Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Joe Sandbox v41 Charoite

Published on: 17.09.2024


Today, we are proud to release Joe Sandbox 41 under the code name Charoite! This release is packed with many new detection signatures and important features to make Joe Sandbox even better.




Our
 Joe Sandbox Cloud ProBasic, and OEM servers have 
recently been upgraded to Charoite.


If you wish to upgrade your on-premise Joe Sandbox installation, please follow the instructions in the chapter on "Updating" in the user guide which you find in our customer portal. 

307 new Signatures


Charoite comes with a very large number of new Yara and Behavior signatures to detect new malware families like SpiceRAT, Diamorphine, AlphaSeed, Mallox, HZ Rat, CTHULHU STEALER, Banshee, Stealer, BeaverTail, CVE-2024-7262, SMERT, Kematian Stealer, Cronus, ByteVaultX,LethalLock and many more. In addition, we added 13 new Malware Configuration Extractors, e.g. for Meterpreter, Xehookstealer, Warmcookie, ZtratUrelas, Atlantidastealer, Donex, Vipkeylogger, Evilproxy, Greatnessphishingkit, Simdastealer, Coppershrimp and Originbotnet, to name a few. We also started adding config extractors for Phishing PaaS such as Tycoon2FA:





COM tracing


VBS, JS and VBA files often use COM (component object model) calls to perform malicious actions. COM calls are difficult to trace but with Joe Sandbox v41 malware analysts can see all COM calls performed by a suspicious process. Let us have a look at this VBA file:





It is highly obfuscated. Therefore its purpose is hard to understand. COM calls can be found in the COM Activities:
 





Looking at the calls we instantly find that the script calls the Windows Scripting Host Run function in order to call Powershell. 


Suricata Integration


We have integrated Suricata IDS into Joe Sandbox Charoite. Suricata replaces Snort, as it offers superior performance in malware analysis, with better handling of complex traffic patterns and improved detection capabilities.

Key Highlights are :

  • Suricata scans network traffic in all analyses across all architectures, also during Live Interaction.

  • Easily enable the Emerging Threat OPEN or PRO ruleset for immediate and up-to-date threat detection .

  • Possibility to add your own Suricata custom rules (see web app: Editor > Suricata).


Rules which hit are shown in the Network Behavior - Suricata IDS Alerts and Suricata Signatures:




Browser Javascript Report

Besides malicious software, phishing is one of biggest threat for enterprises. Hence phishing detection plays a key at Joe Security. Most phishing pages use suspicious Javascript code. With v41 we introduce a new report which makes all executed Javascript code available to the malware analyst:



Final Words


In this blog post, we have presented the most important features of Joe Sandbox Charoite, but there are some other interesting features on top:

  • Added 1 new string extractor

  • Added API for security log

  • Added coverage for NtQueueApcThreadEx2

  • Added coverage for connect, nanosleep, shutdown, reboot, truncate on Linux

  • Improved Firefox performance

  • Improved prevention of various VM detections

  • Improved phishing detection

  • Improved QR code detection & extraction

  • Improved process whitelisting

  • Improved URL analysis link selection


Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!