Thursday, October 18, 2018

Clone Wars - Zero Effort Scaling

The Joe Sandbox v24 Fire Opal release is knocking at the door and brings a lot of interesting new features. One of the most interesting ones is support for VMware ESXi 6.7. VMware ESXi is a very good fit for building an infrastructure that analyzes large volumes of samples very quickly. Large means 5'000, 10'000 or 20'000 samples per day. In this blog post, we will show you how easy it is to scale Fire Opal with ESXi 6.7.

First of all, why is VMware ESXi so well suited for large-scale malware analysis? There are a couple of reasons. First, ESXi is a type 1 hypervisor:

With a type 1 hypervisor there is no separate host OS; the hypervisor itself is the OS. Examples of type 1 hypervisors are VMware ESXi, Xen or Hyper-V. Examples of type 2 hypervisors, which run as an application on top of a host OS, are VMware Workstation and VirtualBox. KVM sits in between: it is a Linux kernel module, so it is usually counted as type 1, even though the guest's device emulation runs in a user-space process (QEMU).

Generally, type 2 hypervisors are more often used for virtualization on desktops, while type 1 hypervisors mainly run server workloads. As a result, type 1 hypervisors tend to be more stable, easier to maintain and better at scaling. For instance, VMware ESXi can be connected to vCenter, which lets you maintain several ESXi servers, manage template VMs, clone them, etc. Such features are often not available for type 2 hypervisors.

Linked Clones

With Fire Opal, Joe Sandbox now fully supports ESXi 6.7. In addition, we implemented linked cloning for Windows analyzers. Linked cloning is already available for VMware Workstation and VirtualBox. What are linked clones? Linked clones make your job as a Joe Sandbox administrator much easier. Let us assume you have set up and configured Joe Sandbox with one analysis machine named "Analyzer 1":

With a simple shell command, you can create n clones of your analyzer. The new clones "link" to the parent Analyzer 1: they share its virtual disk and write only their own changes to a small delta disk. Right after cloning, each clone therefore needs very little storage (normally about the size of the RAM of Analyzer 1, because the snapshot's memory state is copied per clone); the delta disk grows only as the clone writes to it.

Let us have a look at an ESXi instance running Joe Sandbox Fire Opal. We have one Windows 10 analyzer configured:

After logging in, use the --clonemachine command. The first argument is the number of clones you would like to create and the second the name of your parent/template VM.

Once cloning is finished, refresh the vSphere Web Client:

Don't be afraid of the "Used size" shown for the clones: it is misleading, because it counts the shared parent disk once per clone. All the clones taken together actually use only 82GB of storage space:
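To make the difference between the displayed per-VM figure and the real consumption tangible, here is an added example that is not part of Joe Sandbox or of this post. It walks VMDK descriptors the way a linked-clone chain is laid out on an ESXi datastore (a clone's delta descriptor names the template disk through parentFileNameHint) and counts every file exactly once. The datastore path, file layout, sizes and descriptor texts are constructed for the example; the "apparent" number is the value you get by charging each clone its whole disk chain, which is the figure to be suspicious of.

```python
"""Real vs apparent datastore usage of ESXi linked clones.

Added example; this is not Joe Sandbox code. A linked clone's disk is a sparse
delta VMDK whose descriptor names the parent disk via ``parentFileNameHint``.
All clones share that parent, so it must be counted once. The datastore path,
file layout, sizes and descriptor texts below are constructed for this example.
"""
import os
import re
from typing import Dict, List, Optional, Set, Tuple

GB, MB = 1024 ** 3, 1024 ** 2
DS_ROOT = "/vmfs/volumes/datastore1/"                 # assumed datastore mount path
PARENT_RE = re.compile(r'parentFileNameHint="([^"]+)"')
EXTENT_RE = re.compile(r'^R[WO]\s+\d+\s+\S+\s+"([^"]+)"', re.MULTILINE)

# path -> (size in bytes, descriptor text, or None for a binary extent / memory file)
Datastore = Dict[str, Tuple[int, Optional[str]]]


def make_datastore(n_clones: int, base_gb: int = 60, ram_gb: int = 4,
                   delta_mb: int = 300) -> Datastore:
    """Construct a template 'Analyzer 1' plus n linked clones of it."""
    t = "Analyzer 1"
    ds: Datastore = {
        f"{t}/{t}.vmdk": (1024, f'createType="vmfs"\nRW 125829120 VMFS "{t}-flat.vmdk"\n'),
        f"{t}/{t}-flat.vmdk": (base_gb * GB, None),
        f"{t}/{t}-Snapshot1.vmem": (ram_gb * GB, None),   # template's own snapshot RAM
    }
    for i in range(1, n_clones + 1):
        d = f"{t} clone {i}"
        desc = (f'createType="vmfsSparse"\nparentFileNameHint="{DS_ROOT}{t}/{t}.vmdk"\n'
                f'RW 125829120 VMFSSPARSE "{d}-000001-delta.vmdk"\n')
        ds[f"{d}/{d}-000001.vmdk"] = (1024, desc)
        ds[f"{d}/{d}-000001-delta.vmdk"] = (delta_mb * MB, None)  # grows as the clone writes
        ds[f"{d}/{d}-Snapshot1.vmem"] = (ram_gb * GB, None)       # copied RAM state, ~RAM size
    return ds


def _resolve(descriptor: str, ref: str) -> str:
    """Extent names are relative to the descriptor; the parent hint is absolute."""
    if ref.startswith(DS_ROOT):
        return ref[len(DS_ROOT):]
    return os.path.join(os.path.dirname(descriptor), ref)


def disk_chain(ds: Datastore, descriptor: str) -> List[str]:
    """Every file backing a virtual disk: descriptor, extents, then the parent chain."""
    text = ds[descriptor][1] or ""
    files = [descriptor] + [_resolve(descriptor, e) for e in EXTENT_RE.findall(text)]
    parent = PARENT_RE.search(text)
    if parent:
        files += disk_chain(ds, _resolve(descriptor, parent.group(1)))
    return files


def vm_dirs(ds: Datastore) -> List[str]:
    return sorted({os.path.dirname(p) for p in ds})


def vm_files(ds: Datastore, vm_dir: str) -> Set[str]:
    """Files of one VM, with each disk descriptor expanded to its whole chain."""
    files: Set[str] = set()
    for path, (_, text) in ds.items():
        if os.path.dirname(path) == vm_dir:
            files.add(path)
            if text is not None:
                files.update(disk_chain(ds, path))
    return files


def apparent_usage(ds: Datastore, vm_dir: str) -> int:
    """Per-VM figure that charges a clone for its full chain, shared parent included."""
    return sum(ds[f][0] for f in vm_files(ds, vm_dir))


def real_usage(ds: Datastore, dirs: List[str]) -> int:
    """Bytes actually consumed: every file once, however many clones share it."""
    shared: Set[str] = set()
    for d in dirs:
        shared |= vm_files(ds, d)
    return sum(ds[f][0] for f in shared)


def clone_overhead(ds: Datastore, clone_dir: str) -> int:
    """What one clone adds on top of the template: only the files in its own directory."""
    return sum(size for path, (size, _) in ds.items() if os.path.dirname(path) == clone_dir)


if __name__ == "__main__":
    ds = make_datastore(20)
    dirs = vm_dirs(ds)
    for d in dirs[:3]:
        print(f"{d:22s} apparent {apparent_usage(ds, d) / GB:6.2f} GB")
    print(f"real total for {len(dirs)} VMs: {real_usage(ds, dirs) / GB:.2f} GB")
```

With 20 clones of a 60GB template with 4GB of RAM, every clone appears to use a bit over 64GB, while the whole farm really occupies the template plus roughly 4.3GB per clone. The per-clone overhead is dominated by the copied memory state, which is why the post quotes "the size of RAM" as the practical cost of a clone.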

After cloning, the analyzers are ready to analyze samples. To see the number of analyzers in action simply go to the Admin Tab - Monitoring:

Zero Effort Scaling

Thanks to the new support for VMware ESXi, scaling has become very easy. A Joe Sandbox administrator sets up one analyzer and can then multiply the analysis throughput with a single shell command.

In contrast to VMware Workstation and VirtualBox, ESXi is much better suited for large-scale analysis. It is more stable than type 2 hypervisors, offers better maintenance features and enables zero effort scaling.

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, October 3, 2018

Analyzing Gozi's Anti-Analysis Tricks with Joe Sandbox Hypervisor 2.0

Over the past couple of months, we have focused our efforts on the second version of Joe Sandbox Hypervisor. To inspect a program at runtime, Joe Sandbox Hypervisor uses the hardware virtualization features of the CPU. Compared to other analysis techniques, Hypervisor-based Inspection (HBI) inspects a program more deeply and therefore extracts more malicious behavior. Hypervisor 2.0 can also run on bare metal. We already blogged about how to extract C&C traffic with Joe Sandbox Hypervisor here.

This blog post will show some of the new features we added to Joe Sandbox Hypervisor 2.0, using a recent Gozi sample found on Vitali Kremez's Twitter account (big kudos):

The Gozi developers are very active and add new tricks and evasions frequently. This time they added two new evasions:

  • GetCursorPos, WaitForSingleObject user activity check
  • GetLocaleInfo, language check

Locale Check

Language checks are very common in targeted malware samples. They let the attackers restrict the execution of particular samples to one country or to a specific geographical zone (e.g. Asia), or, as in this case, keep the sample from running in certain countries at all. If you start browsing the Execution Graph, you can easily spot a suspicious looking section:

The red nodes with a diamond shape are so-called "key decisions". They refer to a location in the code where a decision is made. For an evasion, the decision often leads to process termination, a sleep or a crash. Zooming in reveals the API calls and edges:

First, "Locale" information is queried, then a case-insensitive substring search is done using StrStrIA. At 4010e7 the decision is made whether to execute the payload (left branch) or not:

If the right branch is taken, the process simply exits. As a result, the payload is not executed and the sandbox will not detect any malicious behavior:

What is the Locale information about and what does Gozi compare it with? To answer this question, we can jump to the corresponding Hybrid Code Analysis function. Thanks to Hypervisor 2.0 we now have the API arguments for many string comparison functions:

String 1 is the list of country codes to compare against. String 2 is the actual Locale information of the analysis machine on which Joe Sandbox executed Gozi. Putting all this together, the evasion works as follows:

In case the machine is located in China or Russia, Gozi will simply terminate and not execute its payload.

Since the locale of the analysis machine is US and not CN or RU, the evasion does not trigger. Customers whose analysis machines are located in Russia or China can use one of our Cookbooks to change the locale for the analysis:
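The decision logic is small enough to model, which is useful when you want to know in advance what a Cookbook change of the locale will do. The following is an added example, not Gozi's code and not part of this post: it reproduces the StrStrIA(country_list, machine_locale) semantics (the machine's locale is looked up inside the attacker's list, ignoring case). The list contents and the assumption that two-letter ISO 3166 country codes are compared are ours; the post only states that China and Russia are avoided and does not say which LCType Gozi queries.

```python
"""Model of the locale check described above.

Added example; this is not Gozi's code. The post shows GetLocaleInfo feeding
StrStrIA(country_list, machine_locale): a case-insensitive substring search
that fires when the machine's locale string occurs anywhere in the list. Which
LCType Gozi queries and the exact list contents are not stated in the post; the
list below and the two-letter ISO 3166 codes are assumptions.
"""
from typing import Dict, Iterable, Optional

BLOCKLIST = "RU;CN"    # constructed; the post only says China and Russia are avoided


def strstria(first: str, search: str) -> Optional[int]:
    """Mimic shlwapi StrStrIA: offset of `search` in `first` ignoring case, else None."""
    if not search:
        return None            # the empty-needle corner case is not modelled
    idx = first.casefold().find(search.casefold())
    return None if idx < 0 else idx


def payload_runs(machine_locale: str, blocklist: str = BLOCKLIST) -> bool:
    """Left branch at 4010e7 (payload) when the locale is not in the list, right branch (exit) otherwise."""
    return strstria(blocklist, machine_locale) is None


def decisions(locales: Iterable[str], blocklist: str = BLOCKLIST) -> Dict[str, str]:
    """What the key decision does per analysis-machine locale, e.g. before and after a Cookbook change."""
    return {loc: ("payload" if payload_runs(loc, blocklist) else "ExitProcess") for loc in locales}


if __name__ == "__main__":
    for loc, outcome in decisions(["US", "ru", "CN", "RUS", "DE"]).items():
        print(f"{loc:4s} -> {outcome}")
```

One practical point the model makes visible: because the machine's value is searched inside the list, a three-letter abbreviation such as "RUS" would not match "RU;CN". When you use a Cookbook to change the locale in order to see the exit branch, change the field the sample actually queries; String 2 in the report shows which value it received.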

User Behavior driven Unpacking

The second evasion is more unusual and is related to user behavior. Most of the time, when a sandbox analyzes a threat, there is no direct user interaction with the analysis machine. Therefore, the mouse and keyboard are inactive, which allows advanced malware to detect the sandbox and evade the dynamic analysis.

Let us have a look at function 4010ED:

We see GetCursorPos, WaitForSingleObject and GetCursorPos again. GetCursorPos queries the current coordinates of the mouse pointer. WaitForSingleObject, called here with a timeout, simply pauses the thread. Thanks to the C code decompiler we can easily understand the functionality of the evasion:

At line 45 the initial cursor coordinates are stored in v108, and then the thread sleeps for 64 milliseconds. Right after, at line 52, the cursor coordinates are stored in v120. At line 54, the deviation between the two coordinates is calculated. The deviation is passed as an argument to the unpacking routine at 401C7A. The whole process repeats until the unpacking routine returns 0 (line 56). A return value of 0 means the unpacking is complete.

If we put this all together the evasion works as follows:

If the mouse is not moved, the deviation between the two cursor positions is zero. With a deviation of zero, the malware makes no progress in unpacking, so the loop runs forever and the payload is never executed.

Joe Sandbox has simulated mouse movements and clicks since version 8.0.0. Thus, unpacking completes and the payload is triggered:
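The loop from function 4010ED is worth modelling end to end, because it shows why a sandbox that never touches the mouse hangs on this sample while one that moves it gets the payload. The following is an added example, not Gozi's code and not part of this post. The unpacking routine is a stand-in for sub_401C7A that consumes one byte of a constructed XOR-encoded payload per call, makes no progress while the cursor deviation is zero, and returns 0 once finished (the return-value convention the post describes). The cursor sources and the payload are constructed; the real code blocks in WaitForSingleObject between the two reads, the model simply pulls the next sample.

```python
"""Model of the GetCursorPos / WaitForSingleObject / GetCursorPos loop of function 4010ED
as the post describes it.

Added example; this is not Gozi's code. The unpacking routine is a stand-in for
sub_401C7A: it consumes one byte of a constructed XOR-encoded payload per call, makes
no progress while the cursor deviation is zero, and returns 0 once finished, mirroring
the return-value convention the post describes. Cursor sources and payload are constructed.
"""
import itertools
from typing import Iterator, Optional, Tuple

Point = Tuple[int, int]
WAIT_MS = 64                                    # observed wait between the two reads
ENCODED = bytes(b ^ 0x5A for b in b"payload")   # constructed stand-in for the packed payload


class Unpacker:
    """Stand-in for sub_401C7A: one byte per productive call, returns bytes still to go."""

    def __init__(self, blob: bytes, key: int = 0x5A) -> None:
        self.blob, self.key, self.out = blob, key, bytearray()

    def step(self, deviation: int) -> int:
        if deviation and len(self.out) < len(self.blob):
            self.out.append(self.blob[len(self.out)] ^ self.key)
        return len(self.blob) - len(self.out)   # non-zero: keep looping


def cursor_deviation(a: Point, b: Point) -> int:
    return abs(a[0] - b[0]) + abs(a[1] - b[1])


def evasion_loop(cursor: Iterator[Point], unpacker: Unpacker, max_iters: int = 10_000) -> Optional[int]:
    """Iterations until the unpacker reports 0, or None if it never does within max_iters.

    The real code blocks for WAIT_MS in WaitForSingleObject between the two reads; the model
    just pulls the next sample from the cursor source instead of sleeping.
    """
    for i in range(1, max_iters + 1):
        v108 = next(cursor)          # first GetCursorPos (line 45 in the decompiled code)
        v120 = next(cursor)          # second GetCursorPos after the wait (line 52)
        if unpacker.step(cursor_deviation(v108, v120)) == 0:   # lines 54-56
            return i
    return None


def idle_cursor() -> Iterator[Point]:
    """Unattended sandbox: the pointer never moves."""
    return itertools.repeat((512, 384))


def simulated_cursor(step: int = 7) -> Iterator[Point]:
    """Sandbox that moves the mouse, as Joe Sandbox does: the pointer drifts on every read."""
    return ((512 + step * i, 384 + (step * i) % 97) for i in itertools.count())


def run(cursor: Iterator[Point]) -> Tuple[Optional[int], bytes]:
    unpacker = Unpacker(ENCODED)
    return evasion_loop(cursor, unpacker), bytes(unpacker.out)


if __name__ == "__main__":
    print("idle cursor     :", run(idle_cursor()))        # (None, b'')  evasion loops forever
    print("simulated cursor:", run(simulated_cursor()))   # (7, b'payload')
```

Note that the evasion is not a one-shot check that a sandbox could short-circuit by returning a fake "moved" value once: the deviation is re-read on every round, so the simulated input has to keep changing for as long as the unpacker needs it.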

Joe Sandbox Hypervisor 2.0

Today's evasion techniques often use string comparison functions such as StrStr, StrCmp or StrRChr. Joe Sandbox Hypervisor 2.0 captures such API calls together with their arguments and is therefore able to detect and bypass samples that are country or region aware.
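Once the calls and their arguments are in a trace, both evasions from this post can be flagged with two small rules. The following is an added example, not Joe Sandbox's detection logic and not its report format: the pipe-separated trace lines are constructed for the example (1033 and 1049 are the en-US and ru-RU LCIDs, 258 is WAIT_TIMEOUT). Rule 1 flags a thread that queries the locale, passes the returned string to a string comparison API and then exits; rule 2 counts GetCursorPos / wait / GetCursorPos triplets whose two reads are identical, i.e. nobody moved the mouse.

```python
"""Spotting both Gozi evasions in a captured API-call trace.

Added example; the line format below is constructed for this post and is not
Joe Sandbox's report format. Rule 1 flags a thread that queries the locale,
feeds the result to a string comparison API and then exits. Rule 2 flags
repeated GetCursorPos / wait / GetCursorPos triplets whose two reads agree,
i.e. nobody is moving the mouse.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, List

STRING_COMPARE = {"StrStrA", "StrStrIA", "StrStrW", "StrStrIW", "StrCmpIA",
                  "StrCmpNIA", "lstrcmpiA", "StrRChrA", "StrRChrIA"}
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
WAIT_APIS = {"WaitForSingleObject", "Sleep", "NtDelayExecution"}


@dataclass
class Call:
    tid: str
    api: str
    args: List[Any]
    ret: Any


def parse_trace(text: str) -> List[Call]:
    """Lines: thread | api | JSON array of arguments | JSON return value."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tid, api, args, ret = (p.strip() for p in line.split("|", 3))
        calls.append(Call(tid, api, json.loads(args), json.loads(ret)))
    return calls


def locale_aware_exit(calls: List[Call], window: int = 50) -> List[Dict[str, Any]]:
    """Rule 1: locale query -> string compare on that value -> (optionally) process exit, same thread."""
    findings = []
    for i, c in enumerate(calls):
        if not (c.api.startswith("GetLocaleInfo") and isinstance(c.ret, str)):
            continue
        locale = c.ret.casefold()
        same_thread = [d for d in calls[i + 1:i + 1 + window] if d.tid == c.tid]
        for j, d in enumerate(same_thread):
            strs = [a for a in d.args if isinstance(a, str)]
            if d.api in STRING_COMPARE and any(a.casefold() == locale for a in strs):
                findings.append({
                    "tid": c.tid, "locale": c.ret, "compare_api": d.api,
                    "compared_with": [a for a in strs if a.casefold() != locale],
                    "exited": any(e.api in EXIT_APIS for e in same_thread[j + 1:]),
                })
                break
    return findings


def idle_cursor_loop(calls: List[Call], min_repeats: int = 3) -> int:
    """Rule 2: number of GetCursorPos/wait/GetCursorPos triplets with identical reads (0 below threshold)."""
    idle = 0
    for a, w, b in zip(calls, calls[1:], calls[2:]):
        if (a.api == b.api == "GetCursorPos" and w.api in WAIT_APIS
                and a.tid == w.tid == b.tid and a.ret == b.ret):
            idle += 1
    return idle if idle >= min_repeats else 0


# Constructed traces. 1033 / 1049 are the en-US / ru-RU LCIDs; 258 is WAIT_TIMEOUT.
CURSOR_IDLE = "\n".join(
    '1a4 | GetCursorPos | [] | "(512,384)"\n'
    '1a4 | WaitForSingleObject | ["0x9c", 64] | 258\n'
    '1a4 | GetCursorPos | [] | "(512,384)"\n'
    '1a4 | sub_401C7A | [0] | 7' for _ in range(3))
TRACE_US = ('# thread | api | args | ret\n'
            '1a4 | GetLocaleInfoA | [1033, "LOCALE_SISO3166CTRYNAME"] | "US"\n'
            '1a4 | StrStrIA | ["RU;CN", "US"] | 0\n' + CURSOR_IDLE)
TRACE_RU = ('1a4 | GetLocaleInfoA | [1049, "LOCALE_SISO3166CTRYNAME"] | "RU"\n'
            '1a4 | StrStrIA | ["RU;CN", "RU"] | "0x00b5f0a0"\n'
            '1a4 | ExitProcess | [0] | null')


if __name__ == "__main__":
    for name, trace in (("US", TRACE_US), ("RU", TRACE_RU)):
        calls = parse_trace(trace)
        print(name, locale_aware_exit(calls), "idle triplets:", idle_cursor_loop(calls))
```

Rule 1 reports the check even when no exit follows (the US trace), because the presence of a locale-dependent branch is itself the interesting fact: the analyst learns that the sample behaves differently elsewhere, which is exactly the case where a second run with a changed locale pays off.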

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Analysis Report of Gozi 2.17.

Tuesday, September 4, 2018

Hunting for similar Samples with Joe Sandbox Class 2.0

The malware landscape is constantly evolving. Today we no longer see tens of thousands of unrelated active malware threats, but rather a limited number of malware families that often share common source code.

Similarity analysis, aka hunting for similar samples, has recently gained a lot of attention in the security community, and as a result we decided to completely renew Joe Sandbox Class and enhance it with great new features.

In this blog post, we will outline some of the new features related to x86 / x64 code hunting while in a second one, we will outline all the major improvements we have done to search samples for similar architectures.

For those who are not yet familiar with this feature, Joe Sandbox Class is Joe Security's code hunting engine. It is built upon a large database of disassembled functions which are compared against the functions of the analyzed sample.

Joe Sandbox Class 2.0 Intro

How does it work? Joe Sandbox Class takes its data from Hybrid Code Analysis, which generates disassembly from memory dumps:

Disassembling memory dumps has a couple of benefits: the resulting functions are richer and include more strings and API calls, because packed or encrypted code has already been unpacked in memory. In addition, the results are more consistent than what a disassembler produces from an executable on disk. Finally, Hybrid Code Analysis generates disassembly from any code, including hidden or non-executed sections, shellcode, etc.

Rich disassembly functions are an excellent source for similarity analysis and hunting. They often stay the same, or change only slightly, across several malware versions or variants.

All those rich functions are loaded into Joe Sandbox Class; this step is also known as feature selection. Next, Class generalizes the functions. For instance, a file path or URL string is replaced with a generic token. This is important because across variants the code stays the same while a URL or file path may vary. Afterwards, Class selects only the most interesting and relevant functions: functions that appear too often are classified as not interesting, and the same applies to functions that also appear in goodware. Finally, the actual search for similar functions is performed:

Joe Sandbox Class has several comparison algorithms based on:
  • Strings and APIs
  • Instruction bytes
  • Opcodes 
It implements both precise and fuzzy matching. Once the similarity search is done, Class generates an extensive report. 
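To make the pipeline concrete (generalize, drop irrelevant functions, then match precisely or fuzzily), here is an added example written in the spirit of the steps above. It is not Joe Security's implementation: the post does not publish Class's algorithms or thresholds, and the feature sets, the goodware filter, the 50% frequency bound and the opcode 3-gram Jaccard score are our own choices. The sample, corpus and goodware functions are constructed: a keylogger routine shared by two variants (one of which swaps an API and its tail instruction), a CRT helper that is everywhere, and one unrelated function.

```python
"""Function generalization, relevance filtering and similarity search in the spirit
of the pipeline described above. Added example; not Joe Security's implementation
(the post does not publish Class's algorithms or thresholds). The functions, corpus,
goodware set and thresholds are constructed for this example.
"""
import re
from collections import Counter
from typing import Any, Dict, List, Set, Tuple

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\|/)")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

Function = Dict[str, Any]   # name, sample, strings, apis, opcodes


def fn(name: str, sample: str, strings: List[str], apis: List[str], opcodes: List[str]) -> Function:
    return {"name": name, "sample": sample, "strings": strings, "apis": apis, "opcodes": opcodes}


def generalize(s: str) -> str:
    """Replace variant-specific literals by tokens so the rest of the function still matches."""
    if URL_RE.match(s):
        return "<URL>"
    if PATH_RE.match(s):
        return "<PATH>"
    if IP_RE.match(s):
        return "<IP>"
    return s


def features(f: Function, mode: str):
    """Hashable feature set of a function for one comparison algorithm."""
    if mode == "strings_apis":
        return frozenset(generalize(s) for s in f["strings"]) | frozenset("api:" + a for a in f["apis"])
    if mode == "opcodes":
        return tuple(f["opcodes"])
    raise ValueError(mode)


def ngrams(ops: List[str], n: int = 3) -> Set[tuple]:
    return {tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def select_relevant(sample_fns, corpus, goodware, max_share: float = 0.5, mode: str = "strings_apis"):
    """Drop functions that occur in goodware or in more than max_share of the corpus samples."""
    n_samples = len({f["sample"] for f in corpus})
    per_sample = Counter(feat for feat, _ in {(features(f, mode), f["sample"]) for f in corpus})
    good = {features(f, mode) for f in goodware}
    kept, dropped = [], []
    for f in sample_fns:
        feat = features(f, mode)
        (dropped if feat in good or per_sample[feat] / n_samples > max_share else kept).append(f)
    return kept, [f["name"] for f in dropped]


def hunt(sample_fns, corpus, mode: str = "strings_apis", fuzzy_threshold: float = 0.8) -> List[Tuple]:
    """Precise match on identical feature sets; fuzzy match by opcode 3-gram Jaccard."""
    hits = []
    for f in sample_fns:
        for c in corpus:
            if c["sample"] == f["sample"]:
                continue
            if mode == "opcodes":
                score = round(jaccard(ngrams(f["opcodes"]), ngrams(c["opcodes"])), 2)
                if score >= fuzzy_threshold:
                    hits.append((f["name"], c["sample"], c["name"], score))
            elif features(f, mode) == features(c, mode):
                hits.append((f["name"], c["sample"], c["name"], 1.0))
    return hits


# Constructed data: a keylogger routine shared by two variants (one with a changed
# API and tail instruction), a CRT helper that is everywhere, and one unrelated function.
KEYLOG_OPS = ["push", "mov", "call", "test", "jz", "call", "call", "mov", "cmp", "jne", "call", "ret"]
CRT_OPS = ["push", "mov", "sub", "mov", "call", "leave", "ret"]
KEYLOG_APIS = ["GetAsyncKeyState", "GetForegroundWindow", "GetWindowTextA", "WriteFile"]
CRT_APIS = ["GetLastError", "HeapAlloc"]

SAMPLE = [
    fn("Function_00401000", "sha256:aaaa", ["http://c2-one.example/gate.php", "Software\\Run"], KEYLOG_APIS, KEYLOG_OPS),
    fn("Function_0004E254", "sha256:aaaa", [], CRT_APIS, CRT_OPS),
]
CORPUS = [
    fn("Function_00402000", "sha256:bbbb", ["http://c2-two.example/gate.php", "Software\\Run"], KEYLOG_APIS, KEYLOG_OPS),
    fn("Function_0040A000", "sha256:cccc", ["http://c2-three.example/p.php", "Software\\Run"],
       ["GetKeyState"] + KEYLOG_APIS[1:], KEYLOG_OPS[:-1] + ["jmp"]),
    fn("crt_init", "sha256:bbbb", [], CRT_APIS, CRT_OPS),
    fn("crt_init", "sha256:cccc", [], CRT_APIS, CRT_OPS),
    fn("crt_init", "sha256:dddd", [], CRT_APIS, CRT_OPS),
    fn("read_cfg", "sha256:dddd", ["C:\\ProgramData\\cfg.dat"], ["CreateFileA", "ReadFile"], ["push", "call", "ret"]),
]
GOODWARE = [fn("crt_init", "good:notepad.exe", [], CRT_APIS, CRT_OPS)]


if __name__ == "__main__":
    kept, dropped = select_relevant(SAMPLE, CORPUS, GOODWARE)
    print("dropped as not relevant:", dropped)
    print("precise:", hunt(kept, CORPUS))
    print("fuzzy  :", hunt(kept, CORPUS, mode="opcodes"))
```

The two matching modes answer different questions: the precise strings-and-APIs match finds the variant that only changed its C&C URL, while the opcode match also surfaces the variant that replaced GetAsyncKeyState and turned the final ret into a tail jump. The CRT helper is removed before either search runs because it occurs in goodware and in every corpus sample.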

Hunting for similar DarkComet Samples

That all being said, let us have a look at a couple of interesting Class reports. Here is a DarkComet RAT sample:

The sample was analyzed on August 29th and created six processes. If we jump to the Hybrid Code Analysis section, redrv.exe with PID 3468 has many interesting functions. Below you can see the function at the core of DarkComet's keylogger:

Let us now move to the Classification Report for that sample:

Strings and APIs were used for similarity analysis with a precise match:

In total, Joe Sandbox Class found 207915 similar functions in 20178 processes. If we browse down to the similar processes, we see that the first processes listed do not have many similar functions: at most 8 functions each.

However, if we scroll down to the process with PID 3468, we see some processes with many similar functions:

If we click on the first process, named SCAN00GO, we can have a look at all similar functions. These functions appear one-to-one in both our initial sample and SCAN00GO:

Do you remember this function? Yes, this is the keylogging code.

If you browse further, you can also see all similar functions and how often they appear. For instance, the keylogging function is highly specific and therefore perfect for matching similar samples, since it was found only 18 times:

However, Function_0004E254 appears very often and thus does not qualify as relevant:

While we could introduce whitelists for functions and statistical bounds, we decided not to do that and to let the analyst make the final decision.

Hunting for EQNEDT32.EXE Shellcode

Let us have a look at another sample. This time it is a malicious RTF which uses CVE-2017-11882 or CVE-2018-0802 for payload execution:

Joe Sandbox found shellcode which was executed in the Microsoft Office Equation Editor (EQNEDT32.EXE):

Let us move on to the Classification report:

There are 8 function matches in 5 processes, all of which are inside EQNEDT32.EXE:

For each match we can easily access the initial file name Conti5290.doc as well as the SHA256:

Or here Quotation Request FRQW9087454.doc:

Final Words

Joe Sandbox Class 2.0 has been completely revamped with the cybersecurity analyst in mind. The new Classification Report enables security professionals to easily find similar processes based on the rich disassembly functions generated by Hybrid Code Analysis. Hunting for individual functions is now easy with Class 2.0, which can be configured to use a wide set of data sources and comparison algorithms.

Interested in trying out Joe Sandbox Class 2.0? Then contact us for an in-depth technical demo!

Full Analysis and Class Reports:

* DarkComet Analysis Report
* DarkComet Classification Report
* CVE-2017-11882 Shellcode Analysis Report

Tuesday, August 28, 2018

Empowering Joe Sandbox Cloud with Avira URL Cloud

Today we bring you exciting news: we have enhanced the Joe Sandbox Cloud URL reputation with Avira URL Cloud. Avira is a renowned German antivirus vendor, known for excellent malware detection rates!

To enable URL checks, go to the Submission Tab - Intelligence and select "Use third-party URL reputation lookup":

High-Value Reputation Checks for URLs from any source

How does Joe Sandbox Cloud's URL reputation work? Users submit samples to Joe Sandbox Cloud, either manually or via our extensive RESTful Web API. A sample can be either a URL or a binary file:

Joe Sandbox dynamically analyzes the sample by executing it in a sandbox. During analysis, Joe Sandbox extracts URLs from several different sources, including:

Network Traffic

Joe Sandbox captures the complete network behavior of the sample. For HTTP and HTTPS (with SSL inspection), URLs are automatically extracted.

Command Line Arguments

Often malware includes a list of several C&C URLs which are passed via the command line. However, only the first URL is contacted during the execution. To get a deeper analysis it is therefore important to also extract URLs from command line arguments.

Memory and Binaries Data

Another very good source of URLs is memory, as well as binaries that have, for instance, been dropped by the malware. Joe Sandbox captures memory dumps at various execution points to catch unpacking and decryption. In addition, any dropped or touched file is preserved and scanned for URLs:

Hybrid Code Analysis

Finally, Joe Sandbox performs extensive static code analysis on the captured memory dumps. The disassembly often includes hidden strings which are valid URLs:

All extracted URLs are sent to the reputation engines that Joe Sandbox Cloud Pro integrates with so far:

Each reputation engine provides a verdict. The verdicts are used for various purposes, such as detecting more malware, lowering false positives and providing insights for analysts. Below you can find a few excerpts from reports including reputation data:
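The four sources above differ in how a URL has to be recovered: on the wire it must be rebuilt from the request line and the Host header, in a command line it is a plain token, in memory it may be stored as a UTF-16LE wide string, and in disassembly it sits inside a string literal. The following is an added example that is not Joe Sandbox's extractor and not part of this post; it handles each of these cases, records which source every URL came from, and then combines per-engine verdicts. All inputs are constructed (reserved .example domains), and the reputation engines are stand-in lookup tables with constructed verdicts where a real integration would query the vendors' services.

```python
"""URL extraction from several analysis artefacts, followed by reputation lookups.

Added example; not Joe Sandbox's extractor. Inputs are constructed: two HTTP
requests as seen on the wire, a process command line, a memory-dump fragment
holding a UTF-16LE string, and a few disassembly lines. The reputation engines
are stand-in lookup tables with constructed verdicts.
"""
import re
from typing import Dict, Set, Tuple

URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~%:/?#\[\]@!$&'()*+,;=]+")
TRAILING = b".,;:)'\"]>"      # punctuation commonly glued onto a URL in memory or text
REQ_RE = re.compile(rb"^(GET|POST|HEAD|PUT)\s+(\S+)\s+HTTP/1\.[01]\r?\n(.*?)(?:\r?\n\r?\n|\Z)", re.S | re.M)
HOST_RE = re.compile(rb"^Host:\s*(\S+)", re.I | re.M)


def normalize(url: str) -> str:
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}{sep}{path}"


def ascii_urls(data: bytes) -> Set[str]:
    return {m.group().rstrip(TRAILING).decode("ascii") for m in URL_RE.finditer(data)}


def utf16_urls(data: bytes) -> Set[str]:
    """Wide strings interleave NUL bytes; try both alignments and keep only ASCII-decodable runs."""
    found: Set[str] = set()
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        text = chunk.decode("utf-16-le", errors="replace")
        found |= ascii_urls(text.encode("ascii", errors="ignore"))
    return found


def http_request_urls(stream: bytes, tls: bool = False) -> Set[str]:
    """Rebuild request URLs from request line + Host header (HTTPS after SSL inspection)."""
    urls: Set[str] = set()
    for m in REQ_RE.finditer(stream):
        target, headers = m.group(2), m.group(3)
        if target.startswith(b"http"):            # absolute-form target, e.g. via a proxy
            urls.add(target.decode("ascii", "ignore"))
            continue
        host = HOST_RE.search(headers)
        if host:
            urls.add(("https" if tls else "http") + "://" + host.group(1).decode("ascii", "ignore")
                     + target.decode("ascii", "ignore"))
    return urls


def extract_urls(sources: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Map normalized URL -> names of the sources it was found in."""
    hits: Dict[str, Set[str]] = {}
    for name, data in sources.items():
        for url in ascii_urls(data) | utf16_urls(data):
            hits.setdefault(normalize(url), set()).add(name)
    return hits


def aggregate(verdicts: Dict[str, str]) -> Tuple[str, int]:
    """Any engine flagging the URL wins; 'clean' needs at least one clean vote and no malicious one."""
    bad = sum(v == "malicious" for v in verdicts.values())
    if bad:
        return "malicious", bad
    return ("clean" if "clean" in verdicts.values() else "unknown"), 0


def check_reputation(urls, engines: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, int]]:
    return {u: aggregate({e: table.get(u, "unknown") for e, table in engines.items()}) for u in urls}


# Constructed artefacts (reserved .example domains).
RAW_HTTP = (b"GET /gate.php HTTP/1.1\r\nHost: c2-one.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
            b"POST /gate.php HTTP/1.1\r\nHost: c2-one.example\r\nContent-Length: 2\r\n\r\nok")
CMDLINE = b'"C:\\Users\\user\\AppData\\Local\\Temp\\a.exe" http://c2-one.example/gate.php http://c2-two.example/gate.php'
MEMORY = (b"\x00\x00" + "http://wide.example/cfg".encode("utf-16-le") + b"\x00\x00\x90\x90"
          + b"url=http://drop.example/x.bin;\x00")
DISASM = b'mov edi, offset aHttpBackupExam ; "http://backup.example/p.php",0\ncall sub_401C7A\n'
ENGINES = {   # constructed stand-ins for the integrated reputation services
    "engine_a": {"http://c2-one.example/gate.php": "malicious", "http://c2-two.example/gate.php": "malicious"},
    "engine_b": {"http://c2-one.example/gate.php": "malicious", "http://drop.example/x.bin": "clean"},
    "engine_c": {"http://backup.example/p.php": "clean"},
}


def analyze() -> Dict[str, Tuple[str, int, Set[str]]]:
    """url -> (verdict, number of engines flagging it, sources it came from)."""
    sources = {"network": " ".join(sorted(http_request_urls(RAW_HTTP))).encode(),
               "cmdline": CMDLINE, "memory": MEMORY, "disassembly": DISASM}
    hits = extract_urls(sources)
    rep = check_reputation(hits, ENGINES)
    return {u: (rep[u][0], rep[u][1], hits[u]) for u in hits}


if __name__ == "__main__":
    for url, (verdict, n, srcs) in sorted(analyze().items()):
        print(f"{verdict:9s} {n}  {url:35s} from {sorted(srcs)}")
```

The second C&C URL from the command line is the case the post describes: it never shows up in the network traffic because only the first one is contacted, yet it is flagged by reputation once extracted. Keeping the source set per URL is worth the small effort, since a URL seen only in a memory dump carries different weight for an analyst than one the sample actually connected to.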

Joe Sandbox Cloud more powerful than ever

Thanks to the Avira URL Cloud integration, Joe Sandbox Cloud Pro customers benefit from a high-value third-party reputation engine, without any price change!

In contrast to many other vendors, Joe Sandbox extracts URLs from many sources and checks them against five different reputation engines.

The combination of a lot of extracted data with high-value reputation engines greatly increases the malware detection rate of Joe Sandbox!

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!