
Joe Security's Blog

The Power of Cookbooks - generic HTTPS Analysis

Published on: 05.06.2014

Besides Hybrid Code Analysis, one of the top features of Joe Sandbox is the Cookbook technology. Cookbooks? Sounds like cooking. That is correct: Cookbooks let one "cook" the malware. To be more precise, they make it possible to describe a malware analysis procedure in great detail. Below you see a very simple Cookbook for analysis on Windows:

Cookbooks are written in AutoIt, a BASIC-like programming language designed to automate tasks on Windows operating systems. AutoIt offers a huge set of functionality, from driving browsers (IE, FF, Chrome) to controlling windows, files and the registry. In addition, one can call Joe Sandbox commands, which start with _JB. Joe Sandbox offers an extensive set of commands that let one play around with malware samples. The simple Cookbook above analyses a sample on a Windows XP system. For anti-VM evasion it randomizes artifacts which are unique to the virtual machine. It also simulates mouse clicks and launches tools for GUI click simulation. Let's have a look at a more complex Cookbook:

Rather than one analysis, the Cookbook above consists of two analyses which are connected to each other. We call that Cookbook chaining. The second analysis, starting at line 40, is only executed if HTTPS traffic has been detected during the first analysis. To connect two analyses one can use the _JBChainCookbook command. _JBChainCookbook has direct access to the generated behavior report and uses an XPath expression for evaluation. In the sample above it checks whether there are any TCP packets on port 443. If true, the second analysis is started; if false, the analysis is finished.
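The chaining decision described above, modelled as an added Python example rather than the Cookbook's own AutoIt: a second run is planned only when an XPath query over the first run's behavior report matches. The report fragment and its element/attribute names (`tcp`, `dport`) are constructed for this example and are not Joe Sandbox's real report schema, and `should_chain`/`plan_second_analysis` are hypothetical helpers, not _JBChainCookbook itself.

```python
import xml.etree.ElementTree as ET

# Constructed behavior-report fragment with a hypothetical schema
# (Joe Sandbox's real report format is not reproduced here).
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis>
  <network>
    <tcp src="192.168.1.10" sport="49152" dst="203.0.113.5" dport="80" bytes="512"/>
    <tcp src="192.168.1.10" sport="49153" dst="203.0.113.9" dport="443" bytes="1480"/>
    <udp src="192.168.1.10" sport="50000" dst="192.168.1.1" dport="53" bytes="64"/>
  </network>
</analysis>
"""

# XPath predicates (the subset ElementTree understands) that decide whether
# to chain a second analysis. The first one is the page's "TCP on port 443" check.
CHAIN_CONDITIONS = {
    "https_seen": ".//tcp[@dport='443']",
    "dns_seen": ".//udp[@dport='53']",
}


def should_chain(report_xml: str, xpath: str) -> bool:
    """True if at least one element in the report matches the XPath expression."""
    root = ET.fromstring(report_xml)
    return root.find(xpath) is not None


def matching_packets(report_xml: str, xpath: str) -> list:
    """Return the attributes of every packet element matched by the expression."""
    root = ET.fromstring(report_xml)
    return [dict(elem.attrib) for elem in root.findall(xpath)]


def plan_second_analysis(report_xml: str):
    """Name of the chained Cookbook to run next, or None to finish.

    'force_http' is a hypothetical label for the run that applies the
    HTTP-forcing patch; the page describes that run at line 55 of its Cookbook.
    """
    if should_chain(report_xml, CHAIN_CONDITIONS["https_seen"]):
        return "force_http"
    return None


if __name__ == "__main__":
    print("port-443 packets:", matching_packets(SAMPLE_REPORT, CHAIN_CONDITIONS["https_seen"]))
    print("next run:", plan_second_analysis(SAMPLE_REPORT))
```

The same function works for the other chaining conditions listed later on the page (idling, sleeping, blocked domains) as long as the condition can be expressed as a query over the report; only the XPath string changes.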

Let us assume that we analyze a malware sample which uses HTTPS for C&C communication. Since HTTPS is encrypted, we do not see the clear text data sent through the tunnel. In order to get that data, we have implemented a technique which is based on our API patching framework. Within the second analysis, at line 55, you find the command _JBForceHTTP. _JBForceHTTP is implemented as:

_JBAddAPIPatch has the following function signature:

The command makes it possible to fake input arguments for any API call. So assuming the malware calls InternetConnectA(12, "", 443, "", "", INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, NULL), the API patch will substitute the second input parameter with 80. _JBForceHTTP patches all important input arguments in order to force HTTP. As a result the WinINet subsystem makes a plain HTTP connection rather than an HTTPS one, and we can analyze the protocol without any problems. This works very well, as browsing https://www.google.ch with IE demonstrates:
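To make the argument substitution concrete, here is an added Python model of what an HTTP-forcing API patch does to the WinINet call shown above; it is not Joe Sandbox's API patching framework or the real _JBAddAPIPatch signature. The constants are the real wininet.h values; the patch table, `ArgPatch` and `patch_call` are hypothetical names for this example. Argument indices follow the C prototypes counted from zero, so nServerPort of InternetConnectA is index 2 and the dwFlags argument is index 6 in both InternetConnectA and HttpOpenRequestA.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Real wininet.h constants.
INTERNET_SERVICE_HTTP = 3
INTERNET_FLAG_SECURE = 0x00800000
INTERNET_FLAG_RELOAD = 0x80000000
INTERNET_DEFAULT_HTTP_PORT = 80
INTERNET_DEFAULT_HTTPS_PORT = 443


@dataclass
class ArgPatch:
    """Rewrite one positional argument of an API call (hypothetical helper)."""
    arg_index: int
    transform: Callable[[object], object]


def substitute(old, new):
    """Replace an argument only when it equals `old` (e.g. port 443 -> 80)."""
    return lambda value: new if value == old else value


def clear_flags(mask):
    """Remove bits from a DWORD flags argument (e.g. INTERNET_FLAG_SECURE)."""
    return lambda value: value & ~mask


# Patch table modelling _JBForceHTTP: which argument of which API is rewritten.
# Indices are zero-based positions in the C prototypes.
FORCE_HTTP_PATCHES: Dict[str, List[ArgPatch]] = {
    "InternetConnectA": [
        ArgPatch(2, substitute(INTERNET_DEFAULT_HTTPS_PORT, INTERNET_DEFAULT_HTTP_PORT)),
        ArgPatch(6, clear_flags(INTERNET_FLAG_SECURE)),
    ],
    "HttpOpenRequestA": [
        ArgPatch(6, clear_flags(INTERNET_FLAG_SECURE)),
    ],
}


def patch_call(api_name: str, args: Tuple) -> Tuple:
    """Apply every patch registered for `api_name` and return the rewritten arguments."""
    patched = list(args)
    for patch in FORCE_HTTP_PATCHES.get(api_name, []):
        patched[patch.arg_index] = patch.transform(patched[patch.arg_index])
    return tuple(patched)


def would_use_tls(api_name: str, args: Tuple) -> bool:
    """True if the (possibly patched) call would still ask WinINet for TLS."""
    flags_index = 6
    if api_name not in FORCE_HTTP_PATCHES:
        return False
    return bool(args[flags_index] & INTERNET_FLAG_SECURE)


if __name__ == "__main__":
    # The call from the page, as the malware issues it (NULL written as None).
    original = (12, "", 443, "", "", INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, None)
    forced = patch_call("InternetConnectA", original)
    print("original:", original, "tls:", would_use_tls("InternetConnectA", original))
    print("patched :", forced, "tls:", would_use_tls("InternetConnectA", forced))
```

One caveat this model makes visible: only the default HTTPS port is remapped, so a sample that speaks TLS on a non-standard port, or that bypasses WinINet with its own TLS stack, is not downgraded. The chained analysis should therefore re-check the behavior report for encrypted traffic rather than assume the patch succeeded.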

IE still believes it is using HTTPS, but as the network analysis proves, it is not. Of course the technique also works well with malware using HTTPS.

Analysis example without _JBForceHTTP for a recent sample:

With HTTP force enabled:

Full analysis report available at: report - c77dd48c57156a20f0e32022e489546e.

Using Cookbook chaining to analyze HTTPS malware is just one example of many. Other use cases are:

  • Analyze on VM; if the sample is idling, analyze again on a native machine
  • Analyze on VM; if the sample is idling, analyze again and show more user behavior
  • Analyze on VM; if the sample sleeps, analyze again and patch the sleep
  • Analyze; if the domain is down or blocked, analyze again with a different DNS server
Generally, Cookbooks have more and more become a very important tool in Joe Sandbox to fight advanced malware. The flexibility of this technology is unmatched. Besides _JBForceHTTP there are additional commands like:

  • _JBReboot
  • _JBShortenSleepsGreaterThan
  • _JBComment
  • _JBCreateSlice
  • _JBLowerOfficeSecurity and _JBLowerIESecurity
  • _JBAddProxyToIE
Interested in trying out the Cookbook technology? Send us a mail and we will set up a test account for you on Joe Sandbox Cloud!