We are happy to announce the release of Joe Sandbox 18, our most advanced Deep Malware Analysis engine. In this blog post we will share some of the most interesting new features we have implemented.
VBA Macro Winapi Instrumentation
Samples that call the Windows API (native or regular calls) from inside a Microsoft Office macro are now instrumented and logged:
A malware family that uses Windows API calls in macros is Hancitor.
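As an added, static counterpart to the runtime instrumentation described above (example code, not part of Joe Sandbox or of this post): a VBA macro can only reach the Windows API through `Declare` statements, so listing those statements tells an analyst which DLLs and exports a document would call before it is ever opened. The VBA source below is constructed for the example and the library names in it are illustrative.

```python
import re
from typing import Dict, List

# Constructed sample VBA source (not from the page): 32-bit and 64-bit (PtrSafe)
# declarations, one with an Alias and a line continuation, plus an ordinary Sub.
SAMPLE_VBA = '''
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Private Declare Function ShellExecuteA Lib "shell32.dll" Alias "ShellExecuteA" _
    (ByVal hwnd As Long, ByVal lpOperation As String) As Long
Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As LongPtr)
Sub AutoOpen()
    Sleep 1000
End Sub
'''

# VBA continues a statement on the next line when the line ends with " _".
def join_continuations(src: str) -> str:
    return re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src)

# Matches: [Public|Private] Declare [PtrSafe] Function|Sub <name> Lib "<dll>" [Alias "<export>"]
DECLARE_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Declare\s+(?:PtrSafe\s+)?'
    r'(?P<kind>Function|Sub)\s+(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"'
    r'(?:\s+Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)

def extract_declares(src: str) -> List[Dict[str, str]]:
    """Return one record per Declare statement: VBA name, DLL, exported symbol, kind."""
    records = []
    for m in DECLARE_RE.finditer(join_continuations(src)):
        lib = m.group("lib").lower()
        if not lib.endswith(".dll"):
            lib += ".dll"  # "kernel32" and "kernel32.dll" refer to the same module
        records.append({
            "name": m.group("name"),
            "lib": lib,
            "alias": m.group("alias") or m.group("name"),  # exported name actually resolved
            "kind": m.group("kind").capitalize(),
        })
    return records

def imports_by_library(src: str) -> Dict[str, List[str]]:
    """Group the resolved export names by DLL, like an import table for the macro."""
    by_lib: Dict[str, List[str]] = {}
    for rec in extract_declares(src):
        by_lib.setdefault(rec["lib"], []).append(rec["alias"])
    return {lib: sorted(names) for lib, names in by_lib.items()}

if __name__ == "__main__":
    for lib, names in imports_by_library(SAMPLE_VBA).items():
        print(f"{lib}: {', '.join(names)}")
```

The `Alias` clause matters for detection: the VBA-visible name can be anything, so signatures should key on the exported symbol and the DLL, which is what `imports_by_library` returns.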
SCAE Library Code Detection
We added library code detection to SCAE (Static Code Analysis Engine) and EGA (Execution Graph Analysis):
The EGA nodes are shown with a lower opacity, making it easier to distinguish between malware code and library code. Further, you can see the corresponding library function name:
We saw an increase of malware samples dropping executable files that are not started. In most cases this is linked to the autostart functionality of the operating system: the dropped file is only launched at the next boot. If the sandbox does not reboot, the dropped file is only analyzed statically and never dynamically. This is not an issue for Joe Sandbox 18, which can automatically launch dropped PE files that were not executed:
By the way, Joe Sandbox 18 successfully handles all kinds of archives, including zip, 7zip, rar, tar, ace and bzip, as well as saved e-mails such as MSG and EML. It even handles recursively packed archives and e-mails, e.g. a zipped MSG with a rar attachment.
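To make the two points above concrete, here is an added example (not Joe Sandbox code) that walks a nested container and lists every PE file inside it, so that an analyst knows which dropped executables to expect before the dynamic run. It handles only zip, tar, gzip and bzip2 with the Python standard library; rar, 7zip, ace and MSG/EML parsing would need additional libraries. The nested sample it builds is constructed in the script and contains no real code.

```python
import bz2
import gzip
import io
import struct
import tarfile
import zipfile
from typing import List, Optional, Tuple

MAX_DEPTH = 8  # guard against endless "archive inside archive" chains

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def container_kind(data: bytes) -> Optional[str]:
    """Identify the containers this example can open from their magic bytes."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return None  # rar, 7z, ace, MSG and EML are not handled here

def find_executables(name: str, data: bytes, depth: int = 0,
                     found: Optional[List[Tuple[str, int]]] = None) -> List[Tuple[str, int]]:
    """Recursively open containers and collect (path, size) for every PE file found."""
    if found is None:
        found = []
    if depth > MAX_DEPTH:
        return found
    if is_pe(data):
        found.append((name, len(data)))
        return found
    kind = container_kind(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if info.is_dir():
                    continue
                try:
                    member = z.read(info)
                except RuntimeError:
                    continue  # password-protected member: needs the password from the e-mail body
                find_executables(f"{name}/{info.filename}", member, depth + 1, found)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            for m in t.getmembers():
                if m.isfile():
                    find_executables(f"{name}/{m.name}", t.extractfile(m).read(), depth + 1, found)
    elif kind == "gzip":
        find_executables(f"{name}#gunzip", gzip.decompress(data), depth + 1, found)
    elif kind == "bzip2":
        find_executables(f"{name}#bunzip2", bz2.decompress(data), depth + 1, found)
    return found

def build_sample() -> bytes:
    """Constructed input: a zip holding a readme and a tar.gz that holds a fake PE stub."""
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew -> offset of the PE signature
    pe[0x80:0x84] = b"PE\0\0"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as t:
        ti = tarfile.TarInfo("invoice/update.exe")
        ti.size = len(pe)
        t.addfile(ti, io.BytesIO(bytes(pe)))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("readme.txt", "constructed sample, not real malware\n")
        z.writestr("attachment.tar.gz", tar_buf.getvalue())
    return zip_buf.getvalue()

if __name__ == "__main__":
    for path, size in find_executables("sample.zip", build_sample()):
        print(f"dropped PE candidate: {path} ({size} bytes)")
```

Two caveats for production use: the depth limit protects against recursion but not against decompression bombs, so a cap on total decompressed bytes belongs next to it, and a PE that is carved here still has to be executed to learn what it does, which is exactly the gap the autostart handling above closes.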
GitHub based Yara Rules
Tired of updating your Yara rules manually? No problem, just add a GitHub repository and Joe Sandbox will take care of the synchronization:
OCR Click Engine for latest HTML droppers
The use of HTML droppers is increasing, and to execute them you have to fully automate Internet Explorer. Joe Sandbox includes an extensive OCR based Click Engine that automatically clicks on strings identified by the OCR:
Our engine now calculates a confidence score per sample:
This enables analysts to better understand the detection score. There is also a new detection status "Unknown" for samples the system cannot execute.
Deep OLE Analysis for Mac OS X
Joe Sandbox X now benefits from our massive signature database to detect malicious OLE files and macros targeting Mac OS X users:
Static Analysis of dropped DEX on Android
Over the past months, Android malware that drops, loads and then executes new code has been on the rise. To hinder analysis, the dropped code is deleted right after it has been loaded. The latest Joe Sandbox Mobile version prevents the deletion and therefore enables deep analysis of dynamically loaded DEX code:
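Once a dropped DEX file has been preserved, the first static step is to check that what was recovered is a complete, untampered file before spending time on it. The added example below (not Joe Sandbox Mobile code) parses the 0x70-byte DEX header and verifies the Adler-32 checksum and SHA-1 signature that the format defines over the rest of the file; the minimal DEX it builds for itself is constructed and contains no classes.

```python
import hashlib
import struct
import zlib
from typing import Any, Dict

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678  # little-endian marker expected in a normal DEX

# u32 fields that follow the 20-byte signature, in header order
HEADER_FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]

def build_minimal_dex() -> bytes:
    """Constructed header-only DEX with every table empty and valid integrity fields."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<I", hdr, 32, HEADER_SIZE)       # file_size
    struct.pack_into("<I", hdr, 36, HEADER_SIZE)       # header_size
    struct.pack_into("<I", hdr, 40, ENDIAN_CONSTANT)   # endian_tag
    # signature: SHA-1 over everything after the signature field
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    # checksum: Adler-32 over everything after the checksum field
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)

def parse_dex(data: bytes) -> Dict[str, Any]:
    """Parse the DEX header and report integrity problems; 'valid' is True if none."""
    info: Dict[str, Any] = {"valid": False, "problems": []}
    if len(data) < HEADER_SIZE:
        info["problems"].append("shorter than a DEX header")
        return info
    magic = data[:8]
    if magic not in DEX_MAGICS:
        info["problems"].append(f"unexpected magic {magic!r}")
    info["version"] = magic[4:7].decode("ascii", errors="replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        info["problems"].append("adler32 checksum mismatch (truncated or patched file)")
    if hashlib.sha1(data[32:]).digest() != data[12:32]:
        info["problems"].append("sha1 signature mismatch")
    fields = struct.unpack_from("<20I", data, 32)
    info.update(zip(HEADER_FIELDS, fields))
    if info["file_size"] != len(data):
        info["problems"].append(f"file_size {info['file_size']} != actual {len(data)}")
    if info["header_size"] != HEADER_SIZE:
        info["problems"].append("unexpected header_size")
    if info["endian_tag"] != ENDIAN_CONSTANT:
        info["problems"].append("unexpected endian_tag")
    info["valid"] = not info["problems"]
    return info

if __name__ == "__main__":
    report = parse_dex(build_minimal_dex())
    print("valid:", report["valid"], "classes:", report["class_defs_size"])
```

A checksum or signature mismatch on a recovered DEX usually means the dump was truncated or the loader patched the header in memory; either way the counts and offsets in the header cannot be trusted until the file has been repaired, so the check belongs before any deeper parsing.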