Tuesday, November 6, 2018

Scorch Malware with Joe Sandbox Fire Opal

We're nearing the end of 2018 and with that, we proudly release the latest Joe Sandbox update: version 24 - code name Fire Opal! This release is packed with an enormous amount of new features and interesting enhancements that will skyrocket the analysis power of Joe Sandbox.

Our Joe Sandbox Cloud Pro, Basic and OEM servers were upgraded to Fire Opal a couple of days ago.

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Fire Opal features.

77 New Behavior Signatures

With the latest signature update, Joe Sandbox precisely detects the latest threats and evasions. New signatures include detection of Gootkit, GandCrab, AZORult, DarkComet RAT and more:

Ubuntu 18.04 LTS Support

Joe Sandbox now runs on the latest and most secure Ubuntu LTS Server operating system - Bionic Beaver 18.04 LTS. Ubuntu guarantees security updates until the year 2023 for this release:

MITRE ATT&CK Matrix

We have mapped over 1,800 Joe Sandbox behavior signatures to MITRE's adversary tactics and techniques. Every analysis now includes the MITRE ATT&CK matrix, so different malware samples can easily be compared based on their tactics:

VMware ESXi 6.7 Cloning

Fire Opal adds support for installing and running Joe Sandbox on VMware ESXi 6.7. In addition, we implemented cloning for ESXi. With cloning you can scale up Joe Sandbox with a single shell command:

For detailed information, please have a look at our recent blog post about Clone Wars - Zero Effort Scaling.

INetSim Support

You have a critical sample and don't want to analyze it with a real Internet connection, but still want to see the network traffic it initiates? No problem! Fire Opal adds support for connecting Joe Sandbox to INetSim, the industry standard for Internet simulation:

With INetSim, malware samples cannot harm any third party, since no live Internet connection is granted: every request is answered by the simulated services instead.

Tor Connect / Disconnect

You want to grant Internet access to the analysis machine, but in an anonymized way? Fire Opal comes with an automated Tor connector. With a single shell command your system is configured to route all traffic from the analysis machines through Tor:

Web API 2.0 Extensions

We extended the REST API 2.0 with the ability to manage users, cookbooks and YARA rules. You can create, modify and list all users, cookbooks and YARA rules:

URL Memory Extraction

Fire Opal extracts URLs directly from memory dumps and sends them to VirusTotal or MetaDefender for detection:

With this feature, Joe Sandbox detects C&C URLs even if the sample never contacts them during the analysis.
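To illustrate the extraction step, here is an added example (not Joe Sandbox's code) that pulls URLs out of a constructed memory dump. Windows processes keep many strings as UTF-16LE, so the scan covers both ASCII and wide strings and deduplicates the result before any reputation lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed memory-dump bytes: an ASCII URL inside a request line, a
# UTF-16LE URL, a defanged "hxxp" string and a repeat of the first URL.
DUMP = (
    b"\x00" * 8
    + b"GET http://198.51.100.7/gate.php HTTP/1.1\x00"
    + b"\xff" * 5
    + "https://example.invalid/panel/login.php?id=1".encode("utf-16-le")
    + b"\x00\x00"
    + b"not a url\x00hxxp://evil.invalid\x00"
    + b"http://198.51.100.7/gate.php\x00"
)

# ASCII URL: scheme plus at least four characters from the URL charset.
URL_ASCII = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]{4,}")
# UTF-16LE URL: every printable ASCII byte is followed by a NUL byte.
URL_WIDE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


def extract_urls(dump: bytes) -> list:
    """Return the unique URLs found in a memory dump, sorted."""
    found = set()
    for m in URL_ASCII.finditer(dump):
        found.add(m.group().decode("ascii"))
    for m in URL_WIDE.finditer(dump):
        found.add(m.group().decode("utf-16-le"))
    return sorted(found)


def hosts_for_lookup(urls: list) -> list:
    """Collapse the URL list to unique hosts, e.g. for a reputation lookup."""
    return sorted({urlsplit(u).hostname for u in urls})


if __name__ == "__main__":
    urls = extract_urls(DUMP)
    print(urls)
    print(hosts_for_lookup(urls))
```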

Dynamic Data for Hybrid Code Analysis

Dynamic information such as system or API call arguments is now fully passed to our Hybrid Code Analysis engine. As a result, you find function arguments directly in the disassembly section:

This makes reading and understanding the disassembly much easier! Thanks to this feature, we see in the example above that the address of GetTickCount is queried as well as the number of ticks returned by GetTickCount.

Screenshot Thumbnails and Downloads

We added a gallery of all screenshots as thumbnails to the analysis report. This makes it much easier to identify interesting screenshots:

In addition, you can now download a selection of "Interesting Screenshots" only:

Improved VBA Callgraphs

If you activate VBA instrumentation, a technique that extracts dynamic information from VBA macros in Office documents, Joe Sandbox generates an impressive call graph. With Fire Opal we extended that call graph with triggers, the number of calls and the API calls made:

Thanks to this improvement, you can find interesting macro parts more quickly and understand the structure of the code better.

RTF File Parser

Documents in RTF format are now parsed and malicious objects are detected:

Joe Sandbox Class 2.0

The Fire Opal release includes Joe Sandbox Class 2.0. Class is the code similarity engine of Joe Sandbox: it identifies similar samples by comparing code functions. Class 2.0 includes a wide range of new features such as opcode and instruction based similarity searches, a completely redesigned report, as well as various performance improvements:

With Joe Sandbox Class 2.0 analysts find similar samples more quickly, understand which samples are the most similar and why they are similar.

Read more about it on our blog on Hunting for similar Samples with Joe Sandbox Class 2.0.

Dialog Box Support for Android

Android samples requesting dynamic (runtime) permissions have become more frequent. Therefore we added automation support for those dialog boxes:

As a result, Joe Sandbox handles all dialog boxes fully automatically.

Final Words

In this blog post, we introduced some of the major features of the Fire Opal release. Smaller changes include:

  • Added Windows 10 x64 support to Joe Sandbox Hypervisor as well as a huge performance upgrade
  • Added more user-mode API interceptions to Joe Sandbox Hypervisor
  • Added a new guide for Remote Assistance
  • Added a new cookbook to change the timezone of the analysis machine
  • Added a password test for protected office documents
  • Added auto dependency installation
  • Added support for dynamic instrumentation of dropped APKs
  • Added support for decompilation of dropped APKs and DEX files
  • Added support for MITM SSL inspection on Android
  • Huge performance improvement for documents and URL analysis
  • Improved the general analysis performance
  • Improved the selection of interesting Android methods
  • Improved remote assistance

What is next? We have an amazing pipeline of new technologies and features - stay tuned!

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, October 18, 2018

Clone Wars - Zero Effort Scaling

The Joe Sandbox v24 Fire Opal release is knocking at the door and will bring a lot of interesting new features. One of the most interesting ones is support for VMware ESXi 6.7. VMware ESXi is the perfect virtualization solution for building an infrastructure that analyzes large volumes of samples very quickly. Large means 5'000, 10'000 or 20'000 samples per day. In this blog post, we will show you how easy it is to scale Fire Opal with ESXi 6.7.

First of all, why is VMware ESXi the best solution for large-scale malware analysis? Well, there are a couple of reasons. First, ESXi is a type 1 hypervisor:

With a type 1 hypervisor there is no separate host OS; the hypervisor itself is the OS. Examples of type 1 hypervisors are VMware ESXi, Xen or Hyper-V. Examples of type 2 hypervisors are VMware Workstation, VirtualBox or KVM.

Generally, type 2 hypervisors are more often used for virtualization on desktops, while type 1 hypervisors mainly run server workloads. As a result, type 1 hypervisors tend to be much more stable, easier to maintain and better to scale. For instance, VMware ESXi can be connected to vCenter, which allows you to easily maintain several ESXi servers, template VMs, cloning etc. Such features are often not available for type 2 hypervisors.

Linked Clones

With Fire Opal, Joe Sandbox now fully supports ESXi 6.7. In addition, we implemented linked cloning for Windows analyzers. Linked cloning is already available for VMware Workstation and VirtualBox. What are linked clones? Linked clones make your job as a Joe Sandbox administrator much easier. Let us assume you have set up and configured Joe Sandbox with one analysis machine named "Analyzer 1":

With a simple shell command, you can create up to n clones of your analyzer. The new clones "link" to the parent Analyzer 1 and thus only require a very minimal amount of storage (normally about the size of the RAM of Analyzer 1).

Let us have a look at an ESXi instance running Joe Sandbox Fire Opal. We have one Windows 10 analyzer configured:

After login, use the --clonemachine command. The first argument is the number of clones you would like to create and the second is the name of your parent/template VM.

Once cloning is finished refresh the vSphere Web Client:

Don't be alarmed by the "used size" column, it is not correct. All the clones taken together use only 82GB of storage space:

After cloning, the analyzers are ready to analyze samples. To see the number of analyzers in action simply go to the Admin Tab - Monitoring:

Zero Effort Scaling

Thanks to the new support for VMware ESXi, scaling has become incredibly easy. A Joe Sandbox administrator sets up one analyzer and can then multiply the analysis capacity with a simple shell command.

In contrast to VMware Workstation and VirtualBox, ESXi is much better suited for large-scale analysis. It is more stable than type 2 hypervisors, has better features for maintenance and enables zero effort scaling.

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, October 3, 2018

Analyzing Gozi's Anti-Analysis Tricks with Joe Sandbox Hypervisor 2.0

Over the past couple of months, we have focused our efforts on the development of the second version of Joe Sandbox Hypervisor. To inspect a program during runtime, Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques, Hypervisor-based Inspection (HBI) inspects a program more deeply and therefore extracts more malicious behavior. Hypervisor 2.0 can also run on bare metal. We already blogged about how to extract C&C traffic with Joe Sandbox Hypervisor here.

This blog post will show some of the new features we added to Joe Sandbox Hypervisor 2.0 by using a recent Gozi sample found on Vitali Kremez's Twitter account (big kudos):

The Gozi developers are very active and add new tricks and evasions frequently. This time they added two new evasions:

  • GetCursorPos, WaitForSingleObject user activity check
  • GetLocaleInfo, language check

Locale Check

Language checks are very common in targeted malware samples. They help the attackers to restrict the execution of particular samples to one country or to a specific geographical zone (e.g. Asia). If you start browsing the Execution Graph, you can easily spot a suspicious looking section:

The red nodes with a diamond shape are so-called "key decisions". They refer to a location in the code where a decision is made. For evasion, the decision often relates to a process termination, a sleep or crash. Zooming in reveals the API calls and edges:

First the "Locale" information is queried, then a substring search is performed with StrStrIA. At 4010e7 the decision is made whether to execute the payload (left branch) or not:

In case the right branch is taken, the process is simply exited. As a result, the payload is not executed and the sandbox will not detect any malicious behavior:

What is the Locale information about and what does Gozi compare it with? To answer this question, we can jump to the corresponding Hybrid Code Analysis function. Thanks to Hypervisor 2.0 we have the API arguments for many string comparison functions:

String 1 is a list of country codes to compare with. String 2 shows the actual Locale information of the analysis machine on which Joe Sandbox executed Gozi. By putting all this together, the evasion works as follows:

If the machine is located in China or Russia (according to its locale), Gozi simply terminates and does not execute its payload.

Since the locale of the analysis machine is US and not CN or RU, the evasion does not work. Customers analyzing in Russia or China can use one of our Cookbooks to change the locale for the analysis:

User Behavior driven Unpacking

The second evasion which is more unique is related to the User Behavior. Most of the time, when a sandbox analyzes a threat, there is no direct user interaction with the analysis machine. Therefore, the mouse or the keyboard is inactive, allowing advanced malware to detect the sandbox and to evade the dynamic analysis.

Let us have a look at function 4010ED:

We see GetCursorPos, WaitForSingleObject and GetCursorPos again. GetCursorPos is an API that queries the current coordinates of the mouse pointer; WaitForSingleObject is used here as a routine to pause execution. Thanks to the C code decompiler we can easily understand the functionality of the evasion:

At line 45, we can see that the initial cursor coordinates are stored in v108, and then the thread sleeps for 64 milliseconds. Right after, at line 52, the cursor coordinates are stored in v120. If we look further at line 54, the deviation between the two coordinates is calculated. The deviation is used as an argument for the unpacking routine at 401C7A. The whole process repeats until the unpacking routine returns 0 (line 56). A return value of 0 means the unpacking is completed.

If we put this all together the evasion works as follows:

If the mouse is not moved, the deviation between the two cursor positions is zero. If the deviation is zero, the malware does not make progress in the unpacking and, as a result, the loop continues forever.

Joe Sandbox simulates mouse movements and clicks since version 8.0.0. Thus, unpacking completes successfully and the payload is triggered:
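Both evasions above can be spotted in an API call trace. The following added example (not Joe Sandbox's signature code) runs two detection rules over a constructed trace in a hypothetical "pid|api|args|ret" format: one flags a GetLocaleInfo result that is fed into a string comparison against a list of country codes, the other counts GetCursorPos / short WaitForSingleObject / GetCursorPos polling rounds and notes whether the cursor ever moved.

```python
import re
from typing import Dict, List

# Constructed trace (not from the report): locale check, then two
# cursor-polling rounds; the cursor moves only in the second round.
TRACE = """\
1234|GetLocaleInfoA|LOCALE_USER_DEFAULT,LOCALE_SISO3166CTRYNAME|US
1234|StrStrIA|CN;RU,US|0
1234|GetCursorPos|0x19ff10|640,400
1234|WaitForSingleObject|0x1a4,64|258
1234|GetCursorPos|0x19ff10|640,400
1234|GetCursorPos|0x19ff10|640,400
1234|WaitForSingleObject|0x1a4,64|258
1234|GetCursorPos|0x19ff10|651,412
"""

COUNTRY = re.compile(r"\b[A-Z]{2}\b")
STRCMP_APIS = ("StrStrIA", "StrStrIW", "StrStrA", "StrCmpIA", "lstrcmpiA")


def parse_trace(text: str) -> List[Dict[str, str]]:
    calls = []
    for line in text.splitlines():
        pid, api, args, ret = line.split("|", 3)
        calls.append({"pid": pid, "api": api, "args": args, "ret": ret})
    return calls


def locale_check(calls: List[Dict[str, str]], window: int = 5) -> List[str]:
    """Return the country codes a GetLocaleInfo* result is compared against,
    or [] when no such comparison follows within `window` calls."""
    for i, c in enumerate(calls):
        if not c["api"].startswith("GetLocaleInfo"):
            continue
        for nxt in calls[i + 1:i + 1 + window]:
            if nxt["api"] in STRCMP_APIS and c["ret"] in nxt["args"].split(","):
                codes = set(COUNTRY.findall(nxt["args"])) - {c["ret"]}
                if codes:
                    return sorted(codes)
    return []


def cursor_poll_loop(calls: List[Dict[str, str]], min_rounds: int = 2,
                     max_wait_ms: int = 500) -> Dict[str, object]:
    """Count GetCursorPos -> short WaitForSingleObject -> GetCursorPos rounds
    and record whether the two reads of a round ever differed."""
    rounds, moved = 0, False
    apis = [c["api"] for c in calls]
    for i in range(len(calls) - 2):
        if apis[i:i + 3] == ["GetCursorPos", "WaitForSingleObject", "GetCursorPos"]:
            timeout_ms = int(calls[i + 1]["args"].split(",")[-1])
            if timeout_ms <= max_wait_ms:
                rounds += 1
                moved |= calls[i]["ret"] != calls[i + 2]["ret"]
    return {"rounds": rounds, "cursor_moved": moved, "hit": rounds >= min_rounds}
```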

Joe Sandbox Hypervisor 2.0

Today's evasion techniques often use string comparison functions such as StrStr, StrCmp or StrRChr. Joe Sandbox Hypervisor 2.0 captures such API calls and is therefore able to detect samples that are country or region aware and to bypass their checks.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Analysis Report of Gozi 2.17.

Tuesday, September 4, 2018

Hunting for similar Samples with Joe Sandbox Class 2.0

The malware landscape is constantly evolving. Currently, we no longer see tens of thousands of different active malware threats, but only a few malware families that often share common source code.

Similarity analysis, also known as hunting for similar samples, has recently gained a lot of attention in the security community. As a result, we decided to completely renew Joe Sandbox Class and enhance it with great new features.

In this blog post, we will outline some of the new features related to x86 / x64 code hunting, while in a second post we will outline the major improvements we have made to similarity search across architectures.

For those who are not yet familiar with this feature, Joe Sandbox Class is Joe Security's code hunting engine. It is built upon a large database of disassembly functions which are compared against the functions of the analyzed sample.

Joe Sandbox Class 2.0 Intro

How does it work? Joe Sandbox Class acquires its data from the Hybrid Code Analysis technology, which generates disassembly from memory dumps:

Disassembling memory dumps has a couple of benefits: it results in richer functions that include more strings and API calls, and the results are more consistent than what a disassembler would produce from an executable on disk. Finally, Hybrid Code Analysis generates disassembly from any code, including hidden or non-executed sections, shellcode etc.

Rich disassembly functions are an excellent source for similarity analysis and hunting. They often stay the same across several malware versions or variants, or change only slightly.

All those rich functions are loaded into Joe Sandbox Class, a step also known as feature selection. Next, Class generalizes the functions: for instance, a file path or URL string is replaced with a generic token. This is important because in different variants the code stays the same while a URL or file path may vary. Afterward, Class selects only the most interesting and relevant functions; functions which appear too often are classified as not interesting. The same applies to functions which appear in goodware. Finally, the actual similar-function search is performed:

Joe Sandbox Class has several comparison algorithms based on:

  • Strings and APIs
  • Instruction bytes
  • Opcodes

It implements both precise and fuzzy matching. Once the similarity search is done, Class generates an extensive report.
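The pipeline described above (generalization, feature selection against goodware and overly common functions, then precise and fuzzy matching) is shown end to end in this added example. It is not Joe Sandbox Class code; the function records, the three-process corpus, the goodware set and the opcode 3-gram Jaccard score used for fuzzy matching are all constructed for illustration.

```python
import re

URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")

def generalize(strings):
    """Replace variable data (URLs, file paths) with generic tokens so that
    variants differing only in C&C address or drop path still match."""
    return tuple(sorted(PATH_RE.sub("<PATH>", URL_RE.sub("<URL>", s)) for s in strings))

def signature(func):            # precise-match key: generalized strings + APIs
    return (generalize(func["strings"]), tuple(sorted(func["apis"])))

def shingles(opcodes, n=3):     # opcode n-grams for fuzzy matching
    return {tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def select_features(sample, corpus, goodware, max_df=0.5):
    """Keep sample functions that are neither in goodware nor present in more
    than max_df of the corpus processes (too common to be telling)."""
    good = {signature(f) for f in goodware}
    kept = []
    for f in sample:
        sig = signature(f)
        df = sum(any(signature(g) == sig for g in proc) for proc in corpus) / len(corpus)
        if sig not in good and df <= max_df:
            kept.append(f)
    return kept

def hunt(sample, corpus, goodware, fuzzy_threshold=0.5):
    """Return (sample_func, process_index, corpus_func, kind, score) hits."""
    hits = []
    for f in select_features(sample, corpus, goodware):
        fsig, fsh = signature(f), shingles(f["opcodes"])
        for pid, proc in enumerate(corpus):
            for g in proc:
                if signature(g) == fsig:
                    hits.append((f["name"], pid, g["name"], "precise", 1.0))
                elif (score := jaccard(fsh, shingles(g["opcodes"]))) >= fuzzy_threshold:
                    hits.append((f["name"], pid, g["name"], "fuzzy", round(score, 2)))
    return hits

# Constructed data: a keylogger-like function, a goodware init function and a
# CRT helper that occurs in every corpus process.
KEYLOG_OPS = ["push", "mov", "call", "test", "jz", "mov", "call", "cmp", "jne", "ret"]
SAMPLE = [
    {"name": "keylog", "strings": ["[ESC]", "C:\\Users\\bob\\klog.txt"],
     "apis": ["GetAsyncKeyState", "GetForegroundWindow"], "opcodes": KEYLOG_OPS},
    {"name": "init", "strings": [], "apis": ["GetModuleHandleA"], "opcodes": ["push", "call", "ret"]},
    {"name": "crt", "strings": [], "apis": ["GetLastError"], "opcodes": ["mov", "call", "ret"]},
]
CORPUS = [
    [{"name": "Function_00401000", "strings": ["[ESC]", "C:\\Temp\\k.log"],
      "apis": ["GetForegroundWindow", "GetAsyncKeyState"], "opcodes": KEYLOG_OPS}, SAMPLE[2]],
    [SAMPLE[2]],
    [{"name": "Function_00402200", "strings": ["[ESC]", "[TAB]", "C:\\Temp\\k.log"],
      "apis": ["GetAsyncKeyState", "GetForegroundWindow"],
      "opcodes": KEYLOG_OPS[:8] + ["je", "ret"]}, SAMPLE[2]],
]
GOODWARE = [SAMPLE[1]]
```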

Hunting for similar DarkComet Samples

That all being said, let us have a look at a couple of interesting Class reports. Here is a DarkComet RAT sample:

The sample was analyzed on August 29th and created six processes. If we jump to the Hybrid Code Analysis section, redrv.exe (PID 3468) has many interesting functions. Below you can see the function which is the core of DarkComet's keylogger:

Let us now move to the Classification Report for that sample:

Strings and APIs were used for similarity analysis with a precise match:

In total, Joe Sandbox Class found 207915 similar functions in 20178 processes. If we browse down to the similar processes, we see that the first process does not have many similar functions (8 at most).

However, if we scroll down to the process with PID 3468 we see some processes with many similar functions:

If we click on the first process named SCAN00GO we can have a look at all similar functions. Those functions appear one to one in our initial sample and SCAN00GO:

Do you remember this function? Yes, this is the keylogging code. 

If you browse further you can also see all similar functions and how often they appear. For instance, the keylogging function is highly distinctive and perfect for matching similar samples, since it was found only 18 times:

However, function Function_0004E254 appears very often and thus does not qualify as being relevant:

While we could introduce whitelists for functions and statistical bounds, we decided not to do that and let the analyst make the final decision.

Hunting for EQNEDT32.EXE Shellcode

Let us have a look at another sample. This time it is a malicious RTF which uses CVE-2017-11882 or CVE-2018-0802 for payload execution:

Joe Sandbox found shellcode which was executed in the Microsoft Office Equation Editor:

Let us move on to the Classification report:

There are 8 function matches in 5 processes which all are inside EQNEDT32.EXE:

For each match we can easily access the initial file name Conti5290.doc as well as the SHA256:

Or here Quotation Request FRQW9087454.doc:

Final Words

Joe Sandbox Class 2.0 has been completely revamped with the security analyst in mind. The new Classification Report enables security professionals to easily find similar processes based on the rich disassembly functions generated by Hybrid Code Analysis. Hunting for individual functions is now easily possible with Class 2.0, which can be configured to use a wide set of data sources and comparison algorithms.

Interested in trying out Joe Sandbox Class 2.0? Then hurry up and contact us for an in-depth technical demo!

Full Analysis and Class Reports:

* DarkComet Analysis Report
* DarkComet Classification Report
* CVE-2017-11882 Shellcode Analysis Report