Today we release Joe Sandbox 30 under the code name Red Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!
or Ultimate installation right away, please run the following command:
mono joeboxserver.exe --updatefast
Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Red Diamond features.
218 new Signatures
These brand new behavior, Yara and Sigma signatures let Joe Sandbox precisely detect malware families such as FinSpy, Liquorbot, WellMess, Taurus Stealer, Matiex Keylogger, Elysium Stealer, DCRat, Avaddon Ransomware, Netwalker Ransomware, IOCP Ransomware and many more.
We also updated many existing signatures to cover the latest variants of BazarLoader, Formbook, Emotet, Phobos, Qbot, NJRat and others.
Mitre Att&ck Sub-Techniques
Joe Sandbox Red Diamond is the first sandbox to officially support Mitre Att&ck Sub-Techniques! We extended our behavior signature mapping to include Sub-Techniques, giving analysts more precise information about the techniques and procedures a sample uses:
Joe Sandbox Red Diamond supports Mitre Att&ck Sub-Techniques for Windows, macOS, Linux and Android analysis.
New Anti-Evasions
Over the last couple of months we observed several new sandbox evasions, such as API and instruction hammering in GuLoader and TrickBot (the sample calls a harmless API or executes a cheap instruction sequence in a tight loop, so that the sandbox's tracing budget or time limit is exhausted before the real payload runs). Whenever we develop a bypass for a new evasion, we first write detection signatures that classify the behavior:
With these in place, Joe Sandbox Red Diamond bypasses the new evasions, and we have added triggers to catch related variants as they appear.
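To make the detection side concrete, here is an added example (not Joe Sandbox's signature engine or its log format) that flags API hammering in an API-call trace. The trace, the API names and the thresholds are constructed for this example; a real signature would tune the window and threshold per API and combine the result with other behavior.

```python
"""Flag API hammering in a constructed API-call trace (added example, not
Joe Sandbox code). A trace entry is (timestamp_ms, api_name, args_tuple)."""
from collections import Counter, defaultdict, deque


def build_sample_trace():
    """Constructed trace: two legitimate calls, a 20,000-call hammering loop
    of GetSystemTime spaced 0.02 ms apart (~400 ms), then the real payload."""
    trace = []
    t = 0.0
    for api, args in [("GetModuleHandleW", ("kernel32.dll",)),
                      ("LoadLibraryW", ("user32.dll",))]:
        trace.append((t, api, args))
        t += 5.0
    for i in range(20000):
        trace.append((t, "GetSystemTime", (i,)))   # counter arg varies on purpose
        t += 0.02
    t += 50.0
    trace.append((t, "CreateFileW", (r"C:\Users\victim\dropper.exe",)))
    trace.append((t + 3.0, "WriteFile", ("<4096 bytes>",)))
    return trace


def detect_api_hammering(trace, window_ms=1000, threshold=500):
    """Return one finding per API that is called at least `threshold` times
    inside any sliding window of `window_ms`. Arguments are deliberately
    ignored: hammering loops often vary a counter to look less repetitive."""
    totals = Counter(api for _, api, _ in trace)
    recent = defaultdict(deque)          # api -> timestamps inside the window
    findings = {}
    for ts, api, _args in trace:
        q = recent[api]
        q.append(ts)
        while ts - q[0] > window_ms:     # q is never emptied: ts itself stays
            q.popleft()
        if len(q) >= threshold and api not in findings:
            findings[api] = {"api": api,
                             "burst_start_ms": q[0],
                             "total_calls": totals[api]}
    return list(findings.values())


def hammering_ratio(trace, findings):
    """Fraction of all traced calls that belong to flagged APIs; a value near
    1.0 means the trace is almost entirely noise generated to exhaust the
    sandbox."""
    flagged = {f["api"] for f in findings}
    if not trace:
        return 0.0
    return sum(1 for _, api, _ in trace if api in flagged) / len(trace)


if __name__ == "__main__":
    sample = build_sample_trace()
    hits = detect_api_hammering(sample)
    print(hits, round(hammering_ratio(sample, hits), 4))
```

The sliding window keeps memory bounded even for multi-million-call traces, which matters precisely because hammering samples produce them; the ratio is the number an analyst would look at to decide whether the rest of the trace can be trusted.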
Support for large Files
This has been a frequent customer request: up until now, Joe Sandbox limited the upload size of malware binaries. Red Diamond removes this limit by introducing chunked file upload for the Web Interface as well as the Joe Sandbox RESTful Web API.
We have also updated jbxapi.py, the Python wrapper for the RESTful Web API. Customers simply update to the latest version of jbxapi.py to benefit from large file support; no code or integration changes are needed.
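As an added illustration of what a chunked upload has to get right on both ends, the following example (not jbxapi.py and not the Joe Sandbox server) streams a file to an in-memory stand-in server in fixed-size pieces. The endpoint names, message fields, chunk size and size limit are assumptions made for this example; the point is that the receiver must bound the upload size before any bytes arrive, accept chunks by index so retries are idempotent, and verify count, size and hash before treating the reassembled file as the submitted sample.

```python
"""Minimal chunked upload protocol with a fake receiving side (added example,
not jbxapi.py or Joe Sandbox server code)."""
import hashlib
import io
import math
import os


class FakeUploadServer:
    """In-memory stand-in for the receiving end. Method and field names are
    assumptions for this example, not Joe Sandbox's REST API."""

    def __init__(self, max_size, chunk_size):
        self.max_size = max_size
        self.chunk_size = chunk_size
        self.sessions = {}   # upload_id -> {"size", "sha256", "chunks"}
        self.accepted = {}   # sha256 hex -> reassembled bytes

    def begin(self, filename, size, sha256_hex):
        # Reject oversized uploads before a single chunk is transferred.
        if size > self.max_size:
            raise ValueError(f"{filename}: {size} bytes exceeds {self.max_size}")
        upload_id = os.urandom(8).hex()
        self.sessions[upload_id] = {"size": size, "sha256": sha256_hex, "chunks": {}}
        return upload_id

    def put_chunk(self, upload_id, index, data):
        s = self.sessions[upload_id]
        if len(data) > self.chunk_size:
            raise ValueError("chunk larger than negotiated chunk size")
        expected = math.ceil(s["size"] / self.chunk_size)
        if not 0 <= index < expected:
            raise ValueError(f"chunk index {index} out of range")
        s["chunks"][index] = data   # keyed by index: a retried chunk overwrites, never appends
        return "ok"

    def finish(self, upload_id):
        s = self.sessions.pop(upload_id)
        expected = math.ceil(s["size"] / self.chunk_size)
        missing = [i for i in range(expected) if i not in s["chunks"]]
        if missing:
            raise ValueError(f"missing chunks: {missing}")
        body = b"".join(s["chunks"][i] for i in range(expected))
        if len(body) != s["size"]:
            raise ValueError("reassembled size does not match declared size")
        digest = hashlib.sha256(body).hexdigest()
        if digest != s["sha256"]:
            raise ValueError("reassembled hash does not match declared hash")
        self.accepted[digest] = body
        return digest


def upload_chunked(server, filename, fileobj, chunk_size, drop_chunk=None):
    """Stream `fileobj` to `server` in `chunk_size` pieces. `drop_chunk`
    simulates a lost chunk so the caller can see the server reject it."""
    # Pass 1: size and hash, streamed so a large file never sits in memory.
    h = hashlib.sha256()
    size = 0
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(block)
        size += len(block)
    fileobj.seek(0)
    upload_id = server.begin(filename, size, h.hexdigest())
    # Pass 2: send each chunk with its index so the server can reorder/retry.
    for index, block in enumerate(iter(lambda: fileobj.read(chunk_size), b"")):
        if index == drop_chunk:
            continue
        server.put_chunk(upload_id, index, block)
    return server.finish(upload_id)


def demo():
    data = bytes(range(256)) * 40   # 10240 constructed bytes, not a real sample
    server = FakeUploadServer(max_size=1 << 20, chunk_size=4096)
    digest = upload_chunked(server, "sample.bin", io.BytesIO(data), 4096)
    result = {"digest": digest,
              "chunks": math.ceil(len(data) / 4096),
              "intact": server.accepted[digest] == data}
    try:
        upload_chunked(server, "sample.bin", io.BytesIO(data), 4096, drop_chunk=1)
        result["lost_chunk_rejected"] = False
    except ValueError as err:
        result["lost_chunk_rejected"] = "missing chunks" in str(err)
    try:
        server.begin("huge.bin", (1 << 20) + 1, "0" * 64)
        result["oversize_rejected"] = False
    except ValueError:
        result["oversize_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The client-declared hash is what lets the server detect a truncated or corrupted reassembly, and the index-keyed chunk store is what makes a retried chunk harmless; a receiver that simply appends whatever arrives has neither property.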
API Parameter Overwriting & Integration Key Sharing
Joe Sandbox integrates with many different security solutions. You can find a list of all supported integrations here. Having so many integrations is great, but keeping every integration up to date with new Joe Sandbox features is tricky. To solve this we introduced API Parameter Overwriting. With this option you can overwrite specific Joe Sandbox settings for every sample that one of your integrations submits via the API:
Let's look at a use case for API Parameter Overwriting. Assume an integration does not yet support the Joe Sandbox cache option, which checks an internal cache so that the same file or URL is never analyzed twice. With API Parameter Overwriting you can enforce that option for all integrations by default. This saves quota and time, since previously analyzed samples are not analyzed again.
Integration Key Sharing lets you configure an integration such as VirusTotal, ReversingLabs, Intezer or UrlScan once and share that key with all your Joe Sandbox users. This is very handy, since you don't want your users to have to deal with integration settings themselves.
Phishing Detection for canvas.com, dropbox.com etc.
Many phishing campaigns host their initial lures on canvas.com, dropbox.com and similar services. Those pages use JavaScript heavily and load most content dynamically, which makes phishing detection challenging. In addition, the lure is often a PDF hosted on such a page that links to the real phishing page, and most sandbox solutions cannot follow a link inside a PDF on a dynamic web page. Joe Sandbox v30 Red Diamond solves this:
Better Report Overview
In our last release, Joe Sandbox 29 Ocean Jasper, we completely redesigned the overview section of the full analyst report for Windows analysis. In Red Diamond we redesigned the overview section of the macOS, Android and Linux reports as well:
Further, we redesigned the overview section of the executive / management report for all architectures:
The new format condenses the most important information to one page and also improves the readability and structure.
Static Mach-O Analysis in Archives
EvilQuest has shown that actors can also be very creative on macOS. The initial DMG sample includes the payload in an additional Mach-O file. Joe Sandbox Red Diamond takes care of that and analyzes Mach-O files in archives and containers:
Static Mach-O information is shown in the Static File Info - Archive DMG section of the analyst report:
Function Logs for Android Analysis
On Android we added function / method logs. Those logs contain a chronological sequence of all traced API calls, with method / class / package name, arguments and the return value:
The logs are available in text format as well as XML:
Function / method logs enable analysts to build machine learning models and understand the malicious behavior at the lowest possible level.
Final Words
In this blog post we have presented the most important features of Joe Sandbox Red Diamond, but there are several more worth mentioning:
- Support for VMware Workstation 16
- Unpacking of ALZ Archives
- Android No-Instrumentation Analysis Chaining for Instrumentation Failures
- Bypass for Anti-Analysis SystemCodeIntegrity and GetLastInput/GetTickCount
- Tags visible in the analyst and executive report
- Verdict and Threat Names in e-Mail Alerts
- Duplicate Password Protection
- Faster URL Analysis with Chrome
- Server Logs per Analysis