Tuesday, July 31, 2018

Joe Sandbox 23 - Black Opal is out!

Although it's summertime and the livin' is easy, we have been working hard to deliver Joe Sandbox v23 under the code name Black Opal! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.

Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Black Opal a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete or Ultimate installation right away, then please run the following command:

mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Opal features.

Linux Support

Joe Sandbox Linux 1.0.0 is now officially available for purchase! With Joe Sandbox Linux you can analyze threats targeting Ubuntu as well as CentOS. 

For more details as well as the latest analyses of Linux malware please have a look at our recent blog post.

31 New Behavior Signatures

New signatures include detection of Kronos, Hermes, FlawedAmmyy, new UAC bypasses, Agent Tesla, Empire, OSXDummy, XMRig and more:

AI-based Phishing Detection

We further enhanced our template based phishing detection. Instead of relying only on a template matching technique, Joe Sandbox now employs several techniques (including logo region detection, perceptual hashing, and feature detection). We used machine learning to combine the results of all techniques to minimize false positives:

STIX v2 Report

Do you use Structured Threat Information Expression (STIX) as a standard for IOCs or does your threat intelligence solution support STIX? If so, integration with Joe Sandbox has become very easy since Black Opal generates extensive STIX v2 reports (in addition to MAEC, OpenIOC and MISP):

The STIX report includes all major detections and IOCs such as dropped files, processes, domains, and IPs.

Windows 10 x64 1803 Support

Joe Sandbox v23 Black Opal analyzes malware on the latest Windows 10 version!

We have also added Windows 10 support for Joe Sandbox Hypervisor:

Thus, you can analyze threats with Hypervisor based Inspection on Windows 10!

IDA Pro 7.1 Support

IDA Pro 7.1 is now officially supported by the Joe Sandbox Bridge Plugin. The plugin allows you to load memory dumps into IDA Pro and enrich them with dynamic information:

Web API v2 Enhancements

With Black Opal we added several new APIs to the RESTful Web API. This includes cookbook and Yara upload, download, deletion, and listing:

As a result, you can now fully automate Yara and Cookbook handling via the API.

Sysmon Logs Extraction

We added a new cookbook to easily extract Sysmon Logs via Joe Sandbox:

For detailed information please have a look at our recent blog post about Sysmon logs.

Android Decompilation

Black Opal decompiles Android Application Packages (APK). As a result, there are several new downloads for Android analyses:

Inside the full Android report you can easily navigate to the source code:

Final Words

In this blog post, we introduced some of the major features of the Black Opal release. Furthermore, minor features are:

  • SettingContent-ms support on Windows 7
  • Option to change the keyboard layout through the Web GUI
  • Option to start samples as a normal user through the Web GUI
  • Option to enable Anti-Evasion for data-aware samples through the Web GUI
  • Support for Unicode file names (Chinese, Japanese and Korean)
  • Security alerts (login, password change, etc.)
  • Setup code for cookbooks
  • Major speed up for Internet Explorer analysis
  • General analysis speed up
  • Automated Yara rule validation and conflict resolution

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, July 18, 2018

Reduce Friction: extracting Sysmon logs with Joe Sandbox

Sysmon is a powerful tool to monitor endpoints; it is free and can be easily installed on many machines. It creates lots of log messages and stores them in the Windows event log. Those logs are usually routinely sent to a central log server such as Graylog, where blue teams can easily search them:

To get meaningful search terms, blue teams often use sandboxes such as Joe Sandbox to deeply analyze malware. However, the IOCs generated by sandboxes are often not in a format that allows easy correlation with Sysmon events. Blue teams in turn have to translate the IOCs, which is a painful job. In addition, Sysmon event logs can serve as input for various other tools. For instance, they can be easily translated to Sigma, which allows a wider search across many other logs.

To reduce friction and make the blue team's job less painful, we added Sysmon output to Joe Sandbox.

Using a Cookbook to generate Sysmon output

In order to get Sysmon logs you have to use a custom Cookbook which will first install Sysmon. Cookbooks are small scripts which define how an analysis is executed. They give blue teams a way to fully customize a dynamic analysis. Let us have a look at our Sysmon cookbook:

In line 3 the cookbook specifies that the malware is executed on a sandbox named w7_1. On the submission page you find a mapping of system names to system configurations:

In lines 7 to 16 Sysmon is installed. Please note that you can use any Sysmon config you like; there is no restriction. By default, the template from SwiftOnSecurity is used.

In lines 18 to 24 all the analysis engines are started including the network and behavior engines.

In line 26 the sample is started and in line 30 the cookbook sleeps for at most two minutes. Right after that, the analysis engines are stopped and finally the machine is cleaned up.

Generate Sysmon Events for SmokeLoader

Let us take a concrete example and assume you want to verify whether one of your hosts is infected by the latest SmokeLoader malware.

The cookbook is submitted together with the malware sample in the advanced tab:

In the generated analysis report, go to the explorer.exe process and then Sysmon Activities:

Joe Sandbox lists all Sysmon event logs in various formats. To construct your search query for Graylog, you can use the first 3 fields. For instance, you can easily search for LNK file creation by explorer:

You can also use the last field, copy it to a file and then use the evt2sigma converter to get a Sigma rule:

Sigma then can be converted to various other formats:
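As an added example (our own code, not Joe Sandbox's or the evt2sigma converter's): the two translations described above, from the Sysmon fields of the LNK-creation event to a Graylog search query and to a Sigma rule, run over a constructed event. The field names follow Sysmon's EventID 11 (FileCreate) schema; the paths are invented.

```python
"""Added example, not Joe Sandbox's or evt2sigma's code: build a Graylog
search query and a Sigma rule from the Sysmon fields of one event."""

# Constructed Sysmon EventID 11 (FileCreate) event: explorer.exe writing an
# LNK file into the user's Startup folder. Paths are made up for the example.
SAMPLE_EVENT = {
    "EventID": 11,
    "Image": r"C:\Windows\explorer.exe",
    "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                      r"\Start Menu\Programs\Startup\update.lnk",
}

def _lucene_escape(value: str) -> str:
    """Graylog uses Lucene query syntax, so backslashes and quotes are escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def _extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def graylog_query(event: dict) -> str:
    """Exact match on event ID and image; the file name is generalised to its
    extension so the query also finds LNK files with other names."""
    ext = _extension(str(event["TargetFilename"]))
    return (
        f'EventID:{event["EventID"]} AND '
        f'Image:"{_lucene_escape(str(event["Image"]))}" AND '
        f"TargetFilename:*.{ext}"
    )

def sigma_rule(event: dict, title: str) -> str:
    """Sigma YAML using |endswith modifiers, so the rule does not depend on the
    drive letter or user profile of the sandbox machine."""
    image_tail = "\\" + str(event["Image"]).rsplit("\\", 1)[-1]
    ext = "." + _extension(str(event["TargetFilename"]))
    return "\n".join([
        f"title: {title}",
        "status: experimental",
        "logsource:",
        "  product: windows",
        "  service: sysmon",
        "detection:",
        "  selection:",
        f"    EventID: {event['EventID']}",
        f"    Image|endswith: '{image_tail}'",
        f"    TargetFilename|endswith: '{ext}'",
        "  condition: selection",
        "level: medium",
    ])
```

The Sigma text can be fed to sigmac (or the converters the post mentions) to obtain queries for other backends.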

Cookbooks - Agile Malware Analysis

Thanks to Cookbooks, blue teams can benefit from a full customization of the malware analysis. Installing Sysmon is just one example. By using our Cookbook technology, analysts can easily:

  • Accelerate system time and date
  • Change keyboard layouts
  • Change the DNS server
  • Simulate USB memory sticks
  • Browse URLs on Chrome or Firefox
  • Execute multipart malware
  • Install their custom tools

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, July 5, 2018

APT28: Digging through Sandbox-Evasions with Bare Metal Analysis

In October 2017, we blogged about the advantages of analyzing malware on bare metal machines. Bare metal analysis offers the possibility to perform dynamic analysis on real devices such as laptops or PCs. The bare metal analysis is not affected by virtual machine detection, which is a major check done by most malware nowadays:

To demonstrate this, we analyzed a recent sample related to APT28/Grizzlybear which includes nine different evasion tricks.

Spotting evasive Samples on Cloud Basic

We have various triggers and alerts defined for our free online platform called Joe Sandbox Cloud Basic. Cloud Basic uses only virtual machines to analyze suspicious files; the bare metal analysis feature is available only in Joe Sandbox Cloud Pro.

Recently, we got an interesting alert which led us to the following sample uploaded on the 2nd of July.

If we look at the behavior graph we see only one process:

The spider classification chart indicates that this sample is very likely evasive:

Further, no obvious installation or infection behavior is recorded. Therefore, we can assume that the evasions were successful.

Digging through the Evasion Checks

We reran the sample found on Cloud Basic in Cloud Pro on a bare metal W10 machine:

The resulting analysis can be found here:

If we go to the behavior signatures, section Anti-Debugging and Malware Analysis System Evasion, we find many hits:

What type of evasions has the sample used? Let us analyze the checks one by one.

1. CPUID XEON Check

The function at address 406CFC calls CPUID and checks whether the CPU model is XEON. This type of processor is an indicator for a server and is usually not found in a laptop or a PC, the real infection targets of the malware:

If the model of the CPU is XEON the sample will stop its execution.

2. Sandboxie Check

Thanks to our Hypervisor based Inspection technology, which works on virtual machines and bare metal, user-mode API calls are traced. The GetModuleHandle API is interesting since it can be easily used to check for loaded DLLs:

If a module with the name sbiedll.dll is found, the sample will terminate. Sbiedll.dll is a DLL of the famous Sandboxie tool which is often used to analyze malware. 

3. Sleep/GetTickCount Time Evasion

At function 406DC8 the sample performs a time evasion which detects whether a malware analysis system shortens Sleep calls but fails to adjust the GetTickCount values accordingly. Sandboxes often shorten sleeps in order to trigger future behavior. Malware can detect this by comparing the Sleep duration with other time sources such as GetTickCount:

4. Command Line Checks

The sample fails to execute if a Sandbox passes one of the following arguments:

  • -autorun
  • -update

5. Virtual Machine Detection via VideoBiosVersion

At function 407118 the malware queries the registry value HARDWARE\Description\System\VideoBiosVersion:

If the key value contains the string VirtualBox the sample will fail.

6. Virtual Machine Detection via SetupAPI

In addition to the previous virtual machine check, a second check is executed via the SetupAPI:

Basically, the SetupAPI is used to enumerate device registry properties. The malware checks for the string "vmware". On VMware, common device properties are:

  • vmware svga 3d
  • vmware, vmware virtual s scsi disk device

7. IsDebuggerPresent

To check for debuggers, the API IsDebuggerPresent is called:

8. Name / Path check

At function 406E04, the sample checks for the following names in the path and the sample name:

  • \VIRUS

If one of the names is found the sample terminates.

9. RDTSC + CPUID Time Evasion

A second time evasion is performed at address 406B60:

What evasion is performed? Basically, the sample measures how long the CPUID instruction takes. The measurement is done via the RDTSC instruction:

On virtual machines, the CPUID instruction executes slower compared to bare metal. The reason is that virtual machines intercept the instruction and this usually takes longer. 
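As an added example that is not part of Joe Security's signature engine, here is how the nine checks above can be flagged on the analyst side from an API trace: a small behaviour-signature pass over a constructed trace of the calls discussed in this post (the addresses follow the post; the exact call sequence and arguments are assumptions).

```python
"""Added example, not Joe Sandbox's signature engine: a minimal behaviour-signature
pass over a constructed API/instruction trace flagging the evasion checks above."""

# (address, call or instruction, first argument). Joe Sandbox reports API
# calls per function; here instructions like CPUID/RDTSC are listed the same way.
TRACE = [
    ("0x406CFC", "CPUID", ""),                       # XEON model check
    ("0x406D40", "GetModuleHandleA", "sbiedll.dll"), # Sandboxie check
    ("0x406DC8", "GetTickCount", ""),
    ("0x406DD0", "Sleep", "1000"),
    ("0x406DD8", "GetTickCount", ""),                # Sleep vs. tick count
    ("0x407118", "RegQueryValueExA", r"HARDWARE\Description\System\VideoBiosVersion"),
    ("0x407200", "SetupDiGetDeviceRegistryPropertyA", "SPDRP_DEVICEDESC"),
    ("0x407260", "IsDebuggerPresent", ""),
    ("0x406B60", "RDTSC", ""),
    ("0x406B64", "CPUID", ""),
    ("0x406B68", "RDTSC", ""),                       # CPUID timing
]

# Rules keyed on the API name without the A/W suffix: (label, argument test).
SINGLE_CALL_RULES = {
    "GetModuleHandle": ("Sandboxie check (sbiedll.dll)",
                        lambda a: a.lower() == "sbiedll.dll"),
    "RegQueryValueEx": ("VM check via VideoBiosVersion",
                        lambda a: "videobiosversion" in a.lower()),
    "SetupDiGetDeviceRegistryProperty": ("VM check via SetupAPI device properties",
                                         lambda a: True),
    "IsDebuggerPresent": ("Debugger check", lambda a: True),
}
# Ordered call patterns that only make sense as a timing comparison.
SEQUENCE_RULES = [
    (("GetTickCount", "Sleep", "GetTickCount"), "Sleep/GetTickCount time evasion"),
    (("RDTSC", "CPUID", "RDTSC"), "RDTSC+CPUID timing VM check"),
]

def match_signatures(trace):
    """Return (address, label) hits. A lone CPUID (the XEON check) is not
    flagged: deciding that needs the compared result, not the call itself."""
    hits = []
    names = [name for _, name, _ in trace]
    for addr, name, arg in trace:
        rule = SINGLE_CALL_RULES.get(name) or SINGLE_CALL_RULES.get(name.rstrip("AW"))
        if rule and rule[1](arg):
            hits.append((addr, rule[0]))
    for pattern, label in SEQUENCE_RULES:
        for i in range(len(names) - len(pattern) + 1):
            if tuple(names[i:i + len(pattern)]) == pattern:
                hits.append((trace[i][0], label))
    return hits
```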

Payload Analysis

Since the analysis was performed on a real machine none of the nine checks was successful. As a result, the sample injects into explorer.exe:

The sample execution then ends in a Sleep call:

This is also nicely visible in the Execution Graph. All the red nodes have been executed; the black nodes have not:

The large amount of non-executed code includes various interesting areas, such as searching for files:

C&C communication:

Download and execute:

Executing the sample a bit longer fully reveals the behavior of the payload and all IOCs:

Looking at the Yara rules, we finally see some hits related to APT28 / Fancy Bear implant:

Joe Sandbox: no restrictions on Bare Metal analysis

Joe Sandbox does not restrict you to analyzing malware on a particular virtualization solution or device. You are free to choose on which kind of machine to analyze:

  • Modern Bare Metal Laptop
  • Modern Bare Metal PC
  • Mac Mini
  • MacBook Pro
  • Bare Metal Android Phone (e.g. Motorola G3)
  • iPhone

If you use Bare Metal machines you leave malware no chance of detecting the analysis environment. Detection techniques which are successful against KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. If you already have a sandbox or are looking to get one, then ask yourself: is Bare Metal analysis supported? Or is the sandbox solely based on KVM, VirtualBox, Qemu or Xen?

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!