Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Joe Sandbox v39 Ruby

Published on: 30.01.2024


Today, we are proud to release Joe Sandbox 39 under the code name Ruby! This release is packed with many new detection signatures and important features to make Joe Sandbox even better.





Our Joe Sandbox Cloud ProBasic, and OEM servers have recently been upgraded to Ruby.

If you wish to upgrade your on-premise Joe Sandbox installation right away, please read the Update Guide that you received via our e-mailing list. You can also find the Update Guide in our customer portal. 


287 new Signatures


Ruby comes with a high number of new Yara and Behavior signatures to detect new malware families like SpectralBlur, PureLand Stealer, KANDYKORN RAT, Hatef Wiper, JaskaGO, Clay Stealer, LambLoad, IronWind, Brook RAT, HazyLoad, PureLog Stealer, LostTrustEncoded, Golden Axe, Tisak and LiveTeam and many more. In addition, we added 5 new Malware Configuration Extractors, e.g. ToxicEye, Neconyd, meduzastealer, poshc2, diceloader to name a few:




Improved OCR Capabilities



For Phishing Joe Sandbox relays on a rich set of different technologies. OCR (Optical Character Recognition) is one of them. In Joe Sandbox 39 we upgraded the engine to have more precise results. The outcome is better phishing detection - especially for initial phishing lures:





Support for Android 13


Joe Sandbox Ruby enables analysts to investigate APKs (Android Application Packages) on latest Android 13:






Multi-File Submission for macOS and Linux


We see more and more malware samples which require other files as dependency. If the sample is detonated without the dependencies it won't run and no malicious behavior is analyzed. Joe Sandbox v39 brings now multi-file submission for macOS and Linux. To use multi-file submission simply drag&drop your sample together with the dependencies to the upload mask:





Memory Dumping for Apple Silicon (ARM64)


Joe Sandbox has brought macOS analysis functionality for Apple Silicon in Joe Sandbox v38. With this release Memory Dumping has been added. Memory dumps greatly increases the chance to detect the malware family:




User Menu Redesign


In Ruby we completely redesigned the user menu, making it easier to understand and granting faster access to most important elements of the sandbox:




Final Words


In this blog post, we have presented the most important features of Joe Sandbox Ruby, but there are some other interesting features on top:

  • Added powershell upload script
  • Added PE file section hash
  • Added automated Cloudflare challenges bypass
  • Added ETW RPC tracing to improve process trees
  • Added LOOKUP events for Apple Silicon (ARM64)
  • Added web UI CLI submission support
  • Added cookbook command _JBMoveBinLoadingDirectory
  • Added support of PROVIDEDBIN placeholder in _JBRunCmd* cookbook commands
  • Improved DMG extraction and static analysis
  • Improved HTTP session displaying in report HTML

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!