Explore Joe Security Cloud Basic Accounts Subscribe to our Newsletters Contact Us
top title background image

Joe Security's Blog

Joe Sandbox 25 - Tiger's Eye is out!

Published on: 18.02.2019


For the last three months, we have been working on Joe Sandbox's 25th version, released today under the code name Tiger's Eye! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.





Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Tiger's Eye a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileX, LinuxComplete 
or Ultimate installation right away, please run the following command:


mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Tiger's Eye features.



Nearly 100 new Behavior Signatures


With the latest signatures update, Joe Sandbox precisely detects the latest threats and evasions! New signatures include detection of ExileRAT, LuckyCat RAT, LokiBot, Anubis Loader, and more:





Optical Character Recognition (OCR) for Analysis of Office Documents

Malicious Office documents very often contain images and text used to convince the victim to enable macros or lower security settings. Thanks to the new OCR extraction of Office document content, Joe Sandbox Tiger's Eye can detect those lures:





This detection is very helpful to find malicious documents which contain old exploits that no longer work on recent Office versions.

Generic Unpacking Detection

99% of all malware today is packed. Tiger's Eye comes with a new signature to detect PE file overwriting and dynamic code loading within malware:





You can find more information about generic unpacking detection in one of our recent blog posts.

Microsoft Anti Malware Scan Interface (AMSI) Integration


Joe Sandbox v25 is able to use the Anti Malware Scan Interface of Microsoft. When adding the new cookbook command _JBEnableAMSI() Joe Sandbox will capture all AMSI buffer outputs. Through this, Joe Sandbox v25 can unpack and deobfuscate malicious Javascript, VBS, Powershell and Microsoft Office Macros:




You can find more information on the AMSI integration in one of our recent blog posts.

New Submission Options


Would you like to analyze a malware sample which requires a command line argument? No problem, Tiger's Eye includes a new submission option for that:





Besides the command line argument option there is also a new option to specify an archive password. Let us assume you keep all malware in password protected Zip archives to prevent that your local Antivirus agent deletes the files. You can now add that password as a submission option and Joe Sandbox will extract the file automatically on submission:




JA3 Support


JA3 is a method for creating SSL/TLS client fingerprints that can be easily shared for threat intelligence. You find the JA3 fingerprints in the network section - HTTPS packages:



Joe Sandbox Mail Monitor 2.0.0


The Tiger's Eye release contains Joe Sandbox Mail Monitor 2.0.0 with a row of new features and improvements. Firstly, Mail Monitor is now able to send a notification when an email has been received:





Secondly, Mail Monitor 2.0.0 enables to send summary notifications which bundle several analyses (attachments and links):






Finally, the configuration interface has been revamped. You can find more information on Joe Sandbox Mail Monitor 2.0.0 in one of our recent blog posts.

Joe Sandbox Class 3.0.0


Tiger's Eye also comes with Joe Sandbox Class 3.0.0 which includes a new engine that uses Joe Sandbox's massive behavior signature set for similarity analysis. One big benefit of this is that Class 3.0.0 allows detecting similar samples on Windows, Android, macOS, and Linux. Another benefit is that the similarity algorithm is independent of the programming language of the malware. 

The similarity is visualized in the full report with a graph and as well as with a list of similar samples. Below you can find some similarity graphs of recent samples:


LokiBot Graph (Windows)

LokiBot Variants (Windows)



Anubis e-Banking Trojan (Android)
Retefe (macOS)
For a deeper technical overview on Joe Sandbox Class 3.0.0 please check out this blog posts.

Android 8.0


We added support for Android 8.0. As a result, you can analyze Android malware on Android 8.0 Oreo:


Motion Simulation

Recent Android malware contains new evasions which are based on motion triggers. Only if the Android device receives motion data (e.g gyroscope) the payload of the malware is executed:



In order to activate such payloads, we added the cookbook command _JBSimulateMotion(). This command simulates up to 200 steps. 

Confidence Score


Android analysis now also includes a confidence score. The confidence score tells how sure Joe Sandbox is about the detection. The detection verdict combined with the confidence score delivers very precise detections:



Final Words


In this blog post, we introduced some of the major features of the Tiger's Eye release. Furthermore, minor features are:

  • Added whitelisting based on the National Software Reference Library (NSRL)
  • Added COM based Office automation
  • Added PCAP download to report
  • Added dropped binaries, memory dumps and unpacked files download to report
  • Added ssdeep hash
  • Added PE rich header information
  • Added icons to the behavior graph
  • Added WMI anti evasions
  • Added INetSim support for VMware Workstation and ESXi
  • Added an option to generate secondary forensic data to the web interface and web API
  • Added extraction for Android AD frameworks
  • Added a search for the source code report
  • Improved (up to 40%) performance of fast mode (previously named hyper mode)

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!