Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Joe Sandbox v40 Tourmaline

Published on: 30.04.2024


Today, we are proud to release Joe Sandbox 40 under the code name Tourmaline! This release is packed with many new detection signatures and important features to make Joe Sandbox even better.





Our Joe Sandbox Cloud ProBasic, and OEM servers have recently been upgraded to Tourmaline.


If you wish to upgrade your on-premise Joe Sandbox installation right away, please read the Update Guide that you received via our e-mailing list. You can also find the Update Guide in our customer portal. 


186 new Signatures


Tourmaline comes with a large number of new Yara and Behavior signatures to detect new malware families like UPSTYLE, Latrodectus, TutorialRAT, ClipWallet, CleanUp Loader, AcidPour, Meethub, Xdealer, Zardoor and many more. In addition, we added 8 new Malware Configuration Extractors, e.g. PikabotGCleanerLatrodectus, Nightingale Stealer, AltraClipper, to name a few:









Direct / Indirect System Call Detection


Malware samples have the option to call a Windows API, but also more difficult path, to directly call functionality in the kernel via system calls. The later case is used by malware to bypass AV and EDR. With Tourmaline we added detections for this defense evasion:




Usually the executed direct / indirect system calls are related to process and memory injection behavior since these behaviors are well covered by EDR and AV solutions.

PyInstaller Decompilation


Python allows fast prototyping and with PyInstaller, Python runs on Windows without any Python preinstalls. Hence PyInstaller has become very popular for stealers. With Joe Sandbox v40 we added automated unpacking and decompilation of PyInstaller based samples





The decompiled code can be downloaded from the analysis detail page. Here is a function which steals the cookie and logins from Chrome & Edge:





Support for Ubuntu 22


With Tourmaline cyber security analysts can detonate Linux samples on Ubuntu 16, Ubuntu 20 and now also Ubuntu 22. A good example is Dinodas RAT:






Download and Execute Option for Linux


URLs pointing to a bash script are very common in Linux world. Attacks usually start with such a link. Joe Sandbox v40 provides a convenient way of submitting such links:





Final Words


In this blog post, we have presented the most important features of Joe Sandbox Tourmaline, but there are some other interesting features on top:

  • Added support to analyze MSIX file (installer clicking)
  • Added simple dylib loading (for Big Sur onwards)
  • Added symbol meta data in Mach-O static parsing
  • Improved selection of most interesting screenshots
  • Improved Yara rule validation
  • Improved malformed DNS detection
  • Improved Firefox browsing performance
  • Improved prevention of various VM detections (boot count, secure boot etc)
  • Improved sleep handling for ELF binaries written in Go
  • Improved memory dumping on Apple Silicon (ARM64)
  • Improved detection on in-memory-only code execution on macOS
  • Improved Mach-O static file parsing

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!