that often share common source code.

Similarity analysis aka hunting for similar samples has recently gained a lot of attention in the security community and as a result, we decided to completely renew Joe Sandbox Class and enhance it with great new features.


In this blog post, we will outline some of the new features related to x86 / x64 code hunting while in a second one, we will outline all the major improvements we have done to search samples for similar architectures.

For those who are not yet familiar with this feature, Joe Sandbox Class is Joe Security's code hunting engine. It's built upon a large database of disassembly functions which are compared against the analyzed sample. 

Joe Sandbox Class 2.0 Intro


How does it work? Joe Sandbox Class acquires data from the Hybrid Code Analysis technology that generates disassembly from memory dumps:




Doing disassembly on memory dumps has a couple of benefits which result in richer functions that include more strings and API calls. In addition, results are more constant than what a disassembler would create from an executable on the disk. Finally, Hybrid Code Analysis generates disassembly from any code including hidden or non-executed sections, shell code etc. 

Rich disassembly functions are an excellent source for similarity analysis and hunting. They often stay the same for several malware versions or variants or are just changed slightly. 

All those rich functions are loaded into Joe Sandbox Class also known as feature selection. Next, Class will generalize the functions. For instance, a file path or URL string is replaced with a generic token. This is important because in different variants the code stays the same but a URL or file path may vary. Afterward, Class will select only the most interesting and relevant functions and those which appear too often are classified as not interesting. The same applies to functions which appear in goodware. Finally, the actual similar function search is performed:



Joe Sandbox Class has several comparison algorithms based on:
  • Strings and APIs
  • Instruction bytes
  • Opcodes 
It implements both precise and fuzzy matching. Once the similarity search is done, Class generates an extensive report. 

Hunting for similar DarkComet Samples


That all being said, let us have a look at a couple of interesting class reports. Here is a DarkComet RAT sample:



The sample was analyzed on August 29th and created six processes. If we jump to the Hybrid Code Analysis section, the redrv.exe with PID 3468 has many interesting functions. Below you can see the function which is the core of DarkComet's keylogger:



Let us now move to the Classification Report for that sample:


Strings and APIs were used for similarity analysis with a precise match:


In total, Joe Sandbox Class found 207915 similar functions in 20178 processes. If we browse down to the similar processes we see that the first process does not have many similar functions. The most are 8 functions.



However, if we scroll down to the process with PID 3468 we see some processes with many similar functions:


If we click on the first process named SCAN00GO we can have a look at all similar functions. Those functions appear one to one in our initial sample and SCAN00GO:


Do you remember this function? Yes, this is the keylogging code. 

If you browse further you can also see all similar functions and how often they appear. For instance, the keylogging function is very unique and perfect for matching similar samples since it was found only 18 times:


However, function Function_0004E254 appears very often and thus does not qualify as being relevant:


While we could introduce whitelists for functions and statistical bounds, we decided not to do that and let the analyst have the final decision. 

Hunting for EQNEDT32.EXE Shellcode

Let us have a look at another sample. This time it is a malicious RTF which uses CVE 2017-11882 or CVE-2018-0802 for payload execution:



Joe Sandbox found shell code which was executed in the Microsoft Office Equation Editor:





Let us move on to the Classification report:


There are 8 function matches in 5 processes which all are inside EQNEDT32.EXE:

 For each match we can easily access the initial file name Conti5290.doc as well as the SHA256:


Or here Quotation Request FRQW9087454.doc:



Final Words


Joe Sandbox Class 2.0 has been completely revamped with the cybersecurity analyst focus in mind. The new Classification Report enables security professionals to easily find similar processes based on rich disassembly functions generated by Hybrid Code Analysis. Hunting for individual functions is now easily possible with Class 2.0 that can be configured to use a wide set of different data sources and comparison algorithms.

Interested in trying out Joe Sandbox Class 2.0?  Then hurry up and contact us for an in-depth technical demo!

Full Analysis and Class Reports:

* DarkComet Analysis Report
* DarkComet Classification Report
* CVE 2017-1188 Shellcode Analysis Report

Tuesday, August 28, 2018

Empowering Joe Sandbox Cloud with Avira URL Cloud



Today we bring you exciting news. We have enhanced the Joe Sandbox Cloud URL reputation with Avira URL Cloud. Avira is a renowned German antivirus software, known to provide excellent malware detection rates!

To enable URL checks, go to the Submission Tab - Intelligence and select "Use third-party URL reputation lookup":


High-Value Reputation Checks for URLs from any source


How does Joe Sandbox Cloud's URL reputation work? Users (manually or via our extensive RestFul Web API) submit samples to Joe Sandbox Cloud. A sample can be either a URL or a binary file:




Joe Sandbox dynamically analyzes the file by executing it in a sandbox. During analysis, Joe Sandbox extracts URLs from several different sources, including:


Network Traffic


Joe Sandbox captures the complete network behavior of the sample. For HTTP and HTTPS (with SSL inspection) URLs are automatically extracted. 





Command Line Arguments



Often malware includes a list of several C&C URLs which are passed via command line. However, only the first URL is contacted during the execution. To get a deeper analysis it is important to also extract URLs from command line arguments.




Memory and Binaries Data


Another very good source to look for URLs is the memory as well as binaries which for instance have been dropped by the malware. Joe Sandbox captures memory dumps at various execution points to detect unpacking and decryption. In addition, any dropped or touched file is preserved and scanned for URLs:






Hybrid Code Analysis


Finally, Joe Sandbox performs extensive static code analysis on captured memory dumps. Disassembly often includes hidden strings which can be valid URLs:




All the extracted URLs are sent to reputation engines that Joe Sandbox Cloud Pro integrates with so far:



Each reputation engine provides a verdict. The verdict is being used for various purposes, such as detecting more malware, lowering false positive as well as providing insights for analysts. Below you can find a few excerpts from reports including reputation data:




Joe Sandbox Cloud more powerful than ever


Thanks to Avira URL Cloud integration, Joe Sandbox Cloud Pro customers benefit from a high-value third-party reputation engine. This without any price change!

In contrast to many other vendors, Joe Sandbox extracts URLs from many sources and checks URLs against a row of five different reputation engines.

A lot of data combined with high-value reputation engines greatly increase the virus detection efficiency of Joe Sandbox!

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!

Tuesday, July 31, 2018

Joe Sandbox 23 - Black Opal is out!

Although it's summertime and the livin' is easy, we have been working hard to deliver Joe Sandbox v23 under the code name Black Opal! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.





Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Black Opal a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileXComplete 
and Ultimate installation right away, then please run the following command:


mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Opal features.



Linux Support


Joe Sandbox Linux 1.0.0 is now officially available for purchase! With Joe Sandbox Linux you can analyze threats targeting Ubuntu as well as CentOS. 




For more details as well as latest analyses of Linux malware please have a look at our recent blog post.



31 New Behavior Signatures


New signatures include detection of Kronos, Hermes, FlawedAmmyy, new UAC bypasses, Agent Tesla, Empire, OSXDummy, XMRig and more:









AI-based Phishing Detection


We further enhanced our template based phishing detection. Instead of relying only on a template matching technique, Joe Sandbox now employs several techniques (including logo region detection, perceptual hashing, and feature detection). We used machine learning to combine the results of all techniques to minimize false positives:













STIX v2 Report



Do you use Structured Threat Information Expression (STIX) as a standard for IOCs or does your threat intelligence solution support STIX? If so, integration with Joe Sandbox has become very easy since Black Opal generates extensive STIX v2 reports (in addition to MAEC, OpenIOC and MISP):






The STIX report includes all major detections and IOCs such as dropped files, processes, domains, and IPs.


Windows 10 x64 1803 Support



Joe Sandbox x23 Black Opal analyzes malware on the latest Windows 10 version!






We have also added Windows 10 support for Joe Sandbox Hypervisor:








Thus, you can analyze threats with Hypervisor based Inspection on Windows 10!


IDA Pro 7.1 Support


IDA Pro 7.1 is now officially supported by the Joe Sandbox Bridge Plugin. The plugin allows to load memory dumps into IDA Pro and enrich it with dynamic information:



Web API v2 Enhancements


With Black Opal we added several new APIs to the RESTful Web API. This includes cookbook and Yara upload, download, deletion, and listing:


As a result, you now can fully automate Yara and Cookbook handling via the API.


Sysmon Logs Extraction


We added a new cookbook to easily extract Sysmon Logs via Joe Sandbox:



For detailed information please have a look at our recent blog post about Sysmon logs.


Android Decompilation


Black Opal decompiles Android Application Packages (APK). As a result, there are several new downloads for Android analyses:



Inside the full Android report you can easily navigate to the source code:




Final Words



In this blog post, we introduced some of the major features of the Black Opal release. Furthermore, minor features are:

  • ContentSettings-Ms support on Windows 7
  • Option to change the keyboard layout through the Web GUI
  • Option to start samples as a normal user through the Web GUI
  • Option to enable Anti-Evasion for data-aware samples through the Web GUI
  • Support for Unicode file names (Chinese, Japanese and Korean)
  • Security alerts (login, PW change etc)
  • Setup code for cookbooks
  • Major speed up for Internet Explorer analysis
  • General analysis speed up
  • Automated Yara rule validation & conflict resolving

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!