Wednesday, December 12, 2018

Joe Sandbox Mail Monitor 2.0

As a security professional working in a SOC, CERT or CIRT, you are constantly bombarded with requests from end users asking if the e-Mail attachment they received is safe to open or not. This kind of requests have recently increased with the last Emotet trojan malspam campaign using Word or PDF attachments as a lure:

In most cases, you would take the e-mail and submit it to Joe Sandbox in order to check if it is malicious. If the document analysis shows signs of maliciousness, you would consequently inform the end user.

Wouldn't it be nice if this whole process could be automated so that you can focus on more important tasks?

In this regards, we have good news for you! Joe Sandbox Mail Monitor may be exactly what you are looking for. Joe Sandbox Mail Monitor is integrated into Joe Sandbox Cloud Pro as well as into our on-premise products. We recently added a couple of new interesting features to Joe Sandbox Mail Monitor 2.0 and will present some of them in this blog post.

What exactly is Mail Monitor? Please have a look at the diagram below:

To enable Mail Monitor you first create a new e-mail account with the name Your end-users will then forward suspicious e-Mails to the defined email account. Mail Monitor will periodically fetch new e-mails from that account and submit them to Joe Sandbox. Then, Joe Sandbox will fully dissect the e-mail and analyze all the attachments and URLs it finds in the email body (you have a configurable whitelist to prevent analysis of links in your e-mail signatures). Once the analysis is finished a notification e-Mail is sent to the end user:

With Mail Monitor 2.0 end-users can now also be notified as soon as the forwarded e-mail has been received by Joe Sandbox:

Further, we added summary notifications. Let us assume that the forwarded email contains multiple links and/or attachments. With Mail Monitor 2.0 you can choose if the end user shall receive a notification for each analyzed link and attachment, or just one summary notification:

The detection for summary notifications is based on the analysis with the highest score, i.e. the most malicious sample or URL.

On top of this enhancement, we extended the customization of notifications:

For each notification, you can change the subject and body. For better visibility please choose the Joe Security design.

Finally, we also improved:
  • URL extraction from e-Mail bodies
  • Notifications for cached analysis
  • More intuitive design 
  • Use of {{subject}}, {{to}} and {{from}} in the templates
Does this sound good to you? Would you like to try out Joe Sandbox Mail Monitor 2.0? Contact us today!

Tuesday, November 27, 2018

Generic Unpacking Detection

Malware authors use a wide range of techniques to avoid detection by security tools. One of the most used techniques is packing. This powerful procedure allows attackers to bypass static signature detection, an important defense line of Antivirus products.

Unpacking is the process of restoring the original malware code and is considered a hot topic for academic research due to its complexity.

Joe Sandbox includes a generic unpacking engine since 2014. While unpacking is one problem, generic unpacking detection is another.

In this blog post, we are going to outline how packing works and how the recently added unpacking detection of Joe Sandbox works.

The Art of Packing and Unpacking

It is hard to describe packing in words, therefore please have a look at the visualization below:

Packing is usually applied to executable files such as the Windows Portable Executable (PE) or the Linux Executable and Linkable Format (ELF). The tool which performs the packing process is called "Packer".

The starting point is a PE file. The workflow of packing, unpacking and execution is as follows:

1) Original File

If you look at your PE file it contains a header, a code section (.text) and some additional sections (.data, .rsrc etc). Very important, all the code is available for static analysis. It is relatively simple to find unique code patterns in the code segment to detect the file as malicious. 

2) Packing Process

The packing process will generate a totally new PE file and will contain a new header. Next, the original file will be transformed. The transformation is often a compression algorithm, a cryptographic operation (XOR) or a mix of both. Often a random key is used for the transformation. As a result, each packed sample is unique. The transformed original file is copied to the new file. Finally, a small Stub code is added to the new PE file. Its goal is to reverse the transformation during execution. Since the original file is compressed and encrypted, static analysis and detection is hard

3) Loading the Packed File Phase 1

When the packed file is started it is mapped to virtual memory. Next, the unpacking stub is called to reverse the compression and/or cryptographic operation. As a result, the original file is "restored" in memory. There are two possibilities where the file is restored. Either the complete packed PE file is replaced with the original, or it is restored on a different memory address. 

4)  Loading the Packed File Phase 2

As soon as the original file is "restored", the stub will transfer execution to the "restored" file. The restored file will then execute as normal.


Packers are available in a large variety. You can buy them in the DarkNet or also from legit software vendors. Below you can see a nice map from Ange Albertini which shows some of the most famous packers:

Generic Unpacking Detection

Since most malware is packed, it not only makes sense to do generic unpacking but also to detect the unpacking process itself. This generic unpacking detection has been recently added to Joe Sandbox. In order to demonstrate its power, we will look at two different samples. 

PE Header Overwriting

The first sample is called XgkKQZc74T.exe. During execution, the image is mapped to address 0x400000:

Joe Sandbox's unpacking engine generates several "restored" files:

The first file with the name 1.0.XgkKQZc74T.exe.400000.0.unpack was captured before any code has been executed. The second file which starts with the name 1.2.XgkKQZc74T.exe.400000.0.unpack was stored when the analysis finished. Please note that both files have been restored from the same address 0x400000. 

Let us have a look at the import address table for each restored file. The import address table shows what functions are imported by the PE file. The first file (1.0.XgkKQZc74T.exe.400000.0.unpack) has many imports:

In contrast, the second file has fewer imports and most of them are not in the previous files. For instance, the sample can connect via HTTP to the Internet. The previous sample does not have an import for such a function:

This change of the PE file header proves that the sample is packed. The PE header at address 0x400000 has been overwritten with the unpacked file. As a result, the import address table changed and we see above the table from the unpacked/malicious file. With a new behavior signature Joe Sandbox detects this anomaly:

If we look at the unpacked file we can also find the command and control IP / domain:

Dynamic Code Loading

The second sample is named WBKDqSfWLj.exe. It is loaded at address 0xdb0000:

If we browse some of the behavior we detect that some calls originate from 0xdb0000:

However, there are also calls coming from 0x400000:

Could this be an unpacked file? If we browse to the memory activities we indeed see that there is some allocation of memory at the address 0x400000:

As for the previous sample, we can compare the import address table of the corresponding unpacked files. This times the base address of the images is different:

For file 1.0.WBKDqSfWLj.exe.db0000.0.unpack the import address table is:

And for file 1.2.WBKDqSfWLj.exe.400000.1.unpack the import address table is:

Again, we see different tables which outlines that a new PE file has been loaded. This time the PE header of the original file is not overwritten. Rather, the original file is unpacked/decompressed to a new memory section which was allocated by the stub. Of course, there is also a behavior signature in Joe Sandbox to detect this:

Final Words

Packing is widely used by many malware samples to bypass static signature detection. Joe Sandbox includes an unpacking engine which will restore the original file. The restored files can be downloaded by analysts:

While unpacking itself is helpful, unpacking detection is even more important. With the upgrade, Joe Sandbox detects unpacking via PE header overwriting and dynamic code loading:

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, November 6, 2018

Scorch Malware with Joe Sandbox Fire Opal

We're nearing the end of 2018 and with that, we proudly release the latest Joe Sandbox update: version 24 - code name Fire Opal! This release is packed with an enormous amount of new features and interesting enhancements that will skyrocket the analysis power of Joe Sandbox.

Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Fire Opal a couple of days ago.

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Fire Opal features.

77 New Behavior Signatures

With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of Gootkit, GrandCrab, AZORult, Darkcomet RAT and more:

Ubuntu 18.04 TLS Support

Joe Sandbox now runs on the latest and most secure Ubuntu LTS Server operating system - Bionic Beaver 18.04 LTS. Ubuntu guarantees security updates until the year 2023 for this release:


We have completely mapped over 1,800 behavior signatures of Joe Sandbox to Mitre's adversary tactics and techniques. For each analysis you now get the Mitre ATT&ck matrix and can easily compare different malware samples based on their tactics:

VMware ESXi 6.7 Cloning

Fire Opal adds support to install and run Joe Sandbox on VMware ESXi 6.7. In addition, we implemented cloning for ESXi. With cloning you can easily scale up Joe Sandbox by using a single shell command:

For detailed information, please have a look at our recent blog post about Clone Wars - Zero Effort Scaling.

INetSim Support

You have a critical sample and don't want to analyze it with a real Internet connection, but still want to see the network traffic it initiates? No problem! Fire Opal adds support to connect Joe Sandbox to INetSim - the industry standard for Internet simulation:

With INetSim malware samples cannot cause any harm to any third party since no live Internet connection is granted.

TOR connect / disconnect

You want to grant Internet access to the analysis machine but want to do it an anonymized way? Fire Opal comes with an automated Tor connector. By using a single shell command your system is configured to route all malicious traffic through Tor:

Web API 2.0 Extensions

We extended the REST API 2.0 with the ability to manage users, cookbook and Yara rules. You can create, modify and list all users, cookbooks and Yara rules:

URL Memory Extraction

Fire Opal extracts URLs directly from memory dumps and sends them to Virustotal or MetaDefender for detection:

With that feature, Joe Sandbox detects C&C URLs even if they are not called.

Dynamic Data for Hybrid Code Analysis

Dynamic information such as system or API call arguments is now fully passed to our Hybrid Code Analysis engine. As a result, you find function arguments directly in the disassembly section:

This makes reading and understanding the disassembly much easier! Thanks to this feature, we see in the example above that the address of GetTickCount is queried as well as the number of ticks returned by GetTickCount.

Screenshot Thumbnails and Downloads

We added a gallery of all screenshots as thumbnails to the analysis report. This makes it much easier to identify interesting screenshots:

In addition, you can now download a selection of "Interesting Screenshots" only:

Improved VBA Callgraphs

If you activate VBA instrumentation - a technique which enables to extract dynamic information from VBA Macros in Office documents - Joe Sandbox will generate an impressive call graph. With Fire Opal we extended that call graph and added triggers, number of calls and API calls:

Due to that improvement, you can find interesting Macro parts more quickly and understand the structure of the code better. 

RTF File Parser

Documents in RTF format are now parsed and malicious objects are detected:

Joe Sandbox Class 2.0

The Fire Opal release includes Joe Sandbox Class 2.0. Class is the code similarity engine of Joe Sandbox. It enables to identify similar samples by looking at code functions. Class 2.0 includes a wide range of new features such as opcode and instruction based similarity searches, a completely redesigned report, as well as various performance improvement:

With Joe Sandbox Class 2.0 analysts find similar samples more quickly, understand which samples are the most similar and why they are similar.

Read more about it on our blog on Hunting for similar Samples with Joe Sandbox Class 2.0.

Dialog Box Support for Android

Android samples requesting dynamic permissions have become more frequent. Therefore we added automation support for those dialog boxes:

As a result, Joe Sandbox handles all dialog boxes fully automated.

Final Words

In this blog post, we introduced some of the major features of the Fire Opal release. Furthermore, minor features are:

  • Added Windows 10 x64 support to Joe Sandbox Hypervisor as well as a huge performance upgrade
  • Added more user-mode API interceptions to Joe Sandbox Hypervisor
  • Added a new guide for Remote Assistance
  • Added a new cookbook to change the timezone of the analysis machine
  • Added a password test for protected office documents
  • Added auto dependency installation
  • Added support for dynamic instrumentation of dropped APKs
  • Added support for decompilation of dropped APKs and DEX files
  • Added support for MITM SSL inspection on Android
  • Huge performance improvement for documents and URL analysis
  • Improved the general analysis performance
  • Improved the selection of interesting Android methods
  • Improved remote assistance

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!