LIA - Localized Internet Anonymization
Targeted malware often checks for IP geolocation information. For instance, malware targeting a US corporation might check that the IP belongs to a Internet provider in the US. Further, the IP owner can be compared to known blacklists:
To circumvent geolocation checks we added Localized Internet Anonymization (LIA) to Joe Sandbox v20. With LIA Joe Sandbox users can choose from various countries when they submit a sample:
Reboot & Scheduler Simulation
We see more and more payloads which only execute on reboot or on specific days. To analyze those payloads Joe Sandbox v20 comes with an advanced reboot and scheduler simulation:
Web API v2
We completely redesigned our Web API. API v2 has consistent JSON output, excellent error handling, support for Python > 2.7 and is much easier to use. We also rewrote the Python wrapper. You find a complete Python web API implementation in our Github Repository
Thanks to Deep Malware Analysis, Joe Sandbox analysis reports contain a wealth of information. Sometimes it is difficult to navigate inside that massive data. To make navigation easier we added a new control - the collider. The collider is accessible via the top menu bar:
Since the report data is structured hierarchically one can easily move from broad overview to details, e.g. from behavior signatures to behavior groups, or from dropped files to Yara overview. One can also easily jump from network to execution graphs or processes.
Android Device Admin Automation
Android malware often requests device administrator privileges. So far Joe Sandbox could not grant device admin privileges to APK. With v20 this is now possible. We added automation code that clicks through the dialogs:
As a result, the analysis contains more behavior, better detection, and more runtime information.
Joe Sandbox v20 profits from threat intelligence via Joe Sandbox View
. Joe Sandbox View is a search engine backed by a collection of high-value IO
Cs and threat indicators shared by Joe Sandbox Cloud users. Context information is available in a new section in the Joe Sandbox v20 Report:
In this blog post we demonstrated some of the big major features, but Joe Sandbox 20 contains many more new features in addition, such as:
- New Yara section in reports
- Yara scanning of unpacked PE files
- A new load balancing script
- IDA Pro Bridge Plugin support for x64 dumps
- Support for CRT files
- Randomization of sample names
- Dropped file preservation for Android in reflective calls
- Icons for process startup
- New cookbook commands for fake printer, fake bookmarks, and fake documents
- Cookbooks parameters
What is next? We have an amazing pipeline of new technologies and features! Stay tuned!
Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic
or contact us for an in-depth technical demo!