Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Joe Sandbox v32 - Black Diamond

Published on: 28.06.2021

Today we release Joe Sandbox 32 under the code name Black Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!

Our Joe Sandbox Cloud ProBasic and OEM servers have been recently upgraded to Black Diamond.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileXLinuxComplete 

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast


Even though we are delighted about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Diamond features.

310 new Signatures

With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like Klingon RAT, XCCSET, MapperState, Facefish, Silver Sparrow, Vovalex, Parasite, DearCry, MauriGo, Bloody Stealer and many more. In addition, we added 40 new malware configuration extractors, e.g. for Darkside, SystemBC, RevengeRAT, Clipboard Hyjacker, FatalRat, GrandSteal, AveMaria, just to name a few:

Malware configuration data includes often all C&C as well as other major threat intelligence data (targeted extension for ransomware, ports, login data etc.). It is therefore the malware analyst's gold data as there is nothing better. 

Live Data for Interactive Analysis

The biggest feature of Joe Sandbox Black Diamond is Live Data for Interactive Analysis on Windows. We added Live Interaction back in 2018 and now extended if with real time behavior, Yara and Sigma signature information:

Malware analyst get instant results for their Yara rules which are applied to all artifacts including dropped files and memory dumps. The same applies to Sigma and Behavior rules. Besides signatures, there is live data for IOCs such as Domains, URLs and IPs:

The detection, verdict and process tree is also updated during the behavior analysis. Analysts have the freedom to extend or stop the analysis anytime.

Thanks to live data analysts no longer have to wait for signature and IOC results. They get them instantly!

Interactive Analysis on macOS

Joe Sandbox currently supports interactive analysis on Windows, Android and Linux. With Black Diamond we also added it to macOS:

Malware Hunters can use interactive analysis on macOS to click through complex installers or phishing attacks. 

EVTX Downloads

More and more tools use Windows EVTX / Event Viewer logs for detection. Sigma is just one example. We therefore added EVTX files as an additional download:

Joe Sandbox users can download the full EVTX files and feed them into other tools. 

Customizable Yara Rules

Black Diamond brings some additional benefits for malware analysts which use Yara together with Joe Sandbox. Joe Sandbox runs customer uploaded Yara rules on all artifacts such as dropped files, memory dumps, HTML DOM, PCAP, unpacked PE files etc. With customizable Yara rules, analysts can now influence the Joe Sandbox detection score, the threat name, as well as the MITRE ATT&CK mapping, by using specific meta tags:

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Black Diamond, but there are some other very interesting features on top:

  • Added AI Phishing Detection to cover phishing attacks starting with a PDF lure
  • Added DLL reload detection
  • Added threat name to browser / email notification
  • Added SSL key log download
  • Added PDF executive report
  • Added info icons to report
  • Added similarity check for PDF phishing detection
  • Added image shot hash phishing detection
  • Added detection of terminated processes
  • Added detection of #UD exceptions
  • Improved Sigma integration

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!