Spider charts, Deep OLE, 950+ and more

Over the last couple of weeks, we have been very busy and have added new features to Joe Sandbox. In this post, we are going to show you our favorites. These features cross the complete space of malware analysis analysis and include new visualizations, analysis and more.

Generic Classification

In order to quickly determine the malicious payload we have added a spider chart visualization to the analysis report:

Joe Sandbox also generates a new classification label:

All classification figures are available in the Joe Sandbox reports (XML, JSON) as raw formats.  The complete classification algorithm is open and therefore enables customized tuning. Our spider charts help to quickly determine the type of the malware without requiring any in-depth technical understanding of the malware. By clicking on the malware icons you can get a detailed description. Besides the spider chart, we also introduced new pie charts for many analysis data as well as for the famous behavior graphs:

Example report:

• Joe Sandbox 13 Analysis 439bee4cbe16605193aa73e7bb75b731

Deep Static Analysis of OLE files

The static analysis includes code analysis and deobfuscation for VB macros. Documents with VB macros have become a common way to deliver payload to the end user system. With the new static code analysis deep analysis and detection of such malware is possible. 

WMI Analysis

WMI is an extensive interface on Windows to query information about the system. It is also difficult to intercept and analysis. Therefore, it is often used by malware to detect and fingerprint the analysis system. With the latest release of Joe Sandbox all WMI activity is captured.

Inspection of HTTPS Traffic

Full HTTPS traffic inspection has been added to Joe Sandbox Cloud. HTTPS analysis is also possible for URL analysis with IE.

950+ Behavior Signatures 

We have developed many new behavior signatures. Our complete set has currently over 950 signatures. Many of the new signatures are highly advanced:

USB Fake Drive

Want to see if malware infects USB drives? Want to see if malware spreads via network shares? No problem! We have functionality to create a USB fake drive:

Network shares are simulated with our Adaptive Internet Simulation Technology:

The features outlined are just a selection. There are various other extensions and improvements which were developed. We have also planned some great new features for 2016! So watch out!