Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Joe Sandbox 23 - Black Opal is out!

Published on: 31.07.2018

Although it's summertime and the livin' is easy, we have been working hard to deliver Joe Sandbox v23 under the code name Black Opal! This release is packed with brand new features and interesting enhancements that make Joe Sandbox more powerful than ever.

Our Joe Sandbox Cloud ProBasic and OEM servers have already been upgraded to Black Opal a couple of days ago.

If you wish to upgrade your on-premise Joe Sandbox DesktopMobileXComplete 
and Ultimate installation right away, then please run the following command:

mono joeboxserver.exe --updatefast

Even though we're excited about every aspect of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Opal features.

Linux Support

Joe Sandbox Linux 1.0.0 is now officially available for purchase! With Joe Sandbox Linux you can analyze threats targeting Ubuntu as well as CentOS. 

For more details as well as latest analyses of Linux malware please have a look at our recent blog post.

31 New Behavior Signatures

New signatures include detection of Kronos, Hermes, FlawedAmmyy, new UAC bypasses, Agent Tesla, Empire, OSXDummy, XMRig and more:

AI-based Phishing Detection

We further enhanced our template based phishing detection. Instead of relying only on a template matching technique, Joe Sandbox now employs several techniques (including logo region detection, perceptual hashing, and feature detection). We used machine learning to combine the results of all techniques to minimize false positives:

STIX v2 Report

Do you use Structured Threat Information Expression (STIX) as a standard for IOCs or does your threat intelligence solution support STIX? If so, integration with Joe Sandbox has become very easy since Black Opal generates extensive STIX v2 reports (in addition to MAEC, OpenIOC and MISP):

The STIX report includes all major detections and IOCs such as dropped files, processes, domains, and IPs.

Windows 10 x64 1803 Support

Joe Sandbox x23 Black Opal analyzes malware on the latest Windows 10 version!

We have also added Windows 10 support for Joe Sandbox Hypervisor:

Thus, you can analyze threats with Hypervisor based Inspection on Windows 10!

IDA Pro 7.1 Support

IDA Pro 7.1 is now officially supported by the Joe Sandbox Bridge Plugin. The plugin allows to load memory dumps into IDA Pro and enrich it with dynamic information:

Web API v2 Enhancements

With Black Opal we added several new APIs to the RESTful Web API. This includes cookbook and Yara upload, download, deletion, and listing:

As a result, you now can fully automate Yara and Cookbook handling via the API.

Sysmon Logs Extraction

We added a new cookbook to easily extract Sysmon Logs via Joe Sandbox:

For detailed information please have a look at our recent blog post about Sysmon logs.

Android Decompilation

Black Opal decompiles Android Application Packages (APK). As a result, there are several new downloads for Android analyses:

Inside the full Android report you can easily navigate to the source code:

Final Words

In this blog post, we introduced some of the major features of the Black Opal release. Furthermore, minor features are:

  • ContentSettings-Ms support on Windows 7
  • Option to change the keyboard layout through the Web GUI
  • Option to start samples as a normal user through the Web GUI
  • Option to enable Anti-Evasion for data-aware samples through the Web GUI
  • Support for Unicode file names (Chinese, Japanese and Korean)
  • Security alerts (login, PW change etc)
  • Setup code for cookbooks
  • Major speed up for Internet Explorer analysis
  • General analysis speed up
  • Automated Yara rule validation & conflict resolving

What is next? We have an amazing pipeline of new technologies and features - stay tuned! 

Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!