Tuesday, February 13, 2018

Deep Malware Analysis with Joe Sandbox 21 - Sapphire



Now, in the middle of Q1, we are happy to release our newest and greatest Joe Sandbox version with the code name Sapphire!

Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Sapphire a couple of weeks ago.

If you want to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation now, please perform:

mono joeboxserver.exe --updatefast

In this blog post, we will show some of the enhancements and features of Sapphire.

80 New Behavior Signatures


The new signatures include detections for Spectre, Meltdown, various new CVEs, coin miners, DNS hijackers, Loapi and more:

Spectre

DNS Hijacker

Loapi

The new signatures enable analysts to spot and catch the latest security threats!

Remote Assistance


Because automating the execution of some malware is complex, we added a remote assistance feature. With remote assistance, analysts can connect to the analysis machine via VNC and start samples manually. They can also dismiss security warnings:

Remote Assistance Option

Connect to Analysis Machine

Perform Remote Assistance

Please note that VNC has been integrated directly into the Joe Sandbox web interface, so there is no need to install a VNC client. Remote Assistance is also very useful for detecting credit card scams:





Template based Phishing Detection


We strengthened the phishing detection with a template engine. The template engine searches the phishing page for a known template (usually a brand image):

Phishing Page

Template

Template Match

Template-based phishing detection increases the chances of catching targeted phishing attacks. Analysts can easily add their own brand templates and images. Interested? Read more about template-based phishing detection in our recent blog post.

Analysis Report Improvements


Sapphire includes a lot of new graphics, visualizations and report-specific improvements. They all make it easier to understand complex threat data:


API groups per Hybrid Code Analysis function


Call Graph for Hybrid Code Analysis

Per Hybrid Code Analysis function CFG Graph

Restructured Dropped File Section

Please note the entropy value, which is very effective for detecting ransomware!
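To illustrate why entropy helps here, the following added example (not code from Joe Sandbox) computes the Shannon entropy of each dropped file and flags those whose byte distribution looks encrypted. The 7.5 bits-per-byte threshold, the minimum size and the sample files are assumptions constructed for the demonstration.

```python
import math
import random
from collections import Counter

# Threshold and minimum size are assumptions for this example: encrypted or
# compressed content sits close to 8.0 bits per byte, while plain text and
# most uncompressed executables stay well below 7. Tiny files are skipped
# because a handful of bytes cannot give a meaningful entropy estimate.
HIGH_ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_dropped_file(name: str, data: bytes) -> dict:
    """Describe one dropped file and flag it if it looks encrypted."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 3),
        "suspicious": len(data) >= MIN_SIZE and ent >= HIGH_ENTROPY_THRESHOLD,
    }


def triage(dropped: dict) -> list:
    """Return the names of dropped files whose entropy suggests encryption.
    High entropy alone is a heuristic: packed binaries, archives and media
    files also score high, so a hit should be read together with the file
    name (e.g. a renamed document) and the behavior that produced it."""
    results = (classify_dropped_file(n, d) for n, d in dropped.items())
    return [r["name"] for r in results if r["suspicious"]]


# Constructed sample "dropped files" standing in for a sandbox report; a
# seeded PRNG fakes the output of ransomware encrypting a document.
_rng = random.Random(1)
SAMPLE_DROPPED = {
    "readme.txt": b"All your files have been encrypted. " * 40,
    "report.docx.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "config.ini": b"[settings]\nupdate=1\n" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLE_DROPPED.items():
        print(classify_dropped_file(name, data))
    print("ransomware suspects:", triage(SAMPLE_DROPPED))
```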

HTTP Sessions

Behavior Graphs for analysis on macOS


Support for analysis on macOS High Sierra


Analyse binaries on the latest macOS version:


Support for analysis on Android 7.1 Nougat


Analyse binaries on the recent Android 7.1 release:


Dynamic Instrumentation for Android


With Dynamic Instrumentation, Joe Sandbox instruments and analyses dynamically loaded DEX code, enabling deep insights into the latest Android threats:



Want to learn more about Dynamic Instrumentation? Read more about it in this blog post.

Final Words


In this blog post, we introduced some of the major features of the Sapphire release. Furthermore, minor features include:

  • IOC logging via Syslog
  • VT / Metadefender score for analysis overview
  • Redesign of the submission page configuration
  • Integration with Viper
  • Integration with Malsub
  • SSL key extraction
  • Button click list for Android
  • Jbxbalancer API script
  • ACE unpacking
  • Fine-grained status information during analysis
  • Backjumping in the HTML analysis report

What is next? We have an amazing pipeline of new technologies and features! Stay tuned!