
Joe Security's Blog

Live Interaction and Results

Published on: 03.05.2022

In this blog post we outline a new and exciting technology that we built some time ago and have extended since. It enables analysts to interact directly with the analyzer and, in addition, to get live data on detection rules, verdicts, IOCs and more.

Why is this a great feature and useful for analysts? 

Manual Analysis


Joe Sandbox features various technologies to automate user behavior. Here is a good example:

Full Analysis Report: https://www.joesandbox.com/analysis/288399/0/html#overview

This is a multi-stage phisher. The sample URL points to a downloadable PDF. The PDF file itself contains another link which points to the final phishing page. Joe Sandbox is able to automate all the user behavior actions, such as downloading the PDF file, clicking on the link, browsing the page, etc. However, user behavior automation has its limits. Please check out the following analysis:

Full Analysis Report: https://www.joesandbox.com/analysis/617931/0/html#overview

The phishing page starts with a real, legitimate CAPTCHA. A CAPTCHA's purpose is to "tell Humans and Computers Apart Automatically". Joe Sandbox (a computer) cannot solve CAPTCHAs. This is where Live Interaction and Results comes into play: the analyst can solve the CAPTCHA manually:

Full Analysis Report: https://www.joesandbox.com/analysis/618889/0/html


And successfully reaches the final phishing page!

Besides manual phishing analysis, analysts have full freedom to perform any other manual task, including:

  • Safely extract attachments from, or open, saved e-mails such as EML or MSG files
  • Securely browse a suspicious page
  • Change system settings prior to launching the sample
  • Upload and use additional analysis tools
  • Start a program in a custom way, e.g. with a specific command line

Yara, Sigma and Snort Results


Live Interaction and Results provides analysts with a wide range of dynamic data and the option to write and upload custom detection rules for that data. Most important are Yara, Sigma and Snort rules. Analysts can upload their rules in the corresponding editors:

The uploaded rules are applied directly to the live results during Live Interaction:

Yara rules are applied to all dropped files, memory dumps, the DOM tree, unpacked PE files, etc.

Snort rules are applied to the entire network traffic, including decrypted traffic. Sigma rules are applied to various behavior indicators such as created processes, files, etc.

Thanks to custom detection rules, analysts can easily develop new rules and enhance the overall detection.
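As an added example (not Joe Security's code), here is the kind of check an analyst might prototype before turning it into a Yara rule for dropped files: it pulls the /URI action targets out of a PDF like the intermediate stage of the multi-stage phisher above and flags the ones pointing outside an allow-list of hosts. The sample PDF and the host names are constructed for this example, and it only sees links in uncompressed objects.

```python
import re
from urllib.parse import urlparse

# Matches a /URI key followed by a PDF string token: either a literal (...) string
# with backslash escapes or a hex <...> string.
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")

# Constructed sample, not a real document: one page with two link annotations,
# one literal string (with escaped parentheses) and one hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://stage2.example.invalid/view\\(doc\\).html) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI <68747470733a2f2f6865782e6578616d706c652e696e76616c69642f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}

def decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal or hex string token to text (octal escapes not handled)."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        if len(digits) % 2:          # PDF rule: a trailing odd digit is padded with 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        if body[i] == 0x5C and i + 1 < len(body):   # backslash escape
            out.append(_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return out.decode("latin-1")

def extract_uri_actions(pdf: bytes) -> list[str]:
    """Return every URI action target found in the uncompressed objects of the PDF."""
    return [decode_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]

def external_links(pdf: bytes, trusted_hosts) -> list[str]:
    """Links whose host is not allow-listed: candidates for the next phishing stage."""
    trusted = set(trusted_hosts)
    return [u for u in extract_uri_actions(pdf) if urlparse(u).hostname not in trusted]
```

Running `external_links(SAMPLE_PDF, {"stage2.example.invalid"})` returns only the hex-encoded link, which is the one an analyst would want surfaced as an IOC.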


Fast Analysis


With Live Interaction and Results, analysts get forensic malware analysis results in near real time. Traditional sandboxes first detonate a sample for a default time of one or two minutes. Only in the next step are analytics run on the gathered dynamic data, producing the final reports displayed to the analysts.

So the analyst has to wait a couple of minutes before receiving the verdict and the IOCs. As you know, during an active investigation every minute counts!

Conclusion


Thanks to Live Interaction and Results, analysts can manually interact with the analyzer to quickly solve complex phishing attacks and perform manual malware analysis tasks.

Live Results provides analysts with near real-time data such as Yara, Sigma and Snort detections, IOCs and much more.

Analysts can easily upload their own Yara, Sigma and Snort rules for rule development and extended detection capabilities.

Interested in testing Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!