Joe's Sandbox
Author: Stefan Waldvogel
Solve a BTLO challenge with Joe's sandbox
Overview
This article is about Joe's Sandbox, and we use a BTLO challenge to see a "real-world" malicious script. BTLO is a training platform for blue knowledge. If you want to become a SOC Analyst, you can use this platform to brush up your hands-on ability.
You need a *.edu email or a corporate email to create an account at Joe's. If you do not have a professional email, you can still follow this guide with this link: www.joesandbox.com/analysis/416466/0/html
Let us get ready
First, you need a free login for BTLO. You get it here: blueteamlabs.online/ and we do a modified version of the "Malicious PowerShell Analysis" module.
This article is about Joe's Sandbox, and we use a BTLO challenge to see a "real-world" malicious script. BTLO is a training platform for blue knowledge. If you want to become a SOC Analyst, you can use this platform to brush up your hands-on ability.
You need a *.edu email or a corporate email to create an account at Joe's. If you do not have a professional email, you can still follow this guide with this link: www.joesandbox.com/analysis/416466/0/html
Let us get ready
First, you need a free login for BTLO. You get it here: blueteamlabs.online/ and we do a modified version of the "Malicious PowerShell Analysis" module.
If you want to do that lab with the questions as the main focus and you need help, you can use Bohan's guide (bohansec.com/2021/04/30/Maclious-Powershell-Analysis-Video-Only/).
This guide focuses on Joe's Sandbox, and we just take the provided Powershell script and compare it to the questions.
Create an account for Joe's Sandbox
If you are a student, you do not have a problem creating an account. You can use your student email. Joe's Sandbox does not accept Gmail and other private accounts. The link to create an account is here: www.joesandbox.com/register
This guide focuses on Joe's Sandbox, and we just take the provided Powershell script and compare it to the questions.
Create an account for Joe's Sandbox
If you are a student, you do not have a problem creating an account. You can use your student email. Joe's Sandbox does not accept Gmail and other private accounts. The link to create an account is here: www.joesandbox.com/register
Now we have everything to start and we can go back to BTLO.
Download the file
Download the provided zip file and unzip it. The password is btlo.
Download the file
Download the provided zip file and unzip it. The password is btlo.
Do not run this thing on your machine!
The next step is to rename the file extension for the ps_script.txt file. Right now, the ending is txt, and it should be .ps1
The next step is to rename the file extension for the ps_script.txt file. Right now, the ending is txt, and it should be .ps1
The reason is, if we upload this file to Joe's sandbox as a txt, notepad will open the script and not PowerShell. We need PowerShell to see the cool features.
You might ask, why BTLO deliver it as txt? The reason is: This script contains Emotet, a dangerous banking Trojan.
Again, do not run this file on your machine!
Upload the file
You might ask, why BTLO deliver it as txt? The reason is: This script contains Emotet, a dangerous banking Trojan.
Again, do not run this file on your machine!
Upload the file
Sign-In and upload the file (1) for a Windows machine (2). Joe's Sandbox offers a lot of features. Most of them are available in the free version.
The red headline shows the most active threats, and you can click these and learn more about malware.
Right now, you hear a lot about AgentTesla.
Scroll down and click "Analyze." This takes time; we have to wait at least 2 minutes.
The red headline shows the most active threats, and you can click these and learn more about malware.
Right now, you hear a lot about AgentTesla.
Scroll down and click "Analyze." This takes time; we have to wait at least 2 minutes.
During your waiting time, check the status. We use an up-to-date Windows10 machine with some software on it. With the pro version, you can change this, but for our purpose, this is fine.
The results
The result looks like the following picture. The first impression, it is malicious, it is a Trojan, and it has evader features. The score is 100/100, and therefore, this script is not lovely.
You can click IOCs, and you see some connections. Switch back to Engines.
Click "Full Report," and we see more details.
The result looks like the following picture. The first impression, it is malicious, it is a Trojan, and it has evader features. The score is 100/100, and therefore, this script is not lovely.
You can click IOCs, and you see some connections. Switch back to Engines.
Click "Full Report," and we see more details.
Let us go through the output. The Overview section gives you a bigger idea. On the left side, you have some data for a report. Under Infos, you see small items representing a feature. Connection, injections, and more.
The Detection area gives you an idea about the general behavior. A score of 100% and a confidence of 100% is a strong indicator for a malicious file.
The Detection area gives you an idea about the general behavior. A score of 100% and a confidence of 100% is a strong indicator for a malicious file.
The following two fields go a bit more in detail. We see the reason why Joe's sandbox thinks this is malicious.
Most red signatures are based on URLs and domains. This malware talks a lot, and it detects a long PowerShell command. Not all long PowerShell commands are malicious. An admin could use scripts to improve something.
The Classification is an excellent example of a high-level view. If you have to talk to an executive, take this picture and explain the situation in easy words.
An executive will make a decision and is usually not interested in all the technical details. He or she thinks about business impact/profit/consequences, and that is it.
-> What about PII? Are passwords compromised? What about credit card information? Is the business impacted, and if yes, how can you bring the company back (fast as possible)? Interruption? How long do you need to fix the problem?
You are most likely not a business person, but you work for a company whose primary goal is to make money. If you talk to your technical colleagues, you talk technical. If you speak to a boss, you might have to prepare and answer business or related legal questions.
As a beginner in Cybersecurity, you might not answer these questions but think about them because you have to answer those questions one day. You want to move up!
Most red signatures are based on URLs and domains. This malware talks a lot, and it detects a long PowerShell command. Not all long PowerShell commands are malicious. An admin could use scripts to improve something.
The Classification is an excellent example of a high-level view. If you have to talk to an executive, take this picture and explain the situation in easy words.
An executive will make a decision and is usually not interested in all the technical details. He or she thinks about business impact/profit/consequences, and that is it.
-> What about PII? Are passwords compromised? What about credit card information? Is the business impacted, and if yes, how can you bring the company back (fast as possible)? Interruption? How long do you need to fix the problem?
You are most likely not a business person, but you work for a company whose primary goal is to make money. If you talk to your technical colleagues, you talk technical. If you speak to a boss, you might have to prepare and answer business or related legal questions.
As a beginner in Cybersecurity, you might not answer these questions but think about them because you have to answer those questions one day. You want to move up!
I will not talk about all areas, but some interesting things. If you work in Cybersecurity, you need to know more about the Mitre Att&ck Matrix. You can find the link here: attack.mitre.org/matrices/enterprise/
This matrix is interactive. You can click on "Process Injection" and learn more about the details. The Mitre framework gives you a big idea about all possible options and techniques. If you are a defender, you can use this matrix to improve your security. This script does a lot of things. Let us take "Command and Scripting Interpreter."
Click the field, and you see the related Mitre topic in detail.
This matrix is interactive. You can click on "Process Injection" and learn more about the details. The Mitre framework gives you a big idea about all possible options and techniques. If you are a defender, you can use this matrix to improve your security. This script does a lot of things. Let us take "Command and Scripting Interpreter."
Click the field, and you see the related Mitre topic in detail.
|
|
Do you want to defend your company against this? The provided information is not enough, but the Mitre link gives you everything including an area for mitigation techniques.
We can dive a bit into this topic and pick "Code Signing".
Now, you can read more about code signing, and the "Use" field gives you a hint on how to fix this issue. In this case, Mitre suggests setting a PowerShell execution policy. This feature will improve the security, and the script cannot run anymore. You can enforce this change quickly via a policy, and all computers are protected.
Sounds good? Everything has a price. If you work with developers, this small change might be a bad idea because developers cannot work anymore. If you work with people in an office, this idea might work very well.
If you do a change, think about the consequences. This is one reason why Cybersecurity does have few entry-level jobs. Each change to improve security has an impact, and you need to know the risks before you enforce a change.
The following section is my favorite section:
Sounds good? Everything has a price. If you work with developers, this small change might be a bad idea because developers cannot work anymore. If you work with people in an office, this idea might work very well.
If you do a change, think about the consequences. This is one reason why Cybersecurity does have few entry-level jobs. Each change to improve security has an impact, and you need to know the risks before you enforce a change.
The following section is my favorite section:
This small picture (the original) is interactive and contains every single exciting feature of this malware. It is a visual analysis of the behavior. You see how many files are created and registry entries. You get malicious IPs and more.
This map is interactive. If you want to know more about a detail, just click on it. Try to look around.
Just for fun, we can try to find some BTLO answers.
This map is interactive. If you want to know more about a detail, just click on it. Try to look around.
Just for fun, we can try to find some BTLO answers.
We can use Joe's search feature (right corner).
The other answers are harder to find, and for some of them, we need the pro version. I do not have it, but we can use Cyberchef to decode the Powershell.
Conclusion
I hope you had fun with this small PowerShell and discovered more features. Did you see the difference between a lab like BTLO and a real sandbox?
The BTLO txt file was static, but we brought the file back to life. Now we see much more details, and you can watch a video about the behavior.
-> If you do labs, try to move on and get more out of it. There is so much more to discover. A lab is not about points, it is about getting knowledge.
Conclusion
I hope you had fun with this small PowerShell and discovered more features. Did you see the difference between a lab like BTLO and a real sandbox?
The BTLO txt file was static, but we brought the file back to life. Now we see much more details, and you can watch a video about the behavior.
-> If you do labs, try to move on and get more out of it. There is so much more to discover. A lab is not about points, it is about getting knowledge.
© 2021. This work is licensed under a CC BY-SA 4.0 license