Thursday, June 18, 2020

Joe Sandbox v29 - Ocean Jasper

Today we release Joe Sandbox 29 under the code name Ocean Jasper! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!


Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Ocean Jasper.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast
Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Ocean Jasper features.


447 new Signatures


With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like MassLogger, Bazar (team9 loader), Octopus Scanner, Devilshadow, Kaiji, Exile RAT, Crimson RAT, CloudSnooper, Lucifer Stealer, Wildlogger keylogger, DarkNexus, Blackclaw ransomware, Nefilim, Pedo Ransomware, Payday Ransomware, Avaddon Ransomware and many more.




ReversingLabs Integration


A major new feature of Ocean Jasper is the ReversingLabs integration. ReversingLabs TitaniumCloud customers can add their username and API key to Joe Sandbox and increase the detection precision:


Joe Sandbox Ocean Jasper checks all samples and dropped files against ReversingLabs TitaniumCloud.



Urlscan.io Integration


Another great feature of Ocean Jasper is the urlscan.io integration. With the integration enabled, Joe Sandbox customers will benefit from increased precision for phishing detection:


Excel Macro 4.0 Extractor and Deobfuscator


Excel 4.0 (XL4) macros are becoming increasingly popular for attackers, as security vendors struggle to play catch-up and detect them properly. We, therefore, decided to add a full extractor and deobfuscator to Joe Sandbox v29. The deobfuscated code can be found in the full report under Static - Macro 4.0:





Ocean Jasper also includes several signatures to detect malicious Excel 4.0 macros:





Enhanced Phishing Detection


We have enhanced our Phishing Detection in multiple areas. First, we added a new detection technology based on Internet Explorer cache files. The appearance of a specific image on a foreign web page is a good indicator for phishing. Thanks to the Internet Explorer caching we can easily blacklist images.




The Microsoft phishing page uses the following image resources:


In the Internet Explorer cache those resources can be easily found and blacklisted: 
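To illustrate the idea behind this detection (a known brand image served from a host that does not belong to the brand), here is a small added example; it is not Joe Sandbox code, and the blocklist hashes, hosts and cache entries are constructed placeholders:

```python
import hashlib
from urllib.parse import urlsplit

# Constructed placeholder for the bytes of a real brand image (e.g. a login-page logo).
# In practice the blocklist would hold hashes of the actual image files.
_BRAND_LOGO = b"<placeholder: microsoft login logo bytes>"

# Blocklist: image hash -> brand name and the hosts allowed to serve that image.
# Hypothetical values for this example.
KNOWN_BRAND_IMAGES = {
    hashlib.sha256(_BRAND_LOGO).hexdigest(): {
        "brand": "Microsoft",
        "allowed_hosts": ("microsoft.com", "live.com", "microsoftonline.com"),
    },
}

# Constructed cache entries as (URL the resource was fetched from, resource bytes).
SAMPLE_CACHE = [
    ("https://login.microsoftonline.com/img/logo.png", _BRAND_LOGO),   # legitimate
    ("https://login-verify.example/img/logo.png", _BRAND_LOGO),        # foreign host
    ("https://login-verify.example/img/bg.jpg", b"<unrelated image>"),  # not on the list
]


def host_allowed(host, allowed_hosts):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_hosts)


def scan_cache(entries):
    """Return the cache entries where a blocklisted brand image was served
    from a host outside the brand's allowed domains."""
    hits = []
    for url, data in entries:
        digest = hashlib.sha256(data).hexdigest()
        info = KNOWN_BRAND_IMAGES.get(digest)
        if info is None:
            continue  # not a known brand image
        host = urlsplit(url).hostname or ""
        if not host_allowed(host, info["allowed_hosts"]):
            hits.append({"url": url, "brand": info["brand"], "sha256": digest})
    return hits


if __name__ == "__main__":
    for hit in scan_cache(SAMPLE_CACHE):
        print(f"phishing indicator: {hit['brand']} image served from {hit['url']}")
```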





Secondly, AI-based Phishing detection has been made available for Remote Assistance (Live Interaction). This enables analysts to detect phishing pages for cases where link browsing is hard to automate:


Easy submission of Malware Bundles


Sometimes analysts come across a malware sample that only runs with dependency files, e.g. a malware.exe requiring a DLL in the same folder. Previously, analysts were required to submit a cookbook for launching the malware.exe together with the DLL. With Ocean Jasper this is now super easy, thanks to a new file dialog:


Better Report Overview


We have completely redesigned the overview part of the full analyst report in Ocean Jasper. Analysts can now see all the key information at one glance:


Android 9.0 Support


Ocean Jasper comes with Android 9.0 support:




Final Words


In this blog post, we have presented the most important features of Joe Sandbox Ocean Jasper, but there are some other very interesting features on top:

  • Added analysis mode to boost performance
  • Added support for Windows 10 build 1903 and 1909
  • Added analysis and execution of DMG pre-install scripts (Zoom)
  • Added Yara scanning for unpacked AutoIt binaries
  • Added download-all option to the Web interface
  • Improved config extractor for Emotet
  • Improved performance for Remote Assistance
  • Large performance optimization for RDTSC time evasions
  • Large FP optimization for phishing detection

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!