Thursday, May 7, 2020

Joe Trace - a Process Monitor on Steroids



Today, we have fantastic news for you. Joe Security is very proud to publicly release Joe Trace - a brand new product in our portfolio. Joe Trace has been in our minds for a while, and thanks to the hard work of our engineers we are able to showcase this unique product today. This blog post will outline what Joe Trace is and what makes it so unique.

So what is Joe Trace? In a nutshell, Joe Trace is Sysinternals Process Monitor on steroids. Process monitors are tools for manually observing the behavior of a program in real time. For instance, a process monitor traces the system call events of all processes on a system and visualizes the stream of events over time.

Why do you need a process monitor? Process monitors are extremely handy for studying the behavior of malware in great depth and over a long period of time. Sandboxes cannot do that: they usually analyze a sample for just a few minutes, and for performance reasons the depth of the trace is limited.

So what is unique about Joe Trace? Well, a lot. Compared to Sysinternals Process Monitor, Joe Trace adds hypervisor-based system call tracing, Frida-based user-mode API tracing, system-wide raw data capturing, Yara integration, malware execution tracking, and e-mail alerts. In the following sections, we are going to outline each of these unique features.


Hypervisor-Based System Call Tracing


First of all, we designed Joe Trace for malware analysis. System call tracing is achieved by using the hardware virtualization feature of modern CPUs (Intel VT-x, i.e. a hypervisor). As a result, Joe Trace analyzes more system calls, and in particular the ones often used by malware, for example NtWriteVirtualMemory, NtQueueAPCThread, NtUserSetWindowsHookEx etc. Next, tracing from the hypervisor is harder for malware to detect and bypass than user-mode hooks or kernel drivers inside the guest. Below you see Joe Trace analyzing Remcos RAT injecting into installutil.exe, a benign Windows process:






Joe Trace captures file, registry, process, thread as well as network events like TCP, UDP, DNS and ICMP. Additionally, numerous system calls related to virtual memory, section, mutex, driver, and window behavior are intercepted, too. 

System calls are great, but they are only a part of the data that Joe Trace captures. In the next section, we are going to have a look at how Joe Trace extracts user-mode API calls.

Frida Integration


Frida is a world-class dynamic instrumentation framework. It enables the instrumentation of any user-mode API through a JavaScript-based interface. Joe Trace features a rich Frida integration which by default intercepts WinInet API calls such as InternetOpenUrl or HttpOpenRequest:





Malware analysts can easily extend the default Frida script and add more instrumentations:
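To illustrate what such an extension looks like, here is an added Frida script in the same spirit as the WinInet hooks described above. It is not Joe Trace's default script and not code from Joe Security; how Joe Trace consumes messages from its script is not described in the post, so the `send()` payload shape is an assumption chosen for this example. The `dwFlags` bit values are the ones from wininet.h; the Frida API calls (`Module.findExportByName`, `Interceptor.attach`, `NativePointer.readUtf16String`) are standard Frida.

```javascript
// Added example (not Joe Trace's default script): hook HttpOpenRequestW and
// InternetOpenUrlW in wininet.dll and emit one structured event per call.

// Subset of WinInet dwFlags bits (values from wininet.h) that matter for triage.
const INTERNET_FLAGS = {
  INTERNET_FLAG_RELOAD:          0x80000000,
  INTERNET_FLAG_NO_CACHE_WRITE:  0x04000000,
  INTERNET_FLAG_SECURE:          0x00800000,
  INTERNET_FLAG_KEEP_CONNECTION: 0x00400000,
  INTERNET_FLAG_NO_COOKIES:      0x00080000,
  INTERNET_FLAG_NO_UI:           0x00000200,
  INTERNET_FLAG_PRAGMA_NOCACHE:  0x00000100,
};

// Turns a dwFlags DWORD into symbolic names; leftover unknown bits are kept as hex.
function decodeInternetFlags(flags) {
  const names = [];
  let rest = flags >>> 0;                       // treat as unsigned 32-bit
  for (const [name, bit] of Object.entries(INTERNET_FLAGS)) {
    if ((rest & bit) !== 0) {
      names.push(name);
      rest = (rest & ~bit) >>> 0;
    }
  }
  if (rest !== 0) names.push("0x" + rest.toString(16));
  return names;
}

// Builds the event record sent to the host. Field layout is an assumption.
function buildEvent(api, fields, pid, tid) {
  return { api, pid, tid, ...fields, flagNames: decodeInternetFlags(fields.flags) };
}

// Reads an LPCWSTR argument, tolerating NULL pointers.
function readWStr(ptr) {
  return ptr.isNull() ? null : ptr.readUtf16String();
}

// Argument extractors, indexed by exported function name.
// HttpOpenRequestW(hConnect, lpszVerb, lpszObjectName, lpszVersion, lpszReferrer,
//                  lplpszAcceptTypes, dwFlags, dwContext)
// InternetOpenUrlW(hInternet, lpszUrl, lpszHeaders, dwHeadersLength, dwFlags, dwContext)
const WININET_HOOKS = {
  HttpOpenRequestW: (args) => ({
    verb: readWStr(args[1]),
    object: readWStr(args[2]),
    referrer: readWStr(args[4]),
    flags: args[6].toUInt32(),
  }),
  InternetOpenUrlW: (args) => ({
    url: readWStr(args[1]),
    headers: readWStr(args[2]),
    flags: args[4].toUInt32(),
  }),
};

function installWinInetHooks() {
  for (const [name, extract] of Object.entries(WININET_HOOKS)) {
    const target = Module.findExportByName("wininet.dll", name);
    if (target === null) continue;                // wininet.dll not loaded yet
    Interceptor.attach(target, {
      onEnter(args) {
        this.event = buildEvent(name, extract(args), Process.id, this.threadId);
      },
      onLeave(retval) {
        this.event.handle = retval.toString();    // HINTERNET returned to the caller
        send(this.event);
      },
    });
  }
}

// Only touch the Frida runtime when running inside a frida agent, so the pure
// helpers above can also be exercised from plain Node.js.
if (typeof Interceptor !== "undefined") installWinInetHooks();
```

Decoding `dwFlags` into names is what makes the event useful at a glance: `INTERNET_FLAG_SECURE` tells you the C&C channel is TLS before the PCAP is opened, and `INTERNET_FLAG_NO_CACHE_WRITE` together with `INTERNET_FLAG_RELOAD` is a common pattern for payload downloads that should leave no trace in the WinInet cache.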





System-Wide Raw Data Capturing 


As you might have seen in one of the first Joe Trace screenshots, there is also an event type for memory dumps. Besides system call and Win32 API tracing, Joe Trace includes extensive data capturing capabilities.

Downloaded, dropped or modified files are an extremely important resource for malware analysts. With these files, malware analysts can write new signatures, do further analysis, and extract IOCs. 

Joe Trace captures and persists all dropped and modified files: 






In addition, Joe Trace captures memory dumps of all monitored processes. Those memory dumps are taken during the lifetime of a process, so they often contain unpacked or decrypted malware code:




Finally, the complete network traffic is stored in a PCAP. Using Wireshark, analysts can perform a deep dive into the network protocols. All the resources are accessible in a folder created by Joe Trace:




Yara Integration


Extracting data is one thing and detection another. To perform malware detection we added Yara to Joe Trace. Basically, every dropped/modified file and memory dump is scanned with Yara in real time. Yara signature hits are shown as additional events. Below you can see Yara detections while executing a Casandra-crypted dropper which installs Remcos RAT:






Yara signature detection is also visible via the Yara hit counter bar at the top:




Malware analysts can use their own Yara rules for malware detection or license Joe Security's extensive signature repository. Yara rules can be directly specified during the startup of Joe Trace:




Thanks to the Yara integration, Joe Trace also serves as a tool for Yara signature development. Yara signatures can be tested offline against the extracted memory dumps or dropped files, or, much more easily, live with Joe Trace.

Since Joe Trace captures a large number of events, filtering and search capabilities are key. In the next section, we will outline an advanced tracking feature that helps analysts to focus on malware behavior. 

Malware Execution Tracking 


Joe Trace traces by default the behavior of all processes on the system. However, if an analyst launches a malware sample, he/she is usually only interested in tracing the malware behavior and not, for example, the behavior of a benign Windows process. To tackle this challenge Joe Trace provides a malware tracking technique. The feature filters out all processes which are not part of the malware execution chain, while still including benign Windows processes that the malware injects into.

To tell Joe Trace to start tracking malware execution, analysts can follow a given process by selecting it in the Processes tab:



Joe Trace will then filter out "noisy" behavior. Different colors are used to distinguish followed processes from newly added ones. Guloader, the dropper in this case, first re-launched itself and then injected into explorer.exe. As a result, explorer.exe is added automatically to our filter:
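The following is an added illustration of the execution-chain tracking idea described above; it is not Joe Trace's implementation and not code from Joe Security. The event records, field names, process IDs and the set of system calls treated as injection are all constructed for this example. The point it makes that the screenshots alone do not: the follow set has to grow as the trace is walked in time order, so that a process created by, or injected into by, an already followed process becomes followed from that moment on, while its earlier, unrelated activity stays filtered out.

```javascript
// Added example (not Joe Trace's implementation): grow a "followed" set of pids
// from a seed process by walking a time-ordered event stream once.

// System calls we treat as cross-process injection when the target pid differs
// from the caller's pid. This set is an assumption chosen for the demo.
const INJECTION_CALLS = new Set([
  "NtWriteVirtualMemory", "NtQueueApcThread", "NtCreateThreadEx", "NtMapViewOfSection",
]);

// Constructed sample trace. pid 4100 is the dropper; 1500 is explorer.exe; 2200 is
// unrelated svchost.exe noise. 203.0.113.10 is a documentation (TEST-NET-3) address.
const SAMPLE_EVENTS = [
  { ts: 1, pid: 1500, image: "explorer.exe", type: "file",     name: "NtCreateFile",         path: "C:\\Users\\analyst\\Desktop" },
  { ts: 2, pid: 4100, image: "dropper.exe",  type: "process",  name: "NtCreateUserProcess",  targetPid: 4120 },
  { ts: 3, pid: 4120, image: "dropper.exe",  type: "syscall",  name: "NtWriteVirtualMemory", targetPid: 1500 },
  { ts: 4, pid: 4120, image: "dropper.exe",  type: "syscall",  name: "NtCreateThreadEx",     targetPid: 1500 },
  { ts: 5, pid: 2200, image: "svchost.exe",  type: "registry", name: "NtSetValueKey",        path: "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo" },
  { ts: 6, pid: 1500, image: "explorer.exe", type: "network",  name: "TcpConnect",           remote: "203.0.113.10:443" },
  { ts: 7, pid: 2200, image: "svchost.exe",  type: "syscall",  name: "NtWriteVirtualMemory", targetPid: 2200 },
];

// Returns { followed: Set<pid>, kept: event[] }. An event is kept only if its
// caller was already followed when the event occurred, which is why the stream
// must be processed in chronological order.
function trackExecution(events, seedPid) {
  const followed = new Set([seedPid]);
  const kept = [];
  const ordered = [...events].sort((a, b) => a.ts - b.ts);
  for (const ev of ordered) {
    if (!followed.has(ev.pid)) continue;          // caller not in the chain: noise
    kept.push(ev);
    // Child processes of a followed process join the chain.
    if (ev.type === "process" && ev.name === "NtCreateUserProcess") {
      followed.add(ev.targetPid);
    // So does any foreign process a followed process injects into.
    } else if (INJECTION_CALLS.has(ev.name) && ev.targetPid !== undefined && ev.targetPid !== ev.pid) {
      followed.add(ev.targetPid);
    }
  }
  return { followed, kept };
}

// Convenience view: one line per kept event, in the style of a filtered event list.
function renderKept(events, seedPid) {
  return trackExecution(events, seedPid).kept.map(
    (ev) => `${ev.ts} ${ev.image}(${ev.pid}) ${ev.name}` + (ev.targetPid !== undefined ? ` -> pid ${ev.targetPid}` : "")
  );
}
```

Following pid 4100 yields the followed set {4100, 4120, 1500} and keeps events 2, 3, 4 and 6: the dropper's child, both injection calls, and the outbound connection that explorer.exe makes only after it was injected into. Event 1 (explorer.exe before the injection) and both svchost.exe events stay hidden; the self-targeted NtWriteVirtualMemory at event 7 is deliberately not treated as injection.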





Besides malware execution tracking, Joe Trace includes extensive filtering capabilities including quick filter buttons, instant search, highlighting, and more:





Analysts can also filter on event classes, event names, and API arguments, among other details. Malware execution tracking and the extensive filtering possibilities are ideal for finding the needle in the haystack.


E-Mail Alerts


A very important use case for malware analysts is long-term malware analysis. Sandboxes usually run a sample for up to ten minutes. Some malware does not exhibit interesting behavior, such as downloading the payload, C&C call-outs, or config downloads, within this limited analysis time. Joe Trace fills this gap. However, it is painful to check Joe Trace for new events by hand. To remove this pain Joe Trace offers alerts:





An alert can be an e-mail that Joe Trace sends you every five minutes if new events matched the active filter. The e-mail includes the Yara signature matches as well as some statistics about the new events:





In case e-mail is not your favorite alerting mechanism, you can script a notification via the command line alert option. Alerts are very handy since you can relax and wait to be notified as soon as a Yara signature detects a new config or payload being downloaded. This makes long-term malware observation super simple.

Joe Trace - the Process Monitor on Steroids


As this blog post demonstrates, Joe Trace is truly unique and will raise the bar for manual dynamic malware analysis tools! To the best of our knowledge, there is no comparable tool on the market with a similar feature set. Below you find a compressed list of all the features of Joe Trace:

  • Hypervisor-based stealthy system call tracing (VT-x)
  • Tracing of process, thread, file, registry, network,
    memory and driver system events among others
  • Customizable user-mode API tracing based on Frida
  • Extensive system-wide raw data capturing like network traffic (PCAP),
    dropped files and memory dumps
  • Deep Yara integration for malware detection (live raw data scanning)
  • Extensive filtering including malware execution tracking
  • Quick searching and event highlighting
  • E-mail and command alerting on filter hits
  • Event exporting capabilities to different formats like CSV, XML and JSON
  • Tree-based process overview with highlighting of interesting processes


Finally, we would like to highlight that Joe Lab, Joe Security's new cloud-based malware analysis lab, can be equipped with Joe Trace as a default analysis tool. Joe Lab and Joe Trace work perfectly together and offer SOCs, CERTs and CIRTs an ideal toolset for manual malware analysis.

Did you like this blog post and would you like to try Joe Trace? Then don't wait and contact us for a trial!