Wednesday, February 5, 2020

Joe Sandbox v28 Lapis Lazuli

During this winter, we have not been freezing but rather working hard to provide you with the world's most powerful malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 28 under the code name Lapis Lazuli! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!





Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Lapis Lazuli.


If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast


Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Lapis Lazuli features.


304 new Signatures


With these brand new behavior and Yara signatures, Joe Sandbox is able to precisely detect various malware families like Emotet, Trickbot, AgentTesla, NanoCore, Ursnif, HawkEye, AZORult, Remcos, Adwind, Raccoon and many more.





Sigma Support


A major new feature of Lapis Lazuli is the support for Sigma.





Sigma is a generic and open signature format to detect malware and other security-related events in log files. With the integration into Joe Sandbox, analysts can use existing Sigma signatures (~330) to detect malicious behavior.





Further, analysts can write their own signatures and use them in Joe Sandbox as well as in several other ESR tools. Joe Sandbox v28 features a Sigma editor which also allows synchronizing rules directly from GitHub:
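As an added illustration of how a Sigma rule is evaluated against sandbox-style process events (this is not code from the Joe Sandbox release or from the Sigma project), the following Python snippet runs one constructed rule over constructed process-creation events; the rule title, field values and paths are all made up for the example.

```python
from fnmatch import fnmatch
# Constructed Sigma-style rule, written as a dict that mirrors the YAML layout.
RULE = {
    "title": "Office application spawning a script interpreter",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": ["\\wscript.exe", "\\cscript.exe", "\\powershell.exe"],
        },
        "filter": {"CommandLine|contains": "\\approved_addin\\"},
        "condition": "selection and not filter",
    },
}

# Sigma field modifiers handled here; values are compared case-insensitively.
OPS = {"": fnmatch, "contains": lambda v, p: p in v,
       "endswith": str.endswith, "startswith": str.startswith}

def field_matches(value, modifier, patterns):
    """One field: a list of patterns is an OR; unmodified values may use * wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    v = str(value).lower()
    return any(OPS[modifier](v, str(p).lower()) for p in patterns)

def search_matches(search, event):
    """Every field inside one search identifier must match (AND)."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier, patterns):
            return False
    return True

def rule_matches(rule, event):
    """Supports the conditions 'selection' and 'selection and not filter'."""
    det = rule["detection"]
    hit = search_matches(det["selection"], event)
    if det["condition"] == "selection and not filter":
        hit = hit and not search_matches(det["filter"], event)
    return hit

# Constructed process-creation events, using the field names Sigma rules expect.
EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Temp\\inv.js"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\approved_addin\\sync.js"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe setup.js"},
]
```

Only the first event fires: the second is suppressed by the filter, the third fails the parent-process selection.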










Lapis Lazuli includes 46 new Sigma rules, and the even better news is that Joe Security has made them available for the community:





If you want to learn more about the Joe Sandbox Sigma integration please have a look at this blog post.



18 Malware Configuration Extractors


Malware often includes configuration data such as C&C IPs, domains and modules to load. Lapis Lazuli features 18 extractors for most common malware families:




Configuration data is shown in the "Malware Configuration" section of the HTML or PDF report:






as well as in the malwareconfigs section in the XML or JSON report: 





New Analysis Detail Page


The analysis detail page lists high-level information on the analysis such as the verdict, threat names, and classification. In Lapis Lazuli we completely redesigned it, so that analysts can access all essential data at one glance:




 






Deep .NET Tracing


Today's malware, droppers and other threats targeting Windows come in various "form-factors". These can be an obfuscated JavaScript file, a malicious VBA macro, a JAR payload, etc. In 2019 and early 2020 we have seen an increase in malware using the .NET Framework.

Deep .NET Tracing extends Joe Sandbox's multi-technology stack with a very fine-grained tracing technology for samples using the .NET Framework:




With Deep .NET Tracing analysts can understand in detail the inner workings of malware samples. Deep .NET Tracing needs to be enabled via the Code Analysis tab:






Trace logs including all .NET API calls with arguments can be downloaded from the analysis detail page:








You will find more information about Deep .NET Tracing in one of our latest blog posts: Dissecting Agent Tesla with Deep .NET Tracing.


Remote Assistance for Joe Sandbox Mobile and Linux


Yes, Lapis Lazuli is bringing Remote Assistance to Joe Sandbox Mobile and Linux. With Remote Assistance you can click through an attack manually by using the mouse and the keyboard:










MITRE ATT&CK mappings for Android and iOS


MITRE ATT&CK mappings already exist for Windows, Linux, and Mac. Lapis Lazuli includes mappings for Android and iOS:




Final Words


In this blog post we have presented the most important features of Joe Sandbox Lapis Lazuli, but there are some other very interesting features on top:

  • Added threat names to e-mail notifications
  • Added download button for all screenshots
  • Added more process information
  • Improved IE, FF and Chrome analysis performance
  • Improved Remote Assistance performance in general
  • Improved analysis of Google Drive URLs
  • Improved startup of samples with user permissions

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!