Thursday, April 8, 2021

Joe Sandbox I – Deep Malware Analysis on iOS 13





Today, we have the pleasure to present a major upgrade of our Joe Sandbox I product. The first version of our automated malware analysis system for iOS was introduced nearly five years ago. Back then, Joe Sandbox was, and still is, the only commercial malware analysis sandbox that can analyze threats on all major desktop and mobile platforms, namely Windows, macOS, Linux, Android, and iOS.


Recent years have shown that malware is getting more and more sophisticated. The two current market leaders for mobile platforms are Android and iOS. While Android malware gets more attention and is studied more often, malicious software found on iOS is reported publicly much less frequently. A likely reason is that analyzing apps on iOS is a difficult and cumbersome task because of the heavily locked-down operating system. It is therefore generally not trivial for security solutions or analysts to assess whether an app behaves as it should, and the actual malware threat landscape on iOS remains diffuse.


Despite Apple's strict review of apps before they are admitted to the App Store, there have been multiple cases in the past where malware or maliciously behaving software was able to sneak into the store. A recent example, published here, affected hundreds of apps that were prone to data leakage and remote code execution.


With Joe Sandbox I, a malware analyst gets a powerful fully automated solution to analyze apps on a bare-metal iPhone without the hassle of setting up such a device and all the quirks that iOS brings. Currently, we support iOS 13 on an iPhone 7.


Joe Sandbox I features at a glance:


  • Analyze apps from the App Store or IPA files
  • Live interaction with the app during execution
  • Automated screenshotting during the analysis
  • Network capturing including HTTPS inspection
  • Selected API hooking for dynamic analysis
  • App archive and file static analysis
  • Deeper static analysis of disassembly code
  • Behavior signatures for rating dynamic and static analysis


App Store Analyzing with Live Interaction


An analyst can directly submit an App Store URL. The app is then installed onto the iPhone in the background, started, and uninstalled again once the analysis time has elapsed:




The user can enable Live Interaction (formerly called Remote Assistance) before submission. Interacting with an app generally elicits more behavior, which leads to better dynamic analysis results. This recording demonstrates the Live Interaction feature nicely:



As one can see, the user gets a smooth interface to interact with: clicking through permission prompts or entering text works just as on a physical device, and the hardware keyboard makes typing faster.



Analyzing an IPA Archive


An analyst can also submit IPA archives for analysis. However, only IPAs with decrypted Mach-O files can be executed, due to Apple's FairPlay DRM. Nevertheless, this feature remains useful for analysts who are, for example, able to extract a decrypted IPA from a suspicious device.


For the sake of this blog post, we have created a small demonstration app that behaves maliciously. It is called MyContacts and is meant to act as a simple contact viewer and caller.





The IPA file was submitted with Live Interaction enabled.



Screenshot Slideshow



Joe Sandbox I takes screenshots periodically throughout the app execution, saving only the images that changed. The resulting report shows the screenshotting feature prominently. The most interesting screenshot is shown at the beginning:





In the “Screenshots” section, all taken shots can be viewed interactively in a slideshow or as thumbnails. Here we see how the app requested permission to access the contacts database and the microphone, and then tried to call a different number than the one selected:





Behavior Signatures and Classification


Joe Sandbox I has a growing set of roughly 230 behavior signatures which rate and classify the observed behavior. With the signature overview, a malware analyst can swiftly assess whether the app's behavior is bad or not. Here we see that MyContacts does behave maliciously and has capabilities that indicate malicious intent, for example its capability to install and launch apps:




This excerpt shows all triggered behavior signatures:




Finally, the classification spider graph consolidates the behavior signature ratings in order to show what type of potential malware we are likely looking at:






Network Capturing and HTTPS Inspection


An important part of app analysis is network analysis. Joe Sandbox I can analyze common protocols like HTTP or DNS, but also less frequently used ones like FTP, SMTP, etc. Intercepting encrypted traffic is also possible. Here we see how MyContacts leaks email addresses and phone numbers over HTTPS:





This behavior was rated by our signatures as malicious:






Dynamic Analysis


A core part of any malware sandbox is its ability to trace behavior. Joe Sandbox I intercepts interesting APIs, such as file accesses or sysctl requests. Here we see how the app opens the previously requested URL:




We also see that email and contact information is being encrypted:






Static Analysis – IPA Archive


In addition to dynamic analysis, the app is also analyzed statically. This is done on two levels: the app's IPA archive as well as the app's executable. For App Store apps, the installation directory itself is analyzed.


Here we see the content of the IPA archive:






Certain interesting file types are extracted and analyzed further, such as Plist and Mach-O files. This excerpt shows the app's Mach-O:





The extracted property list (Plist) in the "embedded.mobileprovision" file reveals that the app has the capability of being provisioned to any device:




This indicates that the app could be distributed outside of Apple's code review procedure by abusing an enterprise certificate intended for in-house app distribution.
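The check described above, written out as an added example (not code from Joe Sandbox I): an embedded.mobileprovision file is a CMS-signed blob wrapping an XML plist, and the ProvisionsAllDevices key marks an enterprise (in-house) profile. The DER bytes around the plist and all profile values below are constructed placeholders.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: a real file starts with a DER/CMS envelope; a short fake
# prefix and suffix stand in for it here so the extraction logic can be exercised.
SAMPLE_MOBILEPROVISION = b"\x30\x82\x05\x00FAKE-DER-PREFIX" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>MyContacts InHouse</string>
    <key>TeamIdentifier</key><array><string>PLACEHOLDERTEAM</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>PLACEHOLDERTEAM.com.example.mycontacts</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>""" + b"\x00\x00FAKE-DER-SUFFIX"


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist inside the CMS envelope and parse it (signature not verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Map the profile keys to the distribution method they imply."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"        # in-house distribution: installs on any device
    if profile.get("ProvisionedDevices"):
        # device-limited profile; get-task-allow distinguishes debug builds from ad hoc
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"


def assess(blob: bytes) -> dict:
    """Summarize the provisioning profile and list review-relevant findings."""
    profile = extract_plist(blob)
    kind = classify_profile(profile)
    findings = []
    if kind == "enterprise":
        findings.append("ProvisionsAllDevices set: app can be installed on any device without App Store review")
    if profile.get("Entitlements", {}).get("get-task-allow"):
        findings.append("get-task-allow set: a debugger may attach to the process")
    expires = profile.get("ExpirationDate")
    if expires and expires < datetime.now(timezone.utc).replace(tzinfo=None):
        findings.append("profile has expired")
    return {
        "name": profile.get("Name"),
        "team": (profile.get("TeamIdentifier") or [None])[0],
        "kind": kind,
        "findings": findings,
    }
```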




Static Analysis – Disassembly


Joe Sandbox I extracts all interesting functions from the app's Mach-O if it is not encrypted. For App Store submissions, the binary is decrypted from memory and then analyzed statically. The report then presents the ARM disassembly as well as meta information, where available.


Here we see an excerpt of a function that does a jailbreak check:









It is worth mentioning that Joe Sandbox's integrated search functionality lets the analyst easily search through the whole report. Each search hit provides additional information:








Summary


We have demonstrated the power of Joe Sandbox I, which enables an analyst to swiftly understand and detect threats that target iOS systems. We have shown that apps from the App Store as well as IPA files can be analyzed. With the help of the Live Interaction feature, the analyst can seamlessly interact with the app. Standard features like screenshotting and network capturing were illustrated, including interception of encrypted traffic. We then demonstrated the API dynamic analysis capabilities. Finally, static analysis features for Plists and Mach-O as well as for disassembly were showcased.



The full analysis report of MyContacts is available here.


Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!



Remarks


Joe Sandbox I is intended for malware analysis only and does not provide decrypted IPA files from the App Store. The iPhone analysis device does not have a SIM installed, nor does it provide physical camera or microphone access. With Joe Sandbox I, analysts can only analyze apps and do not get any access to iPhone services such as phone calls, SMS, photography, etc.



Monday, February 1, 2021

Joe Sandbox v31 - Emerald

Today we release Joe Sandbox 31 under the code name Emerald! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!






Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Emerald.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast


Even though we are delighted about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Emerald features.


213 new Signatures


With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like FickerStealer, SnakeKeylogger, Egregor, Babuk, Novter, TriumphLoader, Wapomi, Citadel, ModiLoader, Strongpity, Ranzylocker, RunningRAT, Vaggen, Nitol, ElectroRAT, Lazagne and many more. In addition, we added more malware configuration extractors, e.g. for FormBook:






We also added detection signatures for the backdoors used in the Solarwinds breach such as SUNBURST and SUPERNOVA:



IOC Reports


Say hello to our brand new IOC report! This report gives you a concise overview of all the IOCs found in an analysis. The report is available in HTML (direct link on the analysis page) as well as XML and JSON:





For each IOC, the analysis details, all matching behavior signatures and MITRE ATT&CK techniques are listed:




The IOC Report is very extensive and includes:

  • All contacted IPs, Domains and URLs
  • All created or modified files
  • All created or modified registry keys
  • All processes
  • All memory dumps
  • All DOM trees (from URL / phishing detection)

For multi-run analyses, e.g. if an analyst uploads the same sample to multiple analyzers, the IOC report includes the IOCs from all analyses.

Compliance Score


Application Validation, the process of testing software for compliance or potential backdoors before installing it on the endpoint, is an important task for security analysts. With Joe Sandbox v30 we introduced large file support: analysts are able to upload samples of up to 500MB. With Joe Sandbox v31 we added several new signatures to measure the compliance of software installers:



In addition, the report includes a new compliance score for quick identification:




URL Analysis with Chrome


Internet Explorer, the default browser for Joe Sandbox URL analysis, is deprecated and doesn't work on modern webpages. As a result, Joe Sandbox v31 comes with support for URL analysis with Chrome, which successfully renders modern phishing pages. Analysts can choose between IE and Chrome from the submission tab:




URL analysis in Chrome is fully automated: Joe Sandbox follows links and uses the AI-based phishing detection engine. Analysts can also use Remote Assistance / Live Interaction to browse a URL manually in Chrome:




An additional benefit for URL analysis with Chrome is that you can download the HTML DOM tree which is used for phishing detection:




Memory Dumping for macOS and Linux


Memory dumps are a great source for detection since they contain the unpacked code. We introduced memory dumping for Windows several years ago and have now also added it to the macOS and Linux analyzers. Here are some detections on memory dumps from Linux / macOS analyses of recent threats:







SSO Support


Single Sign-On is a very convenient enterprise feature that enables end-users to log in to multiple sites with the same credentials. With Joe Sandbox v31 Emerald we implement SSO support with OpenID Connect. This allows Joe Sandbox to be connected to an Identity Provider (IdP), which handles the authentication.


Final Words


In this blog post, we have presented the most important features of Joe Sandbox Emerald, but there are some other very interesting features on top:

  • Integration with SlashNext
  • Parsing of IOCs from malware configuration data
  • Additional OCR based phishing detection
  • Option to start sample automatically during Remote Assistance / Live Interaction
  • Download of DOM trees for URL analysis
  • Intelligent analysis time extension
  • Unpacking support for XZ archives
  • Support for vSphere SDK API
  • Configurable RDTSC NOP patching

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!


Thursday, December 31, 2020

Happy New Year 2021



Thank you to all our customers and friends for your support in 2020! The whole Joe Security family wishes you good health, satisfaction and many pleasant moments in 2021! Fingers crossed that 2021 will be better than 2020!

Monday, October 5, 2020

Joe Sandbox v30 - Red Diamond

Today we release Joe Sandbox 30 under the code name Red Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!






Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Red Diamond.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast


Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Red Diamond features.


218 new Signatures


With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like FinSpy, Liquorbot, WellMess, Taurus Stealer, Matiex Keylogger, Elysium Stealer, DCRat, Avaddon Ransomware, Netwalker Ransomware, IOCP Ransomware and many more.






We also updated many signatures to cover the latest variants of malware like BazarLoader, Formbook, Emotet, Phobos, Qbot, NJRat, etc.

MITRE ATT&CK Sub-Techniques


Joe Sandbox Red Diamond is the first sandbox to officially support MITRE ATT&CK Sub-Techniques! We extended our behavior signature mapping to include Sub-Techniques, giving analysts the most precise information about techniques and procedures:






Joe Sandbox Red Diamond supports MITRE ATT&CK Sub-Techniques for Windows, macOS, Linux and Android analysis.


New Anti-Evasions


During the last couple of months we detected several new sandbox evasions, such as API and instruction hammering in GuLoader or TrickBot. Red Diamond addresses these evasions with technology that bypasses them. Whenever we develop new bypasses, we first write new detection signatures to classify the behavior:








As a result, Joe Sandbox Red Diamond is able to bypass these new evasions. Further, we have added triggers to catch new, related evasions.


Support for large Files


This has been a frequent customer request, as up until now Joe Sandbox had limits on the upload size of malware binaries. Red Diamond removes this limit and introduces chunked file upload for the Web Interface as well as the Joe Sandbox RESTful Web API.




We have updated jbxapi.py, the Python wrapper for the RESTful Web API. Our Joe Sandbox customers can simply update to the latest version of jbxapi.py to benefit from large file support. No need to change any code or integration.


API Parameter Overwriting & Integration Key Sharing


Joe Sandbox integrates with many different security solutions. You can find a list of all supported integrations here. While having so many integrations is great, updating integrations with new features is tricky. To solve this issue we introduced API Parameter Overwriting. With this option you can overwrite specific Joe Sandbox settings for samples which are submitted via the API by one of your integrations:





Let's have a look at a use case for API Parameter Overwriting. Assume that an integration does not yet support the Joe Sandbox cache option. With the cache option enabled, the same file or URL is not analyzed twice, because an internal cache is checked first. Thanks to API Parameter Overwriting you can enforce that option for all integrations by default. This saves you quota and time, since previously analyzed samples will not be analyzed again.

Integration Key Sharing enables you to enforce a specific integration such as VirusTotal, ReversingLabs, Intezer, UrlScan, etc. for all your Joe Sandbox users. This is very handy, since you don't want your Joe Sandbox users to deal with integration settings themselves.


Phishing Detection for canvas.com, dropbox.com etc.


Many phishing pages host their initial lures on canvas.com, dropbox.com, etc. Those pages use JavaScript heavily and load most content dynamically, which makes phishing detection challenging. In addition, PDF files that link to the real phishing page are often hosted on those pages. Most sandbox solutions are not able to follow a link in a PDF on a dynamic webpage. With Joe Sandbox v30 Red Diamond we solved this challenge:













Better Report Overview


In our last release, Joe Sandbox 29 Ocean Jasper, we completely redesigned the overview section of the full analyst report for Windows analysis. In Red Diamond we redesigned the overview section of the macOS, Android and Linux reports:











Further, we redesigned the overview section of the executive / management report for all architectures:



The new format condenses the most important information onto one page and also improves readability and structure.


Static Mach-O Analysis in Archives


EvilQuest has shown that actors can also be very creative on macOS. The initial DMG sample includes the payload in an additional Mach-O file. Joe Sandbox Red Diamond takes care of that and analyzes Mach-O files in archives and containers:



Static Mach-O information is shown in the Static File Info - Archive DMG section of the analyst report:



Function Logs for Android Analysis

On Android we added function / method logs. Those logs contain a chronological sequence of all traced API calls, with method, class and package name, arguments and the return value:




The logs are available in text format as well as XML:






Function / method logs enable analysts to build machine learning models and understand the malicious behavior at the lowest possible level.

Final Words


In this blog post, we have presented the most important features of Joe Sandbox Red Diamond, but there are some other very interesting features on top:

  • Support for VMware Workstation 16
  • Unpacking of ALZ Archives
  • Android No-Instrumentation Analysis Chaining for Instrumentation Failures
  • Bypass for Anti-Analysis SystemCodeIntegrity and GetLastInput/GetTickCount
  • Tags visible in the analyst and executive report
  • Verdict and Threat Names in e-Mail Alerts
  • Duplicate Password Protection
  • Faster URL Analysis with Chrome
  • Server Logs per Analysis

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!