Joe Sandbox 17

    We are proud to release Joe Sandbox 17 today. Below you will find some of the most important features and improvements being added:

    Generic VBA Instrumentation


    VBA instrumentation captures runtime information such as API and method calls for macro code embedded in Microsoft Office files. With VBA instrumentation, cyber security pros can understand VBA code much faster.


    Further we added a call graph for the traced VBA code:


    The call graph enables security experts to easily spot decryption routines and offers them fast navigation. VBA instrumentation is fully generic, meaning that our customers can add their own instrumentation, e.g. to fake IP addresses (MaxMind checks) or bypass other evasions.


    User Automation for Microsoft Office ActiveX and PDF links


    Microsoft Office documents with clickable ActiveX objects have really become a major delivery mechanism. Joe Sandbox 17 includes a new cookbook command _JBActivateOfficeActiveX. The command intelligently clicks on ActiveX objects:




    Similarly, we added a new click command _JBClickPDFLinks which clicks on links embedded in PDF files:




    On top, we've added a new signature which directly extracts URL links from PDF documents (even from compressed streams).
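    To show what extracting links from a PDF involves when the link annotations sit inside compressed streams, here is an added Python example. It is not Joe Sandbox's signature code (the post does not show that implementation): it scans plain objects for /URI entries, inflates every FlateDecode stream and scans the inflated bytes too, and handles the backslash escapes of PDF literal strings. The sample PDF is constructed inline and the example.invalid hostnames are placeholders.

```python
"""Extract /URI link targets from a PDF, including those hidden inside
FlateDecode-compressed streams.  Added example, not Joe Sandbox code.  The
sample PDF below is constructed for the demo; example.invalid is a placeholder."""
import re
import zlib

# Body of any stream object: "stream\n ... \nendstream"
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /URI (literal string), allowing backslash-escaped characters inside the parentheses
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes for ( ) and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def _inflate(body: bytes) -> bytes:
    """Inflate a stream body.  A decompress object tolerates truncated data
    (common in malformed malicious PDFs) and returns whatever it could decode."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in plain objects and in inflated streams,
    deduplicated, in order of discovery."""
    found = [_unescape(m) for m in URI_RE.findall(pdf)]          # plain objects
    for body in STREAM_RE.findall(pdf):                            # compressed objects
        found += [_unescape(m) for m in URI_RE.findall(_inflate(body))]
    seen, uris = set(), []
    for uri in found:
        if uri not in seen:
            seen.add(uri)
            uris.append(uri)
    return uris


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: one plain link annotation plus one link
    annotation stored inside a FlateDecode-compressed object stream (/ObjStm),
    which a naive grep over the raw file would not see."""
    hidden_annot = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
                    b"/URI (http://example.invalid/hidden\\)path) >> >>")  # escaped ')'
    packed = zlib.compress(hidden_annot)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
        b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://example.invalid/plain) >> >>\nendobj\n"
        b"5 0 obj\n<< /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for uri in extract_uris(build_sample_pdf()):
        print(uri)
```

    The plain annotation is found by the first pass alone; the second URI only appears after the object stream is inflated, which is the case the signature above is about. Real PDFs also use hex strings and other filters (e.g. /ASCIIHexDecode, /LZWDecode), which this example does not cover.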

    User Automation for Joe Sandbox X


    For the new Joe Sandbox X and Ultimate version we developed a new cookbook command which clicks on buttons (_JBStartAutoInstaller). This fully automates the installation of malware embedded in installers:



    Support for Android 6.0 Marshmallow


    Joe Sandbox Mobile and Ultimate now support analysis on the latest Android 6.0:


    Redesigned Web Interface


    The web sample submission page of Joe Sandbox 17 has been fully redesigned. We focused 100% on usability. As a result, submitting samples to Joe Sandbox has become very easy:


    Besides the submission page, we have also fully redesigned the analysis details view, and added options for bulk Yara uploads.


    Behavior Signature Set Increase


    Joe Sandbox 17 includes over 40 new behavior signatures. This increases the total signature set to over 1217. Below you can find a non-exhaustive list of new signatures:

    • Detect latest Locky variants
    • Detect many new evasions (e.g. Word document only with p-code)
    • Detect malicious Microsoft Office documents based on VBA instrumentation data
    • Detect malicious Microsoft Office documents containing ActiveX objects
    • Detect new PowerShell attacks
    • Detect malicious links in PDF documents
    • Generic detection for Mac OS X malware



    Finally, another major improvement in Joe Sandbox 17 is the reduction of false positives (FPs).

    Happy analysis!

    Generic VBA Instrumentation for Microsoft Office Documents

    For the last couple of months, we have witnessed a resurgence of Microsoft Office macro malware, with cyber attackers once again leveraging macros for evil. Macros are VBA (Visual Basic for Applications) code, used by organizations to automate frequently performed tasks in Microsoft Office. Despite their time-saving potential, macros can also be used perfidiously, allowing attackers to run malicious software on someone's computer.

    What we have also seen is how state-sponsored APT groups were using MS Office documents as an initial attack vector to infect and damage critical state infrastructure. This was possible not only because of VBA's ease of use, but also because of its exploitation potential. The most notable examples from this year:

    Opening untrusted documents in a sandboxed environment is slowly becoming standard in security-aware companies. At Joe Security, we are constantly improving and quickly adapting to stay at the leading edge of innovation, so we can offer our customers the broadest possible protection. The method proposed by Kacper Szurek in his recent research on VBA macro analysis (https://github.com/eset/vba-dynamic-hook) was a great source of inspiration. Therefore we decided that a similar approach would be an interesting addition to Joe Sandbox.

    The initial idea was to insert instrumentation code into the APIs called from the VBA script and log their arguments, which at that point are no longer encrypted. The outcome of this instrumentation would be bypassing string encryption and facilitating further analysis. It would also allow us to build better detections, based on accessed host names or on strings used as a process blacklist. This initial plan quickly evolved into something bigger, so today we can proudly present VBA instrumentation with the following set of features:

    • Argument and return value logging for a predefined set of VBA APIs - the list of supported functions can be easily extended in our On-Premise products. Below you can see an interesting output of the instrumentation (part of the Joe Sandbox report):

    • Local function execution marks - every user-defined function is logged once during script execution, so we can later divide functions into executed / non-executed groups; this data is also shown as a colored execution graph:

    • Heuristic detection of the string encryption function - if our algorithm correctly recognizes the string encryption function, the final output is enriched with additional information matching encrypted and decrypted strings. The string encryption function also has its own color in the execution graph (the red node above):

    • Custom user-defined Pre / Post VBA API hooks (available only in the On-Premise products for now) - this is a really powerful feature that can be used to bypass various evasion techniques. Basically, the customer can define VBA code that will be executed before and after certain VBA APIs. A defined hook can access and modify the API arguments and the return value.

    Bypassing MaxMind IP check with user defined hooks

    Checking properties of the IP address with the help of online GeoIP services is a quite popular evasion trick. Usually a malicious script checks:

    • the IP location / country code - used to target specific countries
    • the ISP / organization name - mostly used for blacklisting purposes (VPN providers, security companies, TOR nodes). Such lists are sometimes quite long:


    It can also be easily circumvented with the custom VBA hooks. In the screenshot below, we can see the behavior of the original IP check function:


    The Meta Information column contains all the information we need, so we don't even have to read the original VBA code. The WinHttpRequest.Status() call returned status 403 (Forbidden). Probably the MaxMind GeoIP service introduced stricter checks and refuses to return proper data. The above macro verifies that the returned status code is 200 and, if not, returns the default String value (an empty string). This is the first API call that we need to bypass. We can define a simple Post hook for the Status() function:


    The analysis can be re-run with the new hook, and the actual results then look like this:


    WinHttpRequest.Status() now returns 200 and the JBWQC() function returns the content of WinHttpRequest.ResponseText. The returned HTML is fully visible in the Meta Information column of the report. The sample still doesn't execute the final payload, so we need to check where the returned HTML content is used. This can be done just by looking at the VBA call graph:


    The IP-checking function is named JBWQC() and it is reached only from mtUBxZ(). We can easily navigate to this function just by clicking on the specific graph node.


    Here we can see that the returned HTML content is passed to the WjUJV() function, which is just a wrapper for the VBA InStr API. The second argument seems to be an encrypted string; luckily we have heuristic detection of string encryption functions, and in this case it properly logged the decrypted value. It is visible above the VBA function: "xINsEBWARZWSLGTDqR" - "SWITZERLAND". So the ResponseText has to contain the string "SWITZERLAND"; this is our second VBA Post hook:


    After re-running the analysis we can further inspect the instrumented VBA code, or just look at the rest of the report, since the macro successfully executed the final payload:
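    To make the four instrumentation features listed above and the two Post hooks of this walkthrough concrete, here is an added Python model. It is not Joe Sandbox's engine and not its VBA hook syntax (the post shows the real hooks only as screenshots): a small instrumenter that logs each call's arguments and return value, marks which user-defined functions ran, applies Pre/Post hooks, and runs a constructed heuristic to spot the string decryption routine from the log. The fake WinHttpRequest, the toy cipher and the macro's control flow are constructed for the demo; the names JBWQC, mtUBxZ and WjUJV are the ones from the report above.

```python
"""Toy model of VBA API instrumentation with Pre/Post hooks.  Added example:
NOT Joe Sandbox's engine or hook syntax (its hooks are VBA and appear on the
page only as screenshots).  The fake WinHttpRequest, the macro's control flow
and the toy cipher are constructed; JBWQC, mtUBxZ, WjUJV come from the walkthrough."""
from collections import defaultdict
from functools import wraps


class Instrumenter:
    """Logs every instrumented call as (api, args, result) like the "Meta Information"
    column, tracks executed user functions, and applies Pre/Post hooks."""

    def __init__(self):
        self.log = []
        self.executed = set()
        self.pre_hooks = defaultdict(list)
        self.post_hooks = defaultdict(list)

    def pre(self, api):    # decorator: hook(args) -> args, run before `api`
        return lambda hook: self.pre_hooks[api].append(hook) or hook

    def post(self, api):   # decorator: hook(args, result) -> result, run after `api`
        return lambda hook: self.post_hooks[api].append(hook) or hook

    def call(self, api, func, *args):
        for hook in self.pre_hooks[api]:
            args = tuple(hook(args))
        result = func(*args)
        for hook in self.post_hooks[api]:
            result = hook(args, result)
        self.log.append((api, args, result))
        return result

    def user(self, func):  # decorator for user-defined macro functions
        @wraps(func)
        def wrapper(*args):
            self.executed.add(func.__name__)
            return self.call(func.__name__, func, *args)
        return wrapper


class FakeWinHttpRequest:      # stand-in for the COM object in an offline sandbox:
    def Status(self):          # the GeoIP service is unreachable, so it answers
        return 403             # 403 with an empty body, as in the walkthrough
    def ResponseText(self):
        return ""


def build_macro(ins):
    """Constructed macro mirroring the walkthrough's control flow."""
    @ins.user
    def decrypt(s):            # toy cipher: every character shifted by one
        return "".join(chr(ord(c) - 1) for c in s)

    @ins.user
    def JBWQC():               # IP-check function
        req = FakeWinHttpRequest()
        if ins.call("WinHttpRequest.Status", req.Status) != 200:
            return ""          # default String value when the check fails
        return ins.call("WinHttpRequest.ResponseText", req.ResponseText)

    @ins.user
    def WjUJV(haystack, needle):   # wrapper around InStr (1-based, 0 = not found)
        return ins.call("InStr", lambda h, n: h.find(n) + 1, haystack, needle)

    @ins.user
    def mtUBxZ():
        if WjUJV(JBWQC(), decrypt("TXJU[FSMBOE")) > 0:   # decrypts to "SWITZERLAND"
            return "payload executed"
        return "exit"

    return mtUBxZ


def decryptor_candidates(ins):
    """Constructed heuristic (not Joe Sandbox's algorithm): a user function mapping a
    string to a different printable string of equal length is flagged as the decryptor."""
    pairs = defaultdict(list)
    for api, args, result in ins.log:
        if (api in ins.executed and len(args) == 1 and isinstance(args[0], str)
                and isinstance(result, str) and args[0] != result
                and len(args[0]) == len(result) and result.isprintable()):
            pairs[api].append((args[0], result))
    return dict(pairs)


def run_analysis(with_hooks):
    """Run the macro once; with_hooks=True installs the walkthrough's two Post hooks."""
    ins = Instrumenter()
    if with_hooks:
        @ins.post("WinHttpRequest.Status")
        def force_ok(args, result):           # first hook: pretend the request succeeded
            return 200
        @ins.post("WinHttpRequest.ResponseText")
        def add_country(args, result):        # second hook: body must contain the country
            return result + "<td>SWITZERLAND</td>"
    return build_macro(ins)(), ins
```

    run_analysis(False) reproduces the 403 / empty-string path and ends in "exit"; run_analysis(True) installs the two Post hooks and the macro reaches "payload executed". In both runs decryptor_candidates() recovers the (encrypted, decrypted) pair for decrypt() from the log alone, which is the kind of data that ends up next to the VBA function in the report.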


    Final words

    Being able to act quickly has become a major strategy in the fight against evasion. With Joe Sandbox, security teams (CERTs, CIRTs, SOCs, etc.) get an extensive analysis tool which allows them to defeat evasions within minutes. Our newly introduced VBA instrumentation engine is a perfect example. When dealing with a new macro-based Office evasion, an analyst can easily identify it via the dynamic data visible in the "Meta Information" column of the VBA report. Next they can detect the evasion by writing a behavior signature, and finally bypass it by adding a new Pre or Post hook.

    VBA Instrumentation is available in Joe Sandbox 17.

    Sample analysis with VBA instrumentation turned on:
    http://joesecurity.org/reports/report-58258b89e076c4d378436f3b03682402_2.html#vba-code
    http://joesecurity.org/reports/report-43b8cc7dc3ff1987354e974d77216b1b_2.html#vba-code
    http://joesecurity.org/reports/report-2e374756930bee59c371d98ff88572a8.html#vba-code


    Introducing Joe Sandbox I – Deep iOS Malware Analysis


    We are proud to present today Joe Sandbox I – the first automated malware analysis system for iOS that combines dynamic and static analysis for deep malware forensics. Joe Sandbox is now able to analyze malware on all major desktop and mobile platforms, namely Windows, OS X, Android, and now iOS.

    The number of malware samples targeting iOS devices is constantly growing, and their complexity is challenging security experts worldwide. The impact of these attacks is considerable due to the exfiltration of sensitive information like private contacts and confidential emails. We have seen how the XcodeGhost malware managed to sneak malicious code into tens of apps without their developers knowing. For these reasons, we at Joe Security think it is very important to provide malware analysts with the right solution, capable of analyzing iOS apps deeply and swiftly.

    In order to have a clearer picture of the technology and the product, let's take a deeper dive into the capabilities of Joe Sandbox I by analyzing a malicious iOS app. It's worth mentioning that, as with all our products, the analyzed application is executed in a controlled environment.

    In Joe Sandbox I, the analyst can submit apps either as a file (IPA bundle) or by bundle ID. When submitting a file, the app is installed directly on the bare-metal device, in our case an iPhone. In case of a bundle ID submission, Joe Sandbox I automatically downloads the app from the App Store and installs it on the phone by itself. Then a two-step analysis starts: first the app's Mach-O is statically analyzed, and second the app is executed and dynamically analyzed.

    After monitoring its behavior for suspicious activities, the collected information is compiled into a comprehensive and extensive analysis report. The big advantage of analyzing an app on a bare-metal phone, in contrast to emulation or virtualization, is that the app cannot easily detect that it is being analyzed and therefore apply anti-sandbox tricks.

    To give you more insight into the interesting features of Joe Sandbox I, we have analyzed a recent malware sample dubbed "YiSpecter" (NoIcon IPA, MD5: fbf92317ca8a7d5c243ab62624701050). The sample was executed on an iPhone 4 running iOS 7.1.2:


    Dynamic Analysis 

    As mentioned before, Joe Sandbox I can install apps directly from the App Store without any user interaction. Since the YiSpecter sample was submitted by uploading a file, we have recorded a movie from another analysis that shows how an app from the App Store is installed and executed:


    As can be seen, a daemon clicks its way through the app's buttons and dialogs in a smart way. By simulating user behavior, the app exhibits more behavior, leading to better results of the dynamic analysis than merely opening and closing the app.

    Besides automated clicking, Joe Sandbox I also periodically takes screenshots during the app's analysis. However, since the currently presented sample just shows a black screen, we have added below a screenshot from another sample of the YiSpecter family (AdPage IPA, MD5: 62c6f0e3615b0771c0d189d3a7c50477):


    Behavioral artifacts, i.e. interesting function calls during the app's execution, are presented within the report similarly to the Joe Sandbox Desktop or X reports. In our case, the sample opened some files, but also requested sysctls and URLs:



    And as for all sandboxing solutions, network capturing is a must-have. Here we can see that the IMEI number is being leaked:


    Static Analysis

    In addition to dynamic analysis, the sample is statically analyzed too. This has the benefit that, if the sample does not execute for some reason, certain functionalities can still be inferred from the code in order to rate them by signatures. Joe Sandbox I extracts all functions of the app's Mach-O and presents the ARM code as well as the metadata (if available) within the report:


    This code excerpt for instance shows that the app can query for installed apps:

    This functionality is also rated by a signature:


    Or look at this code part:


    This code excerpt shows that the app can check whether the phone is jailbroken.

    But not only the ARM code is of interest: also the Mach-O segments and commands, or other files within the IPA bundle (a ZIP file) or embedded within the Mach-O itself:



    One known embedded file is entitlements.plist. In this sample it reveals that the app has permission to install and remove other apps:


    Another embedded file that may exist is the app's enterprise certificate:


    This indicates that the app can install additional apps that were signed with this certificate and were therefore not code-reviewed by Apple.

    Behavior Signatures

    Joe Sandbox I has a growing set of around 100 behavior signatures which rate and classify the behavior. The signature summary of this sample, for instance, gives a nice overview of the key behavior and functionalities of YiSpecter:



    Behavior signatures give the malware analyst the possibility to classify behavior as good or bad, and in the end allow an efficient overview of the app without a deep understanding of the analyzed app itself.


    To summarize:


    • Joe Sandbox I is the first publicly presented automated iOS malware analysis system. With this product, malware analysts using Joe Sandbox can now analyze potential malware on all major desktop and mobile operating systems.
    • The dynamic analysis of apps is performed on bare-metal phones. In contrast to emulation or virtualization this is a big advantage, since malicious apps will have a harder time detecting the presence of a sandbox solution. Furthermore, by simulating user clicks the app under analysis will exhibit more behavior, leading to better results of the overall dynamic analysis.
    • In addition to dynamic analysis, static analysis of the app can be used to infer functionalities from the code. This is very beneficial if the sample does not execute, because we can still rate the app by the signatures.

    As this blog post has outlined, Joe Sandbox I makes it possible to quickly understand and detect threats which target iOS systems. We continuously work to increase the number of signatures and improve the overall dynamic and static analysis of Joe Sandbox I, now part of Joe Sandbox Cloud.

    For more information about the product or a demo request, feel free to contact us through our website at www.joesecurity.org.

    Full analysis report for YiSpecter:



    Pafish for Office Macro

    We have always been fans of the famous Pafish tool by Alberto Ortega. Pafish is a tool to check recent anti-malware-analysis tricks and evasions against your favorite sandbox. Moreover, it makes it possible to fully study the evasive code. We know that Pafish helped and still helps to improve sandboxes.



    With payload delivery mechanisms shifting, we thought it would be nice to have a Pafish-like tool for Office documents. Office documents today are one of the most prominent containers for delivering malicious software. As exploits are getting harder to develop, attackers are using VBA embedded in Office documents to download and install payloads. VBA is well suited for sandbox detection and we have already seen many evasions in recent samples:



    We therefore have put all known VBA / macro-based sandbox checks and evasions into a single Microsoft Office Word document and released this "Pafish Macro" on GitHub today:



    You can download the "Pafish Macro" document here as well.

    We will update the VBA code with new evasions as frequently as possible and are looking forward to contributions!


    New Release: Joe Sandbox 16 out!

    We are proud to release Joe Sandbox 16 today. The release includes Joe Sandbox Mobile 5.0.0 and Joe Sandbox X 2.2.0.

    Since our last release in June we have been working on many different fields to make Joe Sandbox stronger. Here you find a list of the most important features:


    • More than 52 new behavior signatures. Behavior signatures classify and rate the behavior captured during execution. This increases our signature database to a total of 1144 signatures. Many of the signatures reveal evasive behavior, e.g. the Locky evasions:


    • Support for Windows 10 x64. You can now execute malware on the latest Windows 10 x64 operating system. This extends the supported Windows operating systems to: XP, W7, W7x64, W8, W10, W10 x64, both as virtual machines (VMs) as well as physical machines. Furthermore, Joe Sandbox X now supports analysis on El Capitan (10.11).


    • Support for bare-metal analysis on Android. Joe Sandbox 16 makes it possible to execute and analyze APKs on real Android phones. In contrast to emulators or VMs, Android phones feature all sensors and hardware devices. Therefore many APKs show their full behavior only on a real phone.




    • Many new anti-evasions. We have improved the stealth of the VMs as well as the simulations on bare-metal analysis machines. Check out our previous blog post to learn more about some of the latest versions:

    • Support for many new file extensions. Joe Sandbox 16 newly supports PUB, VSD, MPP, JTD, HWP, ACE, LZH and GZ files.


    • Web interface improvements: full Web API Python implementation, tagging, brand-new analysis download design, new executive report, SHA1 and SHA256 search:




    • New cookbook command: _JBActivateOfficeActiveX, which automatically clicks on ActiveX elements inside Word or Excel documents:



    In addition we have added the following small features:


    • Multi DEX static analysis for Mobile
    • Fast update
    • New cookbook: accelerate system clock
    • Wscript sleep override
    • New detection status unknown
    • IDA Pro Bridge Plugin for Linux

    While Joe Sandbox 16 was a small major release, we are planning Joe Sandbox 17 (planned for release at the end of October) as a big major release with many new analysis features!!! Stay tuned.

