Wednesday, November 30, 2016

Joe Sandbox 17

We are proud to release Joe Sandbox 17 today. Below you will find some of the most important features and improvements being added:

Generic VBA Instrumentation


VBA instrumentation captures runtime information, such as API and method calls, for macro code embedded in Microsoft Office files. With VBA instrumentation, security analysts can understand VBA code much faster.


Further we added a call graph for the traced VBA code:


The call graph enables security experts to spot decryption routines quickly and offers fast navigation through the traced code. VBA instrumentation is fully generic, meaning that customers can add their own instrumentation, for example returning fake IP addresses to defeat MaxMind geolocation checks, or bypassing other evasions.
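To make the idea concrete, here is an added example (written for this page, not Joe Sandbox's implementation or API): a source-level instrumenter that injects ENTER/EXIT trace calls into every VBA procedure, a call-graph builder that replays the resulting trace against a call stack, and a heuristic that flags the likely decoder routine. The sample macro, the `JBTrace` hook name and the trace lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample macro (written for this example, not taken from the post):
# AutoOpen hands an encoded string to a decoder routine and executes the result.
SAMPLE_VBA = """\
Sub AutoOpen()
    Dim cmd As String
    cmd = Decode("6F666A6F")
    Launch cmd
End Sub

Private Function Decode(s As String) As String
    Dim i As Integer
    Dim r As String
    For i = 1 To Len(s) Step 2
        r = r & Chr(Val("&H" & Mid(s, i, 2)) Xor 7)
    Next i
    Decode = r
End Function

Sub Launch(cmd As String)
    Shell cmd, vbHide
End Sub
"""

PROC_START = re.compile(r"^\s*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\s*\(", re.I)
PROC_LEAVE = re.compile(r"^\s*(End|Exit)\s+(Sub|Function)\b", re.I)
PROC_BODY = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?^\s*End\s+(?:Sub|Function)",
    re.I | re.M | re.S)
DECODER_BUILTINS = re.compile(r"\b(Chr|ChrW|Asc|AscW|Xor|Mid|StrReverse|Hex|Val)\b", re.I)
LOOP_KEYWORDS = re.compile(r"\b(For|Do|While)\b", re.I)


def instrument(src, hook="JBTrace"):
    """Source-level instrumentation: call `hook` at every procedure entry and
    before every Exit/End, so the macro logs its own control flow when it runs.
    `hook` is a hypothetical VBA Sub assumed to exist in the instrumented
    document (an assumption of this example, not a Joe Sandbox API)."""
    out, current = [], None
    for line in src.splitlines():
        m = PROC_START.match(line)
        if m:
            current = m.group(2)
            out.append(line)
            out.append(f'    {hook} "ENTER", "{current}"')
            continue
        e = PROC_LEAVE.match(line) if current else None
        if e:
            out.append(f'    {hook} "EXIT", "{current}"')
            if e.group(1).lower() == "end":
                current = None
        out.append(line)
    return "\n".join(out)


# Constructed event stream: what `hook` would have recorded, in execution
# order, when the instrumented SAMPLE_VBA ran.
SAMPLE_TRACE = ["ENTER AutoOpen", "ENTER Decode", "EXIT Decode",
                "ENTER Launch", "EXIT Launch", "EXIT AutoOpen"]


def call_graph(trace):
    """Rebuild caller -> callee edges from the ENTER/EXIT stream by replaying
    it against a call stack: an ENTER while another procedure is active is a
    call made by that procedure."""
    stack, edges = [], defaultdict(set)
    for event in trace:
        kind, name = event.split()
        if kind == "ENTER":
            if stack:
                edges[stack[-1]].add(name)
            stack.append(name)
        elif kind == "EXIT":
            if not stack or stack[-1] != name:
                raise ValueError(f"unbalanced trace at {event!r}")
            stack.pop()
    return {caller: sorted(callees) for caller, callees in edges.items()}


def decoder_candidates(src, min_hits=3):
    """Heuristic for 'which node is the decryption routine': a procedure that
    loops and leans on byte/string builtins (Chr, Xor, Mid, ...) is a likely
    decoder and the first node worth reading in the call graph."""
    hits = {}
    for m in PROC_BODY.finditer(src):
        name, body = m.group(1), m.group(0)
        if LOOP_KEYWORDS.search(body):
            n = len(DECODER_BUILTINS.findall(body))
            if n >= min_hits:
                hits[name] = n
    return hits


if __name__ == "__main__":
    print(instrument(SAMPLE_VBA))
    print("call graph:", call_graph(SAMPLE_TRACE))
    print("decoder candidates:", decoder_candidates(SAMPLE_VBA))
```

Replaying the trace against a stack (rather than grepping the source for call sites) is what makes the graph dynamic: only procedures that actually ran appear, which is exactly what you want when a macro carries dead decoys. The builtin-count heuristic is deliberately crude; in practice you would also weight calls seen in the trace (Chr, Mid and Xor dominating one routine's API log).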


User Automation for Microsoft Office ActiveX and PDF links


Microsoft Office documents with clickable ActiveX objects have become a major malware delivery mechanism. Joe Sandbox 17 includes a new cookbook command, _JBActivateOfficeActiveX, which automatically clicks ActiveX objects in the document:




Similarly, we added a new click command, _JBClickPDFLinks, which clicks on links embedded in PDF files:




In addition, we've added a new signature that extracts URLs directly from PDF documents, including from compressed streams.
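For readers who want to reproduce the "even from compressed streams" part themselves, here is an added example (written for this page, independent of Joe Sandbox's signature): it inflates every FlateDecode stream and pulls the operand of each /URI key, honouring PDF literal-string escapes and hex strings. The PDF is constructed in code (xref table omitted) so the script runs offline; the example.invalid URLs are placeholders.

```python
import re
import zlib


def build_sample_pdf():
    """Construct a tiny PDF (not a real sample; xref table omitted) with two
    link targets: one in a plain annotation object and one inside a
    FlateDecode-compressed object stream, which a grep over the raw file
    cannot see."""
    # Object 6 lives inside object stream 5; the URI carries escaped
    # parentheses so a naive regex on '(...)' would cut it short.
    inner = (b"6 0\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
             b"/A << /S /URI /URI (http://example.invalid/hidden/in\\(stream\\).exe) >> >>")
    comp = zlib.compress(inner)
    objstm = (b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
              + str(len(comp)).encode() + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n")
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >>\nendobj\n"
            b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (http://example.invalid/plain.html) >> >>\nendobj\n"
            + objstm + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


SAMPLE_PDF = build_sample_pdf()

STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")            # not the 'stream' in 'endstream'
LENGTH_KW = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only, not 'n 0 R'


def streams(pdf):
    """Yield (object dictionary, raw stream bytes) for every stream in the
    file, trusting a direct /Length and otherwise cutting at 'endstream'."""
    for m in STREAM_KW.finditer(pdf):
        head = pdf[:m.start()]
        obj_dict = head[head.rfind(b" obj"):]      # dictionary of the owning object
        n = LENGTH_KW.search(obj_dict)
        start = m.end()
        end = start + int(n.group(1)) if n else pdf.find(b"endstream", start)
        yield obj_dict, pdf[start:end]


def pdf_strings_after(buf, keyword=b"/URI"):
    """Return the string operand after each `keyword`: PDF literal strings
    (balanced parentheses; backslash escapes kept as the escaped byte, which
    covers \\(, \\) and \\\\) and hex strings <...>. Other operands are skipped."""
    out, pos = [], 0
    while (i := buf.find(keyword, pos)) >= 0:
        j = i + len(keyword)
        while j < len(buf) and buf[j:j + 1] in b" \t\r\n":
            j += 1
        if buf[j:j + 1] == b"(":
            depth, k, s = 1, j + 1, bytearray()
            while k < len(buf) and depth:
                c = buf[k:k + 1]
                if c == b"\\":                       # escaped byte: keep it literally
                    k += 1
                    s += buf[k:k + 1]
                elif c == b"(":
                    depth += 1
                    s += c
                elif c == b")":
                    depth -= 1
                    if depth:
                        s += c
                else:
                    s += c
                k += 1
            out.append(bytes(s).decode("latin-1"))
            pos = k
        elif buf[j:j + 1] == b"<":
            k = buf.find(b">", j)
            if k < 0:
                break                                 # unterminated hex string
            out.append(bytes.fromhex(buf[j + 1:k].decode("ascii", "ignore")).decode("latin-1"))
            pos = k + 1
        else:
            pos = j                                   # e.g. '/S /URI': no string here
    return out


def extract_pdf_uris(pdf):
    """URIs in the raw file plus those inside every FlateDecode stream after
    inflating it (object streams are where link dictionaries hide in PDF 1.5+)."""
    found = pdf_strings_after(pdf)
    for obj_dict, body in streams(pdf):
        if b"/FlateDecode" not in obj_dict:
            continue
        try:
            body = zlib.decompressobj().decompress(body)  # tolerates trailing bytes
        except zlib.error:
            continue                                      # damaged stream: skip it
        found += pdf_strings_after(body)
    return list(dict.fromkeys(found))                     # de-duplicate, keep order


if __name__ == "__main__":
    for uri in extract_pdf_uris(SAMPLE_PDF):
        print(uri)
```

Note that only /FlateDecode is handled here; a production extractor would also need the other standard filters (LZW, ASCIIHex, ASCII85, RunLength) and filter chains, and would resolve indirect /Length values instead of falling back to the endstream keyword.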

User Automation for Joe Sandbox X


For the new Joe Sandbox X and Ultimate versions we developed a new cookbook command, _JBStartAutoInstaller, which clicks through installer buttons. This fully automates the installation of malware embedded in installers:



Support for Android 6.0 Marshmallow


Joe Sandbox Mobile and Ultimate now support analysis on the latest Android release, 6.0 Marshmallow:


Redesigned Web Interface


The web sample submission page of Joe Sandbox 17 has been fully redesigned with a focus on usability. As a result, submitting samples to Joe Sandbox has become much easier:


Besides the submission page, we have also fully redesigned the analysis details view and added options for bulk YARA rule uploads.


Behavior Signature Set Increase


Joe Sandbox 17 includes over 40 new behavior signatures, bringing the total signature set to more than 1217. Below is a non-exhaustive list of the new signatures:

  • Detect latest Locky variants
  • Detect many new evasions (e.g. Word documents whose VBA project contains only p-code, with the source code stripped)
  • Detect malicious Microsoft Office documents based on VBA instrumentation data
  • Detect malicious Microsoft Office documents containing ActiveX objects
  • Detect new PowerShell attacks
  • Detect malicious links in PDF documents
  • Generic detection for Mac OS X malware



Finally, another major improvement in Joe Sandbox 17 is a reduction of false positives (FPs).

Happy analysis!