After a long period of development, we released version 5.0.0 of Joe Sandbox today. Among many small improvements and enhancements, the major change is a brand new usermode hooking engine that is capable of hooking every function in usermode code, including non-exported and non-imported functions, and is fully configurable. Currently the engine enables Joe Sandbox to capture exploit-specific behavior in Internet Explorer. For example, the engine captures all compiled JavaScript code (fully deobfuscated) and all writes to the HTML DOM tree. This data lets us write specific behavior signatures to detect browser exploits, exploit kits and other browser-specific attacks.

Below you find a link to a report that was generated using the browse cookbook. The browse cookbook visits a webpage inside the sandbox:
Joe Sandbox 5.0.0 Blackhole Analysis
As you can see in the signature summary section, shellcode has been found and the browser downloads Flash and PDF files. In addition, large chunks of executable memory have been allocated. Further, you can see that an IFRAME has been injected which then redirects to a page that downloads the PDF file, which obviously contains an exploit to drop and register a DLL (wpbt0.dll).

If you browse through the report, and especially the "Browser Activities" section, it becomes clear that the malicious behavior stems from the infamous Black Hole Exploit Kit.
Joe Sandbox 5.0.0 is available for all our standalone and web service customers.