Today, we are proud to release Joe Sandbox 41 under the code name Charoite! This release is packed with many new detection signatures and important features to make Joe Sandbox even better.
Our Joe Sandbox Cloud Pro, Basic, and OEM servers have recently been upgraded to Charoite.
If you wish to upgrade your on-premise Joe Sandbox installation, please follow the instructions in the chapter on "Updating" in the user guide which you find in our customer portal.
307 new Signatures
Charoite comes with a very large number of new Yara and Behavior signatures to detect new malware families like SpiceRAT, Diamorphine, AlphaSeed, Mallox, HZ Rat, CTHULHU STEALER, Banshee, Stealer, BeaverTail, CVE-2024-7262, SMERT, Kematian Stealer, Cronus, ByteVaultX,LethalLock and many more. In addition, we added 13 new Malware Configuration Extractors, e.g. for Meterpreter, Xehookstealer, Warmcookie, Ztrat, Urelas, Atlantidastealer, Donex, Vipkeylogger, Evilproxy, Greatnessphishingkit, Simdastealer, Coppershrimp and Originbotnet, to name a few. We also started adding config extractors for Phishing PaaS such as Tycoon2FA:
COM tracing
VBS, JS and VBA files often use COM (component object model) calls to perform malicious actions. COM calls are difficult to trace but with Joe Sandbox v41 malware analysts can see all COM calls performed by a suspicious process. Let us have a look at this VBA file:
It is highly obfuscated. Therefore its purpose is hard to understand. COM calls can be found in the COM Activities:
Looking at the calls we instantly find that the script calls the Windows Scripting Host Run function in order to call Powershell.
Suricata Integration
We have integrated Suricata IDS into Joe Sandbox Charoite. Suricata replaces Snort, as it offers superior performance in malware analysis, with better handling of complex traffic patterns and improved detection capabilities.
Key Highlights are :
Suricata scans network traffic in all analyses across all architectures, also during Live Interaction.
Easily enable the Emerging Threat OPEN or PRO ruleset for immediate and up-to-date threat detection .
Possibility to add your own Suricata custom rules (see web app: Editor > Suricata).
Rules which hit are shown in the Network Behavior - Suricata IDS Alerts and Suricata Signatures:
Browser Javascript Report
Besides malicious software, phishing is one of biggest threat for enterprises. Hence phishing detection plays a key at Joe Security. Most phishing pages use suspicious Javascript code. With v41 we introduce a new report which makes all executed Javascript code available to the malware analyst:
Final Words
In this blog post, we have presented the most important features of Joe Sandbox Charoite, but there are some other interesting features on top:
Added 1 new string extractor
Added API for security log
Added coverage for NtQueueApcThreadEx2
Added coverage for connect, nanosleep, shutdown, reboot, truncate on Linux
Improved Firefox performance
Improved prevention of various VM detections
Improved phishing detection
Improved QR code detection & extraction
Improved process whitelisting
Improved URL analysis link selection