During this winter, we have not been freezing but rather working hard to provide you with the world's most powerful malware analysis system for Windows, macOS, Android, Linux and iOS. Today we release Joe Sandbox 28 under the code name Lapis Lazuli! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!
or Ultimate installation right away, please run the following command:
mono joeboxserver.exe --updatefast
Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Lapis Lazuli features.
304 new Signatures
With these brand new behavior and Yara signatures, Joe Sandbox is able to precisely detect various malware families like Emotet, Trickbot, AgentTesla, NanoCore, Ursnif, HawkEye, AZORult, Remcos, Adwind, Raccoon and many more.
A major new feature of Lapis Lazuli is the support for Sigma.
If you want to learn more about the Joe Sandbox Sigma integration please have a look at this blog post.
Sigma is a generic and open signature format to detect malware and other security-related events in log files. With the integration into Joe Sandbox, analysts can use existing Sigma signatures (~330) to detect malicious behavior.
Further, analysts can write their own signatures and use them in Joe Sandbox as well as in several other ESR tools. Joe Sandbox v28 features a Sigma editor which also allows synchronizing rules directly from GitHub:
Lapis Lazuli includes 46 new Sigma rules, and the even better news is that Joe Security has made them available for the community:
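To show how a Sigma rule's selection, filter and condition combine over log events, here is a small added example in Python; it is not Joe Sandbox's code nor one of its shipped rules, and the rule, field names and process-creation events are constructed assumptions.

```python
# Added example: a minimal evaluator for a Sigma "detection" section, run over
# constructed process-creation events. RULE mirrors this (constructed) Sigma YAML:
#
#   title: Office Application Spawning a Shell (constructed example)
#   logsource: {category: process_creation, product: windows}
#   detection:
#     selection:
#       ParentImage|endswith: ['\WINWORD.EXE', '\EXCEL.EXE']
#       Image|endswith: ['\cmd.exe', '\powershell.exe']
#     filter:
#       CommandLine|contains: 'OfficeUpdater'
#     condition: selection and not filter
#   level: high
RULE = {
    "selection": {
        "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE"],
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
    },
    "filter": {"CommandLine|contains": "OfficeUpdater"},
    "condition": "selection and not filter",
}

def _match_value(actual: str, wanted: str, modifier: str) -> bool:
    """Apply one Sigma value modifier (Sigma string matching is case-insensitive)."""
    a, b = actual.lower(), wanted.lower()
    # Only these modifiers are supported here; any other raises KeyError.
    return {"contains": b in a, "endswith": a.endswith(b),
            "startswith": a.startswith(b), "": a == b}[modifier]

def _match_selection(event: dict, selection: dict) -> bool:
    """All fields of a selection must match (AND); a list of values is an OR."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        values = wanted if isinstance(wanted, list) else [wanted]
        actual = event.get(field)
        if actual is None or not any(_match_value(str(actual), str(v), modifier) for v in values):
            return False
    return True

def sigma_match(event: dict, rule: dict) -> bool:
    """Evaluate conditions of the form 'a and b and not c' (a subset of Sigma)."""
    result = True
    for term in rule["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = _match_selection(event, rule[term[4:] if negate else term])
        result = result and (hit != negate)
    return result

# Constructed events in the style of process-creation logs (not real report data)
EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c OfficeUpdater.bat"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]

def matching_events(events=EVENTS, rule=RULE):
    """Return the indices of events the rule fires on (only the first one here)."""
    return [i for i, e in enumerate(events) if sigma_match(e, rule)]
```

The second event is suppressed by the filter section and the third fails the selection, which is the behaviour a real Sigma backend applies before translating the rule into a SIEM or sandbox query.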
18 Malware Configuration Extractors
Malware often includes configuration data such as C&C IPs, domains and modules to load. Lapis Lazuli features 18 extractors for the most common malware families:
Configuration data is shown in the "Malware Configuration" section in the HTML or PDF report:
as well as in the malwareconfigs section in the XML or JSON report:
New Analysis Detail Page
The analysis detail page lists high-level information on the analysis such as the verdict, threat names, and classification. In Lapis Lazuli we completely redesigned it, so that analysts can access all essential data at one glance:
Deep .NET Tracing
Deep .NET Tracing extends Joe Sandbox's multi-technology stack with a very fine-grained tracing technology for samples using the .NET Framework:
With Deep .NET Tracing analysts can understand in detail the inner workings of malware samples. Deep .NET Tracing needs to be enabled via the Code Analysis tab:
Trace logs including all .NET API calls with arguments can be downloaded from the analysis detail page:
You will find more information about deep .NET tracing in one of our latest blog posts: Dissecting Agent Tesla with Deep .NET Tracing.
Remote Assistance for Joe Sandbox Mobile and Linux
Yes, Lapis Lazuli is bringing Remote Assistance to Joe Sandbox Mobile and Linux. With Remote Assistance you can click through an attack manually by using the mouse and the keyboard:
MITRE ATT&CK mappings for Android and iOS
MITRE ATT&CK mappings already exist for Windows, Linux, and Mac. Lapis Lazuli includes mapping for Android and iOS:
In this blog post we have presented the most important features of Joe Sandbox Lapis Lazuli, but there are some other very interesting features on top:
- Added threat names to e-mail notifications
- Added download button for all screenshots
- Added more process information
- Improved IE, FF and Chrome analysis performance
- Improved Remote Assistance performance in general
- Improved analysis of Google Drive URLs
- Improved startup of samples with user permissions