Tuesday, February 27, 2018

How Malware fools Sandboxes with complex Installation Procedures

Cybercriminals are always innovative and fast in finding new tricks to bypass security solutions, and sandboxes are no exception. Looking at today's tricks, the majority belong to the group of environment checks: the malware detects that it is not running on the real target system but rather in a sandbox, and therefore hides its real behavior.
However, what if the sandbox does not know how to execute the sample at all or if it does not find the payload?

This blog post will outline some advanced attacks which fall into this category and show how Joe Sandbox can handle these evasions.

King PDF

PDF has been used for years to deliver malware to endpoints, mostly through exploits. The shell code inside a PDF is the trigger used to download and install a second stage malware. However, these days PDFs are also often used to just deliver a link:

When the victim clicks on the link, the malware is downloaded via a web browser and then installed.

Given this common scenario, the goal of a sandbox is to precisely simulate this behavior.

Sandbox UI automation 101

To be able to automate the user interaction, the sandbox has to first find the link in the PDF. There are two ways to do so:

  • Parse the PDF and search for links
  • Click on the link

Most sandboxes choose the first option as it is the easiest. However, this has some big shortcomings, because a link can be well hidden inside a PDF. In addition, the link can also be obfuscated or dynamically generated via JavaScript. The PDF below contains a link, but the PDF is encrypted. To get the link, you first have to decrypt the PDF:

As you can observe, link extraction via parsing the PDF is not really the solution. How about clicking on the link? This is also non-trivial because Adobe Reader uses its own UI elements. Windows UI Automation (UIA) does not help here, and the UISpy tool only detects the PDF page itself but not the link button:

So how does Joe Sandbox solve this? First it lays a grid over the PDF page and determines for each cross point whether it is worth clicking. It then simulates clicks on each interesting cross point and watches the Adobe Reader process for any events:

If a button is reached and clicked successfully, the click simulation stops. Right afterwards, our OCR UI engine takes over.

OCR based UI Automation

Using the above-mentioned technique, Joe Sandbox's PDF automation has successfully clicked the link. As a result, the operating system opens the local browser and, since the link points to a file, the file is downloaded:

As a next step, the sandbox needs to execute the downloaded sample. Of course, the most straightforward technique for the "lazy" would be to locate the temporary file on disk and then launch it. However, we have seen malware which checks whether the parent process is the browser rather than, e.g., Windows Explorer. Therefore, the only way is to continue with UI automation.

Again, Windows UI Automation and similar techniques do not help. We guess the reason is that Microsoft protects some of these buttons from programmatic clicking for security reasons.

Joe Sandbox solves this problem via a unique optical character recognition (OCR) technique based on a UI automation approach. The engine works like this:

  • Find interesting top level window
  • Perform OCR
  • Compare each detected word with a predefined button list
  • For each match click on the word
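The matching step of such an OCR-driven engine, as an added example that is not Joe Sandbox's code: OCR words with their bounding boxes are normalised, compared against an assumed button list, and only words that stand alone on their text line (a button label, not the same word inside a prompt sentence) become click points. The OCR output and the button list are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class OcrWord:
    """One word recognised by the OCR engine with its screen bounding box."""
    text: str
    x: int
    y: int
    w: int
    h: int

# Assumption: a sandbox operator maintains this list of button labels worth clicking.
BUTTON_WORDS = {"run", "open", "save", "keep", "ok", "yes", "next", "install", "allow"}

def normalise(text: str) -> str:
    """Fold common OCR confusions (0/O, 1/l) and strip punctuation before matching."""
    return text.lower().strip(".,:;!?\"'()[]").replace("0", "o").replace("1", "l")

def is_isolated(word: OcrWord, words: list, gap_factor: float = 1.5) -> bool:
    """A button label usually stands alone; the same word inside a sentence has
    neighbours on the same text line within a small horizontal gap."""
    for other in words:
        if other is word or abs(other.y - word.y) >= word.h:
            continue  # same word, or a different text line
        gap = max(other.x - (word.x + word.w), word.x - (other.x + other.w))
        if gap < gap_factor * word.h:
            return False
    return True

def find_click_targets(words: list, button_words=BUTTON_WORDS) -> list:
    """Return (label, x, y) click points at each word's centre, top-to-bottom then left-to-right."""
    targets = []
    for w in words:
        label = normalise(w.text)
        if label in button_words and is_isolated(w, words):
            targets.append((label, w.x + w.w // 2, w.y + w.h // 2))
    return sorted(targets, key=lambda t: (t[2], t[1]))

# Constructed OCR output for a download prompt: a sentence on one line and
# three buttons on a second line ("0pen" is a deliberate OCR misread of "Open").
SAMPLE_WORDS = [
    OcrWord("Do", 20, 100, 24, 16), OcrWord("you", 50, 100, 32, 16),
    OcrWord("want", 88, 100, 40, 16), OcrWord("to", 134, 100, 18, 16),
    OcrWord("run", 158, 100, 28, 16), OcrWord("this", 192, 100, 30, 16),
    OcrWord("file?", 228, 100, 36, 16),
    OcrWord("Run", 300, 200, 40, 20), OcrWord("Cancel", 380, 200, 70, 20),
    OcrWord("0pen", 490, 200, 50, 20),
]

if __name__ == "__main__":
    for label, x, y in find_click_targets(SAMPLE_WORDS):
        print(f"click '{label}' at ({x}, {y})")
```

The sentence word "run" is skipped because it has close neighbours on its line, while the "Run" and misread "0pen" buttons are clicked; "Cancel" is not in the button list.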

During an analysis, this looks as follows:

The full behavior due to the simulation can be easily seen in the process startup overview:

Please note that this technology is independent of any UI framework used by any application. It is fully generic and clicks on anything which looks interesting. Below you find an example of a URL analysis:

Final Words

Joe Sandbox does not go the lazy way. In contrast to many other solutions which try to extract links via PDF parsing, Joe Sandbox uses UI automation to extract them, no matter whether the link is encrypted, obfuscated or hidden. To trigger the download of resources it uses a unique, generic OCR-based UI automation approach which precisely simulates a user.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, February 20, 2018

Latest Elise APT comes packed with Sandbox Evasions

Recently we came across an interesting sample which seems to be related to the Elise malware. Elise is tied to the Dragon Fish and Lotus Blossom APT groups, which primarily target governments and defense contractors. Elise is known to infect victims using the latest exploits available and is often packed with interesting sandbox evasion techniques.

In this blog post, we will dissect the latest version of Elise.

The sample under investigation is distributed as an Office document lure, more precisely in Rich Text Format.


We start the analysis by looking at the behavior graph and observe that the process EQNEDT32.EXE was started alongside Winword.exe:

This process is the Microsoft Office Equation Editor. In November 2017 the security company Embedi detected a vulnerability in EQNEDT32.EXE which later received the identifier CVE-2017-11882. Microsoft patched the flaw in November.

So, is Elise using this exploit? To answer this question we had a detailed look at the exploit itself. The outcome: no, it is not CVE-2017-11882 but rather CVE-2018-0802. CVE-2018-0802? This is a second vulnerability, also in EQNEDT32.EXE, which was detected in late December.

We extracted the trampoline and shellcode:

The code renames and loads the PE file (named a.b) previously dropped by Word. The newly loaded code is then injected into IExplorer.exe, where the main payload is executed:

Sandbox Evasions

Elise performs a variety of sandbox checks in IExplorer:

  • VMware backdoor check
  • Disk name check
  • Check for various analysis tools
  • Process check
  • MAC address check
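A static triage check for the evasion families listed above, as an added example that is not Joe Sandbox's signature code: it scans a binary's bytes for the VMware backdoor magic value and for assumed string indicators (hypervisor disk names, analysis tool and VM service names, VMware/VirtualBox MAC prefixes), in both ASCII and UTF-16LE form. The sample bytes are constructed for this example.

```python
# The VMware backdoor magic 0x564D5868 ("VMXh") is the value a guest loads into EAX
# before the IN instruction on the backdoor I/O port; as a 32-bit little-endian
# immediate it shows up in code as the bytes 68 58 4D 56.
VMWARE_MAGIC_LE = (0x564D5868).to_bytes(4, "little")

RAW_PATTERNS = {"vmware_backdoor": {"VMXh magic": VMWARE_MAGIC_LE}}

# Assumed string indicators for the remaining check families listed above.
STRING_INDICATORS = {
    "disk_name": ["VMware", "VBOX", "QEMU", "Virtual HD"],
    "analysis_tools": ["wireshark", "procmon", "ollydbg", "x64dbg", "fiddler"],
    "process_check": ["vmtoolsd", "vboxservice", "vboxtray"],
    "mac_address": ["00:0C:29", "00:50:56", "08:00:27"],  # VMware, VMware, VirtualBox OUIs
}

def scan_for_evasion_indicators(data: bytes) -> dict:
    """Return {check family: [matched indicators]} for everything found in data.
    Strings are matched case-insensitively in both ASCII and UTF-16LE form,
    since Windows binaries frequently store them as wide strings."""
    findings = {}
    for family, patterns in RAW_PATTERNS.items():
        hits = [name for name, pattern in patterns.items() if pattern in data]
        if hits:
            findings[family] = hits
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    for family, words in STRING_INDICATORS.items():
        hits = [w for w in words
                if w.lower().encode("ascii") in lowered
                or w.lower().encode("utf-16-le") in lowered]
        if hits:
            findings[family] = hits
    return findings

def evasion_verdict(findings: dict) -> str:
    """Assumed scoring: hits from two or more independent check families is a strong signal."""
    return "sandbox-aware" if len(findings) >= 2 else "no evidence"

# Constructed sample: a mov eax, imm32 carrying the VMXh magic, a wide-string tool name,
# a disk model string and a VMware MAC prefix, separated by filler bytes.
SAMPLE = (b"\x90\x90\xb8" + VMWARE_MAGIC_LE + b"\x00\x00"
          + "Wireshark".encode("utf-16-le") + b"\x00\x00"
          + b"VMware Virtual IDE Hard Drive\x00" + b"00:0C:29\x00")

if __name__ == "__main__":
    found = scan_for_evasion_indicators(SAMPLE)
    print(found, "->", evasion_verdict(found))
```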


After passing all the sandbox checks Elise creates an autostart key:

Thanks to Hybrid Code Analysis we can also detect all malicious functionalities:

  • Add a proxy to Internet Explorer
  • Add a proxy to Firefox

Finally, in functions 514D05, 5159AF and 515486 we find the download, upload and command execution handlers. Elise can collect and upload the following data:

  • CPU Usage
  • RAM (size/free)
  • Disk space (size/free)
  • Windows Version
  • Username
  • Locale
  • Timezone
  • SID
  • List of tasks
  • List of network adapters
  • List of files on Desktop

Final Words

Elise is a very advanced piece of malware which uses only the latest exploits for its distribution. Before the main payload is executed, many different sandbox evasions are performed. The payload and the communication code are injected into IExplorer, likely to bypass PFW and HIPS.

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, February 13, 2018

Deep Malware Analysis with Joe Sandbox 21 - Sapphire

Now, in the middle of Q1, we are happy to release our newest and greatest Joe Sandbox version, code name Sapphire!

Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Sapphire a couple of weeks ago.

If you want to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation now, please perform:

mono joeboxserver.exe --updatefast

In this blog post, we will show some of the enhancements and features of Sapphire.

80 New Behavior Signatures

The new signatures include detections for Spectre, Meltdown, various new CVEs, coin miners, DNS hijackers, Loapi and more:


DNS Hijacker

The new signatures enable analysts to spot and catch the latest security threats!

Remote Assistance

Given the complexity of automating the execution of some malware, we added a remote assistance feature. With remote assistance, analysts can connect to the analysis machine via VNC and start samples manually. Further, they can click away security warnings:

Remote Assistance Option

Connect to Analysis Machine

Perform Remote Assistance

Please note that VNC has been directly integrated into the Joe Sandbox web interface, so it is not required to install any VNC client. Remote Assistance is also very useful to detect credit card scams:

Template based Phishing Detection

We strengthened the phishing detection with a template engine. The template engine searches the phishing page for a known template (usually a brand image):

Phishing Page

Template Match

Template-based phishing detection increases the chances of catching targeted phishing attacks. Analysts can easily add their own brand templates and images. Interested? Read more about template-based phishing detection in our recent blog post.

Analysis Report Improvements

Sapphire includes a lot of new graphics, visualizations and report specific improvements. They all make it easier to understand complex threat data:

API groups per Hybrid Code Analysis function

Call Graph for Hybrid Code Analysis
Per Hybrid Code Analysis function CFG Graph

Restructured Dropped File Section

Please note the entropy column, which is very effective for detecting ransomware!
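How such an entropy figure is computed and read, as an added example that is not Joe Sandbox's code: Shannon entropy in bits per byte over a dropped file's contents, with assumed thresholds that separate text and code from encrypted, compressed or packed data (what a ransomware sample leaves behind). The two sample buffers are constructed.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty input,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Assumed thresholds: plain text sits well below 6 bits per byte, compiled code in
# between, and encrypted, compressed or packed content approaches 8.
def classify_dropped_file(data: bytes, high: float = 7.2, low: float = 6.0) -> str:
    """Coarse verdict on a dropped file from its entropy alone."""
    if len(data) < 64:
        return "too small to judge"  # a handful of bytes cannot reach high entropy anyway
    e = shannon_entropy(data)
    if e >= high:
        return "high entropy: encrypted, compressed or packed"
    if e >= low:
        return "medium entropy: compiled code or mixed content"
    return "low entropy: text or sparse data"

# Constructed samples: repeated English text versus a buffer with a uniform byte
# distribution, standing in for a document that ransomware has encrypted.
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 20
UNIFORM_SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    for name, buf in (("text", TEXT_SAMPLE), ("uniform", UNIFORM_SAMPLE)):
        print(f"{name}: {shannon_entropy(buf):.2f} bits/byte -> {classify_dropped_file(buf)}")
```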

HTTP Sessions
Behavior Graphs for analysis on macOS

Support for analysis on macOS High Sierra

Analyse binaries on the latest macOS version:

Support for analysis on Android 7.1 Nougat

Analyse binaries on the recent Android 7.1 release:

Dynamic Instrumentation for Android

With Dynamic Instrumentation, Joe Sandbox instruments and analyses dynamically loaded DEX code, enabling deep insights into the latest Android threats:

Want to learn more about Dynamic Instrumentation? Read more about it in this blog post.

Final Words

In this blog post, we introduced some of the major features of the Sapphire release. Furthermore, minor features include:

  • IOC logging via Syslog
  • VT / Metadefender score for analysis overview
  • Redesign of the submission page configuration
  • Integration with Viper
  • Integration with Malsub
  • SSL key extraction
  • Button click list for Android
  • Jbxbalancer API script
  • ACE unpacking
  • Fine-grained status information during analysis
  • Backjumping in the HTML analysis report

What is next? We have an amazing pipeline of new technologies and features! Stay tuned!