Wednesday, October 2, 2019

Joe Sandbox 27.0.0 - Red Agate is out!

Over the last couple of months, we have been listening to your feedback and working hard to provide you with the world's most powerful malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 27 under the code name Red Agate! This release is packed with brand new features and improvements, designed to make malware analysis deeper and more precise than ever!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Red Agate recently.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Red Agate features.

163 new Behavior Signatures

With these brand new signatures, Joe Sandbox is able to precisely detect various malware families such as MegaCortex, Dridex, Ryuk, CrescentCore, NetWire, Watchbog, Necro and many more.

2986 Community Yara Rules

There is a large number of community Yara rules out there. We took all of them and built a selection by checking them for performance and false positives (FPs). The final selection of 2'986 rules has been included in Red Agate and greatly increases the detection and malware classification capabilities of Joe Sandbox.

47 Custom Yara rules

Red Agate also includes 47 new custom rules. Those rules are written by Joe Security's threat intelligence analysts and extend the community rules:

Web Push Notifications

The Web Interface now features Push Notifications. Push notifications are very useful in notifying end-users as soon as an analysis is finished or an analyzer is ready for remote assistance:

Joe Sandbox will ask you to enable Push Notifications once during submission, and you can also enable or disable them later on in your user settings.

Threat Names

Threat Names have been added in order to easily identify which threat has been detected by Joe Sandbox. Threat Names are shown in the analysis overview page as well as inside the report:

Intelligent Analysis

Particular samples often require command-line arguments to execute properly and show their malicious behavior. Others need to be run as part of a service. For these specific cases, Joe Sandbox will automatically re-analyze the sample with the right action, tremendously increasing the execution success rate.

Joe Sandbox Detect

Joe Sandbox Detect is a powerful endpoint client which detects suspicious files delivered via targeted attacks or spear-phishing campaigns. It directly leverages the power of Joe Sandbox Red Agate.

If you want to learn more about Joe Sandbox Detect please have a look at this blog post.

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Red Agate, but there are some other very interesting features on top:

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, September 3, 2019

Joe Sandbox + Carbon Black

We are happy to release today the Joe Sandbox - Carbon Black connector! With the connector, Carbon Black Response users benefit from automated deep malware analysis with Joe Sandbox. The connector will submit suspicious files detected by Carbon Black to Joe Sandbox for deeper analysis and will import the generated threat intelligence data into Carbon Black.

You can find our Carbon Black connector as well as the installation guide in our GitHub repository:

Deep Threat Intelligence

Once you have completed the installation you can search for malicious detections via the Binary Search. Click on Add Criteria and then select Joe Sandbox Score:

The Joe Sandbox Score is an indicator of how the behavior has been rated by Joe Sandbox: 0 means no malicious behavior, while 100 is very malicious. In the new form, you can define whether you would like to search, for example, for all binaries with a Joe Sandbox Score greater than or equal to X:

A score greater than or equal to 50 means the sample shows malicious behavior. For our current example, Carbon Black found a binary with a score greater than or equal to 50 on one endpoint:

Clicking on the hash link provides us with more information on the binary:

We have the Joe Sandbox Score of 100 at the top right. Via the View on joesandbox link we can open up the analysis report:

Since we know now that this is Agent Tesla we can easily block the binary thanks to Carbon Black on all our endpoints with a single click:


Wouldn't it be nice to automatically be alerted as soon as Carbon Black detects a new binary on the endpoint and Joe Sandbox detects it as malicious? This you can achieve by creating a Watchlist. To create one, open Watchlists on the main menu and then use the query "cb.q.alliance_score_joesandbox=[50 TO *]":

Finally, select how you would like to get alerted.

Joe Sandbox and Carbon Black - a powerful combination

Thanks to the Joe Sandbox Carbon Black connector, cyber security analysts using Carbon Black benefit from the deep malware analysis done by Joe Sandbox. This makes it possible to detect and block zero-day and targeted attacks.

Do you want to try Joe Sandbox and use the Joe Sandbox Carbon Black connector? Request a free Joe Sandbox Cloud Pro trial now!

Tuesday, August 20, 2019

Joe Sandbox Detect - the Cloud backed Endpoint Sensor

Today, we are proud to showcase Joe Sandbox Detect. In a nutshell, Joe Sandbox Detect is a configurable endpoint sensor with Joe Sandbox Cloud as its backend. What is an endpoint sensor, and why does my organization need one? This blog post addresses those questions.

Endpoint Overloading

Detecting malware on endpoints is a hard job. Endpoint security vendors have to make sure not to consume too many resources, not to interrupt end-users, not to weaken security and not to conflict with other endpoint security tools. This, of course, limits the effectiveness of malware detection.

Holy Cloud

The best solution to escape those limitations is to move the malware detection to the Cloud. As a result, the agent is light-weight, with very little resource consumption, high security and good compatibility. The malware detection in the Cloud has access to massive computing resources and will not slow down the endpoint. This design increases the effectiveness of malware detection massively.

Joe Sandbox Detect is a slim endpoint sensor which utilizes Joe Sandbox Cloud for malware detection. Joe Sandbox is the industry's deepest malware analysis engine. It uses a combination of static and dynamic malware analysis (sandboxing) to detect even the most sophisticated malware.

Malware Entry Points

Deep malware analysis is great, but it also takes time to analyze a file in depth. Thus, it is not possible to analyze every file on an endpoint. To address this challenge, Joe Sandbox Detect includes configurable filters. By default, those filters select only files which might contain code and which are created by applications known to be malware entry points (e-mail clients, web browsers, etc.).

Filters can be set during installation via command-line arguments.

Notifications and Alerts

Let us assume a user has opened a potentially malicious Microsoft Word document via Thunderbird or Outlook:

Joe Sandbox Detect is monitoring e-mail clients for the creation of Microsoft Office documents. Therefore Ferreria's Quote.doc is uploaded to Joe Sandbox Cloud for deep inspection. Joe Sandbox Cloud analyzes the file and, once completed, will first alert the security team. Joe Sandbox Cloud includes configurable filters for alerts. For instance, the security team can choose to have an alert sent only for malicious detections, or only for certain file types:

The security team can also access the analysis data, including IOCs, and see from which endpoint and application the file originates:

IOCs can be used to block malware on endpoints and to search other endpoints for existing infections. Detailed behavior information makes it possible to understand whether the threat has spyware, spreading or ransomware functionality.

After alerting the security team the end-user is also notified. This notification is configurable and can also be disabled. End-users can also open the management report which contains only high-level information:

Privacy - Encrypted Analysis

Because Joe Sandbox Detect might also analyze documents which contain confidential information, privacy is extremely important. We recently outlined in a blog post what privacy features Joe Sandbox Cloud implements. Encrypted Analysis is one of these features, and Joe Sandbox Detect uses it as well. Whenever Joe Sandbox Detect uploads a file and the analysis is completed, Joe Sandbox Cloud encrypts all data, including the file, IOCs, reports, etc., with a random password. Encrypted analyses are indicated with the small lock icon:

The password for encryption is only kept on the end-point. Therefore, Joe Security can no longer access the analysis data. Security teams can decide to use a single, unique encryption password for all their endpoints during the installation of Joe Sandbox Detect. End-users can also copy the password and share it with the security team on purpose:

Encrypted analyses provide the strongest privacy and are a unique feature of Joe Sandbox Cloud. You don't trust cloud services at all? Joe Security also offers on-premise products which work with Joe Sandbox Detect as well as Joe Sandbox Cloud does.

Manual Submissions

Automated analysis is great, but there is also the use case where an end-user suspects an e-mail is malicious, does not open the attachments, and still wants to check whether the suspicion is right. To address this, Joe Sandbox Detect includes an optional small bar which shows up on the Desktop. End-users can drag and drop e-mails onto this bar for analysis by Joe Sandbox Detect:

This also works for files on USB sticks. The same alerts and notifications are sent as for an automated analysis. These analyses are also encrypted.

Enhancing your Endpoint Security

Joe Sandbox Detect is a unique endpoint sensor with the following feature set:

  • Leverages Joe Sandbox Cloud for in-depth malware analysis
  • Configurable filters to define what is analyzed and what not
  • Extensive alerting for SOCs
  • Complete privacy due to encrypted analyses
  • Extremely low resource consumption
  • Compatible with any other endpoint security solution
  • Convenient manual submissions
  • Parameterized MSI installer for easy deployment

Want to try Joe Sandbox Detect and test its malware detection capabilities? Contact us today for a trial or an in-depth technical demo!

Tuesday, July 23, 2019

Security and Data Privacy in Joe Sandbox Cloud

Cloud-based solutions, especially in the malware detection and analysis field, are well known to use and exploit the uploaded data for commercial purposes. For instance, any malware sample uploaded to the world's most popular online virus scanner can be shared with third parties, including customers, antivirus vendors, etc.

At Joe Security, we take data privacy extremely seriously. By default, Joe Security does not share any malware sample or any IOCs with third parties. In addition, we have implemented various technical privacy protection measures for Joe Sandbox Cloud that we will present in this blog post.

Infrastructure and Server Security 

Major parts of Joe Sandbox Cloud Pro are hosted in data centers which are DIN ISO/IEC 27001 certified. The certification proves that the data center operator upholds strict information security standards. For example, there is strong access control for physical access to our servers.

We monitor all our servers for physical and virtual intrusions, and we apply security patches and take backups regularly. Joe Sandbox Cloud Pro has failover capability since we run a shadow copy of the complete system. To prevent DDoS attacks, our Cloud is protected by one of the largest web proxy and content delivery networks. We enforce least-privilege access on our servers via permissions, containers and virtualization. Professional penetration tests are run against our server infrastructure on a regular basis.

Data Privacy

All malware samples, as well as any analysis results such as IOCs and behavior information, are private. The data is encrypted at rest, and we grant our customers full access rights to their data. This includes the right to delete it. Once a customer deletes an analysis, all data is securely deleted in near real time!

Configurable Data Retention Policy

To make deletion even easier, Joe Sandbox Cloud Pro features a configurable data retention policy. When you submit a malware sample for analysis you can define how long Joe Sandbox Cloud shall keep the sample and the associated data until it is deleted:

You can set a value of 1 which will result in automated data deletion after one day. The date of deletion is visible in the analysis detail overview:

Encryption of Analysis Data

Another data protection feature we recently introduced is analysis encryption. Customers can specify a password during the submission of the malware sample. This password is used to encrypt (AES-256) all data, including the sample and all associated information, once the analysis is complete. The password is then erased from the Joe Sandbox Cloud server. As a result, only the customer can decrypt the data. The malware sample and analysis data stay unencrypted only for the duration of the analysis.

Encryption of analysis data provides the strongest possible data protection for an automated malware analysis solution.

Web Security

Let us also have a look at the web security of Joe Sandbox Cloud Pro. It is protected by a WAF (Web Application Firewall) and uses HTTPS / TLS 1.2 for transport encryption (SSL Labs grade A). All passwords are salted and stored hashed. The web application database encrypts sensitive fields, so direct database access alone does not expose them. Users can enable two-factor authentication as well as security alerts to monitor access to their account. Accounts are locked if the wrong password is entered too many times (password brute-force prevention). To test all this, we have third parties perform regular penetration tests of the web application.

Best in Class Protection

Security and privacy are key features of an automated malware analysis system. If malware samples or IOCs are leaked, the bad guys instantly know that you detected their attack, killing the possibility of an active investigation.

As this blog post shows, Joe Sandbox Cloud Pro features a variety of best-in-class security and privacy protections. The configurable data retention policy, as well as the encryption of analysis data, are unique and increase the privacy protection of your data.

Want to try Joe Sandbox and test the data privacy features? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Tuesday, May 28, 2019

Joe Sandbox 26.0.0 - Aquamarine is ready!

We continue our endeavors to make Joe Sandbox the world's best malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 26 under the code name Aquamarine! This release is packed with brand new features and interesting enhancements based on our customers' precious feedback.

Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Aquamarine recently.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Aquamarine features.

108 new Behavior Signatures

With 108 new signatures, Joe Sandbox precisely detects the latest threats and evasions! This includes detection of SmokeLoader, xRAT, CobInt, AZORult, LockerGoga, MALXMR, OceanLotus v2, and more:

Report Tour

Sharing is caring! All the Joe Sandbox v26 behavior reports include a new feature which enables every analyst to add comments to the report. This way, you can build a Report Tour which outlines your interpretation of the analysis results. You can then easily share this new custom report with your colleagues and the security community:

Find more information on the Report Tour in one of our recent blog posts.

RDTSC Anti Evasion

RDTSC is a special CPU instruction which reads the Time Stamp Counter (TSC), a 64-bit register present on all x86/x64 processors. The time stamp counter allows very fine-grained time measurement. Malware often uses RDTSC to detect virtual machines. For instance, the special CPU instruction CPUID is intercepted by a virtual machine. Due to that, its execution takes longer than on real hardware. The difference in execution time is measured with the help of RDTSC:

Joe Sandbox v26 includes a new technology which bypasses virtualization detections that use RDTSC for execution time measurement:

As a result, malware using this check is no longer able to detect virtualization.

Locale Customization

The number of malware samples which only execute their payload on specific targets is increasing. In the last months we have seen more and more malware which checks the keyboard language, the locale (a language setting of Windows) as well as the localization setting (e.g. the country):

To make these malware samples execute their payload, we have added new locale submission settings:

Command Line Submission

More and more attacks no longer start with a malware file; instead, a domain controller is breached and a PowerShell command line is launched by the attacker on all end-points. To cover this scenario, we added a new Command Line submission option to Joe Sandbox Aquamarine:

Note: Please don't mix this up with the option for command-line arguments. That option adds an additional argument to a submitted sample (e.g. sample.exe \install).

The command line submission, together with PowerShell Script Block Logging (enabled by default on all Windows 10 analyses), also helps to deobfuscate command lines:

New Reports

We added a couple of new analysis reports, which are interesting for deep investigation, IOC extraction and hunting:

The Function Log Report contains all the low-level system call and Win32 API events in chronological order:

The AMSI Log Report contains raw data extracted via the Microsoft Antimalware Scan Interface (AMSI):

The Event Log Report is an XML file containing all Windows Event Logs:

Finally, the PowerShell Event Log is an XML file containing all events related to PowerShell, including Script Block Logging:
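Script Block Logging writes long scripts as several fragments that must be joined before the deobfuscated command line can be read. As an added example (not Joe Security's code), the following Python reassembles such fragments from an XML export in the Windows Event XML layout and reports blocks whose fragments are missing; the sample events and ScriptBlockId values are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows Event XML
SCRIPT_BLOCK_EVENT_ID = "4104"  # PowerShell Script Block Logging event

def _event(event_id, **data):
    """Build one event in the Windows Event XML layout (helper for the constructed sample)."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-PowerShell"/>'
            '<EventID>%s</EventID></System><EventData>%s</EventData></Event>'
            % (NS["e"], event_id, fields))

# Constructed sample log: block A is logged as two fragments, out of order; block B is
# missing two of its three fragments; the 4103 pipeline event must be ignored.
BLOCK_A = "11111111-1111-1111-1111-111111111111"  # placeholder ScriptBlockId values
BLOCK_B = "22222222-2222-2222-2222-222222222222"
SAMPLE_LOG = "<Events>" + "".join([
    _event("4104", MessageNumber=2, MessageTotal=2, ScriptBlockId=BLOCK_A,
           ScriptBlockText="Invoke-Expression $cmd"),
    _event("4104", MessageNumber=1, MessageTotal=2, ScriptBlockId=BLOCK_A,
           ScriptBlockText="$cmd = [Text.Encoding]::Unicode.GetString("
                           "[Convert]::FromBase64String($enc)); "),
    _event("4104", MessageNumber=1, MessageTotal=3, ScriptBlockId=BLOCK_B,
           ScriptBlockText="Get-Date"),
    _event("4103", Payload="CommandInvocation(Get-Process)"),
]) + "</Events>"

def _event_data(event):
    """Return the <Data Name=...> fields of one event's EventData as a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}

def reassemble_script_blocks(xml_text):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order.
    Returns (complete, incomplete): complete maps id -> full script text, incomplete
    maps id -> the fragment numbers that were actually logged."""
    fragments, totals = defaultdict(dict), {}
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != SCRIPT_BLOCK_EVENT_ID:
            continue
        data = _event_data(ev)
        sbid = data.get("ScriptBlockId")
        if not sbid:
            continue
        fragments[sbid][int(data.get("MessageNumber", "1"))] = data.get("ScriptBlockText", "")
        totals[sbid] = int(data.get("MessageTotal", "1"))
    complete, incomplete = {}, {}
    for sbid, parts in fragments.items():
        expected = range(1, totals[sbid] + 1)
        if set(parts) == set(expected):
            complete[sbid] = "".join(parts[i] for i in expected)
        else:
            incomplete[sbid] = sorted(parts)
    return complete, incomplete

if __name__ == "__main__":
    done, partial = reassemble_script_blocks(SAMPLE_LOG)
    print(done, "\nincomplete fragments:", partial)
```

Incomplete blocks are reported rather than silently joined, since a half-logged script block can hide the stage that actually matters.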

macOS Mojave Support

We added support for macOS Mojave:

This enables customers to run macOS malware on the latest macOS operating system.

Joe Sandbox ML

Dynamic analysis, also known as sandboxing, is great, but combining dynamic and static analysis is even better. This is why we have added Joe Sandbox ML, which is available as a plugin for Joe Sandbox Aquamarine. Joe Sandbox ML is a static file parser which uses the latest AI and machine learning techniques to detect malware:

With Joe Sandbox ML, Joe Sandbox detects more malware, especially if the malware does not show any malicious behavior (e.g. because the payload is no longer available on the C&C server).

You can find more information on Joe Sandbox ML in one of our recent blog posts.

Final Words

In this blog post, we introduced some of the major features of the Aquamarine release. Further minor features include:
  • Drag & Drop support for Sample Upload
  • Opcode based Yara rule downloads in report
  • Option to extend analysis time for Remote Assistance
  • Improved decoupling of the web application from the back end
  • New submission routes in Web API
  • SHA-1 and SHA-256 thumbprint for PE Authenticode certificates
  • STrace analysis for Android native binaries
  • Improved MITRE ATT&CK mapping

What is next? We have an amazing pipeline of new technologies and features, so stay tuned!

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!