Monday, April 10, 2017

Behavior Graph 2.0

Besides working on new, deep malware analysis features, we also continuously improve and extend our visualizations. Visualizations help to understand complex data very quickly and to separate noise from interesting data. So far Joe Sandbox generates the following visualizations:

  • Classification (Spider Chart)
  • Behavior Graphs
  • IP to Country World Map
  • CPU and Memory Statistics
  • Behavior Distribution
  • Execution Graphs

Recently we have added some cool new features to the Behavior Graph. In this blog post, we outline some of them. The Behavior Graph is a directed graph whose nodes are:

  • Processes
  • Connected IPs & Domains
  • Dropped PE files
  • Behavior Signatures

For Behavior Graph 2.0 we added multiple attributes to each node, including:

  • Malicious / Clean
  • Is dropped file / process
  • Programming language used
  • Number of created files
  • Number of created registry keys
  • Domain active / down

The attributes help to understand the behavior and to spot the most interesting parts of big graphs. Let us have a look at the graph of a recent Locky / Kovter sample (MD5 a362758c36bed10fb64823918ed90740):



The initial sample is a JavaScript file which was run by wscript. Wscript is a Windows process (see the small Windows icon in the top right corner). Wscript created 15 files, indirectly started mshta.exe and performed various network activities:


It connected via port 80 / HTTP to at least 3 domains which have been detected as malicious (see the red hazard icon on the right). Those domains are active and hosted in the US and Russia. Wscript also dropped at least 3 PE files; among those, one (exe1.exe) has been launched and detected as malicious. The two matching signatures are shown on the right. So what did exe1.exe really accomplish? Check out the graph below:




Exe1.exe, written in C or C++, started rundll32.exe, which itself dropped an executable file. Besides injecting exe1.exe into winlogon.exe, the code also injected winlogon.exe into explorer.exe. As a result, explorer.exe connected to a malicious domain hosted in the USA.

As you see, by walking down the graph you can fully understand the behavior of the sample. The node and edge attributes also give you very helpful meta information.

Besides attributes, we also introduced flexible, data-driven coloring to our graphs. If you look at the whole graph you instantly see that the wscript.exe node is one of the most visible, while e.g. the powershell.exe node is less visible:


Again, this helps to spot the most interesting behavior and parts of the graph.
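To make the graph structure, the "walk down" and the data-driven coloring concrete, here is a small Python model added for this post (it is not Joe Sandbox's own code). The nodes and edges are constructed from the Locky / Kovter walkthrough above; the domain names and the dropped file name are placeholders, and the visibility scoring weights are an assumption of this example, not Joe Sandbox's formula.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    malicious: bool = False     # flagged by a behavior signature
    dropped: bool = False       # dropped file, or a process launched from one
    language: str = ""          # detected programming language, if any
    files_created: int = 0
    domain_active: bool = False # for domain nodes: the domain is active

class BehaviorGraph:
    """Directed graph: nodes carry attributes, edges carry a relation (started, dropped, connected, injected)."""
    def __init__(self):
        self.nodes: dict[str, Node] = {}
        self.edges: dict[str, list] = defaultdict(list)   # src -> [(dst, relation)]
    def add(self, *nodes: Node) -> None:
        self.nodes.update({n.name: n for n in nodes})
    def link(self, src: str, relation: str, dst: str) -> None:
        self.edges[src].append((dst, relation))
    def walk(self, start: str, seen=None):
        """Depth-first walk 'down' the graph, yielding (relation, node) once per reachable node."""
        seen = set() if seen is None else seen
        for dst, rel in self.edges[start]:
            if dst not in seen:
                seen.add(dst)
                yield rel, self.nodes[dst]
                yield from self.walk(dst, seen)
    def malicious_reach(self, start: str) -> set:
        return {n.name for _, n in self.walk(start) if n.malicious}
    def visibility(self, name: str) -> int:
        """Data-driven coloring score (assumed weights): own activity plus everything the node leads to."""
        own = self.nodes[name]
        below = sum(n.files_created + 5 * n.malicious + 3 * n.dropped for _, n in self.walk(name))
        return own.files_created + 5 * own.malicious + below

def build_sample() -> BehaviorGraph:
    """Constructed from the Locky/Kovter walkthrough above; domain and file names are placeholders, not real IoCs."""
    g = BehaviorGraph()
    g.add(Node("wscript.exe", files_created=15), Node("powershell.exe"), Node("rundll32.exe"),
          Node("exe1.exe", malicious=True, dropped=True, language="C/C++"), Node("dropped.exe", dropped=True),
          Node("winlogon.exe"), Node("explorer.exe"),
          Node("c2-1.invalid", malicious=True, domain_active=True), Node("c2-2.invalid", malicious=True, domain_active=True))
    for src, rel, dst in [("wscript.exe", "started", "powershell.exe"), ("wscript.exe", "connected", "c2-1.invalid"),
                          ("wscript.exe", "dropped", "exe1.exe"), ("exe1.exe", "started", "rundll32.exe"),
                          ("rundll32.exe", "dropped", "dropped.exe"), ("exe1.exe", "injected", "winlogon.exe"),
                          ("winlogon.exe", "injected", "explorer.exe"), ("explorer.exe", "connected", "c2-2.invalid")]:
        g.link(src, rel, dst)
    return g
```

Sorting `g.nodes` by `g.visibility` reproduces the coloring effect: wscript.exe ranks highest while powershell.exe, which leads nowhere, scores zero, and `malicious_reach("wscript.exe")` lists the malicious nodes a reader finds by walking down from the initial process.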

Behavior Graph 2.0 and our other visualizations show how helpful visualizations are for quickly understanding complex threats and finding interesting data in large data sets.

What is next? We are working on some really cool additional visualizations, so stay tuned!

Full Analysis Report: