Wednesday, August 19, 2020

Analyzing VM-Malware with Joe Lab and Trace

VM-malware is a special type of malware that uses virtualization technology to stay hidden: the malicious payload runs inside a guest virtual machine rather than directly on the infected host. A recent example is Load Miner. In this blog post we showcase how to use Joe Lab, the cloud-based malware analysis lab, and Joe Trace, a process monitor on steroids, to analyze Load Miner (MD5 8a2a344d985f50a08a1ace0c995b064a).

Load Miner is often bundled with large benign software in an MSI package. The packages have an average size of 450MB, and most sandboxes do not accept uploads of that size.

We uploaded the file to a Windows 10 analyzer on Joe Lab and connected to it via web-based VNC:

Joe Lab features full network capture, which can be enabled via the quick action bar on the right:

The capture happens outside of the analysis machine, so it is invisible to the malware.

Joe Trace
Next, we analyze Load Miner with Joe Trace, a process monitor designed for malware analysis. It comes preinstalled on every Joe Lab machine:

As a first step, we enable file and memory dumping and select Joe Security's Yara rule set; these rules are used to scan every captured file and memory dump. Right after hitting the Start button, the full system behavior is being captured:

Clicking the Process tab at the top left gives an overview of all processes. We now launch the malware sample manually and immediately see the MSI process start:

New processes are colored so that every new start is easy to catch visually. MSI files are launched by msiexec.exe; the privileged part of the installation is then run by the Windows Installer service as a second msiexec.exe instance.

After a few seconds a suspicious popup appears. It looks like the malware is installing the virtualization solution VirtualBox. We can confirm this by going to the Events tab and filtering for all created files:

Why use virtual machines? The miner runs inside its own guest operating system, so antivirus and EDR on the host only see a VirtualBox process and a disk image, not the mining code. The flip side is that most sandboxes run samples inside virtual machines themselves, and VirtualBox inside such a guest will typically fail to start its own VM because hardware virtualization (VT-x/AMD-V) is not exposed to it unless nested virtualization is enabled. The sample therefore does not work in a standard sandbox.

After a few seconds, we see new processes being launched:

We can also observe the installation of the VirtualBox driver as well as the launch of attrib.exe. Via the context menu we can get the full command line:

Furthermore, attrib.exe is used to set the hidden attribute on the VirtualBox installation folder, so the installed hypervisor does not show up in a normal Explorer listing.

Next, we can see that an OVA (Open Virtualization Appliance, a tar archive bundling the VM descriptor and its disk image) is written to disk and later imported via VBoxManage:

Let's now have a look at VmServiceControl.exe. What is it?

By following the process, we can see that it registers a service using an INI file dropped earlier:

Since Joe Trace captures all files, we can inspect that INI file:

We can also find the new service in the Services app:

Once the service is installed, the installer exits:
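The installation chain observed above (msiexec.exe spawning the VirtualBox installer, attrib.exe hiding the install folder, VBoxManage importing the OVA) is a good basis for a detection over process-creation events. The script below is an added example and is neither Joe Trace's own logic nor its export format: the event records, PIDs, paths and installer file name are constructed to mirror the steps described in the post and are assumptions, not indicators taken from the sample.

```python
"""Detect the Load Miner-style installation chain in process-creation events.

Added illustration for this post; this is not Joe Trace's own logic or
export format. The events below are constructed to mirror the steps the post
describes (msiexec -> VirtualBox installer -> attrib +h -> VBoxManage import).
All paths, PIDs and file names are assumptions, not indicators from the sample.
"""
import ntpath
from collections import defaultdict

# Constructed process-creation events: (pid, ppid, image path, command line).
EVENTS = [
    (1200, 800,  r"C:\Windows\System32\msiexec.exe",
     r'msiexec.exe /i "C:\Users\user\Downloads\bundle.msi"'),
    (1300, 1200, r"C:\Windows\Temp\VirtualBox-Win.exe",      # assumed installer name
     r"VirtualBox-Win.exe --silent"),
    (1400, 1200, r"C:\Windows\System32\attrib.exe",
     r'attrib.exe +h "C:\Program Files\Oracle\VirtualBox"'),
    (1500, 1200, r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     r'VBoxManage.exe import "C:\ProgramData\vm\appliance.ova"'),
    (1600, 700,  r"C:\Windows\System32\notepad.exe",
     r"notepad.exe"),                                       # benign noise
]


def _basename(path):
    return ntpath.basename(path).lower()


def rule_vbox_installer(img, cmd, parent_img):
    """VirtualBox setup binary spawned by msiexec (the MSI drops and runs it)."""
    return (parent_img is not None and _basename(parent_img) == "msiexec.exe"
            and _basename(img).startswith("virtualbox"))


def rule_hidden_vbox_folder(img, cmd, parent_img):
    """attrib.exe setting the hidden attribute on a VirtualBox path."""
    tokens = cmd.lower().split()
    return _basename(img) == "attrib.exe" and "+h" in tokens and "virtualbox" in cmd.lower()


def rule_ova_import(img, cmd, parent_img):
    """VBoxManage importing an appliance from an .ova file."""
    tokens = cmd.lower().split()
    return _basename(img) == "vboxmanage.exe" and "import" in tokens and ".ova" in cmd.lower()


RULES = {
    "vbox_installer_from_msiexec": rule_vbox_installer,
    "hidden_vbox_folder": rule_hidden_vbox_folder,
    "ova_import": rule_ova_import,
}


def msiexec_ancestor(pid, by_pid):
    """Walk the parent chain and return the PID of the nearest msiexec.exe, if any."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, img, _ = by_pid[pid]
        if _basename(img) == "msiexec.exe":
            return pid
        pid = ppid
    return None


def detect(events):
    """Return (rule name, pid, msiexec ancestor pid) for every event that matches a rule."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in events}
    hits = []
    for pid, ppid, img, cmd in events:
        parent = by_pid.get(ppid)
        parent_img = parent[1] if parent else None
        for name, rule in RULES.items():
            if rule(img, cmd, parent_img):
                hits.append((name, pid, msiexec_ancestor(pid, by_pid)))
    return hits


def chain_complete(hits):
    """True when all three steps fired under the same msiexec.exe ancestor."""
    steps = defaultdict(set)
    for name, _pid, root in hits:
        if root is not None:
            steps[root].add(name)
    return any(names == set(RULES) for names in steps.values())


if __name__ == "__main__":
    found = detect(EVENTS)
    for name, pid, root in found:
        print(f"{name:30} pid={pid} under msiexec pid={root}")
    print("installation chain complete:", chain_complete(found))
```

Each rule on its own would be noisy (administrators do run VBoxManage import), which is why the verdict requires all three steps under one msiexec.exe ancestor. The service registration by VmServiceControl.exe could be added as a fourth rule in the same shape once the service name and binary path from the INI file are known; they are not reproduced here.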

Yara

To see all Yara detections, apply a filter via the quick filters in the top bar:

Interestingly, one of Joe Security's XMRig signatures hits. Clicking on the event shows the matching data source:

The matching data is the VMDK disk image inside the OVA, i.e. the guest's virtual hard disk: the miner lives on that disk rather than as a file on the host, which is why only a scan that looks inside the appliance finds it.
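Because the OVA is a plain tar archive, the same inspection can be scripted: unpack the members, verify them against the .mf manifest, and scan the disk image for indicators. The script below is an added example and not Joe Trace's Yara engine or Joe Security's rule set; the appliance is constructed in memory, the planted XMRig-style strings stand in for a real rule, and plain substring matching replaces Yara so it runs with the standard library only.

```python
"""Unpack an OVA and scan the disk image inside it for miner indicators.

Added illustration for this post; not Joe Trace's Yara engine or Joe Security's
rule set. An OVA is a plain tar archive holding an .ovf descriptor, an optional
.mf manifest with file digests, and one or more .vmdk disks. The appliance below
is constructed in memory with a tiny fake disk carrying XMRig-style strings so
the script runs offline; the indicator strings are assumptions for the demo.
"""
import hashlib
import io
import tarfile

# Byte patterns a simple miner rule might look for (assumed, not the vendor's rule).
INDICATORS = [b"xmrig", b"stratum+tcp://", b"--donate-level"]


def build_demo_ova() -> bytes:
    """Constructed OVA: descriptor, one fake VMDK, and a manifest with SHA256 digests."""
    ovf = b'<?xml version="1.0"?><Envelope></Envelope>'
    # "KDMV" is the sparse-VMDK magic; the rest is filler around the planted strings.
    vmdk = (b"KDMV" + b"\x00" * 60
            + b"xmrig --url stratum+tcp://pool.invalid:3333 --donate-level 0"
            + b"\x00" * 60)
    members = {"miner.ovf": ovf, "miner-disk1.vmdk": vmdk}
    manifest = "".join(
        f"SHA256({name})= {hashlib.sha256(data).hexdigest()}\n"
        for name, data in members.items()
    ).encode()
    members["miner.mf"] = manifest
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_manifest(mf: bytes) -> dict:
    """Parse 'ALGO(name)= hexdigest' lines into {name: (algo, digest)}."""
    digests = {}
    for line in mf.decode().splitlines():
        if not line.strip():
            continue
        algo, rest = line.split("(", 1)
        name, digest = rest.split(")=", 1)
        digests[name.strip()] = (algo.strip().lower(), digest.strip())
    return digests


def scan_ova(ova: bytes) -> dict:
    """Return {member: {sha256, manifest_ok, hits}} for every non-manifest member."""
    with tarfile.open(fileobj=io.BytesIO(ova), mode="r") as tar:
        blobs = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    manifest = {}
    for name, data in blobs.items():
        if name.endswith(".mf"):
            manifest = parse_manifest(data)
    report = {}
    for name, data in blobs.items():
        if name.endswith(".mf"):
            continue
        sha = hashlib.sha256(data).hexdigest()
        expected = manifest.get(name)
        report[name] = {
            "sha256": sha,
            # None: not listed in the manifest; False: digest mismatch (tampered/corrupt).
            "manifest_ok": None if expected is None
                           else (expected[0] == "sha256" and expected[1] == sha),
            "hits": [p.decode() for p in INDICATORS if p in data],
        }
    return report


def flagged_disks(report: dict) -> list:
    """Names of .vmdk members with at least one indicator hit."""
    return [n for n, r in report.items() if n.endswith(".vmdk") and r["hits"]]


if __name__ == "__main__":
    rep = scan_ova(build_demo_ova())
    for name, r in rep.items():
        print(f"{name:18} manifest_ok={r['manifest_ok']} hits={r['hits']}")
    print("disks flagged:", flagged_disks(rep))
```

One caveat for real appliances: disks inside an OVA are usually streamOptimized VMDKs whose grains are deflate-compressed, so a raw byte scan of the extracted .vmdk can miss strings that a scan of the mounted or converted disk (for example after `VBoxManage clonemedium` to a raw image) would find. The tar handling and manifest verification above are format-accurate; swap the substring check for yara-python when the real rule set is available.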

Full Hardware Control

Let's now reboot the lab machine and see whether the VM is started automatically:

We open Joe Trace again and check the newly started processes:

We can also download the captured PCAP and analyze it in Wireshark to find the network IOCs:

Finally, since we have fully uncovered the behavior, we can reset the lab machine to a pristine state:

Joe Lab and Trace - One of its kind

This blog post illustrates how Joe Lab and Joe Trace can be used to deeply analyze complex malware that uses virtualization for protection and evasion. Thanks to Joe Lab we were able to launch the sample in a secure way, capture full system PCAPs, and reboot and reset the lab machine. Thanks to Joe Trace we were able to fully inspect and understand the malware behavior, access dropped files and memory dumps, and use Yara rules for detection.

Would you like to try Joe Lab and Trace? Then don't wait and contact us for a trial!