Wednesday, April 17, 2019

Deep Behavior Reports - how to find the needle in the haystack


Joe Sandbox is known to provide the industry's deepest and richest behavior reports. While it is beneficial to have a massive amount of information on the malware execution, this also has its downsides. For instance, it is difficult to get an overview, find interesting data or share findings with colleagues or with other teams. Joe Security has taken the challenge and implemented various tools and features to make behavior reports easier to understand and navigate despite their huge size. In this blog post, we are going to walk you through some of them.

Report Search


On average, a Joe Sandbox HTML report is between ten and 32 Megabyte big. This is a considerable amount of data that includes dynamic behavior, static information, network behavior, execution graphs, disassembly, decompiled C code and much more. Having the possibility to search easily through this ocean of data is mandatory. For this purpose we added a search tool at the bottom right of the analysis page:



If you click on the magnifier a search bar will open. You can search the report for any string longer than 4 chars:



You can even search for strings inside graphs and diagrams:


If you click on a search result, the browser will jump to the report section containing those strings. In addition, the search result is highlighted with a yellow border:


The report search is very fast and you usually get the results back in under one second.

Collider Navigation


Getting an overview of what is inside a Joe Sandbox report is difficult. To address this problem we have created the so-called collider navigation. You access the navigation on the top right:


If you click on it you will see the following snail shell-like chart:


The report has a hierarchical structure, which is represented by this collider. The inner circle segments contain the top sections. Each section has inner sections which then again have inner sections. If you move your mouse over a specific segment of the report, it will show you the data inside of that structure. For instance, the section System Behavior contains Analysis Processes:



Or the Static File Info contains Static PE Info which contains the Data Directories:


As you can see, the collider navigation makes it very easy to get an overview of the structure of a report and allows you to navigate it quickly. If you click on a section the browser will jump to the corresponding data:



Interactive Tour


Let us assume that you read a Joe Sandbox report and you made some interesting findings that you would like to share with another team or colleague. Of course, you could take some screenshots, but a screenshot is static and you cannot copy text or include context. In order to address this limitation, we created the Interactive Tour. Think of the Interactive Tour as a way to directly add comments to the report. Once done, you can share the report and everybody can see and navigate your comments. 

You can find the Interactive Tour on the top right corner of each report:


If you click on it the Tour menu opens:



With the Select Element button you  can select interesting data and right afterwards add a title and description:



By clicking the Add Step, you can add a second comment:


By using the two small error buttons you can change the order of the comments. Once finished click Export:



Add a title for the Interactive Tour and then click Export Report Tour. This will download a new report HTML which includes your comments. If you open the new report file, the tour directly starts:



The menu on the bottom can be used to navigate through the comments:



As this small tutorial shows, it is very simple to add Interactive Tours. This enables you to easily mark or comment on interesting findings and then share that knowledge.

Here are three examples of reports with an Interactive Tour:


Conclusion


Joe Sandbox behavior reports provide a wealth of interesting data. This can be sometimes intimidating. Luckily, we have developed the three features described above to remove the friction. Thanks to the report search tool, analysts can now quickly search for any data in the report. The collider navigation enables them to get a fast overview of all the data inside of the report and navigate through quickly. Interactive Tours enable analysts to annotate interesting data inside reports and share these annotations with their colleagues and teams.