Friday, June 5, 2020

New Sandbox Evasions Spotted in VBS Samples

While hidden Macro 4.0 samples are on the rise, we recently spotted some very interesting evasive VBS samples. In this short blog post, we will look at the sample files#_56117.vbs (MD5: 147091e61ec59f67ab598d26f15ad0e7) and outline some of its evasive tricks.

An initial look at the Joe Sandbox v29 analysis reveals two evasive behavior signature hits:

In addition, there is no payload behavior: the sample shows a fake error message box, deletes itself and quits:

The two evasive signature hits gave us enough evidence to investigate the sample further.


The VBS file itself is obfuscated. Large arrays hold encrypted characters which are decrypted at runtime and executed with the VBA function ExecuteGlobal:

Deobfuscation is straightforward - simply replace ExecuteGlobal with a function that appends the code to a text file, or, even easier, download the AMSI output captured by Joe Sandbox:

It holds all the code executed by ExecuteGlobal.
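As an added example (not code from the post), a small Python helper that automates the ExecuteGlobal replacement described above: it prepends a VBScript DumpCode routine (the routine name and dump path are assumptions of this example) and rewrites every ExecuteGlobal statement to call it, so each decoded stage is appended to a text file instead of being run. The VBS fragment is constructed to mimic the array-and-ExecuteGlobal pattern.

```python
import re

# Constructed VBS fragment mimicking the pattern the post describes: code is
# assembled from character arrays at runtime and run via ExecuteGlobal.
SAMPLE_VBS = r'''
Dim a(3)
a(0) = Chr(77) : a(1) = Chr(115) : a(2) = Chr(103)
s = "MsgBox " & Chr(34) & a(0) & a(1) & a(2) & Chr(34)
ExecuteGlobal s
ExecuteGlobal "WScript.Quit"
'''

# VBScript stub prepended to the rewritten script. It appends each decoded
# stage to a text file instead of executing it. Name and path are assumptions.
DUMP_STUB = r'''
Sub DumpCode(code)
    Dim fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile("C:\analysis\dump.txt", 8, True)
    f.WriteLine "' ---- ExecuteGlobal payload ----"
    f.WriteLine code
    f.Close
End Sub
'''.strip()

# ExecuteGlobal used as a statement: "ExecuteGlobal x" or "ExecuteGlobal(x)",
# at the start of a line or after a ':' statement separator.
_EXEC_RE = re.compile(r'(?im)(^|:)([ \t]*)ExecuteGlobal\b[ \t]*')


def neutralize_executeglobal(vbs_source: str) -> str:
    """Return a copy of the script in which every ExecuteGlobal statement calls
    DumpCode, so decoded stages are written to disk rather than executed."""
    rewritten = _EXEC_RE.sub(lambda m: m.group(1) + m.group(2) + "DumpCode ",
                             vbs_source)
    return DUMP_STUB + "\n" + rewritten


def count_executeglobal(vbs_source: str) -> int:
    """Number of ExecuteGlobal statements left in a script (0 after rewriting)."""
    return len(_EXEC_RE.findall(vbs_source))


if __name__ == "__main__":
    print(neutralize_executeglobal(SAMPLE_VBS))
```

If a dumped stage itself contains further ExecuteGlobal statements, feed it through the same function again to peel the next layer.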

You find a complete deobfuscated version of the script for your reference here.

The executed code performs nine different evasive checks which are outlined in the next sections.

Total Disk Size Check

The VBS sample checks if the combined size of all disks is bigger than 60 GB. In addition, the code verifies that there is no empty CD-ROM drive. If there is an empty CD-ROM drive or the total size of all disks is smaller than 60 GB, the sample quits:

To enumerate all disks it uses the WMI class Win32_LogicalDisk. Likely the authors recognized that many sandbox VMs still have an empty CD-ROM drive connected, whereas end-user laptops don't. The CD-ROM drive check is a new evasion method that we haven't seen before.

File Count Check

Next, a file count check follows. The sample verifies if the number of files in the user download folder is bigger than 2. The same check is executed for temporary files:

If the count of either directory is below 3 then the sample quits.

Process Name Check

Checking for debugging and reverse engineering tools is very common in malware samples. This VBS sample has a very extensive list of debugging tools:

If one of the listed process names is found running on the system, the sample quits. In addition, it also verifies that the total number of running processes is bigger than 28. This is a nice trick that has also been used by many other samples, especially VBA droppers. On a real endpoint, a user has usually opened many applications (e.g. a web browser, Microsoft Office, etc.), while on a VM sandbox there are no applications running.

Country / Region Check

The sample will quit if the geographical location of Windows is Russia:

In the sample, this check is currently disabled. 

CPU Count Check

If there are fewer than 3 CPUs available on the system, the sample quits:

Memory Check

If the total physical memory is below 1030 MB, the sample quits:

Last Boot Time Check

This is a newer evasion and we haven't seen it a lot in malware samples. The sample verifies that the system booted more than 10 minutes ago. Again, VM sandboxes might have a much shorter time since the last boot.

Real end-user systems, on the other hand, are rebooted less often.

Name and File Checks

Finally, there are also some sample name checks that are very common. The most prominent one is to check for sample, myapp or, in the current case, testing:

There is also a weird additional check for microsoft.url in the temp directory. So far we have not found out which sandbox this check targets:
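As an added example (not code from the post), a Python audit function that takes a snapshot of a sandbox guest and reports which of the checks described above would make this sample quit. It is meant for sandbox operators hardening their VMs; the thresholds are the ones stated in the post, the HostProfile fields and the sample VM values are constructed, and the tool process list is a placeholder because the post does not reproduce the sample's list. The country check is omitted since it is disabled in the sample.

```python
from dataclasses import dataclass

# Thresholds as described in the post for this VBS sample.
MIN_TOTAL_DISK_GB = 60
MIN_FILES_PER_DIR = 3       # sample requires "bigger than 2"
MIN_PROCESS_COUNT = 29      # sample requires "bigger than 28"
MIN_CPU_COUNT = 3
MIN_MEMORY_MB = 1030
MIN_UPTIME_MINUTES = 10     # sample requires a boot time more than 10 minutes ago
SUSPICIOUS_SAMPLE_NAMES = {"sample", "myapp", "testing"}

# Placeholder names: the post does not reproduce the sample's tool list, so a
# sandbox operator would fill this set from the deobfuscated script.
TOOL_PROCESS_NAMES = {"placeholder-debugger.exe", "placeholder-monitor.exe"}


@dataclass
class HostProfile:
    """Snapshot of a sandbox guest. In practice these come from WMI queries
    (e.g. Win32_LogicalDisk) and directory listings; supplied directly here."""
    total_disk_gb: float
    has_empty_cdrom: bool
    download_file_count: int
    temp_file_count: int
    running_processes: list
    cpu_count: int
    memory_mb: int
    uptime_minutes: float
    sample_name: str            # file name of the script, without extension
    temp_has_microsoft_url: bool


def audit_sandbox_profile(p: HostProfile) -> list:
    """Names of the checks on which this sample would quit, i.e. what to fix
    so the sandbox reaches the payload stage."""
    running = {n.lower() for n in p.running_processes}
    tools = {n.lower() for n in TOOL_PROCESS_NAMES}
    checks = [
        ("total_disk_size", p.total_disk_gb < MIN_TOTAL_DISK_GB),
        ("empty_cdrom_drive", p.has_empty_cdrom),
        ("download_file_count", p.download_file_count < MIN_FILES_PER_DIR),
        ("temp_file_count", p.temp_file_count < MIN_FILES_PER_DIR),
        ("analysis_tool_running", bool(running & tools)),
        ("process_count", len(p.running_processes) < MIN_PROCESS_COUNT),
        ("cpu_count", p.cpu_count < MIN_CPU_COUNT),
        ("physical_memory", p.memory_mb < MIN_MEMORY_MB),
        ("last_boot_time", p.uptime_minutes <= MIN_UPTIME_MINUTES),
        ("sample_name", p.sample_name.lower() in SUSPICIOUS_SAMPLE_NAMES),
        ("microsoft_url_in_temp", p.temp_has_microsoft_url),
    ]
    return [name for name, triggered in checks if triggered]


# Constructed profile of a typical, unhardened sandbox VM.
DEFAULT_VM = HostProfile(
    total_disk_gb=40, has_empty_cdrom=True, download_file_count=0,
    temp_file_count=1, cpu_count=2, memory_mb=1024, uptime_minutes=2,
    running_processes=["svchost.exe"] * 12 + ["explorer.exe", "placeholder-monitor.exe"],
    sample_name="sample", temp_has_microsoft_url=False,
)
```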


Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Thursday, May 7, 2020

Joe Trace - a Process Monitor on Steroids

Today, we have fantastic news for you. Joe Security is very proud to publicly release Joe Trace - a brand new product in our portfolio. Joe Trace has been in our minds for a while, and thanks to the hard work of our engineers we are able to showcase this unique product today. This blog post will outline what Joe Trace is and what makes it so unique.

So what is Joe Trace? In a nutshell, Joe Trace is Sysinternals' Process Monitor on steroids. Process monitors are tools for manually observing the behavior of a program in real time. For instance, process monitors trace the system call events of all processes on a system and graphically visualize the stream of events over time.

Why do you need a process monitor? Process monitors are extremely handy to study the behavior of malware in extreme depth and for a long time. Sandboxes cannot do that and usually analyze a sample just for a few minutes. Due to performance reasons, the depth is limited. 

So what is unique about Joe Trace? Well, a lot. If you compare it to Sysinternals Process Monitor, then Joe Trace has the following unique features:

In the following sections, we are going to outline all of the unique features of Joe Trace. 

Hypervisor-Based System Call Tracing

First of all, we designed Joe Trace for malware analysis. System call tracing is achieved by using the hardware virtualization feature of modern CPUs (VT-x, hypervisor). As a result, Joe Trace analyzes more system calls, especially the ones often used by malware, for example NtWriteVirtualMemory, NtQueueAPCThread, NtUserSetWindowsHookEx etc. Furthermore, a hypervisor is harder to bypass. Below you see Joe Trace analyzing Remcos RAT injecting into installutil.exe - a benign Windows process:

Joe Trace captures file, registry, process, thread as well as network events like TCP, UDP, DNS and ICMP. Additionally, numerous system calls related to virtual memory, section, mutex, driver, and window behavior are intercepted, too. 

System calls are great but only a part of the data that Joe Trace captures. In the next section, we are going to have a look at how Joe Trace extracts user-mode API calls. 

Frida Integration

Frida is a world-class dynamic instrumentation framework. It enables the instrumentation of any user-mode API through a JavaScript-based interface. Joe Trace features a rich Frida integration which by default intercepts WinInet API calls such as InternetOpenUrl or HttpOpenRequest:

Malware analysts can easily extend the default Frida script and add more instrumentations:

System-Wide Raw Data Capturing 

As you might have seen in one of the first Joe Trace screenshots there is also an event for memory dumps. Besides system call and Win32 API tracing, Joe Trace includes extensive data capturing capabilities.

Downloaded, dropped or modified files are an extremely important resource for malware analysts. With these files, malware analysts can write new signatures, do further analysis, and extract IOCs. 

Joe Trace captures and persists all dropped and modified files: 

In addition, Joe Trace captures memory dumps of all monitored processes. Those memory dumps are taken during the lifetime of a process, so they often contain unpacked or decrypted malware code:

Finally, the complete network traffic is stored in a PCAP. By using Wireshark analysts can perform a deep dive into the network protocols. All the resources are accessible in a folder created by Joe Trace:

Yara Integration

Extracting data is one thing and detection another. To perform malware detection we added Yara to Joe Trace. Basically, any dropped/modified file and memory dump gets scanned with Yara in real-time. Yara signature hits are shown as additional events. Below you can see Yara detections while executing a Casandra-crypted dropper which installs Remcos RAT:

Yara signature detection is also visible via the Yara hit counter bar at the top:

Malware analysts can use their own Yara rules for malware detection or license Joe Security's extensive signature repository. Yara rules can be directly specified during the startup of Joe Trace:

Thanks to the Yara integration, Joe Trace serves as a tool for Yara signature development. Yara signatures can be tested offline against the extracted memory dumps or dropped files, or, much more easily, live with Joe Trace.

Since Joe Trace captures a large number of events, filtering and search capabilities are key. In the next section, we will outline an advanced tracking feature that helps analysts to focus on malware behavior. 

Malware Execution Tracking 

Joe Trace traces by default the behavior of all processes on the system. However, if an analyst launches a malware sample, he/she is usually only interested in tracing the malware's behavior and not, for example, the behavior of a benign Windows process. To tackle this challenge Joe Trace provides a malware tracking technique. The feature filters out all processes which are not part of the malware execution chain, while still including benign Windows processes into which the malware injects.

To tell Joe Trace to start tracking malware execution analysts can follow a given process by selecting it in the Processes tab:

Joe Trace will then filter out "noisy" behavior. Different colors are used to show followed processes and new processes. Guloader, the dropper in this case, first started itself and then injected into explorer.exe. As a result, explorer.exe is added automatically to our filter:

Besides malware execution tracking, Joe Trace includes extensive filtering capabilities including quick filter buttons, instant search, highlighting, and more:

Analysts can even filter event classes, event names, and API arguments among other details. Malware execution tracking and the extensive filtering possibilities are ideal for finding the needle in the haystack.

E-Mail Alerts

A very important use case for malware analysts is long-term malware analysis. Sandboxes usually run a sample for up to ten minutes. Some malware might not exhibit interesting behavior such as the downloading of the payload, C&C call-outs, or config downloads during this limited analysis time. Joe Trace fills this gap. However, it is painful to regularly check Joe Trace for new events. To remove this pain Joe Trace offers alerts:

An alert can be an e-mail that Joe Trace sends you every five minutes in case new events have matched the filter. The e-mail includes the Yara signature matches as well as some statistics about new events:

In case e-mail is not your favorite alerting mechanism, you can script a notification via the command line alert option. Alerts are very handy since you can relax and wait to get a notification as soon as a Yara signature detected a new config or payload being downloaded. This makes long-term malware observation super simple. 

Joe Trace - the Process Monitor on Steroids

As this blog post demonstrates, Joe Trace is truly unique and will raise the bar for manual dynamic malware analysis tools! To the best of our knowledge, there is no comparable tool on the market with a similar feature set. Below you find a compressed list of all the features of Joe Trace:

  • Hypervisor-based stealthy system call tracing (VMx)
  • Tracing of processes, threads, files, registries, network,
    memory and driver system events among others
  • Customizable user-mode API tracing based on Frida
  • Extensive system-wide raw data capturing like network traffic (PCAP),
    dropped files and memory dumps
  • Deep Yara integration for malware detection (live raw data scanning)
  • Extensive filtering including malware execution tracking
  • Quick searching and event highlighting
  • E-mail and command alerting on filter hits
  • Event exporting capabilities to different formats like CSV, XML and JSON
  • Tree-based process overview with highlighting of interesting processes

Finally, we would like to highlight that Joe Lab, Joe Security's new cloud-based malware analysis lab, can be equipped with Joe Trace as a default analysis tool. Joe Lab and Joe Trace work together perfectly and offer SOCs, CERTs and CIRTs an ideal tool for manual malware analysis.

You liked this blog post and would like to try Joe Trace? Then don't wait and contact us for a trial!

Tuesday, March 3, 2020

Joe Lab - the Cloud-based Malware Analysis Lab

Today we have fantastic news for you! We release Joe Lab - a brand new service from Joe Security! 

In a nutshell, Joe Lab is a Cloud-based malware analysis lab. A malware analysis lab is key infrastructure for CERTs, CIRTs, SOCs and malware analysts to securely analyze malware and exploits, or to test Yara rules. A malware analysis lab usually consists of several bare metal laptops or PCs which are fully separated from the corporate network. The lab machines are connected to an anonymized Internet line or use Internet simulation. Further, lab machines can be easily wiped and restored to a baseline.

Setting up a malware analysis lab is a lot of effort and includes several big challenges:

  • Network segregation from the corporate network, so that malware cannot spread or cause harm.
  • Secure transfer of malware and analysis results from and to the lab. Usually, corporate endpoints are not allowed to store or access malware files. 
  • Reset lab machines to a known good state or baseline - to wipe any malware infection and start a new case.
  • Anonymized Internet access for the lab, so that malware authors cannot track you.
  • Fake Internet simulation to test very sensitive malware.
  • Secure access to the lab via Remote Desktop (RDP) or a similar protocol, so that malware is not able to infect your endpoint.
  • Maintain bare metal lab machines - virtual machines are easily detected by malware.

Joe Lab solves all those challenges and sets the effort of setting up a lab infrastructure to zero. Here are some of the features of Joe Lab:

Fully Cloud-Based

Joe Lab is completely located in the Cloud. The infrastructure is not located in your network, so you get very strong network segregation. Joe Lab is directly integrated into Joe Sandbox Cloud Pro and you find it in the top navigation bar:

Depending on your subscription level you get access to one or several lab machines:

Secure File System Access

At any time you can access the full file system of the lab machines via the browser. You can upload or download malware and analysis results:

Any file transfer happens over HTTPS.

Reset to Clean State

Joe Lab includes a feature to reset the lab machine to a clean state (known good state). The disk wiping is fully automated. Within minutes, you get access again to a clean machine:

Anonymized Internet Access

With Joe Lab, all lab machines have access to an anonymized Internet line. You can choose the exit point/country from several options:

This feature is very beneficial if you analyze country-aware malware samples. You also have the option to completely disable Internet access or use Internet Simulation.

Secure Access

If you want to access the lab machine you can do so directly from the browser by clicking the Remote Desktop button:

You get full access to the lab machine and can start analyzing malware samples. Copy and paste functionality is available via the clipboard manager:

Bare Metal Lab Machines

All lab machines are bare metal - physical laptops or PCs. No virtual machine is used:

Therefore, bad luck for malware that detects virtual machines!

Joe Lab - One of its kind

To the best of our knowledge, Joe Lab is the industry's first and only Cloud-based malware analysis lab. With Joe Lab, CERTs, CIRTs, SOCs and malware analysts no longer have the burden of setting up a malware analysis lab. Further, Joe Lab combines the best features of a malware analysis lab, including an anonymized Internet line, fake Internet, and resettable bare metal lab machines.

Would you like to try Joe Lab? Then don't wait and contact us for a trial!

Tuesday, February 25, 2020

Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor

As usual, at Joe Security we keep a close eye on evasive samples. Some days ago we detected an interesting Azorult sample on Cloud Basic (MD5: ff17014cbb249e173309a9e1251e4574). In this blog post, we will use Joe Sandbox Hypervisor together with the Function Log to understand the evasion techniques in this sample.

Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques, Hypervisor inspects a program more deeply and extracts more behavior data. Hypervisor can also run on bare metal. We already blogged about using Hypervisor in an analysis of Gozi's evasion techniques here.

The Function Log is a new low-level report generated by Joe Sandbox. It contains all API calls (user-mode APIs and system calls). It can be found in the low-level report section:


The first evasion check starts at 0042B690 and checks for debuggers with kernel32!IsDebuggerPresent and ntdll!ZwQueryInformationProcess (ProcessDebugFlags):

All API calls are dynamically resolved, as the call to GetProcAddress right before NtQueryInformationProcess proves. This hinders static code analysis, as the call targets are only known at runtime.

Time Evasion

What follows is a sleep-based evasion. Azorult verifies whether a sandbox modifies the value passed to the kernel32!Sleep API by cross-checking the elapsed time via the kernel32!GetTickCount API:

Sleep value modification is often done by sandboxes to bypass sleeping malware, e.g. if the malware sleeps longer than the analysis time before the payload is started. Some sandboxes modify even very small values or forget to also modify other time sources such as the tick count. This weakness is exploited by Azorult:

Dummy API Calls

If the previous checks succeed, Azorult continues to perform various dummy API calls, including calling kernel32!Beep:

Right after that, various API calls are made in a random order. As a result, the function logs differ from analysis to analysis. Next, there is a random number of API calls to kernel32!VirtualAlloc:

Dummy API calls are added to the malware in order to delay the execution in a sandbox. If the delay is longer than the analysis time the sandbox will not detect any malicious behavior.

Environment Checks

The anti-analysis checks are not yet complete. After the dummy API calls, Azorult continues with an available RAM check:

If there is less than 3 GB available, it stops execution. Next, it checks the screen resolution via user32!GetDesktopWindow and user32!GetWindowRect:

If the screen resolution is below 1152 x 864, the check fails. Finally, as the last check, it looks for known sandbox processes via kernel32!CreateToolhelp32Snapshot:

The process comparison list looks interesting. Qemu-ga.exe is likely related to QEMU-based sandboxes, while cmd.exe, notepad.exe and python.exe are often used by malware analysts. Azorult does not use any API such as strcmp, strstr or similar for the comparison but rather a built-in function:

This makes it hard for a sandbox to detect the process check. 
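As an added example (not Joe Sandbox's behavior rules and not the Function Log format), a few Python detection rules run over a constructed, simplified call trace that mirrors the call order described above: the debugger checks, the GetTickCount/Sleep/GetTickCount cross-check, and the burst of dummy VirtualAlloc calls. The trace entries, return values and the rule thresholds are constructed for this example.

```python
# Constructed call trace as (api, args, return_value) triples. This is NOT the
# Joe Sandbox Function Log format; it only mimics the call order the post
# describes for the Azorult sample. Addresses and tick values are made up.
PROCESS_DEBUG_FLAGS = 0x1F  # NtQueryInformationProcess information class

TRACE = [
    ("kernel32!IsDebuggerPresent", {}, 0),
    ("kernel32!GetProcAddress", {"name": "NtQueryInformationProcess"}, 0x77A01234),
    ("ntdll!NtQueryInformationProcess", {"class": PROCESS_DEBUG_FLAGS}, 0),
    ("kernel32!GetTickCount", {}, 100000),
    ("kernel32!Sleep", {"ms": 3000}, None),
    ("kernel32!GetTickCount", {}, 100016),  # only 16 ms elapsed: Sleep was shortened
    ("kernel32!Beep", {"freq": 750, "ms": 300}, 1),
] + [
    ("kernel32!VirtualAlloc", {"size": 0x1000}, 0x20000 + i * 0x1000) for i in range(37)
]


def rule_debugger_checks(trace):
    """IsDebuggerPresent combined with NtQueryInformationProcess(ProcessDebugFlags)."""
    apis = [api for api, _, _ in trace]
    return "kernel32!IsDebuggerPresent" in apis and any(
        api == "ntdll!NtQueryInformationProcess" and args.get("class") == PROCESS_DEBUG_FLAGS
        for api, args, _ in trace)


def find_sleep_tick_probe(trace):
    """(requested_ms, elapsed_ms) for a GetTickCount-Sleep-GetTickCount triple, else None."""
    for i in range(len(trace) - 2):
        (a0, _, r0), (a1, args1, _), (a2, _, r2) = trace[i:i + 3]
        if a0 == a2 == "kernel32!GetTickCount" and a1 == "kernel32!Sleep":
            return args1["ms"], r2 - r0
    return None


def sleep_was_shortened(trace):
    """True when far fewer ticks elapsed than requested: the sample's cross-check
    would expose a sandbox that patches Sleep but not the tick count."""
    probe = find_sleep_tick_probe(trace)
    return probe is not None and probe[1] < probe[0] // 2


def rule_dummy_valloc_burst(trace, threshold=20):
    """Long uninterrupted run of VirtualAlloc calls (dummy API call padding)."""
    run = best = 0
    for api, _, _ in trace:
        run = run + 1 if api == "kernel32!VirtualAlloc" else 0
        best = max(best, run)
    return best >= threshold


RULES = {
    "debugger_checks": rule_debugger_checks,
    "sleep_tick_crosscheck": lambda t: find_sleep_tick_probe(t) is not None,
    "dummy_valloc_burst": rule_dummy_valloc_burst,
}


def evaluate(trace):
    """Map each rule name to whether it fired on the given trace."""
    return {name: rule(trace) for name, rule in RULES.items()}
```

The sleep_was_shortened result is a sandbox self-test: if it is True on a trace from your own sandbox, the Sleep patching is visible to the sample through GetTickCount.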

Detecting Sandbox Evasions

Thanks to the deep analysis of Joe Sandbox Hypervisor, several existing and some new behavior rules catch the evasion:

Joe Sandbox Hypervisor

As this analysis proves, today's evasion techniques are more stealthy than ever. Thanks to the Function Log and Joe Sandbox Hypervisor, malware analysts can detect and understand any evasion - no matter how stealthy it is:

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!