Analysis of Code4HK with Joe Sandbox Mobile

    As the media and several tech companies already outlined a fake smartphone app is being used to remotely monitor pro-democracy protesters in Hong Kong. We came accross the corresponding malware via our APK Analyzer (www.apk-analyzer.net):


    A full analysis can be downloaded here:

    The Joe Sandbox Mobile analysis is very nice and shows all spying and control payloads of the trojan. Rather then explaining all details we just add here some interesting report cuttings:















    Generic Keylogger Detection with Joe Sandbox X

    In our last blog post we have demonstrated some of the features of our new product Joe Sandbox X by analyzing the recent malware "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1). It has been extensively shown how the malware installs itself and that one of its core payload is a keylogger.

    In this post, two new cool features are presented. In combination they allow the payload detection of the xslcmd malware:




    As the signature summary outlines we have added a signature to detect keyloggers generically. Let's have a look how this works.
     
    Beside the installer (PID 236, sample-cmd) and the launch agent process (PID 241, clipboardd), the startup section of the report also lists the TextEdit.app process (PID 253):



    This is actually a process that was started by a Cookbook. As you might already know, Cookbooks are a powerful technology that enables the customization of the analysis procedure in order to influence and change the malware's behaviour. Here is the Cookbook used for the current analysis:


    After loading the sample with the _JBLoadProvidedBin, the text editor is opened with the _JBRunCmd. Then the Cookbook simulates some low-level keyboard strokes via _JBSimulateKeyboardStrokes. In this case, the keyboard numbers/letters "0deconinput0" are typed in. The screenshot reveals the launched text editor and the simulated user input:


    By having a closer look at the launch agent process clipboardd (PID 241) running in the background, it can be observed that the simulated keyboard strokes are written to a log file residing in the user's home directory:


    So to generically detect keyloggers Joe Sandbox X uses a Cookbook to simulate keystrokes and then looks with behaviour signatures for typed key sequences written to files. If such a sequence is found it is obvious that the malware captures and stores keys:


    We are aware that the signature can be evaded. However, due to the agility of Joe Sandbox X it is easy to quickly spot and detect new behaviours. The detection of key loggers is just one of many use cases of _JB Cookbook commands. _JBRunCmd allows the analyst to execute arbitrary (shell) commands which often helps to combat evasive malware. 

    Full analysis report for xslcmd:

    Joe Sandbox X: Automated Dynamic Malware Analysis on Mac OS X

    We are proud to present today Joe Sandbox X - the first automated dynamic malware analysis system for Mac OS X. As with all of our productsJoe Sandbox X executes files in a controlled environment and monitors the behavior of applications for suspicious activities. All activities are compiled into a comprehensive and extensive analysis report.

    There are currently only a moderate number of known malware targeting Mac OS X systems. However, we at Joe Security think that the number of unknown Mac threats is high and since many companies are moving to the Mac world, Mac OS X will become more and more a hot target.

    To show some of the features of Joe Sandbox X, we have analyzed a recent malware named "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1) that was deteced by FireEye about two weeks ago (VirusTotal 0 score 0/55 at detection time, 12/55, date of this blog post).

    Joe Sandbox X uses the same report format as Joe Sandbox Desktop and Joe Sandbox Mobile, so it is likely that you are familiar with the report structure. Let us walk through the report. From the behavior analysis report we see that the sample has opened a terminal window:



    Currently, Joe Sandbox X includes about 100 behavior signatures which rate and classify the behavior. The signature summary already gives a nice overview concerning some of the key functionalities of the malware:



    Static analysis which includes a Mach-O parser shows other interesting facts:


    The sample is able to run on three different architectures (Power PC, i386 and x86_64). Usually, Mach-O files only run on one or two architectures. It is likely that three architectures are supported to extend the number of potential target systems.

    Next, the comprehensive process overview shows the child and overlayed (forked then execve'd) processes of the initial sample as well as other processes started during analysis time:


    After startup the sample spawns the launchctl command which is often used to load a launch agent or launch daemon (service processes). The sample also starts itself again (see PID 275). Looking at the behavior of this process reveals its purpose:


    As the report excerpt outlines the sample deletes itself. Looking further down the startup shows that a launch agent process named "clipboardd" is started:



    Clipboardd starts the command "sw_vers" twice. Sw_vers prints version information about the operating system:



    Looking at the "sample-xslcmd" process (see PID 271) in more detail reveals that one of the created files is a plist file in the user's launch agent directory. This file is a necessary file when creating a launch agent and controls some of the launch agent' settings.


    The content of the plist file outlines that the launch agent is not started on system boot (XML tag false), where the other setting ensures that the launch agent keeps running. Also the dropped "clipboardd" file is executable (check out the Mach-O magic header bytes CAFEBABE):



    The launch agent is explicitly started with "launchctl load":



    Looking at the "clipboardd " process (see PID 274) in more detail shows that besides other activites two directories are created: ".fontset" and "BackupData". ".fontset" is hidden on Mac OS X systems due to the point prefix. In the "BackupData" a log file is created containing the term "##Terminal##".


    This is likely a log file of a keylogger (due to the suspicious name). Joe Sandbox X also enables to interact with the analysis machine, so we were able to run the sample again, simulate some user behavior and check the file content in order to verify our assumption:



    The service also tries to open the three files "pxupdate.ini", "chkdiska.dat", and "chkdiskc.dat". These files did not exist so the open calls were not successful.


    It is likely that these are configuration files and that the sample checks if the files exist to prevent reinfection. Finally, two hidden files named ".got" are created in the "Desktop" and "Documents" directory of the user.


    As some of the signatures already detected, the sample is actively communicating with the Internet. The included world map shows at a glance which countries have been contacted:



    When looking at the HTTP traffic, one can see the HTTP POST requests performed on a non-standard port to the fake host "www.appleupdate.biz":


    As this blog post outlines Joe Sandbox X enables to quickly understand and detect threats which target Mac systems. We continue our development to increase the number of signatures and also capture more behavior. Joe Sandbox X will be also available in Joe Sandbox Cloud, Joe Sandbox Complete, and Joe Sandbox Ultimate.

    Full analysis report for xslcmd:


    Joe Sandbox 10: Analysing unpacked PE Files and Memory Dumps with IDA

    As you know the current Joe Sandbox version is 9.0.0 which we released in the end of March 2014. Since then we have implemented a set of very cool new features which we are going to release soon with Joe Sandbox 10. Some of them are outlined in this blog post.

    Let us have a look at a recent Retefe e-banking trojan (MD5: 894c20f0d97c5a1dee106331e00abd48):


    Compared to some other well known e-banking Trojans such as Zeus, SpyEye or Citadel - Retefe does not intercept network traffic directly on the host. It also does not install any malicious code. Rather it configures a rogue DNS server on the victim system. As a result the bad guys control DNS resolution and can redirect to their fake banking webpage. However nearly all e-banking portals use HTTPS today. So a vicitm would notice that there is no HTTPS or a certificate error:


    In order to stay hidden Retefe installs on the vicitm system its own root certificate. Thus the browser trusts the rogue HTTPS certificate.

    As some initial cuttings from the Joe Sandbox report shows, Hybrid Code Analyis (HCA) has detected the function which installs the rouge root certificate:



    Central API to load a certificate is CertCreateCertificateContext. It creates a certificate context directly from a byte pointer:


    Wouldn't it be great to extract the certificate to block it generically? To do so we have to find the value of ecx. Joe Sandbox 10 includes a generic PE unpacker engine. As new supplementary analysis data it generates unpacked PE files one can directly load and run with a disassembler:


    Let us open the unpacked PE file and jump to the certificate function (some paths have been removed to improve simplicity):


    IDA's Graph View is very powerful and helps to quickly detect that the pbCertEncoded pointer is located at the address [436FC8+4]. Since Joe Sandbox captures memory dumps during runtime we can now easily find the corresponding dump, locate and extract the certificate:



    Joe Sandbox's PE unpacking engine is sophisticated but it is not always possible to extract a valid unpacked PE file. Sometimes we even do not have a PE file at all. This is especially true for shellcode and injected codes. Let us have a look at the analysis of a malicious Word document (MD5: b9f33467d0856e18129aca8f997eeaf8, 25/54 on Virustotal):



    After exploiting Zeus is dropped. Zeus is known to inject its payload into explorer.exe. If we look at Hybrid Code Analysis (HCA) results for explorer.exe we find a reference to Joe Sandbox IDA plugin file:


    The file is a definition of all Hybrid Code Analysis data Joe Sandbox has captured for the given process. We have developed a plugin for IDA to directly load memory dumps:


    The plugin creates a new segment, adds entrypoints, strings and functions:



    With the hot-key ALT-J one can load dynamic behavior data captured by Joe Sandbox. This is extremly helpful since IDA does not detect any API calls since the code is not part of a PE file:

    Of course the plugin works great to also analyze shellcode with IDA (blue prefixes outline dynamic code execution):



    Adding runtime data such as strings and API arguments to a disassembly output is exactly one of the ideas behind Hybrid Code Analysis. Runtime data helps to understand the disassembly more efficiently and enables to detect non-executed / dormant codes.

    The Joe Sandbox IDA plugin, as well as the unpack engine will be available for all Joe Sandbox Desktop, Complete and Light customers in the Joe Sandbox 10 release.

    Full analysis reports: