Today we release Joe Sandbox 29 under the code name Ocean Jasper! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!
or Ultimate installation right away, please run the following command:
mono joeboxserver.exe --updatefast
Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Ocean Jasper features.
447 new Signatures
With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like MassLogger, Bazar(team9 loader), Octopus Scanner, Devilshadow, Kaiji, Exile RAT, Crimson RAT, CloudSnooper, Lucifer Stealer, Wildlogger keylogger, DarkNexus, Blackclaw ransomware, Nefilim, Pedo Ransomware, Payday Ransomware, Avaddon Ransomware and many more.
A major new feature of Ocean Jasper is the ReversingLabs integration. ReversingLabs TitaniumCloud customers can add their username and API to Joe Sandbox and increase the detection precision:
Joe Sandbox Ocean Jasper checks all samples and dropped files against ReversingLabs TitaniumCloud.
Another great feature of Ocean Jasper is the urlscan.io (A sandbox for the web) integration. With the integration enabled Joe Sandbox customer will benefit from increased precision for phishing detection:
Excel Macro 4.0 Extractor and Deobfuscator
Excel 4.0 (XL4) macros are becoming increasingly popular for attackers, as security vendors struggle to play catch-up and detect them properly. We, therefore, decided to add a full extractor and deobfuscator to Joe Sandbox v29. The deobfuscated code can be found in the full report under Static - Macro 4.0:
Ocean Jasper also includes several signatures to detect malicious Excel 4.0 macros:
Enhanced Phishing Detection
We have enhanced our Phishing Detection in multiple areas. First, we added a new detection technology based on Internet Explorer cache files. The appearance of a specific image on a foreign web page is a good indicator for phishing. Thanks to the Internet Explorer caching we can easily blacklist images.
The Microsoft phishing page uses the following image resources:
In the Internet Explorer cache those resources can be easily found and blacklisted:
Secondly, AI-based Phishing detection has been made available for Remote Assistance (Live Interaction). This enables analysts to detect phishing pages for cases where link browsing is hard to automate:
Easy submission of Malware Bundles
Sometimes analysts come across a malware sample that only runs with dependencies file, e.g. a malware.exe requiring a DLL in the same folder. Previously, analysts were required to submit cookbook for launching the malware.exe together with the DLL. With Ocean Jasper this is now becoming super easy - with a new file dialog:
Better Report Overview
We have completely redesigned the overview part of the full analyst report in Ocean Jasper. Analysts can now see all the key information at one glance:
Android 9.0 Support
Ocean Jasper comes with Android 9.0 support:
In this blog post, we have presented the most important features of Joe Sandbox Ocean Jasper, but there are some other very interesting features on top:
- Added analysis mode to boost performance
- Added support for Windows 10 build 1903 and 1909
- Added analysis and execution of DMG pre-install scripts (Zoom)
- Added Yara scanning for unpacked AutoIt binaries
- Added download-all option to the Web interface
- Improved config extractor for Emotet
- Improved performance for Remote Assistance
- Large performance optimization for RDTSC time evasions
- Large FP optimization for phishing detection