Monday, October 5, 2020

Joe Sandbox v30 - Red Diamond

Today we release Joe Sandbox 30 under the code name Red Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Red Diamond.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast


Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Red Diamond features.

218 new Signatures

With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families such as FinSpy, Liquorbot, WellMess, Taurus Stealer, Matiex Keylogger, Elysium Stealer, DCRat, Avaddon Ransomware, Netwalker Ransomware, IOCP Ransomware and many more.

We also updated many signatures to cover the latest variants of malware such as BazarLoader, Formbook, Emotet, Phobos, Qbot, NJRat etc.

Mitre Att&ck Sub-Techniques

Joe Sandbox Red Diamond is the first sandbox to officially support Mitre Att&ck Sub-Techniques! We successfully extended our behavior signatures mapping to include Sub-Techniques, giving analysts the most precise information about techniques and procedures:

Joe Sandbox Red Diamond supports Mitre Att&ck Sub-Techniques for Windows, macOS, Linux and Android analysis.

New Anti-Evasions

During the last couple of months we detected several new sandbox evasions, such as API and instruction hammering in GuLoader or TrickBot. Red Diamond addresses these evasions with new bypass technology. Whenever we develop a new bypass, we first write new detection signatures to classify the behavior:

As a result, Joe Sandbox Red Diamond is able to bypass these new evasions. Further, we have added triggers to catch new related evasions. 

Support for large Files

This has been a frequent customer request, as up until now Joe Sandbox limited the upload size of malware binaries. Red Diamond removes this limit and introduces chunked file upload for the Web Interface as well as for the Joe Sandbox RESTful Web API.

We have also updated the Python wrapper for the RESTful Web API. Our Joe Sandbox customers can simply update to the latest version of the wrapper to benefit from the larger file size support. No need to change any code or integration.

API Parameter Overwriting & Integration Key Sharing

Joe Sandbox integrates with many different security solutions. You find a list of all supported integrations here. While having so many integrations is great, updating every integration with new features is tricky. To solve this issue we introduced API Parameter Overwriting. With this option you can overwrite specific Joe Sandbox settings for samples which are submitted via the API by one of your integrations:

Let's have a look at a use case for API Parameter Overwriting. Assume that an integration does not yet support the Joe Sandbox cache option. With the cache option enabled, the same file or URL is not analyzed twice, because submissions are checked against an internal cache. Thanks to API Parameter Overwriting you can enforce that option for all integrations by default. This saves you quota and time, since previously analyzed samples will not be analyzed again.

Integration Key Sharing enables you to enforce a specific integration such as VirusTotal, ReversingLabs, Intezer, UrlScan etc. for all your Joe Sandbox users. This is very handy, since you don't want your Joe Sandbox users to deal with integration settings themselves.

Phishing Detection for, etc.

Many Phishing pages host initial lures on, etc. Those pages use JavaScript heavily and load most content dynamically. This makes phishing detection challenging. In addition, PDF files are often hosted on those pages which link to the real phishing page. Most sandbox solutions are not able to follow a link in a PDF on a dynamic webpage. With Joe Sandbox v30 Red Diamond we solved this challenge:

Better Report Overview

In our last release Joe Sandbox 29 Ocean Jasper we completely redesigned the overview section of the full analyst report for Windows analysis. In Red Diamond we redesigned the overview section in the macOS, Android and Linux report: 

Further, we redesigned the overview section of the executive / management report for all architectures:

The new format condenses the most important information to one page and also improves the readability and structure. 

Static Mach-O Analysis in Archives

EvilQuest has shown that actors can also be very creative on macOS. The initial DMG sample includes the payload in an additional Mach-O file. Joe Sandbox Red Diamond takes care of that and analyzes Mach-O files in archives and containers:

Static Mach-O information is shown in the Static File Info - Archive DMG section of the analyst report:

Function Logs for Android Analysis

On Android we added function / method logs. Those logs contain a chronological sequence of all traced API calls, with method / class / package name, arguments and the return value:

The logs are available in text format as well as XML:

Function / method logs enable analysts to build machine learning models and understand the malicious behavior at the lowest possible level.

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Red Diamond, but there are some other very interesting features on top:

  • Support for VMware Workstation 16
  • Unpacking of ALZ Archives
  • Android No-Instrumentation Analysis Chaining for Instrumentation Failures
  • Bypass for Anti-Analysis SystemCodeIntegrity and GetLastInput/GetTickCount
  • Tags visible in the analyst and executive report
  • Verdict and Threat Names in e-Mail Alerts
  • Duplicate Password Protection
  • Faster URL Analysis with Chrome
  • Server Logs per Analysis

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, September 17, 2020

GuLoader's VM-Exit Instruction Hammering explained

In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-analysis techniques.

Slow VM Exits

The initial analysis on a virtual machine showed the following results:

As we can see in the Signature section, there are some RDTSC based evasion checks executed:

Among many other anti-analysis checks, GuLoader uses the following code to detect that it is running in a virtual machine:

The code has two main purposes. First, it measures how long the execution of the CPUID instruction takes. On real hardware, CPUID is executed directly by the CPU. Inside a virtual machine, the CPUID instruction forces a VM exit: execution is transferred from the guest VM to the host, the hypervisor handles the instruction and then switches back to the guest. This transition is much slower than direct CPU execution. The same is true for other instructions such as RDTSC. The measured difference is used to decide whether the loader executes the payload or not.

Instruction Hammering

Secondly, the measurements are not executed once but thousands of times. The result is an overall delay which often exceeds the execution time budget of a sandboxed analyzer. As a result, the payload execution is never reached. This method of executing massive amounts of delay instructions to prevent execution of the payload - also known as Instruction Hammering - is very similar to API hammering, a technique we saw in TrickBot and many other malware samples.

Instruction Hammering is extremely powerful since it is hard to detect and challenging to bypass, as it exploits the architecture of virtualization. The GuLoader creators seem to have noticed that, and in the new version they have even increased the number of delay instructions being executed:

This code executes RDTSC and CPUID 11 million times. In addition, UserSharedData.SystemTime is used for time measurements.
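The two properties described above (timing instructions that force VM exits, and the same ones executed from the same code site many thousands of times) can be turned into a classification heuristic over an instruction trace. The following is an added example written for this post, not Joe Sandbox's own signature logic; it assumes a constructed trace format of (address, mnemonic, memory read address) records and hypothetical code addresses.

```python
from collections import Counter

# Instructions whose cost differs strongly between bare metal and a VM (VM exits).
TIMING_INSTRUCTIONS = {"rdtsc", "rdtscp", "cpuid"}
# KUSER_SHARED_DATA.SystemTime as mapped into user mode (0x7FFE0000 + 0x14).
KUSER_SHARED_SYSTEMTIME = 0x7FFE0014


def detect_instruction_hammering(trace, site_threshold=10_000, total_threshold=100_000):
    """Classify an instruction trace.

    trace: iterable of (address, mnemonic, memory_read_address_or_None).
    Executing a timing instruction once is normal; executing the same one from
    the same address many thousand times, or huge numbers overall, is hammering.
    """
    per_site = Counter()
    systemtime_reads = 0
    for address, mnemonic, mem in trace:
        if mnemonic in TIMING_INSTRUCTIONS:
            per_site[(address, mnemonic)] += 1
        if mem == KUSER_SHARED_SYSTEMTIME:
            systemtime_reads += 1
    total = sum(per_site.values())
    hot_sites = {site: n for site, n in per_site.items() if n >= site_threshold}
    return {
        "total_timing_instructions": total,
        "hot_sites": hot_sites,
        "systemtime_reads": systemtime_reads,
        "instruction_hammering": total >= total_threshold or bool(hot_sites),
    }


def build_delay_loop_trace(iterations):
    """Constructed trace shaped like the delay loop described above (addresses
    are hypothetical): rdtsc, cpuid, rdtsc, a SystemTime read, loop control."""
    body = [
        (0x401000, "rdtsc", None),
        (0x401002, "cpuid", None),
        (0x401004, "rdtsc", None),
        (0x401006, "mov", KUSER_SHARED_SYSTEMTIME),
        (0x40100C, "sub", None),
        (0x40100E, "dec", None),
        (0x40100F, "jnz", None),
    ]
    return body * iterations


if __name__ == "__main__":
    print(detect_instruction_hammering(build_delay_loop_trace(20_000)))  # hammering
    print(detect_instruction_hammering(build_delay_loop_trace(3)))       # benign
```

The per-site threshold is what separates a single legitimate timing measurement from a loop that exists only to burn analysis time.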

On a Windows 10 x64 system running on VirtualBox the delay loop takes several minutes to finish:

On real hardware, the loop is executed in under one second!

Bare Metal Analysis to the Rescue

Joe Sandbox is one of the few vendors offering analysis on bare metal. In this setup, the malware sample is run on a real physical machine. Physical machines are much closer to the real target of the malware. As a result, VM-based evasions don't work and the sandbox can catch and record the real payload. If we analyze GuLoader on bare metal, the delay loop is passed in under a second and we can see that the LuminosityLink RAT is dropped:

The full analysis report of the GuLoader variant is available here.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Wednesday, August 19, 2020

Analyzing VM-Malware with Joe Lab and Trace


VM-malware is a special type of malware which uses virtualization technology to stay hidden. A recent example of such malware is Load Miner. In this blog post we will showcase how to use Joe Lab - the Cloud-based Malware Analysis Lab - and Joe Trace - a Process Monitor on Steroids - to analyze Load Miner (MD5 8a2a344d985f50a08a1ace0c995b064a).

Load Miner is often bundled with large benign software in an MSI package. The packages have an average size of 450MB. Most sandboxes don't support uploads of such large files.

We have successfully uploaded the file to a Windows 10 analyzer on Joe Lab and connected via Web based VNC:

Joe Lab features full network capturing, which can easily be enabled via the quick action bar on the right:

The whole capturing process happens outside of the machine and is therefore invisible to the malware.

Joe Trace

Further, we would like to analyze Load Miner with Joe Trace. Joe Trace is a very advanced process monitor tool designed for malware analysis. It comes preinstalled on a Joe Lab machine:

As a first step, we enable file and memory dumping and configure the use of Joe Security's Yara rule set. The Yara rules will be used to scan all captured files and memory dumps. Right after hitting the Start button we see that the full system behavior is captured.

By clicking on the top left Process tab, we get a nice overview of all processes. We will now manually launch the malware sample and instantly see the MSI process startup:

New processes are colored so that you can visually catch all new startups. MSI files are launched by msiexec and later by the module installer service.

After some seconds a suspicious popup is shown. It looks like the malware is installing the virtualization solution VirtualBox. We can confirm that by going to the event tab and filtering for all created files:

Why use virtual machines? It is harder for antivirus and EDR products to detect the miner, since it runs inside a whole separate operating system. Given the fact that most sandboxes run malware samples on virtual machines, the current sample won't work there, as it uses virtual machines itself.

After a few seconds, we see new processes being launched:

We can also observe the installation of the VirtualBox driver as well as the launch of attrib.exe. Via the context menu we can get the full command line:

Furthermore, in order to hide VirtualBox, the installation folder is marked hidden.

Next, we can also see that an OVA (Open Virtualization Appliance) is created and later imported via VBoxManage:

Let's now have a look at VmServiceControl.exe. What is this?

By following the process, we can see that it registers a service by using an INI file dropped previously:

Since Joe Trace captures all files we can inspect that INI file:

We can also find the new service in the Service App:

With the service installation the installer finally quits:
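Each step of the installer chain above (VirtualBox setup, attrib.exe hiding the install folder, VBoxManage importing an OVA, VmServiceControl.exe registering a service) is unremarkable on its own, since VirtualBox is legitimate software; what makes the chain suspicious is all of them occurring under one installer. The following added example, written for this post and not part of Joe Trace, correlates such steps by process ancestry over a constructed process-creation log; the paths, PIDs and command lines are hypothetical placeholders shaped after the behavior described.

```python
import re

# Constructed process-creation records (not Joe Trace output): (pid, ppid, image, command_line).
SAMPLE_EVENTS = [
    (1200, 800, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\user\bundle.msi /qn"),
    (1300, 1200, r"C:\Temp\VirtualBox-Win.exe", r"VirtualBox-Win.exe --silent"),
    (1400, 1200, r"C:\Windows\System32\attrib.exe", r'attrib.exe +h "C:\Program Files\Oracle\VirtualBox"'),
    (1500, 1300, r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe", r'VBoxManage.exe import "C:\Temp\vm.ova"'),
    (1600, 1200, r"C:\Temp\VmServiceControl.exe", r"VmServiceControl.exe -install C:\Temp\service.ini"),
    (2000, 900, r"C:\Windows\explorer.exe", r"explorer.exe"),
    (2100, 2000, r"C:\Windows\System32\attrib.exe", r"attrib.exe +r notes.txt"),  # benign attrib use
]


def indicator(image, cmdline):
    """Map one process creation to a chain step name, or None if it matches no step."""
    img, cmd = image.lower(), cmdline.lower()
    if img.endswith("vboxmanage.exe") and re.search(r"\bimport\b.*\.ova\b", cmd):
        return "ova_import"
    if img.endswith("attrib.exe") and "+h" in cmd and "virtualbox" in cmd:
        return "hide_install_dir"
    if img.endswith("vmservicecontrol.exe"):
        return "vm_service_install"
    if "virtualbox" in img:
        return "virtualbox_installer"
    return None


def find_vm_hosted_miner_chains(events, min_steps=3):
    """Group indicator hits by their top-most traceable ancestor and report
    ancestors under which at least min_steps distinct chain steps occurred."""
    parent = {pid: ppid for pid, ppid, _, _ in events}

    def root_of(pid):
        while parent.get(pid) in parent:  # climb while the parent is itself in the log
            pid = parent[pid]
        return pid

    steps = {}
    for pid, _, image, cmdline in events:
        step = indicator(image, cmdline)
        if step:
            steps.setdefault(root_of(pid), set()).add(step)
    return {root: sorted(s) for root, s in steps.items() if len(s) >= min_steps}


if __name__ == "__main__":
    print(find_vm_hosted_miner_chains(SAMPLE_EVENTS))  # {1200: [...four steps...]}
```

Because the service installer and VBoxManage may run under different parents (the post notes msiexec hands off to the module installer service), grouping by the top-most ancestor present in the log rather than by direct parent is what keeps the chain together.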


To see all Yara detections, we can easily apply a filter via the quick filters in the top bar:

Interestingly, one of Joe Security's XMRig signatures hit. By clicking on the event one can see the matching data source:

The matching data is the VMDK image file which is inside the OVA.

Full Hardware Control

Let's now reboot the lab machine and see if the VM is automatically started:

We open Joe Trace again and check the newly started processes:

We can also download the captured PCAP and analyze it in Wireshark to find the network IOCs:

Finally, since we have fully uncovered the behavior, we can reset the lab machine to a pristine state:

Joe Lab and Trace - One of its kind

This blog post illustrates how Joe Lab and Trace can be used to deeply analyze a complex malware sample that uses virtualization for protection and evasion. Thanks to Joe Lab we were able to launch the sample in a secure way, capture full system PCAPs and reboot / reset the lab machine. Thanks to Trace we were able to fully inspect and understand the malware behavior, access dropped files / memory dumps and use Yara rules for detection.

Would you like to try Joe Lab and Trace? Then don't wait and contact us for a trial!