Wednesday, March 20, 2019

Ransomware is not dead - a light analysis of LockerGoga

Despite many reports saying that the number of Ransomware samples is on the decrease, we see again and again big multinational companies suffering from these attacks.

Just two days ago, Norway based Norsk Hydro - one of the World's largest Aluminium producers - was hit by a severe Ransomware attack:

The attack is so massive that Hydro had to switch its productions to manual mode:

According to various press releases, the entire worldwide Norsk Hydro network is down, affecting all production as well as office operations.

If you search this incident on Twitter, you will instantly come across the Ransomware LockerGoga:

While it is still unconfirmed that Norsk Hydro was hit by LockerGoga, we saw a high amount of LockerGoga samples being submitted to VirusTotal as well as Joe Sandbox Cloud Basic.

One of the most recent samples (version 1510) has been uploaded to VirusTotal on March 19th (MD5: e11502659f6b5c5bd9f78f534bc38fea):

On Joe Sandbox Cloud Basic just some minutes later:

Joe Sandbox 25.0.0 Analysis Report

LockerGoga is not a standard Ransomware but rather has some specialties. The binary is signed by Sectigo. The certificate has been revoked recently, but it likely was valid at the time of the attack.

LockerGoga first encrypts the following file types:

Encrypted files are renamed to originalfilename.locked:

For encryption, LockerGoga does not use the Windows Crypto API CryptEncrypt, but rather its own implementation (likely CryptoPP + Boost):

The encryption of files is performed in multiple processes. A master process gathers all files and distributes encryption tasks to its slave processes:

The benefit of this architecture is that encryption is much faster since it will use all the CPU cores of the machine.
Normally, for a workstation with many documents, encryption can take hours. If the ransomware is detected fast enough some documents could be rescued.
In contrast, with LockerGoga this won't help since encryption is very performant. So far, we have not seen any other Ransomware using a distributed encryption architecture.

Goga drops the following ransomware notice:

While files are being encrypted the user is logged out:

Users are then no longer able to log in since before it overwrites the user's and administrator's password with HuHuHUHoHo283283@dJD:

This is another interesting and new behavior. While LockerGoga is not as brutal as wiper malware such as OlympicDestroyer it still completely blocks the computer. 

Update 1 (21.03.2019):

The RSA key length is not 4096 bits as claimed but rather only 1024. The key is:


Besides the account locking LockerGoga also has the capability to disable the network interface:

However, this feature is no activated in version 1510.

LockerGoga seems to be not new, e.g. searching for PE files signed by Sectigo gives us several older versions, e.g. version 1320, MD5 16bcc3b7f32c41e7c7222bf37fe39fe6, March 8th:

Joe Sandbox 25.0.0 Analysis Report

As this blog post outlines LockerGoga is different from standard ransomware:

  • Signed with a valid certificate
  • Uses a multi-process architecture to encrypt files faster
  • Locks the user and administrator account in addition to file encryption 
  • Is continuously improved (multiple version of the same ransomware exist)

Joe Sandbox nicely detected and analyzed all those different aspects. We also have added generic signatures to detect LockerGoga:

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, March 5, 2019

Malicious Documents: The Evolution of country-aware VBA Macros

Today's malware is often delivered via e-mail attachments. Such documents usually contain a VBA macro or utilize the office equation editor exploit (CVE-2017-11882 or CVE-2018-0802). If it is a VBA macro, likely an encrypted PowerShell command is executed.

Lately, we have seen an increase of evasive VBA macros in Excel sheets. We have monitored new samples of the same group over a period of four months and analyzed how the macros changed over time.

This blog post will outline some of our findings.

Initial Sample

Let us have a look at an early version from December 2018, MD5: 2c2545df2bbcd506bd09641ec97ca5ae. The sheet obviously targets Japanese users:

The macro code is triggered once the workbook is opened:

The evasion check is directly performed in the Workbook_Open function:

Application.International(xlCountrySetting) returns the Country/Region version of Microsoft Excel. Here is an incomplete list of version numbers:

' Application.International(xlCountryCode) =
'Arabic                966       (Saudi Arabia)
'Czech                 42        (Czech Republic)
'Danish                45        (Denmark)
'Dutch                 31        (The Netherlands)
'English               1         (The United States of America)
'Farsi                 98        (Iran)
'Finnish               358       (Finland)
'French                33        (France)
'German                49        (Germany)
'Greek                 30        (Greece)
'Hebrew                972       (Israel)
'Hungarian             36        (Hungary)
'Indian                91        (India)
'Italian               39        (Italy)
'Japanese              81        (Japan)
'Korean                82        (Korea)
'Norwegian             47        (Norway)
'Polish                48        (Poland)
'Portuguese (Brazil)   55        (Brazil)
'Portuguese            351       (Portugal)
'Russian               7         (Russian Federation)
'Simplified Chinese    86        (People's Republic of China)
'Spanish               34        (Spain)
'Swedish               46        (Sweden)
'Thai                  66        (Thailand)
'Traditional Chinese   886       (Taiwan)
'Turkish               90        (Turkey)
'Urdu                  92        (Pakistan)
'Vietnamese            84        (Vietnam)

81 stands for Japan. This small code ensures that only Japanese computers are affected. In addition, the code prevents sandbox and dynamic malware analysis systems from analyzing the payload which usually runs on computers with US or Western European environments.

Version 2.0

A month later we detected a new variant MD5: d71eaf0ad33a749b8fe3fb8dff56a474. This time the check was split into functions:

The country code is being used by the functions kille and congamerat. Simply changing digitt would not do the job anymore:

Version 3.0

A couple of days later we found a new variant MD5: 894f2f2b7489052f9fe258f0ea70be6d. This time the Boolean check had been made more complicated:

The check includes arithmetic calculation. In addition, it uses built-in Excel constants such as xlTickLabelPositionHigh. The expression to query the country code is split into two statements:

While most of the sheets we found target Japanese users, we also found some which target Italian users (MD5 d0c862c57819f417b852cb1cd308ffa2 and d0c862c57819f417b852cb1cd308ffa2):

Version 4.0

Some days ago we found another variant, MD5: aacb83294ca96f6713da83363ffd9804. There are multiple changes. First of all, Workbook_Open is no longer used but rather Frame1_Layout:

Frame_Layout is triggered whenever Excel redraws the workbook. The country code check has not changed, it uses calculation and built-in constants:

What is more interesting is the second country check: Function tuff creates a currency format. E.g. for US dollar it creates $0.00. For Japan, it would create 0¥.

The size of the currency format is then later used to decrypt and deobfuscate the command line string passed to Shell:

Fighting country-aware Malware

As this blog demonstrates, attackers constantly improve their code base to make the detection more difficult.

Joe Sandbox has an array of different technologies to fight country aware samples. Generic VBA Instrumentation and Cookbooks are just two of them.  Below is the full analysis of the latest version:


Application.International(xlCountrySetting) and Format(0, "currency") are not the only ways to build country aware malware. Just recently we found a sample MD5 6a9eda3eb0bfc222ab46725829faaec7 which uses GetLocaleInfo:

Monday, February 18, 2019

Joe Sandbox 25 - Tiger's Eye is out!

For the last three months, we have been working on Joe Sandbox's 25th version, released today under the code name Tiger's Eye! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.

Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Tiger's Eye a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileX, LinuxComplete 
or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Tiger's Eye features.

Nearly 100 new Behavior Signatures

With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of ExileRAT, LuckyCat RAT, LokiBot, Anubis Loader, and more:

Optical Character Recognition (OCR) for Analysis of Office Documents

Malicious Office documents very often contain images and text used to convince the victim to enable macros or lower security settings. Thanks to the new OCR extraction of Office document content, Joe Sandbox Tiger's Eye can detect those lures:

This detection is very helpful to find malicious documents which contain old exploits that no longer work on recent Office versions.

Generic Unpacking Detection

99% of all malware today is packed. Tiger's Eye comes with a new signature to detect PE file overwriting and dynamic code loading within malware:

You can find more information about generic unpacking detection in one of our recent blog posts.

Microsoft Anti Malware Scan Interface (AMSI) Integration

Joe Sandbox v25 is able to use the Anti Malware Scan Interface of Microsoft. When adding the new cookbook command _JBEnableAMSI() Joe Sandbox will capture all AMSI buffer outputs. Through this, Joe Sandbox v25 can unpack and deobfuscate malicious Javascript, VBS, Powershell and Microsoft Office Macros:

You can find more information on the AMSI integration in one of our recent blog posts.

New Submission Options

Would you like to analyze a malware sample which requires a command line argument? No problem, Tiger's Eye includes a new submission option for that:

Besides the command line argument option there is also a new option to specify an archive password. Let us assume you keep all malware in password protected Zip archives to prevent that your local Antivirus agent deletes the files. You can now add that password as a submission option and Joe Sandbox will extract the file automatically on submission:

JA3 Support

JA3 is a method for creating SSL/TLS client fingerprints that can be easily shared for threat intelligence. You find the JA3 fingerprints in the network section - HTTPS packages:

Joe Sandbox Mail Monitor 2.0.0

The Tiger's Eye release contains Joe Sandbox Mail Monitor 2.0.0 with a row of new features and improvements. Firstly, Mail Monitor is now able to send a notification when an email has been received:

Secondly, Mail Monitor 2.0.0 enables to send summary notifications which bundle several analyses (attachments and links):

Finally, the configuration interface has been revamped. You can find more information on Joe Sandbox Mail Monitor 2.0.0 in one of our recent blog posts.

Joe Sandbox Class 3.0.0

Tiger's Eye also comes with Joe Sandbox Class 3.0.0 which includes a new engine that uses Joe Sandbox's massive behavior signature set for similarity analysis. One big benefit of this is that Class 3.0.0 allows detecting similar samples on Windows, Android, macOS, and Linux. Another benefit is that the similarity algorithm is independent of the programming language of the malware. 

The similarity is visualized in the full report with a graph and as well as with a list of similar samples. Below you can find some similarity graphs of recent samples:

LokiBot Graph (Windows)

LokiBot Variants (Windows)

Anubis e-Banking Trojan (Android)
Retefe (macOS)
For a deeper technical overview on Joe Sandbox Class 3.0.0 please check out this blog posts.

Android 8.0

We added support for Android 8.0. As a result, you can analyze Android malware on Android 8.0 Oreo:

Motion Simulation

Recent Android malware contains new evasions which are based on motion triggers. Only if the Android device receives motion data (e.g gyroscope) the payload of the malware is executed:

In order to activate such payloads, we added the cookbook command _JBSimulateMotion(). This command simulates up to 200 steps. 

Confidence Score

Android analysis now also includes a confidence score. The confidence score tells how sure Joe Sandbox is about the detection. The detection verdict combined with the confidence score delivers very precise detections:

Final Words

In this blog post, we introduced some of the major features of the Tiger's Eye release. Furthermore, minor features are:

  • Added whitelisting based on the National Software Reference Library (NSRL)
  • Added COM based Office automation
  • Added PCAP download to report
  • Added dropped binaries, memory dumps and unpacked files download to report
  • Added ssdeep hash
  • Added PE rich header information
  • Added icons to the behavior graph
  • Added WMI anti evasions
  • Added INetSim support for VMware Workstation and ESXi
  • Added an option to generate secondary forensic data to the web interface and web API
  • Added extraction for Android AD frameworks
  • Added a search for the source code report
  • Improved (up to 40%) performance of fast mode (previously named hyper mode)

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!