Generic VBA Instrumentation
VBA instrumentation captures runtime information such as API and method calls for macro code embedded in Microsoft Office files. With VBA instrumentation, security analysts can understand VBA code much faster.
Further, we added a call graph for the traced VBA code:
The call graph enables security experts to easily spot decryption routines and offers fast navigation. VBA instrumentation is fully generic, meaning that our customers can add their own instrumentation, e.g. to return a fake IP address to Maxmind-based geolocation checks, or to bypass other evasions.
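To make the call-graph idea concrete, here is an added example (not Joe Sandbox code, and not its trace format or API) that turns a runtime call trace into a weighted call graph and flags routines whose outgoing calls are dominated by character and string built-ins, the usual shape of a hand-rolled string decoder. The trace format, one `caller -> callee(args)` line per call, is an assumption chosen for illustration, and the trace itself is constructed.

```python
"""Turn a VBA runtime call trace into a call graph and flag likely decryption
routines.

Added example (not Joe Sandbox code). The trace format assumed here, one
"caller -> callee(args)" line per call, is an assumption for illustration; the
trace below is constructed and does not come from a real document.
"""
import re
from collections import Counter, defaultdict

# Constructed trace: AutoOpen decodes two strings with a helper and then
# hands the result to WScript.Shell.
SAMPLE_TRACE = r"""
AutoOpen -> Decrypt("Jtx4yzi$Npiffi", 7)
Decrypt -> Len("Jtx4yzi$Npiffi")
Decrypt -> Mid("Jtx4yzi$Npiffi", 1, 1)
Decrypt -> Asc("J")
Decrypt -> Chr(67)
Decrypt -> Mid("Jtx4yzi$Npiffi", 2, 1)
Decrypt -> Asc("t")
Decrypt -> Chr(109)
AutoOpen -> CreateObject("WScript.Shell")
AutoOpen -> Decrypt("kwz3l}l&4k&", 7)
Decrypt -> Len("kwz3l}l&4k&")
Decrypt -> Mid("kwz3l}l&4k&", 1, 1)
Decrypt -> Asc("k")
Decrypt -> Chr(100)
AutoOpen -> Run("C:\Users\Public\update.exe", 0)
"""

CALL_RE = re.compile(r"^\s*(\w+)\s*->\s*(\w+)\s*\((.*)\)\s*$")

# VBA built-ins that dominate the bodies of hand-rolled string decoders.
DECODE_BUILTINS = {"Mid", "Asc", "Chr", "ChrW", "Len", "StrReverse", "Replace", "Split"}


def parse_trace(text):
    """Return a list of (caller, callee, argument_text) tuples."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def build_call_graph(calls):
    """Map each caller to a Counter of callees (edge weight = call count)."""
    graph = defaultdict(Counter)
    for caller, callee, _args in calls:
        graph[caller][callee] += 1
    return graph


def decryption_candidates(graph, min_ratio=0.75):
    """Routines (nodes that appear as callers, i.e. user code) whose outgoing
    calls are dominated by character/string built-ins."""
    hits = []
    for routine, callees in graph.items():
        total = sum(callees.values())
        decode = sum(n for name, n in callees.items() if name in DECODE_BUILTINS)
        if total and decode / total >= min_ratio:
            hits.append(routine)
    return sorted(hits)


def invocations(calls, routine):
    """Argument text of every call into `routine`: the encoded inputs an
    analyst wants to decode."""
    return [args for _caller, callee, args in calls if callee == routine]


def to_dot(graph):
    """Render the graph in Graphviz DOT for `dot -Tpng`."""
    lines = ["digraph vba {"]
    for caller, callees in sorted(graph.items()):
        for callee, n in sorted(callees.items()):
            lines.append(f'  "{caller}" -> "{callee}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    graph = build_call_graph(calls)
    for routine in decryption_candidates(graph):
        print(f"likely decoder: {routine}, inputs: {invocations(calls, routine)}")
    print(to_dot(graph))
```

The ratio heuristic is deliberately simple: a routine that only ever calls `Mid`, `Asc` and `Chr` is almost always a decoder, and the arguments of the calls into it are the ciphertexts worth decoding first. Real traces also need the sandbox's own API hooks (e.g. `CreateObject`, `Run`) to be kept out of the decoder set, which is why only nodes that themselves appear as callers are considered.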
User Automation for Microsoft Office ActiveX and PDF links
Microsoft Office documents with clickable ActiveX objects have become a major delivery mechanism. Joe Sandbox 17 includes a new cookbook command, _JBActivateOfficeActiveX, which intelligently clicks on ActiveX objects:
Similarly, we added a new click command, _JBClickPDFLinks, which clicks on links embedded in PDF files:
On top of that, we've added a new signature which directly extracts URL links from PDF documents (even from compressed streams).
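The extraction described above can be reproduced outside the sandbox. The following is an added example, not Joe Sandbox's signature code: it scans a PDF for `/URI` link targets in the file body and in inflated `/FlateDecode` streams, handling both literal and hex-encoded strings. The sample PDF is constructed inline; only `/FlateDecode` is inflated, and dictionaries are parsed to one nesting level, which covers link annotations and object streams but not every real-world layout.

```python
"""Extract /URI link targets from a PDF, including from FlateDecode streams.

Added example, not Joe Sandbox's signature code. The sample PDF is constructed
inline (it has no xref table, which a scanner does not need). Only /FlateDecode
is inflated; other filters (LZW, ASCIIHex, ...) are left as raw bytes, and
dictionaries are parsed to one nesting level.
"""
import re
import sys
import zlib

# /URI (literal) or /URI <hex>; hex strings are a common way to hide URLs.
# Only backslash-escaped parentheses are handled inside literals.
URI_RE = re.compile(rb"/URI\s*(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.S)
# Stream dictionary (one nesting level) up to the start of the stream data.
STREAM_RE = re.compile(rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?:\s+(\d+)\s+R)?")
END_RE = re.compile(rb"\r?\nendstream")


def build_sample_pdf():
    """Constructed PDF: one plain link annotation and one hidden inside a
    FlateDecode object stream as a hex string."""
    plain = b"http://plain.example/landing"
    hidden = b"http://evil.example/payload.exe"
    inner = (b"7 0 << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
             + hidden.hex().encode() + b"> >> >>")
    data = zlib.compress(inner)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 7 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
        + plain + b") >> >> endobj",
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.5\n" + b"\n".join(objs) + b"\n%%EOF\n"


def iter_streams(pdf):
    """Yield (dictionary, raw_bytes) for every stream; uses /Length when it is
    a direct integer, otherwise scans for the endstream keyword."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        lm = LENGTH_RE.search(dictionary)
        if lm and lm.group(2) is None:          # direct /Length N
            end = start + int(lm.group(1))
        else:                                   # /Length N 0 R or missing
            e = END_RE.search(pdf, start)
            end = e.start() if e else len(pdf)
        yield dictionary, pdf[start:end]


def _decode_uri(literal, hexstr):
    """Turn a matched literal or hex string into the raw URL bytes."""
    if literal is not None:
        return re.sub(rb"\\(.)", rb"\1", literal)      # drop PDF escapes
    digits = re.sub(rb"\s", b"", hexstr)
    if len(digits) % 2:                                 # odd length: pad with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def extract_urls(pdf):
    """Return {(location, url)} found in the file body and inflated streams."""
    buffers = [("body", pdf)]
    for dictionary, raw in iter_streams(pdf):
        if b"/FlateDecode" in dictionary:
            try:
                buffers.append(("FlateDecode", zlib.decompress(raw)))
            except zlib.error:
                pass  # corrupt or truncated stream: nothing more to scan
    found = set()
    for where, data in buffers:
        for m in URI_RE.finditer(data):
            found.add((where, _decode_uri(m.group(1), m.group(2)).decode("latin-1")))
    return found


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for where, url in sorted(extract_urls(blob)):
        print(f"{where:12} {url}")
```

Run with a file argument to scan a real document. The body scan alone misses the second URL, which is why inflating streams matters: a `/Link` annotation stored in an object stream never appears as plain text in the file.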
User Automation for Joe Sandbox X
For the new Joe Sandbox X and Ultimate versions we developed a new cookbook command, _JBStartAutoInstaller, which clicks on buttons. This fully automates the installation of malware embedded in installers:
Support for Android 6.0 Marshmallow
Joe Sandbox Mobile and Ultimate now support analysis on the latest Android 6.0:
Redesigned Web Interface
The web sample submission page of Joe Sandbox 17 has been fully redesigned, with a focus on usability. As a result, submitting samples to Joe Sandbox has become very easy:
Besides the submission page, we have also fully redesigned the analysis details view and added an option for bulk Yara uploads.
Behavior Signature Set Increase
Joe Sandbox 17 includes over 40 new behavior signatures, bringing the total signature set to over 1217. Below you can find a non-exhaustive list of new signatures:
- Detect latest Locky variants
- Detect many new evasions (e.g. Word documents that contain only VBA p-code and no source code)
- Detect malicious Microsoft Office documents based on VBA instrumentation data
- Detect malicious Microsoft Office documents containing ActiveX objects
- Detect new PowerShell attacks
- Detect malicious links in PDF documents
- Generic detection for Mac OS X malware
Finally, another major improvement in Joe Sandbox 17 is the reduction of false positives (FPs).