Joe Security's Blog
Scorch Malware with Joe Sandbox Fire Opal
Published on: 06.11.2018
We're nearing the end of 2018 and with that, we proudly release the latest Joe Sandbox update: version 24 - code name Fire Opal! This release is packed with an enormous amount of new features and interesting enhancements that will skyrocket the analysis power of Joe Sandbox.
Our Joe Sandbox Cloud Pro, Basic and OEM servers have already been upgraded to Fire Opal a couple of days ago.
Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Fire Opal features.
Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Fire Opal features.
77 New Behavior Signatures
With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of Gootkit, GrandCrab, AZORult, Darkcomet RAT and more:
Ubuntu 18.04 TLS Support
Joe Sandbox now runs on the latest and most secure Ubuntu LTS Server operating system - Bionic Beaver 18.04 LTS. Ubuntu guarantees security updates until the year 2023 for this release:
MITRE ATT&CK™
We have completely mapped over 1,800 behavior signatures of Joe Sandbox to Mitre's adversary tactics and techniques. For each analysis you now get the Mitre ATT&ck matrix and can easily compare different malware samples based on their tactics:
VMware ESXi 6.7 Cloning
Fire Opal adds support to install and run Joe Sandbox on VMware ESXi 6.7. In addition, we implemented cloning for ESXi. With cloning you can easily scale up Joe Sandbox by using a single shell command:
For detailed information, please have a look at our recent blog post about Clone Wars - Zero Effort Scaling.
INetSim Support
You have a critical sample and don't want to analyze it with a real Internet connection, but still want to see the network traffic it initiates? No problem! Fire Opal adds support to connect Joe Sandbox to INetSim - the industry standard for Internet simulation:
With INetSim malware samples cannot cause any harm to any third party since no live Internet connection is granted.
TOR connect / disconnect
You want to grant Internet access to the analysis machine but want to do it an anonymized way? Fire Opal comes with an automated Tor connector. By using a single shell command your system is configured to route all malicious traffic through Tor:
Web API 2.0 Extensions
We extended the REST API 2.0 with the ability to manage users, cookbook and Yara rules. You can create, modify and list all users, cookbooks and Yara rules:
URL Memory Extraction
Fire Opal extracts URLs directly from memory dumps and sends them to Virustotal or MetaDefender for detection:
With that feature, Joe Sandbox detects C&C URLs even if they are not called.
With that feature, Joe Sandbox detects C&C URLs even if they are not called.
Dynamic Data for Hybrid Code Analysis
Dynamic information such as system or API call arguments is now fully passed to our Hybrid Code Analysis engine. As a result, you find function arguments directly in the disassembly section:
This makes reading and understanding the disassembly much easier! Thanks to this feature, we see in the example above that the address of GetTickCount is queried as well as the number of ticks returned by GetTickCount.
Screenshot Thumbnails and Downloads
We added a gallery of all screenshots as thumbnails to the analysis report. This makes it much easier to identify interesting screenshots:
In addition, you can now download a selection of "Interesting Screenshots" only:
Improved VBA Callgraphs
If you activate VBA instrumentation - a technique which enables to extract dynamic information from VBA Macros in Office documents - Joe Sandbox will generate an impressive call graph. With Fire Opal we extended that call graph and added triggers, number of calls and API calls:
Due to that improvement, you can find interesting Macro parts more quickly and understand the structure of the code better.
RTF File Parser
Documents in RTF format are now parsed and malicious objects are detected:
Joe Sandbox Class 2.0
The Fire Opal release includes Joe Sandbox Class 2.0. Class is the code similarity engine of Joe Sandbox. It enables to identify similar samples by looking at code functions. Class 2.0 includes a wide range of new features such as opcode and instruction based similarity searches, a completely redesigned report, as well as various performance improvement:
With Joe Sandbox Class 2.0 analysts find similar samples more quickly, understand which samples are the most similar and why they are similar.
Read more about it on our blog on Hunting for similar Samples with Joe Sandbox Class 2.0.
Dialog Box Support for Android
Android samples requesting dynamic permissions have become more frequent. Therefore we added automation support for those dialog boxes:
As a result, Joe Sandbox handles all dialog boxes fully automated.
Final Words
In this blog post, we introduced some of the major features of the Fire Opal release. Furthermore, minor features are:
- Added Windows 10 x64 support to Joe Sandbox Hypervisor as well as a huge performance upgrade
- Added more user-mode API interceptions to Joe Sandbox Hypervisor
- Added a new guide for Remote Assistance
- Added a new cookbook to change the timezone of the analysis machine
- Added a password test for protected office documents
- Added auto dependency installation
- Added support for dynamic instrumentation of dropped APKs
- Added support for decompilation of dropped APKs and DEX files
- Added support for MITM SSL inspection on Android
- Huge performance improvement for documents and URL analysis
- Improved the general analysis performance
- Improved the selection of interesting Android methods
- Improved remote assistance
What is next? We have an amazing pipeline of new technologies and features - stay tuned!
Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!