Explore Joe Security Cloud Basic Accounts Subscribe to our Newsletters Contact Us
top title background image

Joe Security's Blog

Deep Malware Analysis with Joe Sandbox 22 - Mountain Crystal

Published on: 28.05.2018


Now, at the end of Q2, we are happy to release our newest and greatest Joe Sandbox version with the code name Mountain Crystal!






Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Mountain Crystal a couple of weeks ago.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileXComplete and Ultimate installation right away, then please run the following command:


mono joeboxserver.exe --updatefast

In this blog post, we will present some of the enhancements and new features of Joe Sandbox Mountain Crystal.


111 New Behavior Signatures


New signatures include detections for Process Doppelgänging, early Bird Code Injection, Tinynuke, Grandcrab, GravityRAT, Cobalt Strike Beacon, Gootkit, Crossrider  and more:






The new signatures enable analysts to spot and catch the latest security threats!

Java tracing for Java Archive (JAR) files


Malware written in Java has become very popular. Current malware analysis solutions can only trace Windows System and API calls. Therefore, Java API calls are hidden. To analyze Java APIs we added JAR Tracing to Mountain Crystal:


With JAR Tracing Joe Sandbox generically extracts the Adwind RAT configuration.



JAR Tracing also enables to detect any Java RAT for instance by analyzing the unpacking behavior:


Read more about JAR tracing in our recent blog post: Deep Analysis of Java Archives


Java Decompilation


JAR Tracing is great, however, for malware analysts, the source code is even better. That is why Mountain Crystal also decompiles JAR archives to source code:





The source code easily reveals all the details about the payloads, execution conditions, C&C communication and more.

Read more about JAR Decompilation in our recent blog post: Deep Analysis of Java Archives


Favicon based Phishing Detection


We further extend our template based Phishing Detection by using the Favicon of web pages. Favicons are the tiny little images you see in your browser tab. Phishing pages often reuse the original icons:





Favicon based Phishing Detection strengthens Joe Sandbox ability to generically detect password fishing. 

Behavior Animation


Wouldn't it be nice to see what is happing from a process, dropped files and network perspective? Mountain Crystal includes a new feature called Behavior Animation. In the screenshot section of the report, simply click in the center to start the animation:





On the right side, you will see the system behavior popping up. You can also easily use the slider on the left to jump to a later time. Behavior Animation also works for analysis on MacOS:




Final Words


In this blog post, we introduced some of the major features of the Mountain Crystal release. Furthermore, minor features are

  • New cookbook commands to start a sample as a user or with different integrity levels
  • New example cookbook to start a sample with different keyboard layouts
  • Stop Internet option for Android and Mac analysis
  • Logging of system power state
  • New sleep evasion based on sleep loops
  • Fast install mode for VMware
  • URL section in the report
  • Scanning of URLs with Virustotal and Metadefender
  • Javascript unpacking in PDF files
  • Ability to edit tags 
  • Slider to easily change the analysis time
  • Option to pass arguments to sample for Mac analysis
  • URL analysis on Mac
  • Recursive unpacking of EML and MSG files

What is next? We have an amazing pipeline of new technologies and features! Stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!