Monday, February 1, 2021

Joe Sandbox v31 - Emerald

Today we release Joe Sandbox 31 under the code name Emerald! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!






Our Joe Sandbox Cloud Pro, Cloud Basic and OEM servers have recently been upgraded to Emerald.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast


Even though we are delighted about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Emerald features.


213 new Signatures


With these brand new behavior, YARA and Sigma signatures, Joe Sandbox precisely detects malware families such as FickerStealer, SnakeKeylogger, Egregor, Babuk, Novter, TriumphLoader, Wapomi, Citadel, ModiLoader, Strongpity, Ranzylocker, RunningRAT, Vaggen, Nitol, ElectroRAT, Lazagne and many more. In addition, we added more malware configuration extractors, e.g. for FormBook:






We also added detection signatures for the backdoors used in the SolarWinds breach, such as SUNBURST and SUPERNOVA:



IOC Reports


Say hello to our brand new IOC report! This report gives you a concise overview of all the IOCs found in an analysis. It is available as HTML (direct link on the analysis page) as well as XML and JSON:





For each IOC, the analysis details, all matching behavior signatures and MITRE ATT&CK techniques are listed:




The IOC Report is very extensive and includes:

  • All contacted IPs, Domains and URLs
  • All created or modified files
  • All created or modified registry keys
  • All processes
  • All memory dumps
  • All DOM trees (from URL / phishing detection)
For multi-run analyses, e.g. if an analyst uploads the same sample to multiple analyzers, the IOC report includes the IOCs from all runs.
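The JSON flavour of the IOC report is the one you will most likely feed to other tooling. The script below is an added example, not Joe Sandbox code: it walks a report, pulls out the contacted IPs, domains and URLs, drops the sandbox's own plumbing addresses (loopback, RFC 1918) and emits a defanged blocklist. The report's JSON schema is not documented on this page, so the walker is deliberately schema-agnostic (it classifies every string in the document by shape), and SAMPLE_REPORT is a constructed stand-in with invented field names. One consequence of that approach, handled below, is that file names such as invoice.exe look like hostnames and must be filtered out.

```python
"""
Added example (not Joe Sandbox's own code): extract network IOCs from the
JSON IOC report and print them as a deduplicated, defanged blocklist.

The real report schema is not documented here, so every string in the
JSON tree is visited and classified by shape. SAMPLE_REPORT is constructed
for illustration; its field names are assumptions.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

SAMPLE_REPORT = json.dumps({
    "analysis": {"id": 123456, "sample": "invoice.exe"},
    "iocs": {
        "ips": ["10.0.0.5", "203.0.113.7", "127.0.0.1", "203.0.113.7"],
        "domains": ["example-c2.test", "localhost", "update.example.net"],
        "urls": ["http://example-c2.test/gate.php", "https://203.0.113.7:8080/x"],
    },
})

# Addresses the analyzer itself talks to (loopback, RFC 1918, link-local,
# multicast). Anything here is sandbox plumbing, not attacker infrastructure.
# The RFC 5737 TEST-NET range used by the constructed sample is deliberately
# not listed so that the sample yields one "external" hit.
NOISE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

# A schema-agnostic walk mistakes file names ("invoice.exe") for hostnames;
# drop strings whose last label is a common file extension.
FILE_EXTENSIONS = {"exe", "dll", "sys", "scr", "bat", "ps1", "vbs", "jar",
                   "doc", "docx", "xls", "xlsx", "pdf", "rar", "txt", "log",
                   "ini", "tmp", "dat", "bin", "lnk"}

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def iter_strings(node):
    """Yield every string value found anywhere in a parsed JSON tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def is_noise_ip(ip):
    """True for addresses the sandbox infrastructure itself uses."""
    return any(ip in net for net in NOISE_NETWORKS)


def classify(text):
    """Return (kind, value) for an IP, domain or URL string, else None."""
    text = text.strip()
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        pass
    else:
        return None if is_noise_ip(ip) else ("ip", str(ip))
    if HOSTNAME_RE.match(text):
        if text.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
            return None
        return ("domain", text.lower())
    try:
        parts = urlsplit(text)
    except ValueError:  # malformed IPv6 literal in the authority part
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return ("url", text)
    return None


def extract_indicators(report_json):
    """Parse the report; return {'ip': [...], 'domain': [...], 'url': [...]}."""
    found = {"ip": set(), "domain": set(), "url": set()}
    for text in iter_strings(json.loads(report_json)):
        hit = classify(text)
        if hit is None:
            continue
        kind, value = hit
        found[kind].add(value)
        if kind == "url":
            # The host behind a URL is an indicator in its own right and, if
            # it is an IP, still has to pass the noise filter.
            host_hit = classify(urlsplit(value).hostname or "")
            if host_hit:
                found[host_hit[0]].add(host_hit[1])
    return {kind: sorted(values) for kind, values in found.items()}


def defang(value):
    """Make an indicator safe to paste into tickets or chat."""
    return (value.replace("http://", "hxxp://")
                 .replace("https://", "hxxps://")
                 .replace(".", "[.]"))


def blocklist(report_json):
    """Defanged, one-indicator-per-line text block."""
    indicators = extract_indicators(report_json)
    return "\n".join(defang(v) for kind in ("ip", "domain", "url")
                     for v in indicators[kind])


if __name__ == "__main__":
    print(blocklist(SAMPLE_REPORT))
```

Once the actual report layout is known, replace the shape-based classifier with a walk over the specific fields; until then, keep the noise and file-extension filters, because a sandbox report always contains loopback/RFC 1918 addresses and file names that a naive extractor would otherwise ship to your firewall.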

Compliance Score


Application validation, the process of testing software for compliance issues or potential backdoors before it is installed on endpoints, is an important task for security analysts. With Joe Sandbox v30 we introduced large file support: analysts can upload samples of up to 500MB. With Joe Sandbox v31 we added several new signatures that measure the compliance of software installers:



In addition, the report includes a new compliance score for quick identification:




URL Analysis with Chrome


Internet Explorer, the default browser for Joe Sandbox URL analysis, is deprecated and does not render modern web pages correctly. Joe Sandbox v31 therefore adds support for URL analysis with Chrome, which successfully browses modern phishing pages. Analysts can choose between IE and Chrome in the submission tab:




URL analysis in Chrome is fully automated: Joe Sandbox follows links and applies its AI-based phishing detection engine. Analysts can also use Remote Assistance / Live Interaction to browse a URL manually in Chrome:




An additional benefit of URL analysis with Chrome is that you can download the HTML DOM tree used for phishing detection:




Memory Dumping for macOS and Linux


Memory dumps are a great source for detection since they contain the unpacked code. We introduced memory dumping for Windows several years ago and have now added it to the macOS and Linux analyzers. Here are some detections on memory dumps from Linux / macOS analyses of recent threats:







SSO Support


Single Sign-On (SSO) is a convenient enterprise feature: end users authenticate once with a central identity provider and can then access multiple applications without presenting a separate password to each of them. With Joe Sandbox v31 Emerald we implement SSO support via OpenID Connect. Joe Sandbox acts as an OpenID Connect relying party and is connected to an Identity Provider (IdP) which handles the authentication, so user credentials are managed by the IdP rather than by Joe Sandbox itself.


Final Words


In this blog post, we have presented the most important features of Joe Sandbox Emerald, but there are several other interesting features as well:

  • Integration with SlashNext
  • Parsing of IOCs from malware configuration data
  • Additional OCR based phishing detection
  • Option to start sample automatically during Remote Assistance / Live Interaction
  • Download of DOM trees for URL analysis
  • Intelligent analysis time extension
  • Unpacking support for XZ archives
  • Support for vSphere SDK API
  • Configurable RDTSC NOP patching

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!