Today we release Joe Sandbox 35 under the code name Citrine! This release is packed with many new detection signatures and interesting features to make malware detection even more precise!
or Ultimate installation right away, please run the following command:
mono joeboxserver.exe --updatefast
215 new Signatures
With these brand new Yara and Behavior signatures, Joe Sandbox is able to precisely detect various new malware families such as syslogk, BlackBasta, Record Stealer, Symbiote, SVCReady, PrivateLoader, BPFDoor, BumbleBee and many more. In addition, we added 9 Malware Configuration Extractors, including Allcome Clipbanker, Plead, ColdStealer, Jrat, QVoid Stealer, BlackGuard and Colibri, to name just a few:
We have also added coverage to detect the latest Microsoft Office RCE, Follina / CVE-2022-30190:
Custom Snort rules
Citrine brings custom Snort rules to Joe Sandbox. Snort rules enable analysts to detect malicious patterns in network traffic. Snort rules can now also be added directly via the web app in the Snort Editor:
Snort rule hits are shown in all analysis reports as well as in Live Interaction & Results:
Snort rules are applied not only to the full network capture but also to the decrypted HTTPS traffic! This helps to detect malware even in covert communication.
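To illustrate what "rules applied to the decrypted traffic" buys an analyst, here is an added example (not Joe Sandbox code, and not rules shipped with the product) that interprets a small subset of Snort rule syntax (header, `msg`, plain-text `content` and `sid`) and runs it over constructed payloads, one of which would only be visible after TLS decryption. The rules, flow names and payloads are all hypothetical values constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed, hypothetical rules for this illustration. Only plain-text content
# is supported here; real Snort rules also carry |hex| bytes, modifiers and PCRE.
RULES = [
    'alert tcp any any -> any 443 (msg:"Hypothetical beacon URI"; content:"/gate.php"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"Hypothetical exfil header"; content:"X-Bot-Id:"; sid:1000002;)',
]

# Constructed flows as a sandbox would see them after capture. The 443 flow is
# the decrypted TLS payload; without decryption only opaque records would exist.
FLOWS = [
    {"name": "decrypted-tls-443", "dport": 443,
     "payload": b"GET /gate.php?id=1 HTTP/1.1\r\nHost: c2.example\r\n\r\n"},
    {"name": "plain-http-80", "dport": 80,
     "payload": b"POST /upload HTTP/1.1\r\nX-Bot-Id: 42\r\nHost: drop.example\r\n\r\n"},
    {"name": "benign-80", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"},
]

_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
_OPTION = re.compile(r'(\w+):"?([^";]*)"?;')


def parse_rule(text: str) -> Dict:
    """Parse one rule line into a dict; raises on syntax this subset does not cover."""
    m = _HEADER.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = dict(_OPTION.findall(m.group("opts")))
    for required in ("msg", "content", "sid"):
        if required not in opts:
            raise ValueError("rule lacks option %r: %s" % (required, text))
    return {
        "proto": m.group("proto"),
        "dport": m.group("dport"),
        "msg": opts["msg"],
        "content": opts["content"].encode(),  # Snort content matches raw bytes
        "sid": int(opts["sid"]),
    }


def rule_matches(rule: Dict, dport: int, payload: bytes) -> bool:
    """Port filter from the header plus a byte-wise content search (case-sensitive, as Snort defaults)."""
    port_ok = rule["dport"] == "any" or rule["dport"] == str(dport)
    return port_ok and rule["content"] in payload


def scan(flows: List[Dict], rules: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (flow name, sid, msg) for every rule hit, in flow order."""
    hits = []
    for flow in flows:
        for rule in rules:
            if rule_matches(rule, flow["dport"], flow["payload"]):
                hits.append((flow["name"], rule["sid"], rule["msg"]))
    return hits


def run_demo() -> List[Tuple[str, int, str]]:
    return scan(FLOWS, [parse_rule(r) for r in RULES])


if __name__ == "__main__":
    for name, sid, msg in run_demo():
        print("%-20s sid:%d  %s" % (name, sid, msg))
```

The first hit exists only because the 443 flow is fed to the matcher in decrypted form; the same rule run over the raw capture would see TLS records and never match, which is the gap the unified decrypted view closes.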
Redesign of Submission Page
We completely redesigned and tidied up the submission page. Important options have been made more prominent, while advanced settings that are not required every day are initially hidden. This makes it much easier to navigate the page.
Finally, you can save your submission settings directly on this page using the green button at the end.
PCAP with single decrypted SSL / unified Traffic
Newly available as a download:
Video Capture
Analysts can now download a video capture of the full analysis. The video gives a finer-grained view than the existing screenshots, enabling the analyst to see exactly what happens:
LNK File Parser
LNK files are now statically parsed. All information is shown in the "Static File Info" section:
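As an added example of the kind of information a static LNK parser recovers (this is not Joe Sandbox's parser), the following Python reads the fixed 76-byte ShellLinkHeader from the MS-SHLLINK format, skips the optional LinkTargetIDList and LinkInfo structures, and decodes the StringData fields (name, relative path, working directory, arguments, icon location). It then applies two simple triage heuristics a defender would look at first: a shortcut that carries command-line arguments, and one that launches its target with a minimized, non-activated window. The sample shortcut is constructed in `build_sample_lnk()`; its paths and arguments are placeholders, not values from any real sample.

```python
import struct
import uuid
from typing import Dict, List

# CLSID that every Shell Link header must carry (stored little-endian in the file).
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def parse_lnk(data: bytes) -> Dict:
    """Parse the header and StringData of a Shell Link; raises ValueError on malformed input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=data[4:20])
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or CLSID)")
    flags, attrs = struct.unpack_from("<II", data, 20)
    file_size, icon_index, show_cmd = struct.unpack_from("<III", data, 52)

    pos = HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: uint16 size followed by that many bytes
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & 0x02:  # LinkInfo: uint32 total size at its own start
        linkinfo_size, = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size

    strings = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & 0x80:  # IsUnicode: UTF-16LE, count is in characters
            raw = data[pos:pos + 2 * count]
            pos += 2 * count
            strings[name] = raw.decode("utf-16-le")
        else:  # otherwise system default code page, one byte per character
            raw = data[pos:pos + count]
            pos += count
            strings[name] = raw.decode("cp1252", "replace")
        if len(raw) != (2 * count if flags & 0x80 else count):
            raise ValueError("truncated StringData field %s" % name)

    return {
        "flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "file_attributes": attrs,
        "file_size": file_size,
        "icon_index": icon_index,
        "show_command": SHOW_COMMANDS.get(show_cmd, "0x%X" % show_cmd),
        **strings,
    }


def triage(info: Dict) -> List[str]:
    """Return human-readable reasons a parsed shortcut deserves a closer look."""
    reasons = []
    if "HasArguments" in info["flags"] and info.get("arguments"):
        reasons.append("shortcut passes command-line arguments: %r" % info["arguments"])
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        reasons.append("target window is started minimized and not activated")
    return reasons


def build_sample_lnk() -> bytes:
    """Constructed sample shortcut (placeholder paths/arguments, no IDList or LinkInfo)."""
    flags = 0x08 | 0x10 | 0x20 | 0x80  # RelativePath, WorkingDir, Arguments, Unicode
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<II", flags, 0x20)          # FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                              # three FILETIME fields left zero
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)  # size, icon, SW_SHOWMINNOACTIVE, hotkey, reserved
    assert len(header) == HEADER_SIZE

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s("..\\..\\Windows\\System32\\cmd.exe") + s("C:\\Users\\Public") + s("/c echo placeholder")


if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk())
    print(info)
    print(triage(info))
```

The same header fields (LinkFlags, ShowCommand, the StringData paths and arguments) are what a "Static File Info" view surfaces, and they are available before the shortcut is ever executed, which is why static parsing complements the dynamic run.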
Citrine includes a static parser to extract Excel Macro 4.0 code. Joe Sandbox already extracts Macro 4.0 code dynamically; however, some Excel documents do not start correctly. Thanks to the static parser we can still detect suspicious code in those cases: