Monday, February 18, 2019

Joe Sandbox 25 - Tiger's Eye is out!

For the last three months, we have been working on Joe Sandbox's 25th version, released today under the code name Tiger's Eye! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.

Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Tiger's Eye a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileX, LinuxComplete 
or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Tiger's Eye features.

Nearly 100 new Behavior Signatures

With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of ExileRAT, LuckyCat RAT, LokiBot, Anubis Loader, and more:

Optical Character Recognition (OCR) for Analysis of Office Documents

Malicious Office documents very often contain images and text used to convince the victim to enable macros or lower security settings. Thanks to the new OCR extraction of Office document content, Joe Sandbox Tiger's Eye can detect those lures:

This detection is very helpful to find malicious documents which contain old exploits that no longer work on recent Office versions.

Generic Unpacking Detection

99% of all malware today is packed. Tiger's Eye comes with a new signature to detect PE file overwriting and dynamic code loading within malware:

You can find more information about generic unpacking detection in one of our recent blog posts.

Microsoft Anti Malware Scan Interface (AMSI) Integration

Joe Sandbox v25 is able to use the Anti Malware Scan Interface of Microsoft. When adding the new cookbook command _JBEnableAMSI() Joe Sandbox will capture all AMSI buffer outputs. Through this, Joe Sandbox v25 can unpack and deobfuscate malicious Javascript, VBS, Powershell and Microsoft Office Macros:

You can find more information on the AMSI integration in one of our recent blog posts.

New Submission Options

Would you like to analyze a malware sample which requires a command line argument? No problem, Tiger's Eye includes a new submission option for that:

Besides the command line argument option there is also a new option to specify an archive password. Let us assume you keep all malware in password protected Zip archives to prevent that your local Antivirus agent deletes the files. You can now add that password as a submission option and Joe Sandbox will extract the file automatically on submission:

JA3 Support

JA3 is a method for creating SSL/TLS client fingerprints that can be easily shared for threat intelligence. You find the JA3 fingerprints in the network section - HTTPS packages:

Joe Sandbox Mail Monitor 2.0.0

The Tiger's Eye release contains Joe Sandbox Mail Monitor 2.0.0 with a row of new features and improvements. Firstly, Mail Monitor is now able to send a notification when an email has been received:

Secondly, Mail Monitor 2.0.0 enables to send summary notifications which bundle several analyses (attachments and links):

Finally, the configuration interface has been revamped. You can find more information on Joe Sandbox Mail Monitor 2.0.0 in one of our recent blog posts.

Joe Sandbox Class 3.0.0

Tiger's Eye also comes with Joe Sandbox Class 3.0.0 which includes a new engine that uses Joe Sandbox's massive behavior signature set for similarity analysis. One big benefit of this is that Class 3.0.0 allows detecting similar samples on Windows, Android, macOS, and Linux. Another benefit is that the similarity algorithm is independent of the programming language of the malware. 

The similarity is visualized in the full report with a graph and as well as with a list of similar samples. Below you can find some similarity graphs of recent samples:

LokiBot Graph (Windows)

LokiBot Variants (Windows)

Anubis e-Banking Trojan (Android)
Retefe (macOS)
For a deeper technical overview on Joe Sandbox Class 3.0.0 please check out this blog posts.

Android 8.0

We added support for Android 8.0. As a result, you can analyze Android malware on Android 8.0 Oreo:

Motion Simulation

Recent Android malware contains new evasions which are based on motion triggers. Only if the Android device receives motion data (e.g gyroscope) the payload of the malware is executed:

In order to activate such payloads, we added the cookbook command _JBSimulateMotion(). This command simulates up to 200 steps. 

Confidence Score

Android analysis now also includes a confidence score. The confidence score tells how sure Joe Sandbox is about the detection. The detection verdict combined with the confidence score delivers very precise detections:

Final Words

In this blog post, we introduced some of the major features of the Tiger's Eye release. Furthermore, minor features are:

  • Added whitelisting based on the National Software Reference Library (NSRL)
  • Added COM based Office automation
  • Added PCAP download to report
  • Added dropped binaries, memory dumps and unpacked files download to report
  • Added ssdeep hash
  • Added PE rich header information
  • Added icons to the behavior graph
  • Added WMI anti evasions
  • Added INetSim support for VMware Workstation and ESXi
  • Added an option to generate secondary forensic data to the web interface and web API
  • Added extraction for Android AD frameworks
  • Added a search for the source code report
  • Improved (up to 40%) performance of fast mode (previously named hyper mode)

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, February 5, 2019

Generic Unpacking of Javascript with Microsoft AMSI

Malicious Javascript files dominate the ranking of malicious e-mail attachments for the year 2018 with 37,2%. Why is that? Due to the flexibility of the Javascript language as well as various dynamic code execution functions, packing and encryption is easy to achieve. As a result, detection of malicious Javascript files is extremely difficult. Below is an example of a recent malicious Javascript file:

Wouldn't it be nice to get the unpacked and deobfuscated Javascript code? This would help to detect malicious Javascript and also reveal additional behavior indicators.

Security Engineers have proposed to use Javascript emulators. The emulator will run the file and output various internal states such as parameters and string values. This works great in theory, but not in the real world. Malware authors quickly adapted and added code to detect the emulator. Below is an example of a sample which verifies the number of processors:

We, therefore, thought there must be a better way. Enter the Microsoft Antimalware Scan Interface (AMSI).

AMSI in a Nutshell

AMSI is a generic interface standard that allows applications and services to integrate with any anti-malware product present on a machine. It basically enables to hook into a Windows interface which is also used by Windows Defender. Here is an image from the Microsoft Cloud Blog outlining how AMSI works with Microsoft Office.

Image Source

Behavior logs are mostly string buffers of executed code. In addition to Microsoft Office, AMSI also provides buffers for

  • Wscript.exe, VBA Code
  • Csript.exe, Javascript Code
  • Powershell.exe, PS1 Code
Here is an example AMSI output for a Javascript file:

Here another one:

AMSI does not care about packing & unpacking and obfuscation. It will send all executed code as strings to the interface. As a result, AMSI is the perfect unpacker and deobfuscator. Malware cannot use AMSI as an indicator for evasion since AMSI runs on real targets as part of the Windows Defender. Approaches to disable or evade AMSI can be detected and serve as an additional malicious indicator. 

Detecting Packed Javascript Files with AMSI

With the AMSI output, one can also easily detect packed Javascript files. The approach is straightforward:

Given a potentially malicious Javascript file, we check if it contains suspicious strings such as IWshShell3.Run or If we find one or a combination of such strings, the sample is considered malicious. If we do not find such strings, we will check each AMSI buffer for the strings. Please note that AMSI will send all code including the code passed to the eval function. If we find a string, we will know for sure that the sample is malicious as well as packed. If we do not find any string, the sample is considered clean.

We have added the above algorithm to Joe Sandbox v25 Tiger's Eye which is planned for mid-February. Below you find an example signature hit of unpacking detection for the Javascript sample shown in the introduction.

Joe Sandbox has detected the unpacking and displays the full unpacked code. Here the function of the script is to download a binary and then execute it.

You find the full analysis report here.

Final Words

37% of all malicious e-mail attachments are Javascript files. Javascript allows to easily pack and obfuscate code. As a result, Javascript files often slip through today's detection engines such as antivirus and endpoint protection. The Microsoft Anti-Malware Scan Interface is an ideal tool to unpack and deobfuscate malicious Javascript.

Joe Sandbox v25 Tiger's Eye includes an implementation of the AMSI interface and detects and unpacks Javascript files.

Tuesday, January 15, 2019

Architecture independent Malware Similarity Analysis with Joe Sandbox Class 3.0

Hunting for similar malware is the process of identifying similar samples based on IOCs, behavior, functions or other data. It helps analysts to find malware families, understand the evolution of threats and provides an indication for attribution.

There are various techniques to perform similarity analysis or classification. Often, the malware is disassembled and a unique identifier at a function level is being calculated (e.g. by using the instructions, opcodes, control flow graphs, API calls etc). This process is called feature selection and it is done on a large volume of malware. In order to check for similar malware, the feature database is queried for all samples which share a set of identical features:

Joe Sandbox Class 2.0, the similarity engine of Joe Sandbox is based on this technique. To get a better idea, please have a look at the screenshot below, extracted from a recent Emotet analysis. The first section contains the number of features in the database followed by a list of processes. For the Emotet process 161.exe, all similar samples are listed. On the right side, a bar indicates the number of similar functions for each similar process. For instance, the sample deepwindow.exe has 79 similar functions.

Using disassembly data for similarity analysis has many benefits, such as the possibility to use differential hashing, as well as the high interest in the matched data.

However, malware authors have the freedom to write malware in any programing language including C#, VB.Net, Java, Powershell, VBS or Javascript. Generating meaningful disassembly and function out of all these frameworks is a very challenging task.

Secondly, malware also targets other operating systems like Linux, macOS, or Android. Again, we have a large variety of new frameworks and programming languages to support. Think about Python, Bash, Golang, LUA etc.

Finally, x86 and x64 code can be well obfuscated, making the disassembly and feature selection extremely difficult.

Isn't there an easier way to perform similarity analysis on all of these architectures?

There is, but let us first have a look at something else: Behavior Signatures. Joe Sandbox executes malware in a controlled environment and during execution, it records dynamic data such as system calls, API calls, memory dumps etc. To identify and rate that dynamic data, we write rules, so-called Behavior Signatures. Here is an example:

Joe Sandbox has one of the largest behavior signature set in the industry. The set includes nearly 2,000 manually written behavior signatures, detecting malware on Windows, Android, MacOS, Linux and iOS. Please note, a behavior signature does not care about the programming language used by the malware, it just detects a fact about the behavior. So behavior signatures are abstractions of the code and therefore are the perfect features for similarity analysis.

In Joe Sandbox Class 3.0 which will be part of our upcoming Joe Sandbox v25 Tiger's Eye release, we have successfully implemented similarity analysis based on behavior signatures. The results are really good, let us have a look at a couple of recent samples.

Windows: LokiBot

The results of the signature similarity have been integrated into the Joe Sandbox main analysis report. However, there is also a separate report which contains just the similar sample information:

From the top navigation, go to Overview and then Signature Overview. What you see there is what we call signature similarity graph:

Each node represents a malware analysis (not a malware sample!). If two nodes are connected the analyses are similar. The number, as well as the color, indicates how similar. Each node has the name of the sample submitted to Joe Sandbox as well as a color bar. The color bar represents all the behavior signatures which matched. You can move over the bar with your mouse to see which signatures were hit:

The color bar helps to see why two analyses are similar. The graph itself is interactive, you can use your mouse wheel to zoom in or out. If a node has a small plus symbol you can extend the graph. The minus symbol will close the connected subgraph:

Let us focus on the graph structure of LokiBot - a very famous and active information stealer. On the left side of the graph, you find many samples with high similarity. We manually verified that they are all LokiBot. The samples on the right are also confirmed LokiBots, but an older version. Right after the graph, you find a list of all similar samples including a link to the behavior report:

Windows: NanoCore RAT

LokiBot is written in C/C++ so it could also have been detected with function based similarity analysis. Nanocore RAT is a remote access tool developed in .NET. The corresponding similarity graph looks like so:

What are some of the most common behaviors of NanoCore RAT? Here is a list:

  • Uses schtasks.exe or at.exe to add and modify task schedules
  • Hides that the sample has been downloaded from the Internet (zone.identifier)
  • Detected unpacking (overwrites its own PE header)
  • .NET source code contains potential unpacker
  • Detected TCP or UDP traffic on non-standard ports
  • Uses dynamic DNS services
  • Injects a PE file into a foreign processes
  • Parts of these applications are using the .NET runtime (Probably coded in C#)
  • Initial sample is a PE file and has a suspicious name

Because NanoCore RAT is written in .NET, x86/x64 ASM based function similarity analysis would fail. The same applies to ADWIND RAT, a remote access tool written in Java:

Android: Anubis

We have seen that behavior signatures work great to classify analysis on Windows. How about Android? A particular interesting sample is Anubis. Anubis is a well-known banking Trojan which has been around for years. Beside the Trojan payload, it has also some ransomware functionality. Joe Sandbox detects Anubis right away:

The behavior similarity graph of Anubis is shown below:

All analyses are confirmed to be Anubis. The right subgraph has some very high similarities. We checked the analysis reports in detail and found out that they all come from a specific campaign where a link to Anubis was likely distributed via MMS. To prevent that the user gets worried about his device all analyses show the same sweet puppy on the screen:

Another interesting observation is that the list of target bank has been continuously extended. The recent sample targets over 300 banks while the one from the MMS campaign has only 70 targets:

macOS: Retefe

We looked at malware targeting Windows and Android so far, what else? macOS! Retefe is an e-Banking trojan which infects Windows and macOS systems. Retefe is very active in European countries. A recent sample was detected by one of our customers. The similarity graph looks as shown below:

Only the left branch has high similarities and is Retefe. The right branch has some similar behavior but contains different programs. From the analysis reports, we extracted all screenshots which demonstrate that Retefe has changed the installer over time:

Linux: Miners

Finally, let us move to Linux and the IOT world. Crypto Miners are a constant threat to Linux server operating systems:

We will use the following crypto miner shell script named

The generated similarity graph reveals some interesting facts:

First, all analysis have crypto mining functionality. 

The analysis with the highest match is coming from a sample with the name is a modified version:

What are the differences? First, as you can imagine it uses different domains to download the crypto config:

Secondly, it changes the install location:

However, both times the malware persists itself to /tmp.

Final Worlds

By using several recent samples we have demonstrated that behavior signature-based similarity analysis has many benefits. It classifies samples no matter if they are written in .Net, Java or Visual Basic. Traditional similarity analysis which depends on x86 / x64 functions as features can be easily foiled by using packing and obfuscations. Behavior signature does not have this limitation. Finally, behavior signatures enable to do architecture independent sample comparison. 

Joe Sandbox Class 3.0 includes a new similarity analysis which is based on Joe Security's massive behavior signature set. Class 3.0 will be released as a part of our upcoming Tiger's Eye - Joe Sandbox v25 release.

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Bonus Pafish

You are looking for a bonus? Below you find the similarity graph of Pafish. Pafish is a well-known tool to check how well a sandbox hides its artifacts from the malware. Malware often tries to detect that it is running - e.g. by checking that computer is a virtual machine.

On the left side, you find a couple of different Pafish variants, mostly old versions. The fourth branch which starts with loader.exe is interesting:

Those samples are not Pafish variants but rather loaders which adopted techniques implemented in Pafish. Loaders are small tools which have the purpose to verify that all is good and then start the main payload. Often they include anti-debugging and anti-virtual machine checks: