Wednesday, October 25, 2017

NotPetya reappears as BadRabbit and keeps the Semi Kill Switch

Yesterday, Russia and Ukraine were targeted by the Bad Rabbit ransomware, distributed via drive-by download.

The sample named install_flash_player.exe, sha256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, has some very strong similarities to NotPetya, the ransomware which spread via the EternalBlue SMB exploit in June.

There are many behavior-based similarities, such as the started processes:

[Figure: Bad Rabbit]

But there are also many code-based similarities. Multiple companies have already blogged about the differences (1,2); however, what we also found very interesting is that the ransomware kept the kill switch. Not the domain-based one which was activated by @Malwaretech for NotPetya, but rather the local machine-based one, which once set prevents infection. If one looks at function 807E8E, we can see that Bad Rabbit checks for the file C:\Windows\cscc.dat. If it exists, the process will exit:

So, to get protected, just create the file C:\Windows\cscc.dat and you are good!

Full analysis + sample available at Joe Sandbox Cloud Basic.

Thursday, October 19, 2017

Bare Metal - Golden Hardware

Joe Sandbox enables analysts to execute and analyze malware on Bare Metal machines. What is Bare Metal and why does it matter? No, it is not the cool Bare Metal hot rod above, but it has a similar performance!

Dynamic malware analysis systems (so-called sandboxes) execute malware samples on a segregated machine and capture their runtime behavior. Sandbox vendors use different types of analysis machines:

Virtual Machines

Virtual Machines (VMs) are the most common. They run inside VirtualBox, VMware, KVM or Xen - the top four virtualization solutions. VMs typically run on hardware with hardware virtualization support, which helps to run multiple operating systems efficiently and securely on the same physical machine. Although a VM may run with hardware virtualization, it is not equivalent to Bare Metal.

Qemu (Full System Emulation)

Qemu is a machine emulator: the hardware, including the CPU, disk, video card etc., is fully implemented in software.

Bare Metal

Bare Metal refers to using a physical device for analysis, e.g. a laptop or PC purchased directly from the local hardware store.

Bare Metal is King

So does it matter whether malware is executed on a VM, Qemu or Bare Metal? It matters a lot! The "normal" execution environment of malware is always Bare Metal. Your employee laptop does not run on a VM or Qemu. Malware exploits that fact by checking if it is running on Bare Metal. If it is not, it simply does not show any malicious behavior. As a result, the sandbox will not detect any malicious activities and will wrongly classify the file as clean:

How difficult is it for malware to detect a VM or Qemu? Very easy. How hard is it to make a VM or Qemu look like a Bare Metal machine? Practically infeasible. There are scripts around to remove some of the vendor brands and strings; however, that is just the tip of the iceberg.

To prove that, let us run the tool HWInfo (which displays the hardware configuration of the machine) on both a KVM virtual machine and a Bare Metal machine:


The full HWInfo report on KVM is available here.

[Figure: HWInfo report on Bare Metal]

We have summarized some of the outliers below:

As you can see, there are many differences. The table just lists some outliers for hardware devices. However, malware could also check and compare the performance of the machines, e.g. the GPU:

[Figure: Bare Metal]

Again, there are big differences. And again, making the KVM VM equal to Bare Metal is practically infeasible.

Joe Sandbox, no restriction for Bare Metal analysis

Joe Sandbox does not restrict you to analyzing malware on a particular virtualization solution or device. You are free to choose which kind of machine to analyze on:

  • Modern Bare Metal Laptop
  • Modern Bare Metal PC
  • Mac Mini
  • MacBook Pro
  • Bare Metal Android Phone (e.g. Motorola G3)
  • iPhone
If you use Bare Metal machines, you leave malware no chance to detect the analysis environment. Detection techniques which are successful against KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. So if you already have a sandbox or are looking to get one, then ask yourself: is Bare Metal analysis supported? Or is the sandbox solely based on KVM, VirtualBox, Qemu or Xen?

Golden Image - Golden Hardware

With Joe Sandbox you are not only free to choose the target analysis machine but also the operating system, its configuration and the installed applications. Again, there is no restriction: you can install any software.

With Joe Sandbox you get the ability to analyze malware on a Golden Image on Golden Hardware!

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, October 12, 2017

Joe Sandbox 20 is out!

Happy Release Day!!! A new Joe Sandbox version is out! This is our twentieth release, what a number!

Version 20 is a big release with many improvements, enhancements, and new features. If you have an on-premise installation you can simply upgrade to Joe Sandbox 20 via:

mono joeboxserver --updatefast

In this blog post, we will show some of the enhancements and features of the new release.

74 New Behavior Signatures

We have added a record number of 74 new signatures to Joe Sandbox Desktop, Mobile, X, Complete and Ultimate. Well, the last months have indeed been very busy with WannaCry, Petya, WireX, CVE-2017-8759 and CCleaner. Our signature set currently includes over 1,414 individually written rules!

Generic Javascript instrumentation

Javascript instrumentation allows tracing, analyzing and detecting any Javascript method, argument, API call or string. With Javascript instrumentation, Joe Sandbox deobfuscates Javascript files and detects hidden evasions:

Javascript instrumentation is the only known technique which covers such fine-grained tracing. Full system emulation and inter-modular call tracing are not able to provide such insights. For more details on the instrumentation engine, have a look at our blog post: Generic Javascript Instrumentation.

LIA - Localized Internet Anonymization

Targeted malware often checks IP geolocation information. For instance, malware targeting a US corporation might check that the IP belongs to an Internet provider in the US. Further, the IP owner can be compared against known blacklists:

To circumvent geolocation checks, we added Localized Internet Anonymization (LIA) to Joe Sandbox v20. With LIA, Joe Sandbox users can choose from various countries when they submit a sample:

Reboot & Scheduler Simulation

We see more and more payloads which only execute after a reboot or on specific days. To analyze those payloads, Joe Sandbox v20 comes with an advanced reboot and scheduler simulation:

Please note that Joe Sandbox simulates a reboot in seconds; the analysis machine is not actually rebooted. Other solutions perform a full reboot, which takes several minutes.

Web API v2

We completely redesigned our Web API. API v2 has consistent JSON output, excellent error handling, support for Python > 2.7 and is much easier to use. We also rewrote the Python wrapper. You can find a complete Python web API implementation in our Github Repository.

Collider Navigation

Thanks to Deep Malware Analysis, Joe Sandbox analysis reports contain a wealth of information. Sometimes it is difficult to navigate that massive amount of data. To make navigation easier, we added a new control - the collider. The collider is accessible via the top menu bar:

Since the report data is structured hierarchically, one can easily move from a broad overview to details, e.g. from behavior signatures to behavior groups, or from dropped files to the Yara overview. One can also easily jump from network to execution graphs or processes.

Android Device Admin Automation

Android malware often requests device administrator privileges. So far, Joe Sandbox could not grant device admin privileges to APKs. With v20 this is now possible. We added automation code that clicks through the dialogs:

As a result, the analysis contains more behavior, better detection, and more runtime information.

Threat Intelligence

Joe Sandbox v20 benefits from threat intelligence via Joe Sandbox View. Joe Sandbox View is a search engine backed by a collection of high-value IOCs and threat indicators shared by Joe Sandbox Cloud users. Context information is available in a new section of the Joe Sandbox v20 report:

Final Words

In this blog post we demonstrated some of the major features, but Joe Sandbox 20 contains many more new features, such as:

  • New Yara section in reports
  • Yara scanning of unpacked PE files
  • A new load balancing script
  • IDA Pro Bridge Plugin support for x64 dumps
  • Support for CRT files
  • Randomization of sample names
  • Dropped file preservation for Android in reflective calls
  • Icons for process startup
  • New cookbook commands for fake printer, fake bookmarks, and fake documents
  • Cookbook parameters
What is next? We have an amazing pipeline of new technologies and features! Stay tuned!

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, October 5, 2017

Generic JS Instrumentation

Attackers are constantly changing their tactics and procedures in order to find new containers to deliver and execute code on endpoints. Besides VBA in Microsoft Office documents, Javascript files are a very popular infection vector:

Why? In contrast to VBA, Javascript offers many constructs for advanced obfuscation:

Obfuscation often includes calling eval() on a string that holds the code, obtained through complex computations which are extremely hard to follow statically. As Javascript also runs in the browser, endpoint protection solutions have to be careful: each false positive (FP) could have a big impact. Given this complexity, it is hard to correctly detect malicious JS files.

Javascript files are often just droppers which download a second-stage malware. However, we have recently seen an increase in evasive Javascript files, crafted to prevent analysis and execution in sandboxes.

JS Instrumentation

To better fight this type of evasion, we have added JS instrumentation to Joe Sandbox v20 (our upcoming release). What is instrumentation? Instrumentation is a technique to modify a program before runtime by inserting logging and trace code:

Instrumentation is extremely powerful since it features the following benefits:

  • Trace of any variable such as strings, integers etc.
  • Trace of any function call, including full parameters
  • Trace of any API call, including full parameters
  • Modification of any variable, function call or function arguments

Finally, this allows us to detect and bypass evasions! Please note that full system emulation and inter-modular call tracing are not able to provide such insights. Only instrumentation offers such fine-grained access and tracing.

So how does Javascript instrumentation work internally? We have developed a full Javascript parser (this is complex). The parser understands all semantics of the code and generates an abstract syntax tree (AST). The AST allows inserting new code while making sure the newly generated code still works correctly.

The Javascript instrumentation can be easily enabled / disabled on Joe Sandbox's submission page:

Detecting Dropper Behavior

Let us have a look at the sample 12PO #927476.js (MD5: b5b90ef6266f34b0eb4f9d3a9878a21e, full report):

In the report, you find the Javascript Instrumentation data in the Disassembly section:

An annotated call graph visualizes what code parts have been executed:

Right below, you find the Javascript code on the left side and the dynamic data on the right side:

The main purpose of the anonymous function on line 10 is to return the string Wscrip.Shell. We can easily find URLs, domains and IPs in the output:

The sample checks if vbc.exe (Visual Basic Command Line Compiler) is installed, as well as which Antivirus software is installed:

Additionally, it also checks the serial number of the primary disk:

Finally, the Javascript file is copied to the user startup directory. Each time the system reboots the payload gets executed.

Detecting Evasive Behavior

Let us have a look at sample mal.js (SHA256: 206a351c718ae5e7737f6cc3866505e5de3cf10b44636a451b1506b0742d75d8, full report):

Mal3.js was uploaded to Joe Sandbox Cloud Basic and analyzed without Javascript instrumentation. The detection was "clean" and no interesting behavior was found:

Let's turn on Javascript instrumentation and analyze the sample again (full analysis report):

The sample is now detected as malicious. If we navigate to "Malware Analysis System Evasion", we find a detection for time-based evasion:

The execution coverage is very low (orange = executed):

For each signature, we can easily navigate to the data which triggered the signature:

Which jumps to:

This sample executes its payload only before 2017-09-28 09:52:05.
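To make the tracing idea from the JS Instrumentation section and the time-gated evasion above concrete, here is an added example that is not Joe Sandbox's code: Joe Sandbox rewrites the AST before execution, whereas this harness hooks the runtime (eval, Date and a constructed WScript stand-in) to obtain a comparable trace of a constructed dropper stub, and pins the observed clock so the time-gated payload executes and is logged. The sample, the PAYLOAD string and all function names are assumptions for illustration.

```javascript
// Added example (not Joe Sandbox's code): runtime-hook instrumentation of a
// constructed JS dropper stub. Joe Sandbox rewrites the AST instead; hooking
// eval, Date and a constructed WScript stand-in gives a comparable trace.

const trace = [];                                   // collected trace events
function log(kind, detail) { trace.push({ kind, detail: String(detail) }); }

// Constructed stand-in for the Windows Script Host objects a dropper touches.
function fakeWScript() {
  return {
    CreateObject(progId) {
      log('CreateObject', progId);
      return { Run(cmd) { log('Shell.Run', cmd); return 0; } };
    },
  };
}
// Run sample source with eval, Date and WScript replaced by hooked versions.
// fakeNow is the wall-clock time (ms since epoch) the sample will observe.
function instrumentedRun(code, fakeNow) {
  const HookedDate = class extends Date {
    constructor(...a) {
      super(...(a.length ? a : [fakeNow]));          // no args: a clock read
      if (!a.length) log('clock-read', new Date(fakeNow).toISOString());
    }
    static now() { log('clock-read', new Date(fakeNow).toISOString()); return fakeNow; }
  };
  // Code passed to eval() goes through the same hooked scope, so every layer is traced.
  const hookedEval = (src) => { log('eval', src); return run(src); };
  function run(src) {
    // Parameters shadow the real globals; a non-strict function may name one 'eval'.
    return new Function('eval', 'Date', 'WScript', src)(hookedEval, HookedDate, fakeWScript());
  }
  return run(code);
}
// Constructed sample: payload hidden in a reversed string and executed only
// before 2017-09-28 09:52:05, the deadline reported in the post.
const PAYLOAD = "WScript.CreateObject('WScript.Shell').Run('payload.exe')";
const SAMPLE = `
  var deadline = new Date("2017-09-28T09:52:05Z");
  if (new Date() < deadline) {
    var s = "${[...PAYLOAD].reverse().join('')}";
    eval(s.split("").reverse().join(""));
  }`;
// Analyze once under a given clock and return the collected trace.
function analyze(code, fakeNow) {
  trace.length = 0;
  instrumentedRun(code, fakeNow);
  return trace.slice();
}
```

Running analyze(SAMPLE, ...) with today's clock yields only a clock-read event, while a clock pinned before the deadline yields the eval event carrying the deobfuscated payload followed by the CreateObject and Shell.Run calls, which is exactly the evidence a time-based evasion signature needs.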

Final Words

With Javascript instrumentation, Security Analysts and Incident Responders get a unique and powerful technology to deeply analyze malicious Javascript. In addition, Javascript instrumentation enables Joe Sandbox to detect and circumvent evasions which other platforms miss. Javascript instrumentation offers very fine-grained tracing and access that full system emulation and inter-modular tracing cannot provide.

Did you know that we also have instrumentation for Macro / VBA code in Microsoft Office documents? If not, check out our blog post about Generic VBA Instrumentation.

Looking to test Javascript instrumentation? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!