Tuesday, May 8, 2018

Evasive Malware hits French Corporations

We recently came across an interesting sample on Joe Sandbox Cloud Basic:

The sample has been detected as malicious, yet this is mainly due to antivirus signature hits:

When looking closely at the Behavior Graph, one discovers something interesting:

The main sample unpacks itself to facture_1398665.tmp. This process then creates a large number of temporary PE files, which are renamed in the next step:

Hostile Firefox loading LOL

Among the PE files is a file called firefox.exe. Firefox.exe is indeed a legitimate copy of the well-known web browser:

This is interesting because Firefox is used to load some of the malicious DLLs, including LOL_Dll.dll. Likely this bypasses some endpoint protection tools and antivirus products:

Right after LOL_Dll.dll has been loaded, Firefox crashes with a COM loading error:

GetKeyboardLayout 0xC

So what is causing this crash? A careful examination of LOL_Dll.dll (which is neither obfuscated nor packed) reveals the following code:

The corresponding code for that part of the execution graph is shown below. The code calls the Windows API GetKeyboardLayout and then performs some checks. The keyboard layout is language dependent: a US user has a different layout than a Swiss user. The layout check therefore serves as a way to restrict the malware to specific users:

The value 0Ch corresponds to French keyboard layouts:

As a result, the sample either executes its payloads or crashes, depending on the target machine keyboard.
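To understand which victims a check like this selects, an analyst decodes the HKL values that GetKeyboardLayout returns: the low word is a Windows LANGID whose low 10 bits are the primary language (0x0C is French) and whose top 6 bits are the sublanguage (France, Switzerland, Canada, ...). The following Python is an added example and not part of the original post or of Joe Sandbox; the trace format and VM names are constructed for the example. It decodes the handles and reports on which machines the 0Ch comparison would succeed, which is exactly the information needed to decide how to configure the analysis machine:

```python
import re

# Primary language identifiers from the Windows SDK (winnt.h) for the layouts mentioned in the post.
LANG_ENGLISH = 0x09
LANG_GERMAN = 0x07
LANG_FRENCH = 0x0C
LANGUAGE_NAMES = {LANG_ENGLISH: "English", LANG_GERMAN: "German", LANG_FRENCH: "French"}


def primary_language(hkl: int) -> int:
    """Primary language ID of an input locale handle (HKL) as returned by GetKeyboardLayout.

    The low word of the HKL is a LANGID; its low 10 bits are the primary language
    (0x0C = French) and its top 6 bits the sublanguage (France, Switzerland, ...).
    """
    return (hkl & 0xFFFF) & 0x3FF


def sublanguage(hkl: int) -> int:
    """Sublanguage ID (the regional variant) of an input locale handle."""
    return (hkl & 0xFFFF) >> 10


def describe(hkl: int) -> str:
    """Human-readable description of a layout handle for an analysis note."""
    lang = primary_language(hkl)
    return f"{LANGUAGE_NAMES.get(lang, 'other')} (primary 0x{lang:02X}, sub 0x{sublanguage(hkl):02X})"


# Constructed API-trace lines: the line format and VM names are made up for this example.
CONSTRUCTED_TRACE = """\
vm=win7-us  api=GetKeyboardLayout ret=0x04090409
vm=win7-de  api=GetKeyboardLayout ret=0x04070407
vm=win7-ch  api=GetKeyboardLayout ret=0x08070807
vm=win7-fr  api=GetKeyboardLayout ret=0x040C040C
vm=win7-frch api=GetKeyboardLayout ret=0x100C100C
vm=win7-us  api=GetSystemDefaultLangID ret=0x0409
"""

LINE_RE = re.compile(r"vm=(?P<vm>\S+)\s+api=GetKeyboardLayout\s+.*ret=0x(?P<ret>[0-9A-Fa-f]+)")


def machines_passing_check(trace: str, wanted_primary: int = LANG_FRENCH):
    """Return the VMs on which a 'primary language == wanted' comparison succeeds,
    i.e. the machines on which the sample would run its payload instead of crashing."""
    passing = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m and primary_language(int(m["ret"], 16)) == wanted_primary:
            passing.append(m["vm"])
    return passing


if __name__ == "__main__":
    for line in CONSTRUCTED_TRACE.splitlines():
        m = LINE_RE.match(line)
        if m:
            print(m["vm"], describe(int(m["ret"], 16)))
    print("payload would run on:", machines_passing_check(CONSTRUCTED_TRACE))
```

Note that both the French (France) and the Swiss French handles pass, because the check only compares the primary language and ignores the sublanguage; a sandbox therefore needs any French variant, not a specific one, to get past this gate.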

Custom Keyboard Layout

Thanks to Cookbooks - tiny scripts which fully define the malware analysis procedure - we can easily change the default keyboard layout in a fully automated manner to the one required by the code:

The change of the layout is done via the control panel intl.cpl.

The cookbook is submitted together with the sample to Joe Sandbox. The resulting analysis is much richer and contains many IOCs.

Final Words

Joe Sandbox cannot be easily fooled by evasive malware. Thanks to hybrid code analysis, the execution graph and cookbooks, malware analysts have a powerful tool to analyze any malware.

This blog post is a good example of that. Within minutes we were able to detect the evasive code and write a cookbook to analyze it.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, April 25, 2018

Deep Analysis of Java Archives

Analyzing binaries dynamically is a tricky job. We believe there are 5 major challenges when attempting to do so:

Today's focus is on one problem referred to as “Variety of Input”. Let us assume you have developed a great technology which can deeply analyze malware written in x86 or x64. As great as it may be, it will not get you far if the malware is written in C#, VBS, JS, PowerShell, VB, Delphi or Java.

You will have to develop a dedicated solution for each of those runtime environments. Unfortunately, there is no single technique which deeply analyzes any input regardless of its type.

For this reason, we think a multi-technology platform and architecture are the means to deeply analyze malware. That is why we have already built unique techniques to analyze the following:

In addition to these, Joe Sandbox also analyzes files on Windows, Linux, macOS, Android and iOS.

To enrich this family of technologies, we have recently added a new one, with the aim of deeply analyzing Java Archives (JAR).

The Rise of JAR

Malware written in Java has become very popular. This is due to a couple of reasons. First of all, Java is platform independent. As an example, a remote access trojan can easily be operated on macOS, Windows and Linux. Secondly, it is simple to write programs in Java. Thirdly, Java malware is not that well detected by antivirus programs.

Deep Analysis of Java Archives

Most sandbox vendors are currently able to capture the system calls executed by a Java program. However, the information is not very detailed. Incident responders and malware analysts are keen on getting the executed Java APIs and their arguments, as well as the decompiled code.

To cover these requirements, we recently added a new JAR tracing functionality to Joe Sandbox:

JAR tracing performs two tasks:

  • Dynamically instrumenting Java bytecode to capture API calls and arguments
  • Java bytecode decompilation to generate Java source code

Extraction of Java API arguments

Let us have a look at the benefits of extracting Java API arguments. Given a JRAT sample we can detect various suspicious behaviors:

Full Analysis Report

To hide code, JRAT uses AbstractScriptEngine.eval. Since Joe Sandbox can trace the API, we get the evaluated String. Java malware is often heavily obfuscated and packed. Thanks to JAR tracing, Joe Sandbox can detect the unpacking process:

Full Analysis Report

Finally, JAR tracing enables the extraction of the RAT configuration:

Full Analysis Report

The configuration is again extracted from API arguments and not statically decrypted from the binary.
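The three benefits described above (the evaluated script string, the unpacking layers and the RAT configuration) all come from the same source: a trace of Java API calls with their arguments. The Python below is an added example, not Joe Sandbox's JAR tracing or its report format; it runs three simple detection rules over a constructed JSON-lines trace whose class names, script and values are made up for the example. The point it shows is that none of the rules needs to decrypt or decompile anything, because the malware hands the interesting data to the Java API at runtime:

```python
import json

# Constructed JAR-tracing output in JSON-lines form. The format, the class names and the
# values are made up for this example; they are not Joe Sandbox's report format.
CONSTRUCTED_TRACE = """\
{"api": "java.lang.ClassLoader.defineClass", "args": {"name": "stub.Stage2", "length": 31744}}
{"api": "javax.script.AbstractScriptEngine.eval", "args": {"script": "var k = 'persist'; java.lang.System.getProperty('user.home');"}}
{"api": "java.lang.ClassLoader.defineClass", "args": {"name": "stub.Stage3", "length": 120832}}
{"api": "java.util.Properties.getProperty", "args": {"key": "NETWORK_HOST"}, "ret": "203.0.113.10"}
{"api": "java.util.Properties.getProperty", "args": {"key": "NETWORK_PORT"}, "ret": "4444"}
{"api": "java.net.Socket.<init>", "args": {"host": "203.0.113.10", "port": 4444}}
"""


def parse_trace(text: str):
    """One dict per traced API call."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluated_scripts(calls):
    """Scripts handed to ScriptEngine.eval: code that exists only at runtime, never in the JAR's class files."""
    return [c["args"]["script"] for c in calls if c["api"].endswith("ScriptEngine.eval")]


def detect_unpacking(calls, min_bytes=4096):
    """Classes defined from in-memory byte arrays signal an unpacking layer; small ones are ignored as noise."""
    return [(c["args"]["name"], c["args"]["length"])
            for c in calls
            if c["api"] == "java.lang.ClassLoader.defineClass" and c["args"]["length"] >= min_bytes]


def extract_rat_config(calls):
    """Recover the configuration from API arguments and return values, not by decrypting the binary."""
    cfg = {}
    for c in calls:
        if c["api"] == "java.util.Properties.getProperty" and "ret" in c:
            cfg[c["args"]["key"]] = c["ret"]
        elif c["api"] == "java.net.Socket.<init>":
            cfg.setdefault("endpoints", []).append(f'{c["args"]["host"]}:{c["args"]["port"]}')
    return cfg


def summarize(text: str):
    """Run all three rules over a trace and collect the findings."""
    calls = parse_trace(text)
    return {
        "scripts": evaluated_scripts(calls),
        "unpacked_classes": detect_unpacking(calls),
        "config": extract_rat_config(calls),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(CONSTRUCTED_TRACE), indent=2))
```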

Java Decompilation

In addition to Java API arguments, Joe Sandbox also provides the decompiled source code. Malware Analysts can directly download the source code zip in the analysis detail view:

For instance, in the case of CrossRAT you can easily understand the persistence via autostart.

Final Words

Today's malware samples come in various formats and types. A single technology approach fails to analyze all samples. Joe Sandbox includes a wide array of domain-specific technologies to always get the deepest analysis possible. 

With JAR tracing, incident responders and malware analysts get a powerful tool to extract Java API calls including their arguments. This vastly increases detection capabilities and also helps in understanding complex payloads. In addition, one can download the full decompiled Java source code for extensive analysis.

Interested in JAR tracing and willing to try it? Contact us today and we will provide a trial!

Thursday, April 19, 2018

Introducing Joe Sandbox Mail Monitor

Let us assume that you are working in a SOC and are receiving hundreds of requests from end-users asking whether an e-mail is safe to open or not. In most cases, you would take the e-mail and submit it to Joe Sandbox in order to check its behavior report. If the respective e-mail showed signs of a malicious attachment or URL, you would consequently inform the end-user.

Wouldn't it be nice if this whole process could be automated? Wouldn't it be great if you could choose to get notified about a detection or not, based on the analysis verdict or its score?

In this regard, we have good news for you! Joe Sandbox Mail Monitor is exactly what you are looking for.

What exactly is Mail Monitor? Have a look at the diagram below:

To enable Mail Monitor you first have to create a new e-mail account with the name sandbox@yourhost.com. End-users will then forward suspicious e-mails to the defined address. Mail Monitor will periodically fetch new e-mails from that account and submit them to Joe Sandbox. Joe Sandbox will fully dissect the e-mail and analyze all the attachments and URLs. As an example, see the report of a phishing link below:

Once the analysis is complete, Mail Monitor will reply to the user with an e-mail containing the verdict:

It will also add screenshots in the attachment.

SOCs, CIRTs and CERTs can fully customize the e-mail reply:

Furthermore, they can set alerts to get notified if a URL or an attachment has been detected as malicious or if a specific threat has been detected (Alerts can be customized down to the smallest detail).
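The workflow above has three mechanical steps once the mail has been fetched: dissect it into attachments and URLs, decide from the analysis verdicts or scores whether to notify, and compose the reply. The Python below is an added example and not Mail Monitor's code; it uses only the standard library, constructs the forwarded mail and the sandbox results inline (addresses, URL, verdicts and scores are made up), and the alert thresholds are assumptions:

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_constructed_mail() -> bytes:
    """A forwarded 'is this safe?' mail, constructed for the example (addresses and URL are made up)."""
    msg = EmailMessage()
    msg["From"] = "alice@yourhost.com"
    msg["To"] = "sandbox@yourhost.com"
    msg["Subject"] = "FW: Invoice 1398665"
    msg.set_content("Hi, is this safe? http://203.0.113.10/invoice/ Thanks, Alice")
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="octet-stream", filename="facture.doc")
    return bytes(msg)


def dissect(raw: bytes) -> dict:
    """Step 1: split the mail into the objects a sandbox would analyze: attachments and URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "attachments": attachments, "urls": sorted(urls)}


def should_alert(analyses, notify_verdicts=("malicious",), min_score=50) -> bool:
    """Step 2: alert policy. Notify on verdict or on score, as the post describes (thresholds assumed)."""
    return any(a["verdict"] in notify_verdicts or a["score"] >= min_score for a in analyses)


def compose_reply(dissected: dict, analyses) -> str:
    """Step 3: the reply to the end-user with one verdict line per analyzed object."""
    lines = [f'Analysis of "{dissected["subject"]}" forwarded by {dissected["from"]}:']
    for a in analyses:
        lines.append(f'  {a["object"]}: {a["verdict"]} (score {a["score"]})')
    lines.append("Overall: " + ("DO NOT OPEN" if should_alert(analyses) else "no threat detected"))
    return "\n".join(lines)


# Constructed sandbox results for the two objects in the sample mail (verdicts and scores made up).
CONSTRUCTED_ANALYSES = [
    {"object": "facture.doc", "verdict": "malicious", "score": 84},
    {"object": "http://203.0.113.10/invoice/", "verdict": "suspicious", "score": 32},
]

if __name__ == "__main__":
    d = dissect(build_constructed_mail())
    print(d)
    print(compose_reply(d, CONSTRUCTED_ANALYSES))
```

The hash per attachment is what you would feed to the sandbox and later match against its report; keeping it next to the filename also lets the SOC correlate repeated forwards of the same attachment without re-analyzing it.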

Joe Sandbox Mail Monitor has been integrated into Joe Sandbox Desktop, Complete, Ultimate and Cloud Pro.

Interested in Joe Sandbox Mail Monitor and willing to try it? Contact us today and we will provide a trial!

Thursday, April 5, 2018

Introducing Joe Sandbox A1, World's first Golden Hardware appliance!

We are very happy to announce today the launch of Joe Sandbox A1, the world's first and most powerful appliance for performing deep malware analysis on bare-metal hardware. With our brand new appliance, you can say goodbye to malware evading virtual environments.

To the best of our knowledge, A1 is the world's smallest and most powerful deep malware analysis appliance. We specifically designed A1 for the analysis of APTs and targeted attacks. A1 runs fully standalone, so you do not have to worry about the privacy of any samples you analyze!

Some of the top-notch A1 features are:

Small Form Factor

Joe Sandbox A1 has a small form factor of only 145(W) x 195(D) x 44.5(H) mm. It fits into any server rack. In addition, Joe Sandbox A1 produces little noise and can therefore be used directly in your lab.

Golden Hardware - Analysis on Bare Metal

Joe Sandbox A1 runs and analyzes malware on bare-metal hardware and does not use any virtualization solution like KVM, VirtualBox, Xen or VMware. Since the malware runs on real hardware, it cannot detect any virtual machine.

Hypervisor-Based Inspection

Joe Sandbox A1 includes Joe Sandbox Hypervisor and benefits from all its features, including user-mode, kernel, system call and memory monitoring, stealthiness and high efficiency. Please have a look at this blog post to learn more about hypervisor-based inspection.

Third Party Integrations

Joe Sandbox A1 has many third-party integrations. Detection results from VirusTotal and MetaDefender are visualized in the analysis report. Joe Sandbox A1 also integrates with incident response solutions such as TheHive, FAME, MISP and CRITs. You can also use Joe Sandbox A1 in the security automation and orchestration platforms Phantom and Demisto. We also offer integration with additional tools such as Viper and Malsub.

Joe Sandbox A1 allows for seamless integration into existing threat intelligence systems. It has a simple RESTful web API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow for fast integration.

Full Root Access

For customization and tuning, we provide full root access to A1. This makes it possible to change or install additional software on the bare-metal analysis machine. Furthermore, customers can write their own behavior signatures.

Interested in A1 and want to know more? Contact us today and we will schedule a demo and in-depth technical presentations!

Friday, March 23, 2018

Empowering Joe Sandbox Cloud with Avira Anti-Malware

Today we bring you amazing news. We have just finalized the integration of Avira Anti-Malware into Joe Sandbox Cloud. Avira, a renowned German antivirus vendor, is known for excellent malware detection rates!

With the help of this integration, our Joe Sandbox Cloud Pro customers will benefit from automated Avira Anti-Malware scans of:

  • Initially submitted file
  • Dropped files
  • Unpacked PE files

AV scanning of unpacked PEs is the best

Particularly the unpacked PE files should be considered for antivirus scanning. The samples on disk are often obfuscated and encrypted, which gives the antivirus a hard time detecting anything. Joe Sandbox Cloud's unpacking engine uses memory dumps captured during the whole lifetime of a process to restore the original binary. Think of it as an AV scanner which scans the process memory at each unpacking layer:
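The underlying technique is worth seeing in code: a file-based scanner cannot be pointed at a raw memory dump, so the engine has to locate the PE images inside the dump and write them out in a form a scanner understands. The Python below is an added example, not Joe Sandbox's unpacking engine; it carves every plausible PE image out of a constructed dump (a decoy "MZ" in the noise shows why the header checks matter) and then re-aligns the section table so that each section's raw data points at where it sits in memory, which is the classic fix applied to memory dumps before scanning them:

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
FILE_HEADER_FMT = "<HHIIIHH"
# First 24 bytes of IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTION_FMT = "<8sIIII"
SECTION_SIZE = 40


def parse_headers(buf, base: int):
    """Validate the DOS/NT headers at `base`; return the fields needed for carving, or None."""
    if base + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    nt = base + e_lfanew
    if not (0x40 <= e_lfanew <= 0x400) or nt + 24 + 60 > len(buf):
        return None                      # implausible e_lfanew (e.g. a random 'MZ' in data)
    if buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, buf, nt + 4)
    opt = nt + 24
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]        # same offset for PE32 and PE32+
    sections_at = opt + opt_size
    if size_of_image == 0 or base + size_of_image > len(buf) or sections_at + nsections * SECTION_SIZE > len(buf):
        return None
    return {"machine": machine, "nsections": nsections, "sections_at": sections_at, "size_of_image": size_of_image}


def carve_pe_images(dump: bytes):
    """Scan a memory dump for PE images; return one dict per image with its bytes."""
    found = []
    pos = dump.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        hdr = parse_headers(dump, pos)
        if hdr:
            found.append({"offset": pos, "machine": hdr["machine"],
                          "size_of_image": hdr["size_of_image"],
                          "image": dump[pos:pos + hdr["size_of_image"]]})
        pos = dump.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def section_table(image: bytes):
    """The (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) tuples of an image."""
    hdr = parse_headers(image, 0)
    if hdr is None:
        raise ValueError("not a PE image")
    return [struct.unpack_from(SECTION_FMT, image, hdr["sections_at"] + i * SECTION_SIZE)
            for i in range(hdr["nsections"])]


def realign_sections(image: bytes) -> bytes:
    """Make a memory-layout image loadable as a file: raw offset/size := virtual address/size."""
    out = bytearray(image)
    hdr = parse_headers(out, 0)
    if hdr is None:
        raise ValueError("not a PE image")
    for i in range(hdr["nsections"]):
        off = hdr["sections_at"] + i * SECTION_SIZE
        _, vsize, vaddr, _, _ = struct.unpack_from(SECTION_FMT, out, off)
        struct.pack_into("<II", out, off + 16, vsize, vaddr)   # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_constructed_dump() -> bytes:
    """Constructed dump: noise containing a decoy 'MZ', then one minimal PE32 image as laid out in memory."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 56, 0x2000)                      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x1000)                      # SizeOfHeaders
    section = bytearray(SECTION_SIZE)
    struct.pack_into(SECTION_FMT, section, 0, b".text\0\0\0", 0x200, 0x1000, 0x200, 0x400)  # on-disk values
    headers = dos + IMAGE_NT_SIGNATURE + file_hdr + opt + section
    image = headers + bytes(0x1000 - len(headers)) + b"\xCC" * 0x1000
    noise = bytes(100) + b"MZ" + b"\x90" * 200                    # decoy 'MZ' with garbage e_lfanew
    return bytes(noise + image)


if __name__ == "__main__":
    for img in carve_pe_images(build_constructed_dump()):
        fixed = realign_sections(img["image"])
        print(f"PE at 0x{img['offset']:X}, machine 0x{img['machine']:X}, "
              f"SizeOfImage 0x{img['size_of_image']:X}, sections {section_table(fixed)}")
```

Real dumps add two complications the example leaves out: the engine has to take a dump at every layer (the post's "whole lifetime of a process"), because each unpacking stage overwrites the previous one, and import tables of a dumped image usually need rebuilding before a scanner can resolve them.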

The scan is done directly on Joe Security's premises; as a result, our customers' samples remain entirely private! Many sandbox solutions upload binaries to third-party services, thus sharing samples further without any privacy guarantees!

In addition to privacy, customers also get the antivirus label:

This helps to get a first indication of the malware type. Please be aware that solutions which use VirusTotal or MetaDefender are not allowed to use any of the detection labels!

URL Reputation

Aside from the Avira integration, we also added a third party based URL reputation lookup. URL reputation information has been directly added to the report:

It has also been added to some of the behavior signatures:

Joe Sandbox Cloud more powerful than ever

Both the Avira Anti-Malware integration and the URL reputation lookup substantially increase the detection efficiency of Joe Sandbox Cloud. Antivirus scanning of memory dumps and unpacked PE files makes it even more powerful!

The Avira Anti-Malware and URL reputation integration have been added to Joe Sandbox Cloud Pro for all account types, without any price change!

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!

Tuesday, February 27, 2018

How Malware fools Sandboxes with complex Installation Procedures

Cybercriminals are always innovative and fast in finding new tricks to bypass security solutions, and sandboxes are no exception. If you look at today's tricks, the majority belong to the group of environment checks: the malware detects that it is not running on the real target system but rather in a sandbox, and therefore hides its real behavior. However, what if the sandbox does not know how to execute the sample at all, or if it does not find the payload?

This blog post will outline some advanced attacks which fall into this category and show how Joe Sandbox can handle these evasions.

King PDF

PDF has been used for years to deliver malware to endpoints, mostly through exploits. The shellcode inside the PDF is the trigger used to download and install a second-stage malware. However, these days PDFs are also often used to just deliver a link:

When the victim clicks on the link, the malware is downloaded via a web browser and then installed.

Given this common scenario, the goal of a sandbox is to precisely simulate this behavior.

Sandbox UI automation 101

To be able to automate the user interaction, the sandbox has to first find the link in the PDF. There are two ways to do so:

  • Parse the PDF and search for links
  • Click on the link

Most sandboxes choose the first option as it is the easiest way. However, this has major shortcomings, since a link can be well hidden inside a PDF. In addition, the link can also be obfuscated or dynamically generated via JavaScript. If we look at the PDF below, it contains a link, but the PDF is encrypted. To get the link, you first have to decrypt the PDF:

As you can observe, link extraction via parsing the PDF is not really the solution. How about clicking on the link? This is also non-trivial because Adobe Reader uses its own UI elements. Windows UI Automation (UIA) does not help here, and the UISpy tool only detects the PDF page but not the link button:

So how does Joe Sandbox solve this? Well, first it creates a grid on the PDF page and then tries to determine whether each cross point is worth clicking. If so, it simulates clicks on each interesting cross point and watches the Adobe Reader process for any events:

If a button is reached and clicked successfully, the click simulation is stopped. Then right afterwards, our OCR UI engine takes over.

OCR based UI Automation

Using the above-mentioned technique, Joe Sandbox's PDF automation has successfully clicked the link. As a result, the local browser is opened by the operating system and, since the link points to a file, the file is downloaded:

As a next step, the sandbox needs to execute the downloaded sample. Of course, the most straightforward technique for the "lazy" would be to locate the temporary file on disk and then launch it. However, we have seen some malware which checks if the parent process is the browser and not e.g. Windows Explorer. Therefore, the only way is to continue with UI automation.

Again, Windows UI Automation and similar techniques do not help. We guess the reason is that Microsoft protects some of these buttons from programmatic clicking for security reasons.

Joe Sandbox solves this problem via a unique UI automation approach based on optical character recognition (OCR). The engine works like this:

  • Find the interesting top-level window
  • Perform OCR
  • Compare detected word with a predefined button list
  • For each match click on the word
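Steps 2 to 4 of that loop reduce to a matching problem once the OCR engine has returned words with their bounding boxes. The Python below is an added example, not Joe Sandbox's OCR engine: the OCR result is constructed for a "do you want to run this file?" style dialog (coordinates made up), the button list is a short illustrative one, and the rule that picks the lowest occurrence when a label appears both in the dialog text and on a button is a heuristic assumed for this example. It shows why a naive word match is not enough: "run" appears in the question as well as on the button, and only the button may be clicked:

```python
from dataclasses import dataclass


@dataclass
class OcrWord:
    """One word recognized by OCR with its bounding box in window coordinates."""
    text: str
    left: int
    top: int
    width: int
    height: int

    def center(self):
        """The point a click simulation would send to this word."""
        return (self.left + self.width // 2, self.top + self.height // 2)


# Predefined button list (assumption: a short illustrative list; the real engine's list is not public).
BUTTON_LABELS = ["run", "open", "ok", "yes", "next", "install", "continue"]

# Constructed OCR result for a "Do you want to run this file?" style dialog (coordinates made up).
CONSTRUCTED_OCR = [
    OcrWord("Do", 24, 40, 22, 14), OcrWord("you", 50, 40, 30, 14), OcrWord("want", 84, 40, 40, 14),
    OcrWord("to", 128, 40, 16, 14), OcrWord("run", 148, 40, 28, 14), OcrWord("this", 180, 40, 30, 14),
    OcrWord("file?", 214, 40, 36, 14),
    OcrWord("Run", 300, 200, 40, 18), OcrWord("Cancel", 360, 200, 60, 18),
]


def normalize(text: str) -> str:
    """Make OCR output comparable with the button list: strip punctuation and case."""
    return text.strip().strip(".,:;!?()[]").lower()


def plan_clicks(words, labels=BUTTON_LABELS):
    """Steps 3 and 4: compare each OCR word with the button list and return one click per matched label.

    When a label occurs several times (dialog text and button), the occurrence lowest on the
    window is chosen, since dialog buttons sit at the bottom (heuristic assumed for this example).
    """
    plan = []
    for label in labels:                      # label order doubles as click priority
        matches = [w for w in words if normalize(w.text) == label]
        if matches:
            target = max(matches, key=lambda w: w.top)
            plan.append((label, target.center()))
    return plan


if __name__ == "__main__":
    for label, point in plan_clicks(CONSTRUCTED_OCR):
        print(f"click {point} for button '{label}'")
```

"Cancel" is recognized too but never clicked, because it is not in the button list: the engine clicks what looks interesting for letting the sample proceed, not every button it sees.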

During analysis, this looks as follows:

The full behavior due to the simulation can be easily seen in the process startup overview:

Please note that this technology is independent of the UI framework used by an application. It is fully generic and clicks on anything which looks interesting. Below you find an example of a URL analysis:

Final Words

Joe Sandbox does not go the lazy way. In contrast to many other solutions which try to extract links via PDF parsing, Joe Sandbox uses UI automation to extract them, no matter whether the link is encrypted, obfuscated or hidden. To trigger downloads, it uses a unique, generic OCR-based UI automation approach which precisely simulates a user.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!