Thank you to all our customers and friends for your support in 2020! The whole Joe Security family wishes you good health, satisfaction and many pleasant moments in 2021! Fingers crossed 2021 will be better than 2020!
Automated Malware Analysis
Thursday, December 31, 2020
Monday, October 5, 2020
Joe Sandbox v30 - Red Diamond
Today we release Joe Sandbox 30 under the code name Red Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!
mono joeboxserver.exe --updatefast
218 new Signatures
Mitre Att&ck Sub-Techniques
New Anti-Evasions
As a result, Joe Sandbox Red Diamond is able to bypass these new evasions. Further, we have added triggers to catch new related evasions.
Support for large Files
We have updated jbxapi.py, the Python wrapper for the RESTful Web API. Joe Sandbox customers can simply update to the latest version of jbxapi.py to benefit from the larger supported file size. No code or integration changes are needed.
API Parameter Overwriting & Integration Key Sharing
Phishing Detection for canvas.com, dropbox.com etc.
Better Report Overview
Further, we redesigned the overview section of the executive / management report for all architectures:
Static Mach-O Analysis in Archives
Function Logs for Android Analysis
On Android we added function / method logs. Those logs contain a chronological sequence of all traced API calls, with method / class / package name, arguments and the return value:
Function / method logs enable analysts to build machine learning models and understand the malicious behavior at the lowest possible level.
Final Words
In this blog post, we have presented the most important features of Joe Sandbox Red Diamond, but there are some other very interesting features on top:
- Support for VMware Workstation 16
- Unpacking of ALZ Archives
- Android No-Instrumentation Analysis Chaining for Instrumentation Failures
- Bypass for Anti-Analysis SystemCodeIntegrity and GetLastInput/GetTickCount
- Tags visible in the analyst and executive report
- Verdict and Threat Names in e-Mail Alerts
- Duplicate Password Protection
- Faster URL Analysis with Chrome
- Server Logs per Analysis
Thursday, September 17, 2020
GuLoader's VM-Exit Instruction Hammering explained
In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-analysis and sandbox evasion techniques.
Slow VM Exits
The initial analysis on a virtual machine showed the following results:
Among many other evasion checks, GuLoader uses the following code to detect that it is running in a virtual machine:
The code has two main purposes. First, it measures how long the execution of the CPUID instruction takes. On real hardware, CPUID is executed directly by the CPU. Inside a virtual machine, the CPUID instruction forces a VM exit: execution is transferred from the guest VM to the host, the hypervisor handles the instruction and then switches back. This transition is much slower than direct CPU execution. The same is true for other instructions such as RDTSC. This difference is measured and used to decide whether the loader executes the payload or not.
Instruction Hammering
Secondly, the measurements are not executed once but thousands of times. The result is an overall delay which often exceeds the execution time available in a sandbox. As a result, the payload execution is never reached. This method of executing massive amounts of delay instructions to prevent execution, also known as Instruction Hammering, is very similar to API hammering, a technique we saw in TrickBot and many other malware samples.
Instruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the architecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have even increased the number of delay instructions being executed:
This code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is being used for time measurements.
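As an added example (not Joe Security's code or signature logic), the following Python sketches how a sandbox-side static heuristic could flag a loop of this shape: it parses a constructed disassembly listing, finds the backward loop around RDTSC/CPUID and estimates the number of VM exits from the loop counter's initial value. The listing, the 100,000 threshold and the `mov reg, imm` counter pattern are assumptions made for the example.

```python
# Added example, not Joe Sandbox code: heuristic "instruction hammering" detector that
# finds backward-jump loops in a textual x86 listing whose body executes VM-exiting
# timing instructions (CPUID/RDTSC) and estimates the VM exits from the loop counter.
import re
TIMING_INSNS = {"cpuid", "rdtsc", "rdtscp"}   # each forces a VM exit inside a guest
HAMMER_THRESHOLD = 100_000                     # assumed cut-off, not a Joe Sandbox value
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s*(\w+)\s*(.*?)\s*(?:;.*)?$")
# Constructed listing for illustration; this is not GuLoader's actual code.
SAMPLE_LISTING = """
00401000: mov ecx, 0xA7D8C0   ; 11,000,000 iterations
00401005: rdtsc
00401007: cpuid
00401009: dec ecx
0040100a: jnz 0x00401005
0040100c: cpuid               ; a single CPUID outside any loop is not hammering
0040100e: ret
"""

def parse_listing(text):
    # Parse 'ADDR: MNEMONIC OPERANDS ; comment' lines into (addr, mnem, ops) tuples.
    insns = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        addr, mnem, ops = m.groups()
        insns.append((int(addr, 16), mnem.lower(),
                      [o.strip().lower() for o in ops.split(",") if o.strip()]))
    return insns

def find_hammering_loops(insns):
    # Return one finding per backward loop whose body contains timing instructions.
    index = {addr: n for n, (addr, _, _) in enumerate(insns)}
    findings = []
    for n, (addr, mnem, ops) in enumerate(insns):
        if not (mnem.startswith("j") and ops and ops[0].startswith("0x")):
            continue
        target = int(ops[0], 16)
        if target >= addr or target not in index:    # keep backward jumps only
            continue
        body = insns[index[target]:n + 1]
        timing = [m for _, m, _ in body if m in TIMING_INSNS]
        if not timing:
            continue
        # Counter = first register decremented in the body, initialised by the nearest
        # preceding 'mov reg, imm'; anything more complex yields iterations = None.
        counter = next((o[0] for _, m, o in body if m in ("dec", "sub") and o), None)
        init = next((o for _, m, o in reversed(insns[:index[target]])
                     if m == "mov" and o[:1] == [counter]), None)
        iterations = int(init[1], 0) if init and len(init) > 1 and init[1][:1].isdigit() else None
        exits = iterations * len(timing) if iterations else None
        findings.append({"loop": (target, addr), "timing_insns": timing,
                         "iterations": iterations, "estimated_vm_exits": exits,
                         "hammering": bool(exits and exits >= HAMMER_THRESHOLD)})
    return findings
```

On the constructed listing the loop at 0x401005..0x40100a is reported with 11,000,000 iterations and 22,000,000 estimated VM exits, while the lone CPUID after the loop produces no finding.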
Bare Metal Analysis to the Rescue
Joe Sandbox is one of the few vendors offering analysis on bare metal. In this setup, the malware sample is run on a real physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based evasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal, the delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped:
Wednesday, August 19, 2020
Analyzing VM-Malware with Joe Lab and Trace