Joe Security's Blog
Joe Sandbox v32 - Black Diamond
Published on: 28.06.2021
Today we release Joe Sandbox 32 under the code name Black Diamond! This release is packed with brand new features and improvements, designed to make malware analysis more convenient, faster and more precise!
If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete
or Ultimate installation right away, please run the following command:
mono joeboxserver.exe --updatefast
Even though we are delighted about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Black Diamond features.
310 new Signatures
With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like Klingon RAT, XCCSET, MapperState, Facefish, Silver Sparrow, Vovalex, Parasite, DearCry, MauriGo, Bloody Stealer and many more. In addition, we added 40 new malware configuration extractors, e.g. for Darkside, SystemBC, RevengeRAT, Clipboard Hyjacker, FatalRat, GrandSteal, AveMaria, just to name a few:
Malware configuration data includes often all C&C as well as other major threat intelligence data (targeted extension for ransomware, ports, login data etc.). It is therefore the malware analyst's gold data as there is nothing better.
Live Data for Interactive Analysis
The biggest feature of Joe Sandbox Black Diamond is Live Data for Interactive Analysis on Windows. We added Live Interaction back in 2018 and now extended if with real time behavior, Yara and Sigma signature information:
Malware analyst get instant results for their Yara rules which are applied to all artifacts including dropped files and memory dumps. The same applies to Sigma and Behavior rules. Besides signatures, there is live data for IOCs such as Domains, URLs and IPs:
The detection, verdict and process tree is also updated during the behavior analysis. Analysts have the freedom to extend or stop the analysis anytime.
Thanks to live data analysts no longer have to wait for signature and IOC results. They get them instantly!
Interactive Analysis on macOS
Joe Sandbox currently supports interactive analysis on Windows, Android and Linux. With Black Diamond we also added it to macOS:
Malware Hunters can use interactive analysis on macOS to click through complex installers or phishing attacks.
EVTX Downloads
More and more tools use Windows EVTX / Event Viewer logs for detection. Sigma is just one example. We therefore added EVTX files as an additional download:
Joe Sandbox users can download the full EVTX files and feed them into other tools.
Customizable Yara Rules
Black Diamond brings some additional benefits for malware analysts which use Yara together with Joe Sandbox. Joe Sandbox runs customer uploaded Yara rules on all artifacts such as dropped files, memory dumps, HTML DOM, PCAP, unpacked PE files etc. With customizable Yara rules, analysts can now influence the Joe Sandbox detection score, the threat name, as well as the MITRE ATT&CK mapping, by using specific meta tags:
Final Words
In this blog post, we have presented the most important features of Joe Sandbox Black Diamond, but there are some other very interesting features on top:
- Added AI Phishing Detection to cover phishing attacks starting with a PDF lure
- Added DLL reload detection
- Added threat name to browser / email notification
- Added SSL key log download
- Added PDF executive report
- Added info icons to report
- Added similarity check for PDF phishing detection
- Added image shot hash phishing detection
- Added detection of terminated processes
- Added detection of #UD exceptions
- Improved Sigma integration
Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!