Tuesday, June 6, 2017

Joe Sandbox 19 is out!


We have good news: Joe Sandbox version 19 is out! This is a big release with many improvements, enhancements, and new features. If you are an on-premise customer, you can simply upgrade to Joe Sandbox 19 via:

mono joeboxserver --updatefast

In this blog post, we will outline some of the enhancements and new features of v19.

Phishing Detection


Phishing is a growing trend, and many products have very poor detection for it. Therefore, we added behavior-based phishing detection to v19. How does it work? Joe Sandbox browses URLs in IE and then stores the DOM. The same is done for iframes as well as links found on the page. The DOM array is then evaluated using several new behavior signatures:





For more in-depth analysis, customers can also access the raw DOM data.


Joe Sandbox Uploader

With Joe Sandbox 19 you get a convenient desktop tool which enables you to easily upload files and URLs to Joe Sandbox from Windows and Mac OS systems:



.NET Decompilation 

In recent months, we saw a huge increase in malware and packers written in .NET (C# or Visual Basic .NET). Joe Sandbox v19 includes an extensive decompilation engine for .NET. All decompiled .NET samples are uploaded to Joe Sandbox together with the files dropped or downloaded during execution. The decompiled code can be downloaded via the web interface:




.NET Decompilation also contributes to detection via behavior signatures:


Offline Snort / ET PCAP analysis


Are you a big fan of Emerging Threats rules and want to have them included in the Joe Sandbox behavior report? With v19 you get it:


Together with the Snort / ET PCAP analysis, we also added detection of malicious files and IPs:



80 New Behavior Signatures

We added many new behavior signatures, in particular to detect new Mac malware (e.g. Proton B and Snake, aka Turla), phishing, ransomware and .NET malware:






UI & User Automation

More and more samples require user automation. Microsoft Office documents are a good example. The same applies to Mac OS samples. We added several enhancements to our user automation to successfully handle the latest tricks:



Please note that Joe Sandbox uses an advanced OCR-based clicking engine to detect some of the UI elements.

Minor Features

The following additional minor features are part of the v19 release:

Interested in Joe Sandbox v19? Let us know and we will schedule an in-depth technical presentation and demo!

Want to see Joe Sandbox v19 live? Visit us at Black Hat USA Las Vegas, booth IC69, Innovation City.