Web API 2.0 Extensions
We extended the REST API 2.0 with the ability to manage users, cookbook and Yara rules. You can create, modify and list all users, cookbooks and Yara rules:
URL Memory Extraction
Fire Opal extracts URLs directly from memory dumps and sends them to
Virustotal or
MetaDefender for detection:
With that feature, Joe Sandbox detects C&C URLs even if they are not called.
Dynamic Data for Hybrid Code Analysis
Dynamic information such as system or API call arguments is now fully passed to our Hybrid Code Analysis engine. As a result, you find function arguments directly in the disassembly section:
This makes reading and understanding the disassembly much easier! Thanks to this feature, we see in the example above that the address of GetTickCount is queried as well as the number of ticks returned by GetTickCount.
Screenshot Thumbnails and Downloads
We added a gallery of all screenshots as thumbnails to the analysis report. This makes it much easier to identify interesting screenshots:
In addition, you can now download a selection of "Interesting Screenshots" only:
Improved VBA Callgraphs
If you activate VBA instrumentation - a technique which enables to extract dynamic information from VBA Macros in Office documents - Joe Sandbox will generate an impressive call graph. With Fire Opal we extended that call graph and added triggers, number of calls and API calls:
Due to that improvement, you can find interesting Macro parts more quickly and understand the structure of the code better.
RTF File Parser
Documents in RTF format are now parsed and malicious objects are detected:
Joe Sandbox Class 2.0
The Fire Opal release includes Joe Sandbox Class 2.0. Class is the code similarity engine of Joe Sandbox. It enables to identify similar samples by looking at code functions. Class 2.0 includes a wide range of new features such as opcode and instruction based similarity searches, a completely redesigned report, as well as various performance improvement:
With Joe Sandbox Class 2.0 analysts find similar samples more quickly, understand which samples are the most similar and why they are similar.
Dialog Box Support for Android
Android samples requesting dynamic permissions have become more frequent. Therefore we added automation support for those dialog boxes:
As a result, Joe Sandbox handles all dialog boxes fully automated.
Final Words
In this blog post, we introduced some of the major features of the Fire Opal release. Furthermore, minor features are:
- Added Windows 10 x64 support to Joe Sandbox Hypervisor as well as a huge performance upgrade
- Added more user-mode API interceptions to Joe Sandbox Hypervisor
- Added a new guide for Remote Assistance
- Added a new cookbook to change the timezone of the analysis machine
- Added a password test for protected office documents
- Added auto dependency installation
- Added support for dynamic instrumentation of dropped APKs
- Added support for decompilation of dropped APKs and DEX files
- Added support for MITM SSL inspection on Android
- Huge performance improvement for documents and URL analysis
- Improved the general analysis performance
- Improved the selection of interesting Android methods
- Improved remote assistance
What is next? We have an amazing pipeline of new technologies and features - stay tuned!