Now, at the end of Q2, we are happy to release our newest and greatest Joe Sandbox version with the code name Mountain Crystal!
Our Joe Sandbox Cloud Pro, Basic and OEM servers were already upgraded to Mountain Crystal a couple of weeks ago.
If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation right away, then please run the following command:
mono joeboxserver.exe --updatefast
In this blog post, we will present some of the enhancements and new features of Joe Sandbox Mountain Crystal.
111 New Behavior Signatures
New signatures include detections for Process Doppelgänging, Early Bird code injection, TinyNuke, GandCrab, GravityRAT, Cobalt Strike Beacon, Gootkit, Crossrider and more:
The new signatures enable analysts to spot and catch the latest security threats!
Java tracing for Java Archive (JAR) files
Malware written in Java has become very popular. Current malware analysis solutions trace only Windows system and API calls, so the Java API calls made by such malware remain hidden. To analyze Java APIs we added JAR Tracing to Mountain Crystal:
With JAR Tracing Joe Sandbox generically extracts the Adwind RAT configuration.
JAR Tracing also makes it possible to detect any Java RAT, for instance by analyzing its unpacking behavior:
JAR Tracing is great; for malware analysts, however, the source code is even better. That is why Mountain Crystal also decompiles JAR archives to source code:
The source code easily reveals all the details about the payloads, execution conditions, C&C communication and more.
Favicon based Phishing Detection
We further extend our template-based Phishing Detection by using the favicon of web pages. Favicons are the small images you see in your browser tab. Phishing pages often reuse the original icons of the brand they imitate:
Favicon-based Phishing Detection strengthens Joe Sandbox's ability to generically detect password phishing.
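To illustrate the idea behind favicon-based phishing detection, here is an added example (not Joe Sandbox code): it extracts the favicon reference from a page, hashes the icon bytes against a catalogue of known brand icons, and flags the page when the icon belongs to a brand but the host is not one of that brand's domains. The catalogue, the icon bytes and the domain lists are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-ins for real favicon bytes; a real catalogue would hash
# icons fetched from the genuine brand sites.
EXAMPLEBANK_ICON = b"<constructed favicon bytes for ExampleBank>"
MAILCO_ICON = b"<constructed favicon bytes for MailCo>"

# SHA-256 of a brand's genuine favicon -> (brand name, legitimate registered domains).
# Exact hashing only catches byte-identical reuse; a perceptual hash would also
# catch re-encoded or slightly resized copies.
KNOWN_ICONS = {
    hashlib.sha256(EXAMPLEBANK_ICON).hexdigest(): ("ExampleBank", {"examplebank.com"}),
    hashlib.sha256(MAILCO_ICON).hexdigest(): ("MailCo", {"mailco.net", "mail.co"}),
}

class IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"> and rel="shortcut icon" tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])

def favicon_urls(page_url, html):
    """Absolute favicon candidates declared in the page, plus the /favicon.ico default."""
    parser = IconLinkParser()
    parser.feed(html)
    urls = [urljoin(page_url, href) for href in parser.hrefs]
    urls.append(urljoin(page_url, "/favicon.ico"))
    return urls

def registered_domain(hostname):
    # Simplification: last two labels. Use the public suffix list in production.
    parts = hostname.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()

def classify(page_url, icon_bytes):
    """Return (verdict, brand): 'phishing' when a brand icon is served from a foreign host."""
    match = KNOWN_ICONS.get(hashlib.sha256(icon_bytes).hexdigest())
    if match is None:
        return ("unknown-icon", None)
    brand, domains = match
    host = urlsplit(page_url).hostname or ""
    return ("legitimate" if registered_domain(host) in domains else "phishing", brand)
```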
Behavior Animation
Wouldn't it be nice to see what is happening from a process, dropped-file and network perspective? Mountain Crystal includes a new feature called Behavior Animation. In the screenshot section of the report, simply click in the center to start the animation:
On the right side, you will see the system behavior popping up. You can also use the slider on the left to jump to a later point in time. Behavior Animation also works for analyses on macOS:
In this blog post, we introduced some of the major features of the Mountain Crystal release. Further minor features include:
- New cookbook commands to start a sample as a user or with different integrity levels
- New example cookbook to start a sample with different keyboard layouts
- Stop Internet option for Android and Mac analysis
- Logging of system power state
- New sleep evasion based on sleep loops
- Fast install mode for VMware
- URL section in the report
- Scanning of URLs with VirusTotal and MetaDefender
- Ability to edit tags
- Slider to easily change the analysis time
- Option to pass arguments to sample for Mac analysis
- URL analysis on Mac
- Recursive unpacking of EML and MSG files
What is next? We have an amazing pipeline of new technologies and features! Stay tuned!