Thursday, October 12, 2017

Joe Sandbox 20 is out!

Happy Release Day!!! A new Joe Sandbox version is out! This is our twentieth release, what a number!

Version 20 is a big release with many improvements, enhancements, and new features. If you have an on-premise installation you can simply upgrade to Joe Sandbox 20 via:

mono joeboxserver --updatefast

In this blog post, we will show some of the enhancements and features of the new release.

74 New Behavior Signatures

We have added a record number of 74 new signatures to Joe Sandbox Desktop, Mobile, X, Complete and Ultimate. Well, the last months have indeed been very busy with WannaCry, Petya, WireX, CVE-2017-8759 and CCleaner. Our signature set currently includes over 1,414 individually written rules!

Generic Javascript instrumentation

Javascript instrumentation allows tracing, analyzing and detecting any Javascript method, argument, API call or string. With Javascript instrumentation, Joe Sandbox deobfuscates Javascript files and detects hidden evasions:

Javascript instrumentation is the only known technique which covers such fine-grained tracing. Full system emulation or inter-modular call tracing cannot provide such insights. For more details on the instrumentation engine, have a look at our blog post: Generic Javascript Instrumentation.
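As an added example (not Joe Sandbox's engine or code), here is a minimal Javascript instrumentation harness in the spirit of the tracing described above: it wraps String.fromCharCode and eval so every call, argument and result is logged, then runs a constructed obfuscated snippet through it so the decoded string and the eval'd code surface in the trace. The function names, the hook set and the sample are assumptions.

```javascript
// Added example, not Joe Sandbox code: a tiny Javascript instrumentation
// harness. Selected global functions are wrapped so each call, its
// arguments and its result are recorded; a constructed obfuscated sample
// then runs through it and the hidden material appears in the trace.

const trace = []; // one entry per instrumented call: { name, args, result }

// Replace obj[name] with a wrapper that logs the call, then delegates.
function instrument(obj, name, label) {
  const original = obj[name];
  obj[name] = function (...args) {
    const result = original.apply(this, args);
    trace.push({ name: label, args: args.map(String), result: String(result) });
    return result;
  };
  return original; // kept so the harness can still run code itself
}

// Hook the primitives that obfuscated scripts lean on most (assumed set).
instrument(String, "fromCharCode", "String.fromCharCode");
const directEval = instrument(globalThis, "eval", "eval");

// Run sample text in the instrumented global scope (indirect eval).
function runSample(code) {
  trace.length = 0;
  (0, directEval)(code);
  return trace;
}

// Deobfuscated material: every string built by fromCharCode and every
// code string handed to eval.
function deobfuscate(code) {
  const t = runSample(code);
  return {
    strings: t.filter((e) => e.name === "String.fromCharCode").map((e) => e.result),
    evaled: t.filter((e) => e.name === "eval").map((e) => e.args[0]),
  };
}

// Constructed sample (not real malware): builds "hidden" from char codes,
// then eval's code that uses it.
const SAMPLE = [
  "var p = String.fromCharCode(104,105,100,100,101,110);",
  "eval('var revealed = p + \"-payload\";');",
].join("\n");

const result = deobfuscate(SAMPLE);
console.log(JSON.stringify(result, null, 2));
```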

LIA - Localized Internet Anonymization

Targeted malware often checks for IP geolocation information. For instance, malware targeting a US corporation might check that the IP belongs to an Internet provider in the US. Further, the IP owner can be compared to known blacklists:

To circumvent geolocation checks we added Localized Internet Anonymization (LIA) to Joe Sandbox v20. With LIA Joe Sandbox users can choose from various countries when they submit a sample:

Reboot & Scheduler Simulation

We see more and more payloads which only execute on reboot or on specific days. To analyze those payloads Joe Sandbox v20 comes with an advanced reboot and scheduler simulation:

Please note that Joe Sandbox simulates a reboot in seconds; the analysis machine is not actually rebooted. Other solutions perform a full reboot, which takes several minutes.

Web API v2

We completely redesigned our Web API. API v2 has consistent JSON output, excellent error handling, support for Python > 2.7 and is much easier to use. We also rewrote the Python wrapper. You can find a complete Python web API implementation in our Github Repository.

Collider Navigation

Thanks to Deep Malware Analysis, Joe Sandbox analysis reports contain a wealth of information. Sometimes it is difficult to navigate such a large amount of data. To make navigation easier we added a new control - the collider. The collider is accessible via the top menu bar:

Since the report data is structured hierarchically, one can easily move from broad overview to details, e.g. from behavior signatures to behavior groups, or from dropped files to the Yara overview. One can also easily jump from network to execution graphs or processes.

Android Device Admin Automation

Android malware often requests device administrator privileges. So far Joe Sandbox could not grant device admin privileges to APKs. With v20 this is now possible. We added automation code that clicks through the dialogs:

As a result, the analysis contains more behavior, better detection, and more runtime information.

Threat Intelligence

Joe Sandbox v20 benefits from threat intelligence via Joe Sandbox View. Joe Sandbox View is a search engine backed by a collection of high-value IOCs and threat indicators shared by Joe Sandbox Cloud users. Context information is available in a new section of the Joe Sandbox v20 report:

Final Words

In this blog post we demonstrated some of the major features, but Joe Sandbox 20 contains many more new features, such as:

  • New Yara section in reports
  • Yara scanning of unpacked PE files
  • A new load balancing script
  • IDA Pro Bridge Plugin support for x64 dumps
  • Support for CRT files
  • Randomization of sample names
  • Dropped file preservation for Android in reflective calls
  • Icons for process startup
  • New cookbook commands for fake printer, fake bookmarks, and fake documents
  • Cookbook parameters

What is next? We have an amazing pipeline of new technologies and features! Stay tuned!

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!