Tuesday, May 28, 2019

Joe Sandbox 26.0.0 - Aquamarine is ready!

We continue our endeavors to make Joe Sandbox the world's best malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 26 under the code name Aquamarine! This release is packed with brand new features and interesting enhancements based on our customers' precious feedback.

Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Aquamarine recently.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileXLinuxComplete 
or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Aquamarine features.

108 new Behavior Signatures

With 108 new signatures, Joe Sandbox precisely detects the latest threats and evasions! This includes detection of SmokeLoader, xRAT, CobInt, AZORult, LockerGoga, MALXMR, OceanLotus v2, and more:

Report Tour

Sharing is caring! All the Joe Sandbox v26 behavior reports include a new feature which enables every analyst to add comments to the report. This way, you can build a Report Tour which outlines your interpretation of the analysis results. You can then easily share this new custom report with your colleagues and the security community:

Find more information on the Report Tour in one of our recent blog posts.

RDTSC Anti Evasion

RDTSC is a special CPU instruction which queries the Time Stamp Counter (TSC), a 64-bit register present on all x86/64 processors. The time stamp counter allows a very fine grained time measurement. Malware often uses RDTSC to detect virtual machines. For instance, the special CPU instruction CPUID is interrupted by a virtual machine. Due to that, execution takes longer than on real hardware. The difference in execution time is measured with the help of RDTSC:

Joe Sandbox v26 includes a new technology which bypasses virtualization detections that use RDTSC for execution time measurement:

As a result, malware is no longer able to detect virtualization. 

Locale Customization

The number of malware which only executes their payload on specific targets is increasing. In the last months we have seen more and more malware which checks the keyboard language, the locale (a language setting of Windows) as well as the localization setting (e.g. the country):

To make these malware samples execute their payload, we have added new locale submission settings:

Command Line Submission

More and more attacks no longer start with malware, but rather a domain controller is breached and a Powershell command line is launched by the attacker on all end-points. To cover this scenario we added a new Command Line submission option to Joe Sandbox Aquamarine:

Note: Please don't mix this up with the option for command line arguments. That option adds an additional argument to a submitted sample (e.g. sample.exe \install). 

The command line submission together with PowerShell Script Block Logging (enabled on all Windows 10 analysis by default) also helps to deobfuscate command lines:

New Reports

We added a couple of new analysis reports, which are interesting for deep investigation, IOC extraction and hunting:

The Function Logs Reports contains all the low-level system call and Win32 API events in chronological order:

The AMSI Log Report contains raw data extracted via the Microsoft Anti Malware Scan Interface:

The Event Log Report is an XML file containing all Windows Event Logs:

Finally, the PowerShell Event Log is an XML file containing all Events related to PowerShell including Script Block Logging:

MacOS Mojave Support

We added support for macOS Mojave:

This enables customers to run macOS malware on the latest macOS operating system. 

Joe Sandbox ML

Dynamic analysis, also known as Sandboxing, is great, but combining dynamic and static analysis is even better. This is why we have added Joe Sandbox ML, which is available as a plugin for Joe Sandbox Aquamarine. Joe Sandbox ML is a static file parser which uses latest AI and machine learning techniques to detect malware:

With Joe Sandbox ML Joe Sandbox detects more malware, especially if the malware does not show any malicious behavior (e.g. because the payload is no longer available on the C&C).

You can find more information on Joe Sandbox ML in one of our recent blog posts.

Final Words

In this blog post, we introduced some of the major features of the Aquamarine release. Furthermore, minor features are:
  • Drag & Drop support for Sample Upload
  • Opcode based Yara rule downloads in report
  • Option to extend analysis time for Remote Assistance
  • Improved decoupling of the web application from the back end
  • New submission routes in Web API
  • SHA-1 and SHA-256 thumbprint for PE Authenticode certificates
  • STrace analysis for Android native binaries
  • Improved MITRE ATT&CK mapping

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, May 14, 2019

Dive deeper with the Joe Sandbox Splunk Add-On

Joe Sandbox is known to provide very deep analysis reports on malware. As a result, the size of the output data is enormous. In a recent blog post, we have outlined how you can master the large volume of the generated data. In this blog post, we will present the new Splunk Add-on, which also helps to handle the behavior data Joe Sandbox captures.

Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. Splunk is often used as a SIEM within SOCs, CERTs and CIRTs. Various data streams from firewalls, endpoints and sandboxes are sent to Splunk, which then correlates the data.

The Joe Sandbox Splunk Add-on is a connector between Joe Sandbox and Splunk. It fully automates the import of behavior data from Joe Sandbox to Splunk:

Installing the Joe Sandbox Splunk Add-on

Installing the Add-on is easy. Download the Add-on from our Github repository. In Splunk, go to Manage Apps and then choose installation from file. Once Splunk has restarted go to apps - Joe Sandbox Add-on and create an input:

You have to provide a name and add your Joe Sandbox API Key. The API Key can be found in the user settings of the Joe Sandbox web interface. If you like to perform deep searches, untick the use small report checkbox and once done, hit Add. The Add-on will then start importing all your behavior reports. Please note the Add-on will continuously import new behavior reports generated by Joe Sandbox.

Rich Reports allow deep Searches

In order to run queries, you have to use the sourcetype jbx. Here are a couple of simple searches:

  • List all samples with the name id and detection verdict
sourcetype=jbx | table fileinfo.filename, generalinfo.target.url, generalinfo.id, fileinfo.md5, signaturedetections.strategy{}.detection
  • Search for dropped PE files
sourcetype=jbx | rename "droppedinfo.hash{}.@type" as dropped_type, "droppedinfo.hash{}.@file" as dropped_file, "generalinfo.id" as id | eval temp=mvzip(dropped_type,dropped_file, "|") | mvexpand temp | eval dropped_type=mvindex(split(temp,"|"),0) | eval dropped_file=mvindex(split(temp,"|"),1) | search dropped_type="PE*" | table id, dropped_type, dropped_file
  • Search for all samples which connected to a specific IP address
sourcetype=jbx | search "ipinfo.ip{}.@ip"="" | table fileinfo.filename, generalinfo.target.url, generalinfo.id
  • Search for all samples which connected to a malicious IP address
sourcetype=jbx | rename "ipinfo.ip{}.@malicious" as ip_malicious, "ipinfo.ip{}.@ip" as ip_value, "generalinfo.id" as id | eval temp=mvzip(ip_malicious,ip_value, "|") | mvexpand temp | eval ip_malicious=mvindex(split(temp,"|"),0) | eval ip_value=mvindex(split(temp,"|"),1) | search ip_malicious="true" | table id, ip_value
  • Search for all samples which connected to a malicious URL
sourcetype=jbx | rename "urlinfo.url{}.@malicious" as url_malicious, "urlinfo.url{}.@name" as url_value, "generalinfo.id" as id | eval temp=mvzip(url_malicious,url_value, "|") | mvexpand temp | eval url_malicious=mvindex(split(temp,"|"),0) | eval url_value=mvindex(split(temp,"|"),1) | search url_malicious="true" | table id, url_value
  • Search for all samples which connected to a malicious domain
sourcetype=jbx | rename "domaininfo.domain{}.@malicious" as domain_malicious, "domaininfo.domain{}.@name" as domain_value, "generalinfo.id" as id | eval temp=mvzip(domain_malicious,domain_value, "|") | mvexpand temp | eval domain_malicious=mvindex(split(temp,"|"),0) | eval domain_value=mvindex(split(temp,"|"),1) | search domain_malicious="true" | table id, domain_value

As you can see, the behavior data is nicely structured in JSON. Here is a quick overview of what data is available:

Fileinfo contains static information on the file. E.g. if the submitted file is an Office document you will find the OLE streams as well as the VBA code inside this object. Behavior contains detailed system-level behavior, such as all files created, opened, written, deleted, etc. It also contains network traffic such as all TCP, UDP, HTTP, HTTPS streams. Domaininfo, ipinfo, urlinfo and droppedinfo are classic IOC objects. They contain the created files with MD5 and SHA hashes, IP, domain and URL information. Signaturedetections, signatureclassficiation, mitreattack and signatureinfo include all the matching behavior rules, the detection verdict (clean, suspicious or malicious), detection score and classification (ransomware, banker, worm etc). Eventlog includes all the Windows event log data including PowerShell logs. Finally yara and avhit list Yara and Antivirus matches.

All those objects can be easily searched. Here are some more advanced search queries:

  • Search for all samples with a valid PE certificate
sourcetype=jbx | search "fileinfo.pe.signature.sigvalid"="true"
  • Search for all samples which created a file in C:\Windows
source=jbx | rename "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path" as fileCreated_path, "generalinfo.id" as id | mvexpand fileCreated_path | search fileCreated_path="C:\\Windows\\*" | table id, fileCreated_path
  • Search for all samples which injected into explorer.exe
sourcetype=jbx | search behavior.system.processes.process{}.general.name="explorer.exe" | search behavior.system.processes.process{}.general.reason="extstingprocessinject" | table "generalinfo.id", "fileinfo.filename"
  • Search PowerShell event log (transcript)
sourcetype=jbx | search "behavior.system.processes.process{}.powershellactivities.eventlog.call{}.name"="ScriptBlockText" | table "generalinfo.id", "behavior.system.processes.process{}.powershellactivities.eventlog.call{}.execution"
  • Search for all samples which use a specific MITRE ATT&CK technique
sourcetype=jbx | search mitreattack.tactic{}.technique{}.id="t1022" | table "generalinfo.id", "mitreattack.tactic{}.technique{}.id"

If you are looking for more example searches and visualizations please check out the Joe Sandbox Add-on Github page.

For each search, you can define custom alerts. E.g. if you would like to get informed whenever you analyze a malware sample with a valid PE file:

Joe Sandbox and Splunk - a powerful combination

Thanks to the free Joe Sandbox Splunk Add-on, cybersecurity analysts can automatically import rich Joe Sandbox behavior data into Splunk.

The behavior data is extensive and nicely structured. As a result, analysts can easily perform deep searches to reveal e.g. related malware samples. They can also easily build visualizations, statistics and much more.

Want to try Joe Sandbox and use the Joe Sandbox Splunk Add-on? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, May 2, 2019

Introducing Joe Sandbox ML

Today we bring you amazing news. Joe Sandbox now features its own Machine Learning and Artificial Intelligence based static detection engine: Joe Sandbox ML.

Joe Sandbox ML is a plug-in which integrates seamlessly into Joe Sandbox Desktop, Joe Sandbox Complete, Joe Sandbox Ultimate, and Joe Sandbox Cloud. With Joe Sandbox ML, Joe Sandbox Desktop, Complete and Ultimate benefit from enhanced detection capabilities:

Dynamic plus static is the best

Combining dynamic and static analysis is extremely powerful. Dynamic analysis detects threats based on the behavior and is resilient against packing and code obfuscation. However, malware can evade dynamic analysis by delaying or hindering execution. Malware may also not execute because the C&C server has been taken down or downloads are no longer reachable from the Internet. Finally, it might also not work due to the wrong operating system or framework versions. Those samples are ideal targets for static detection.

Sample 56KHL48745.exe which was recently uploaded to Cloud Basic is a perfect example. The file crashed due to a .NET interoperability issue:

As a result, no malicious behavior is detected. However, Joe Sandbox ML detects the initial sample as well as the unpacked PE files:

In consequence, Joe Sandbox successfully identifies the sample as malware:

In addition to the original sample, Joe Sandbox ML also scans the unpacked PE files as well as any dropped, modified or created files. 

While other ML engines only support PE files, Joe Sandbox ML has wide support for different file formats including PDFs, Office Documents and ELF files. 

Are you worried about the performance impact? Joe Sandbox ML is extremely fast and makes its decision within milliseconds. 

Joe Sandbox more powerful than ever

Joe Sandbox ML substantially increases the malware detection efficiency of Joe Sandbox. If a sample does not show any malicious behavior there is still a good chance that Joe Sandbox detects it thanks to the help of Joe Sandbox ML.

Joe Sandbox ML is applied to all captured file artifacts and features a wide range of file formats (not just PE files). 

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!

Wednesday, April 17, 2019

Deep Behavior Reports - how to find the needle in the haystack

Joe Sandbox is known to provide the industry's deepest and richest behavior reports. While it is beneficial to have a massive amount of information on the malware execution, this also has its downsides. For instance, it is difficult to get an overview, find interesting data or share findings with colleagues or with other teams. Joe Security has taken the challenge and implemented various tools and features to make behavior reports easier to understand and navigate despite their huge size. In this blog post, we are going to walk you through some of them.

Report Search

On average, a Joe Sandbox HTML report is between ten and 32 Megabyte big. This is a considerable amount of data that includes dynamic behavior, static information, network behavior, execution graphs, disassembly, decompiled C code and much more. Having the possibility to search easily through this ocean of data is mandatory. For this purpose we added a search tool at the bottom right of the analysis page:

If you click on the magnifier a search bar will open. You can search the report for any string longer than 4 chars:

You can even search for strings inside graphs and diagrams:

If you click on a search result, the browser will jump to the report section containing those strings. In addition, the search result is highlighted with a yellow border:

The report search is very fast and you usually get the results back in under one second.

Collider Navigation

Getting an overview of what is inside a Joe Sandbox report is difficult. To address this problem we have created the so-called collider navigation. You access the navigation on the top right:

If you click on it you will see the following snail shell-like chart:

The report has a hierarchical structure, which is represented by this collider. The inner circle segments contain the top sections. Each section has inner sections which then again have inner sections. If you move your mouse over a specific segment of the report, it will show you the data inside of that structure. For instance, the section System Behavior contains Analysis Processes:

Or the Static File Info contains Static PE Info which contains the Data Directories:

As you can see, the collider navigation makes it very easy to get an overview of the structure of a report and allows you to navigate it quickly. If you click on a section the browser will jump to the corresponding data:

Interactive Tour

Let us assume that you read a Joe Sandbox report and you made some interesting findings that you would like to share with another team or colleague. Of course, you could take some screenshots, but a screenshot is static and you cannot copy text or include context. In order to address this limitation, we created the Interactive Tour. Think of the Interactive Tour as a way to directly add comments to the report. Once done, you can share the report and everybody can see and navigate your comments. 

You can find the Interactive Tour on the top right corner of each report:

If you click on it the Tour menu opens:

With the Select Element button you  can select interesting data and right afterwards add a title and description:

By clicking the Add Step, you can add a second comment:

By using the two small error buttons you can change the order of the comments. Once finished click Export:

Add a title for the Interactive Tour and then click Export Report Tour. This will download a new report HTML which includes your comments. If you open the new report file, the tour directly starts:

The menu on the bottom can be used to navigate through the comments:

As this small tutorial shows, it is very simple to add Interactive Tours. This enables you to easily mark or comment on interesting findings and then share that knowledge.

Here are three examples of reports with an Interactive Tour:


Joe Sandbox behavior reports provide a wealth of interesting data. This can be sometimes intimidating. Luckily, we have developed the three features described above to remove the friction. Thanks to the report search tool, analysts can now quickly search for any data in the report. The collider navigation enables them to get a fast overview of all the data inside of the report and navigate through quickly. Interactive Tours enable analysts to annotate interesting data inside reports and share these annotations with their colleagues and teams.

Wednesday, March 20, 2019

Ransomware is not dead - a light analysis of LockerGoga

Despite many reports saying that the number of Ransomware samples is on the decrease, we see again and again big multinational companies suffering from these attacks.

Just two days ago, Norway based Norsk Hydro - one of the World's largest Aluminium producers - was hit by a severe Ransomware attack:

The attack is so massive that Hydro had to switch its productions to manual mode:

According to various press releases, the entire worldwide Norsk Hydro network is down, affecting all production as well as office operations.

If you search this incident on Twitter, you will instantly come across the Ransomware LockerGoga:

While it is still unconfirmed that Norsk Hydro was hit by LockerGoga, we saw a high amount of LockerGoga samples being submitted to VirusTotal as well as Joe Sandbox Cloud Basic.

One of the most recent samples (version 1510) has been uploaded to VirusTotal on March 19th (MD5: e11502659f6b5c5bd9f78f534bc38fea):

On Joe Sandbox Cloud Basic just some minutes later:

Joe Sandbox 25.0.0 Analysis Report

LockerGoga is not a standard Ransomware but rather has some specialties. The binary is signed by Sectigo. The certificate has been revoked recently, but it likely was valid at the time of the attack.

LockerGoga first encrypts the following file types:

Encrypted files are renamed to originalfilename.locked:

For encryption, LockerGoga does not use the Windows Crypto API CryptEncrypt, but rather its own implementation (likely CryptoPP + Boost):

The encryption of files is performed in multiple processes. A master process gathers all files and distributes encryption tasks to its slave processes:

The benefit of this architecture is that encryption is much faster since it will use all the CPU cores of the machine.
Normally, for a workstation with many documents, encryption can take hours. If the ransomware is detected fast enough some documents could be rescued.
In contrast, with LockerGoga this won't help since encryption is very performant. So far, we have not seen any other Ransomware using a distributed encryption architecture.

Goga drops the following ransomware notice:

While files are being encrypted the user is logged out:

Users are then no longer able to log in since before it overwrites the user's and administrator's password with HuHuHUHoHo283283@dJD:

This is another interesting and new behavior. While LockerGoga is not as brutal as wiper malware such as OlympicDestroyer it still completely blocks the computer. 

Update 1 (21.03.2019):

The RSA key length is not 4096 bits as claimed but rather only 1024. The key is:


Besides the account locking LockerGoga also has the capability to disable the network interface:

However, this feature is no activated in version 1510.

LockerGoga seems to be not new, e.g. searching for PE files signed by Sectigo gives us several older versions, e.g. version 1320, MD5 16bcc3b7f32c41e7c7222bf37fe39fe6, March 8th:

Joe Sandbox 25.0.0 Analysis Report

As this blog post outlines LockerGoga is different from standard ransomware:

  • Signed with a valid certificate
  • Uses a multi-process architecture to encrypt files faster
  • Locks the user and administrator account in addition to file encryption 
  • Is continuously improved (multiple version of the same ransomware exist)

Joe Sandbox nicely detected and analyzed all those different aspects. We also have added generic signatures to detect LockerGoga:

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!