Tuesday, June 5, 2018

Analysing VPNFilter with Joe Sandbox Linux

Linux malware is becoming a hot topic in the security news headlines, as we see more and more recent malware targeting Linux operating systems. With more than 11 billion embedded devices with networking capabilities in 2018 (Gartner), bots targeting Internet of Things (IoT) have a bright future ahead. Mirai and VPNFilter are just some recent examples.

Thus, it is the right time to step up! For some months, we have been working on a new product to analyze malware targeting Linux. Today, we are happy to release Joe Sandbox Linux, our deep malware analysis engine for fighting threats on Ubuntu and CentOS.

By adding analysis on Linux, Joe Sandbox is now the only malware analysis system available on the market which can analyze malware on all of Windows, MacOS, Linux, Android, and iOS:

In this blog post, we are going to showcase the features of Joe Sandbox Linux and take the recently discovered VPNFilter as well as a Coin miner malware as an example.


VPNFilter is a recent malware family found by Cisco Talos which targets Internet routers. According to Talos, VPNFilter is likely a state-sponsored or state-affiliated threat built to gather intelligence. VPNFilter also carries destructive payloads, and it has infected over 500'000 routers in 54 countries.

Just like modern malware on Windows, VPNFilter uses multiple stages:

Stage 1

In stage 1, VPNFilter mainly persists itself in order to survive a reboot by creating a cron job. Joe Sandbox Linux directly detected VPNFilter with a generic behavior rule. In the network tab we can see that it reaches out to photobucked[.]com to get an image:

Since the threat is already some days old, the resource is no longer available. The image would contain the IP address from which the second stage malware is downloaded.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 1.

Stage 2

The second stage malware contains the bot functionality. This can be easily seen in the verbose output:

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 2.

Commands which can be sent to VPNFilter include: exec, kill, seturl, download, reboot, proxy, port and tor. The stage two malware deletes itself, and thus after rebooting the infected device, VPNFilter no longer exists:

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 2.
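A defender-side check for the self-deletion behaviour described above, written here as an added example (it is not code from the post or from Joe Sandbox). On Linux, /proc/<pid>/exe links to the running binary and the kernel appends " (deleted)" to the link target once the file has been unlinked; the function takes the proc root as a parameter so it can also be run against the constructed miniature /proc that build_fake_proc creates.

```python
# Added example: find processes whose executable was deleted after start,
# which is what a self-deleting second stage looks like on a live system.
import os
import tempfile

DELETED_SUFFIX = " (deleted)"


def find_deleted_executables(proc_root="/proc"):
    """Return {pid: original_path} for processes whose binary was unlinked."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, meminfo, ...
            continue
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:
            # Kernel threads have no exe link; other users' processes need root.
            continue
        if target.endswith(DELETED_SUFFIX):
            hits[int(entry)] = target[: -len(DELETED_SUFFIX)]
    return hits


def build_fake_proc():
    """Construct a miniature /proc tree (sample data, not a real system)."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    entries = {
        "101": "/usr/bin/bash",                # ordinary process
        "202": "/var/tmp/stage2 (deleted)",    # constructed: binary removed after launch
        "303": None,                           # kernel thread: no exe link at all
        "self": "/usr/bin/python3",            # non-numeric entries are ignored
    }
    for pid, target in entries.items():
        os.makedirs(os.path.join(root, pid))
        if target is not None:
            os.symlink(target, os.path.join(root, pid, "exe"))
    return root


if __name__ == "__main__":
    for pid, path in find_deleted_executables().items():
        print(f"pid {pid}: running from deleted binary {path}")
```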

Stage 3

VPNFilter also has the ability to load plugins or modules, for instance to communicate secretly via Tor:

As you can see by using the analysis report generated by Joe Sandbox Linux, you get valuable information about the threat including payloads, IOCs, and behaviors.

Full Joe Sandbox Linux Analysis Report for VPNFilter Stage 3.

Coin miner

Coin miners are malware which "kidnap" the CPUs of servers in order to mine for cryptocurrencies. Especially in the Linux server world, they are very common. Let us have a look at the analysis report:

The classification clearly shows that this is miner malware. Through the Antivirus integration, all artifacts such as dropped files are scanned automatically:

Thanks to the extensive behavior signature set of Joe Sandbox Linux, Coin miners are detected on any architecture:

The behavior graph which is also part of Joe Sandbox Desktop (analysis on Windows) and Joe Sandbox X (analysis on MacOS) helps to fully understand the installation behavior:

As with VPNFilter, Joe Sandbox Linux fully detected the coin miner payload and provided additional insights into the malware's behavior.

Full Joe Sandbox Linux Analysis Report for Coinminer.

Final Words

With the capability of analyzing malware targeting Windows, MacOS, Linux, Android, and iOS, Joe Sandbox is the only malware analysis solution which can fully protect you from today's threats. With the introduction of Joe Sandbox Linux, customers get a very advanced analysis tool to detect advanced threats targeting routers, IoT devices and Linux servers or workstations.

Joe Sandbox Linux has already been fully integrated into Joe Sandbox Cloud Pro and Basic and will soon be available as an on-premise product.

Want to try Joe Sandbox Linux? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Monday, May 28, 2018

Deep Malware Analysis with Joe Sandbox 22 - Mountain Crystal

Now, at the end of Q2, we are happy to release our newest and greatest Joe Sandbox version with the code name Mountain Crystal!

Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Mountain Crystal a couple of weeks ago.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete or Ultimate installation right away, then please run the following command:

mono joeboxserver.exe --updatefast

In this blog post, we will present some of the enhancements and new features of Joe Sandbox Mountain Crystal.

111 New Behavior Signatures

New signatures include detections for Process Doppelgänging, Early Bird code injection, Tinynuke, Grandcrab, GravityRAT, Cobalt Strike Beacon, Gootkit, Crossrider and more:

The new signatures enable analysts to spot and catch the latest security threats!

Java tracing for Java Archive (JAR) files

Malware written in Java has become very popular. Current malware analysis solutions can only trace Windows System and API calls. Therefore, Java API calls are hidden. To analyze Java APIs we added JAR Tracing to Mountain Crystal:

With JAR Tracing Joe Sandbox generically extracts the Adwind RAT configuration.

JAR Tracing also makes it possible to detect any Java RAT, for instance by analyzing its unpacking behavior:

Read more about JAR tracing in our recent blog post: Deep Analysis of Java Archives

Java Decompilation

JAR Tracing is great, however, for malware analysts, the source code is even better. That is why Mountain Crystal also decompiles JAR archives to source code:

The source code easily reveals all the details about the payloads, execution conditions, C&C communication and more.

Read more about JAR Decompilation in our recent blog post: Deep Analysis of Java Archives

Favicon based Phishing Detection

We have further extended our template-based Phishing Detection by using the favicon of web pages. Favicons are the tiny images you see in your browser tab. Phishing pages often reuse the original icons:

Favicon based Phishing Detection strengthens Joe Sandbox's ability to generically detect password phishing.

Behavior Animation

Wouldn't it be nice to see what is happening from a process, dropped file and network perspective? Mountain Crystal includes a new feature called Behavior Animation. In the screenshot section of the report, simply click in the center to start the animation:

On the right side, you will see the system behavior popping up. You can also easily use the slider on the left to jump to a later time. Behavior Animation also works for analysis on MacOS:

Final Words

In this blog post, we introduced some of the major features of the Mountain Crystal release. Further minor features are:

  • New cookbook commands to start a sample as a user or with different integrity levels
  • New example cookbook to start a sample with different keyboard layouts
  • Stop Internet option for Android and Mac analysis
  • Logging of system power state
  • New sleep evasion based on sleep loops
  • Fast install mode for VMware
  • URL section in the report
  • Scanning of URLs with Virustotal and Metadefender
  • Javascript unpacking in PDF files
  • Ability to edit tags 
  • Slider to easily change the analysis time
  • Option to pass arguments to sample for Mac analysis
  • URL analysis on Mac
  • Recursive unpacking of EML and MSG files

What is next? We have an amazing pipeline of new technologies and features! Stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, May 8, 2018

Evasive Malware hits French Corporations

We recently came across an interesting sample on Joe Sandbox Cloud Basic:

The sample has been detected as malicious, yet this is mainly due to Antivirus signature hits:

When looking closely at the Behavior Graph, one discovers something interesting:

The main sample unpacks itself to facture_1398665.tmp. This process then creates a whole bunch of temporary PE files, which are renamed in the next step:

Hostile Firefox loading LOL

Among the PE files is a file called firefox.exe. Firefox.exe is indeed a legitimate copy of the well-known Internet browser:

This is interesting because Firefox is used to load some of the malicious DLLs, including LOL_Dll.dll. Likely this bypasses some endpoint protection tools and Antivirus:

Right after LOL_Dll.dll has been loaded, Firefox crashes with a COM loading error:

GetKeyboardLayout 0xC

So what is causing this crash? Carefully examining every detail of LOL_Dll.dll reveals the following code (LOL_Dll.dll is not obfuscated or packed at all):

The corresponding code for that part of the execution graph is shown below. The code calls the Windows API GetKeyboardLayout and then performs some checks. The keyboard layout is language dependent: a US computer user has a different layout than a Swiss one. The check on the layout serves as a way to target the malware at specific users:

0Ch matches French layouts:

As a result, the sample either executes its payloads or crashes, depending on the keyboard layout of the target machine.
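To make the gate concrete for analysts, here is an added example (not code from the post or from the sample) that decodes the value GetKeyboardLayout returns and applies the kind of check described above. On Windows the low 16 bits of an HKL are a LANGID, whose low 10 bits are the primary language ID and upper 6 bits the sub-language; 0x0C is the primary language ID for French. The assumption here is that the sample compares the primary language ID against 0x0C, since the post only states that 0Ch matches French layouts.

```python
# Added example: decode keyboard layout identifiers and mirror the
# French-only gate, so an analyst can see which layouts would run the payload.
LANG_FRENCH = 0x0C

# Constructed list of LANGIDs for the demonstration (real Windows identifiers).
SAMPLE_LAYOUTS = {
    0x0409: "English (United States)",   # typical sandbox default
    0x040C: "French (France)",
    0x080C: "French (Belgium)",
    0x0C0C: "French (Canada)",
    0x100C: "French (Switzerland)",
    0x0807: "German (Switzerland)",
    0x0410: "Italian (Italy)",
}


def primary_language(hkl: int) -> int:
    """Primary language ID from an HKL or bare LANGID (low 10 bits)."""
    return hkl & 0x03FF


def sub_language(hkl: int) -> int:
    """Sub-language ID (bits 10-15 of the LANGID)."""
    return (hkl & 0xFFFF) >> 10


def payload_would_run(hkl: int) -> bool:
    """Assumed gate: a French primary language lets the payload execute."""
    return primary_language(hkl) == LANG_FRENCH


def triage_layouts(layouts=SAMPLE_LAYOUTS):
    """Map each layout name to whether the sample would execute under it."""
    return {name: payload_would_run(langid) for langid, name in layouts.items()}


if __name__ == "__main__":
    for name, runs in triage_layouts().items():
        print(f"{name:24s} -> {'payload runs' if runs else 'crash, no payload'}")
```

Any French sub-language passes the check, while the sub-language does not matter for the gate, which is why a sandbox left on the US default never sees the payload.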

Custom Keyboard Layout

Thanks to Cookbooks (a tiny script which fully defines the malware analysis procedure), we can easily change the default keyboard layout in a fully automated manner to what is required by the code:

The change of layout is done via the intl.cpl control panel item.

The cookbook is submitted together with the sample to Joe Sandbox. The resulting analysis is much richer and contains many IOCs.

Final Words

Joe Sandbox cannot be easily fooled by evasive malware. Thanks to hybrid code analysis, execution graph, and cookbooks, malware analysts have a powerful tool to analyze any malware.

This blog post is a very good example of that. Within minutes we were able to detect the evasive code and write a cookbook to analyze it.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, April 25, 2018

Deep Analysis of Java Archives

Analyzing binaries dynamically is a tricky job. We believe there are 5 major challenges when attempting to do so:

Today's focus is on one problem referred to as "Variety of Input". Let us assume you have developed a great technology which can deeply analyze malware written in x86 or x64. As great as it may be, it will not get you far if the malware is written in C#, VBS, JS, PowerShell, VB, Delphi or Java.

You will have to develop a unique solution for each of those runtime environments. Unfortunately, there is no technique which deeply analyzes any input regardless of its type.

For this reason, we think a multi-technology, multi-architecture platform is the means to deeply analyze malware. That is why we have already built unique techniques to analyze the following:

In addition to these, Joe Sandbox also analyzes files on Windows, Linux, macOS, Android and iOS.

To enrich this family of technologies, we have recently added a new one, with the aim of deeply analyzing Java Archives (JAR).

The Rise of JAR

Malware written in Java has become very popular. This is due to a couple of reasons. First of all, Java is platform independent: as an example, a remote access trojan can easily be operated on MacOS, Windows and Linux. Secondly, it is simple to write programs in Java. Thirdly, Java malware is not that well detected by Antivirus programs.

Deep Analysis of Java Archives

Most sandbox vendors are currently able to capture the system calls executed by a Java program. However, that information is not very detailed. Incident Responders and Malware Analysts are keen on getting the executed Java APIs and their arguments as well as the decompiled code.

To cover these requirements, we recently added a new JAR tracing functionality to Joe Sandbox:

JAR tracing performs two tasks:

  • Dynamically instrumenting Java bytecode to capture API calls and arguments
  • Java bytecode decompilation to generate Java source code

Extraction of Java API arguments

Let us have a look at the benefits of extracting Java API arguments. Given a JRAT sample we can detect various suspicious behaviors:

Full Analysis Report

To hide code, JRAT uses AbstractScriptEngine.eval. Since Joe Sandbox can trace the API, we get the evaluated string. Java malware is often heavily obfuscated and packed. Thanks to JAR tracing, Joe Sandbox can detect the unpacking process:

Full Analysis Report

Finally, JAR tracing enables the extraction of the RAT configuration:

Full Analysis Report

This is again extracted from API arguments and not statically decrypted from the binary.

Java Decompilation

In addition to Java API arguments, Joe Sandbox also provides the decompiled source code. Malware Analysts can directly download the source code zip in the analysis detail view:

For instance, in the case of CrossRAT you can easily understand the persistence via autostart.

Final Words

Today's malware samples come in various formats and types. A single technology approach fails to analyze all samples. Joe Sandbox includes a wide array of domain-specific technologies to always get the deepest analysis possible. 

With JAR tracing, Incident Responders and Malware Analysts get a powerful tool to extract Java API calls including their arguments. This vastly increases detection capabilities and also helps to understand complex payloads. In addition, one can download the full decompiled Java source code for extensive analysis.

Interested in JAR tracing and willing to try it? Contact us today and we will provide a trial!