Although it's summertime and the livin' is easy, we have been working hard to deliver Joe Sandbox v23 under the code name Black Opal! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.
Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Black Opal a couple of days ago.
If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Complete and Ultimate installation right away, then please run the following command:
mono joeboxserver.exe --updatefast
Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Opal features.
Joe Sandbox Linux 1.0.0 is now officially available for purchase! With Joe Sandbox Linux you can analyze threats targeting Ubuntu as well as CentOS.
For more details as well as latest analyses of Linux malware please have a look at our recent blog post.
31 New Behavior Signatures
New signatures include detection of Kronos, Hermes, FlawedAmmyy, new UAC bypasses, Agent Tesla, Empire, OSXDummy, XMRig and more:
AI-based Phishing Detection
We further enhanced our template based phishing detection. Instead of relying only on a template matching technique, Joe Sandbox now employs several techniques (including logo region detection, perceptual hashing, and feature detection). We used machine learning to combine the results of all techniques to minimize false positives:
STIX v2 Report
Do you use Structured Threat Information Expression (STIX) as a standard for IOCs or does your threat intelligence solution support STIX? If so, integration with Joe Sandbox has become very easy since Black Opal generates extensive STIX v2 reports (in addition to MAEC, OpenIOC and MISP):
The STIX report includes all major detections and IOCs such as dropped files, processes, domains, and IPs.
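As an added example that is not Joe Sandbox code, the following script shows how a consumer of a STIX v2 report would pull the atomic IOCs (domains, IPs, file names, hashes, process names) out of a bundle before pushing them to a blocklist or SIEM. The bundle is a constructed sample in STIX 2.0 shape; its IDs, domain, IP and hash are placeholders, and it is not an actual Black Opal report.

```python
"""Pull IOCs out of a STIX 2 bundle so they can be fed to a blocklist or SIEM.

Added example: this is not Joe Sandbox code, and the bundle below is a
constructed sample in STIX 2.0 shape, not an actual Black Opal report.
"""
import json
import re
from typing import Dict, List

# Constructed sample bundle. IDs, domain, IP and hash are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "spec_version": "2.0",
    "objects": [
        {"type": "malware", "id": "malware--22222222-2222-4222-8222-222222222222",
         "name": "sample-family", "labels": ["trojan"]},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "labels": ["malicious-activity"], "valid_from": "2018-08-01T00:00:00Z",
         "pattern": "[domain-name:value = 'example-c2.invalid']"},
        {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
         "labels": ["malicious-activity"], "valid_from": "2018-08-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},
        {"type": "indicator", "id": "indicator--55555555-5555-4555-8555-555555555555",
         "labels": ["malicious-activity"], "valid_from": "2018-08-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "' AND file:name = 'dropper.exe']"},
        {"type": "indicator", "id": "indicator--66666666-6666-4666-8666-666666666666",
         "labels": ["malicious-activity"], "valid_from": "2018-08-01T00:00:00Z",
         "pattern": "[process:name = 'powershell.exe']"},
    ],
})

# One STIX comparison expression: <object-type>:<property path> = '<literal>'.
# The path class also admits the quoted hash-key form, e.g. file:hashes.'SHA-256'.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

# STIX object paths mapped to the bucket an analyst would route them to.
_BUCKETS = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "file:name": "file_name",
    "file:hashes.'SHA-256'": "sha256",
    "process:name": "process",
}


def extract_iocs(bundle_json: str) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted IOCs grouped by bucket.

    Only 'indicator' objects are inspected; other SDOs (malware, report, ...)
    carry context rather than atomic IOCs. Comparisons whose path is not in
    _BUCKETS land in 'other' as 'path=value' so nothing is silently dropped.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("input is not a STIX bundle")

    found: Dict[str, set] = {name: set() for name in list(_BUCKETS.values()) + ["other"]}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            bucket = _BUCKETS.get(path)
            if bucket is None:
                found["other"].add(f"{path}={value}")
            else:
                found[bucket].add(value)
    return {name: sorted(values) for name, values in found.items()}


if __name__ == "__main__":
    for bucket, values in extract_iocs(SAMPLE_BUNDLE).items():
        print(f"{bucket}: {values}")
```

The comparison regex only handles simple equality patterns, which is what IOC-carrying indicators normally use; richer STIX patterns (timing qualifiers, `MATCHES`, `FOLLOWEDBY`) would need a real pattern parser. Keeping unknown paths in an `other` bucket is deliberate, so a new observable type in a report shows up for review instead of vanishing.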
Windows 10 x64 1803 Support
Joe Sandbox v23 Black Opal analyzes malware on the latest Windows 10 version!
We have also added Windows 10 support for Joe Sandbox Hypervisor:
Thus, you can analyze threats with Hypervisor based Inspection on Windows 10!
IDA Pro 7.1 Support
IDA Pro 7.1 is now officially supported by the Joe Sandbox Bridge Plugin. The plugin allows you to load memory dumps into IDA Pro and enrich them with dynamic information:
Web API v2 Enhancements
With Black Opal we added several new APIs to the RESTful Web API. This includes cookbook and Yara upload, download, deletion, and listing:
As a result, you now can fully automate Yara and Cookbook handling via the API.
Sysmon Logs Extraction
We added a new cookbook to easily extract Sysmon Logs via Joe Sandbox:
Black Opal decompiles Android Application Packages (APK). As a result, there are several new downloads for Android analyses:
Inside the full Android report you can easily navigate to the source code:
In this blog post, we introduced some of the major features of the Black Opal release. Further minor features include:
- ContentSettings-Ms support on Windows 7
- Option to change the keyboard layout through the Web GUI
- Option to start samples as a normal user through the Web GUI
- Option to enable Anti-Evasion for data-aware samples through the Web GUI
- Support for Unicode file names (Chinese, Japanese and Korean)
- Security alerts (login, password change, etc.)
- Setup code for cookbooks
- Major speed up for Internet Explorer analysis
- General analysis speed up
- Automated Yara rule validation & conflict resolving
What is next? We have an amazing pipeline of new technologies and features - stay tuned!