Tuesday, March 3, 2020

Joe Lab - the Cloud-based Malware Analysis Lab

Today we have fantastic news for you! We release Joe Lab - a brand new service from Joe Security! 

In a nutshell, Joe Lab is a Cloud-based malware analysis lab. A malware analysis lab is a key infrastructure for CERTs, CIRTS, SOCs and malware analysts to securely analyze malware and exploits, or test Yara rules. A malware analysis lab usually consists of several bare metal laptops or PCs which are fully separated from the corporate network. The lab machines are connected to an anonymized Internet line or use Internet simulation. Further, lab machines can be easily wiped and restored to a baseline. 

Setting up a malware analysis lab is a lot of effort and includes several big challenges:

  • Network segregation from the corporate network, so that malware cannot spread or cause harm.
  • Secure transfer of malware and analysis results from and to the lab. Usually, corporate endpoints are not allowed to store or access malware files. 
  • Reset lab machines to a known good state or baseline - to wipe any malware infection and start a new case.
  • Anonymized Internet access for the lab, so that malware authors cannot track you.
  • Fake Internet simulation to test very sensitive malware.
  • Secure access to the Lab via remote desktop or other RDP protocol, so that malware is not able to infect your endpoint.
  • Maintain bare metal lab machines - virtual machines are easily detected by malware.

Joe Lab solves all those challenges and sets the effort of setting up a lab infrastructure to zero. Here are some of the features of Joe Lab:

Fully Cloud-Based

Joe Lab is completely located in the Cloud. The infrastructure is not located in your network. You, therefore, have very strong network segregation. Joe Lab is directly integrated into Joe Sandbox Cloud Pro and you find it in the top navigation bar:

Depending on your subscription level you get access to one or several lab machines:

Secure File System Access

At any time you can access the full file system of the lab machines via the browser. You can upload or download malware and analysis results:

Any file transfer happens over HTTPS.

Reset to Clean State

Joe Lab includes a feature to reset the lab machine to a clean state (known good state). The disk wiping is done completely automated. Within minutes, you get access again to a clean machine:

Anonymized Internet Access

With Joe Lab, all lab machines have access to an anonymized Internet line. You can choose the exit point/country from several options:

This feature is very beneficial if you analyze country-aware malware samples. You also have the option to completely disable Internet access or use Internet Simulation.

Secure Access

If you want to access the lab machine you can do so directly from the browser by clicking the Remote Desktop button:

You get full access to the lab machine and can start analyzing malware samples. Copy and paste functionality is available via the clipboard manager:

Bare Metal Lab Machines

All lab machines are bare metal - physical laptops or PCs. No virtual machine is used:

Therefore, bad luck for malware that detects virtual machines!

Joe Lab - One of its kind

To the best of our knowledge, Joe Lab is the industry's first and only Cloud-based malware analysis lab. With Joe Lab, CERTs, CIRTS, SOCs and malware analysts no longer have the burden to setup a malware analysis lab. Further Joe Lab combines the best features of a malware analysis lab, including an anonymized Internet line, fake Internet, and resettable bare metal lab machines. 

Would you like to try Joe Lab? Then don't wait and contact us for a trial!

Tuesday, February 25, 2020

Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor

As usual, at Joe Security we keep a close eye on evasive samples. Some days ago we detected an interesting Azorult sample on Cloud Basic (MD5: ff17014cbb249e173309a9e1251e4574). In this blog post, we will use Joe Sandbox Hypervisor together with the Function Log to understand the evasion techniques in this sample.

Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques, Hypervisor inspects a program more deeply and extracts more behavior data. Hypervisor can also run on bare metal. We already blogged about using Hypervisor in an analysis of Gozi's evasions technique here.

The Function Log is a new low-level report generated by Joe Sandbox. It contains all API calls (user-mode APIs and system calls). It can be found in the low-level report section:


The first evasion check starts at 0042B690 and checks for debuggers with kernel32!IsDebuggerPresent and ntdll!ZwQueryInformationProcess (ProcessDebugFlags):

All API calls are dynamically resolved as the call to GetProcAddress right before NtQueryInformationProcess proves. This hinders code analysis as the calls are known during runtime only.

Time Evasion

What follows is a sleep based evasion. Azorults verifies if a sandbox modifies the kernel32!Sleep API value by cross-checking the elapsed time via the kernel32!GetTickCount API:

Sleep value modification is often done by sandboxes to bypass sleeping malware, e.g. if the malware sleeps longer than the execution time before the payload is started. Some sandboxes modify even very small values or forget to modify other time sources such as the tick count. This weakness is exploited by Azorult:

Dummy API Calls

If the previous checks succeed, Azorult continues to perform various dummy API calls, including calling kernel32!Beep:

Right after that, various API calls are done in a random order. As a result, the function logs differ from analysis to analysis. Next, there is a random amount of API calls to kernel32!VirtualAlloc:

Dummy API calls are added to the malware in order to delay the execution in a sandbox. If the delay is longer than the analysis time the sandbox will not detect any malicious behavior.

Environment Checks

The anti-analysis checks are not yet complete. After the dummy API calls, Azorult continues with an available RAM check:

If there is less than 3GB available it stops execution. Next, it checks the screen resolution via user32!GetDesktopWindow and user32!GetWindowRect:

If the screen resolution is below 1152 x 864 it will fail. Finally, as the last check, it looks for known sandbox processes via kernel32!CreateToolhelp32Snapshot:

The process comparison list looks interesting. Qemu-ga.exe is likely related to Any.run. Cmd.exe, notepad.exe and python.exe are often used by malware analysts. Azorult does not use any API such as strcmp, strstr or similir but rather a built-in function:

This makes it hard for a sandbox to detect the process check. 

Detecting Sandbox Evasions

Thanks to the deep analysis of Joe Sandbox Hypervsior several existing and some new behavior rules catch the evasion:

Joe Sandbox Hypervisor

As this analysis proves, today's evasion techniques are more stealthy than ever. Thanks to the Function Log and Joe Sandbox Hypervisor, malware analysts can detect and understand any evasion - no matter how stealthy it is:

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, February 5, 2020

Joe Sandbox v28 Lapis Lazuli

During this winter, we have not been freezing but rather working hard to provide you with the world's most powerful malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 28 under the code name Lapis Lazuli! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!

Our Joe Sandbox Cloud ProBasic and OEM servers have recently been upgraded to Lapis Lazuli.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileXLinuxComplete 

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Lapis Lazuli features.

304 new Signatures

With these brand new behavior and Yara signatures, Joe Sandbox is able to precisely detect various malware families like Emotet, Trickbot, AgentTesla, NanoCore, Ursnif, HawkEye, AZORult, Remcos, Adwind, Raccoon and many more.

Sigma Support

A major new feature of Lapis Lazuli is the support for Sigma

Sigma is a generic and open signature format to detect malware and other security-related events in log files. With the integration into Joe Sandbox, analysts can use existing Sigma signatures (~330) to detect malicious behavior. 

Further, analysts can write their own signatures and use them in Joe Sandbox as well as in several other ESR tools. Joe Sandbox v28 features a Sigma editor which also allows synchronizing rules directly from Github:

Lapis Lazuli includes 46 new Sigma rules, and the even better news is that Joe Security has made them available for the community:

If you want to learn more about the Joe Sandbox Sigma integration please have a look at this blog post.

18 Malware Configuration Extractors

Malware often includes configuration data such as C&C IPs, domains and modules to load. Lapis Lazuli features 18 extractors for most common malware families:

Configuration Data is shown in at the "Malware Configuration" section in the HTML or PDF report: 

as well as in the malwareconfigs section in the XML or JSON report: 

New Analysis Detail Page

The analysis detail page lists high-level information on the analysis such as the verdict, threat names, and classification. In Lapis Lazuli we completely redesigned it, so that analysts can access all essential data at one glance:


Deep .NET Tracing

Today's malware, droppers and other threats targeting Windows come in various "form-factors". These can be an obfuscated Javascript file, a malicious VBA Macro, a JAR payload, etc. In 2019 and early 2020 we have seen an increase in malware using the .NET Framework

Deep .NET Tracing extends Joe Sandbox's multi-technology stack with a very fine-grained tracing technology for samples using the .NET Framework:

With Deep .NET Tracing analysts can understand in detail the inner work of malware samples. Deep .NET tracing needs to be enabled via the Code Analysis tab:

Trace logs including all .NET API calls with arguments can be download from the analysis detail page:

You will find more information about deep .NET tracing in one of our latest blog posts: Dissecting Agent Tesla with Deep .NET Tracing.

Remote Assistance for Joe Sandbox Mobile and Linux

Yes, Lapis Lazuli is bringing Remote Assistance to Joe Sandbox Mobile and Linux. With Remote Assistance you can click through an attack manually by using the mouse and the keyboard:

MITRE ATT&CK mappings for Android and IOS

MITRE ATT&CK mappings already exist for Windows, Linux, and Mac. Lapis Lazuli includes mapping for Android and iOS: 

Final Words

In this blog post we have presented the most important features of Joe Sandbox Lapis Lazuli, but there are some other very interesting features on top:

  • Added threat names to e-mail notifications
  • Added download button for all screenshots
  • Added more processes information
  • Improved IE, FF and Chrome analysis performance
  • Improved Remote Assistance performance in general
  • Improved analysis of Google Drive URLs
  • Improved startup of samples with user permissions

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, January 8, 2020

Dissecting Agent Tesla with Deep .NET Tracing

Today's malware, droppers and threats targeting Windows come in various "form-factors". They can be an obfuscated Javascript file, a malicious VBA Macro, a JAR payload, etc. In 2019 we have seen an increase of malware using the .NET Framework. Usually, malware or packers / crypters are written either in C Sharp or Visual Basic Net. 

Joe Sandbox is the only malware analysis system using different technologies to analyze each format deeply. Over the last nine years we have developed these ten different technologies:

Our most recent addition is what we call Deep .NET tracing. .NET tracing captures all .NET API calls with arguments. To demonstrate the power of Deep .NET tracing we will dissect a recent Agent Tesla sample. Agent Tesla is a well known .NET based RAT and used by many threat actors. Most of the variants use multi-layer obfuscation to evade detection and hinder analysis. 

Layers Layers Layers

The sample we are going to analyze has been found on VirusTotal (MD5: 03baf522fb9c86bd5512a0ee72457f86, File Name: MT ESSTAR V1911.exe). To enable Deep .NET tracing you have to tick the checkbox in the Code Analysis Section:

When the analysis is finished, you can download the trace files in the download section:

The trace files are available in two formats:

  • Text, easily readable by analysts
  • CSV, easily parsable by machines

Let's have a look at the text trace file. As we can see from the trace file MT ESSTAR V1911.exe - ,the initial file is a simple loader which loads an assembly named Model.exe from the resource section:

Next, the method set_sako is called in Model.exe

You might now think and ask yourself, wouldn't it be nice to have Model.exe as a file? Well, we have good news, Deep .NET tracing extracts all loaded assemblies. You will find all of them in the memory dumps:

All dumped assemblies are scanned against all Yara rules you have stored in Joe Sandbox. What is set_sako doing next? Well, its loading another assembly (named Software Updates.dll, 2nd stage) from its resource section:

Right before the assembly is loaded, it is decrypted, as you can see from the Param 0 and Return Value

Again, the assembly is dumped and stored so that you can download it. 

Generic .NET Unpacking

Wouldn't it be fantastic if we have the source code of the decrypted assembly? Well again we have good news, Joe Sandbox decompiles all dumped PE files (see our previous blog post about generic .NET unpacking). You can download all decompiled .NET projects here:

In the download we find the full source code for the third stage:

This looks to be CyaX Sharp which is a well-known loader and injector. It comes with various anti-analysis features:

It also employs techniques to disable Windows Defender. When all the anti-analysis techniques are passed, it calls its final injection routine to launch the Agent Tesla payload:

Continuing to follow the .NET trace, we can see the various activities related to information-stealing.

Stealing login data from Google Chrome:

System information gathering

Uploading the stolen data via e-Mail:

Deep Malware Analysis

Thanks to the new Deep .NET Tracing feature, analysts can look at each single .NET API call and fully understand the inner workings of malware. With the assembly dumping, each unpacking stage is preserved and decompiled. The dumped assembly can be scanned and detected with Yara, while the source code enables an even deeper view into the malware's inner workings.

Joe Sandbox handles the different malware form factors or formats differently and applies various technologies. This helps analyzing malware in a depth previously not possible! 

Would you like to try Deep .NET tracing? Then contact us today to get a trial for Joe Sandbox Cloud Pro. 

Full Analysis Data