
Joe Sandbox v44 - Smoke Quartz

Joe Security's Blog

Published on: 19.01.2026


Today, we are proud to release Joe Sandbox 44 under the code name Smoke Quartz! This release is packed with many new detection signatures and important features that improve Joe Sandbox.






Our Joe Sandbox Cloud Pro, Cloud Basic, and OEM servers have recently been upgraded to Smoke Quartz.


If you wish to upgrade your on-premise Joe Sandbox installation, please follow the instructions in the "Updating" chapter of the user guide, which you can find in our customer portal.

339 new Signatures


Smoke Quartz comes with a very large number of new Yara and Behavior signatures to detect new malware families like TrashAgent, UDPGangster, ArliaiBot, ChromElevator, Sicari Ransomware, DeskRAT, Apollo Logger, SHub Stealer, DriverFixer0428, DigitStealer, Aisuru, Heaven Stealer, TOLLBOOTH and Scarface Stealer and many more. In addition, we added 19 new Malware Configuration Extractors, e.g. for Salat Stealer, Aura Stealer, MeshAgent, GhostSock, Spark RAT, Xorium Stealer, Zetarat, RevoltRAT, Kittysocks5, QQPass, ApolloAgent, Raven Stealer, Sakula RAT, Gravity RAT, Memalpha Stealer, Wall Stealer to name a few:









SOCKS / HTTP Proxy Support


Phishing detection has become increasingly difficult, mainly due to IP-based reputation systems and bot detection mechanisms. When a sandbox accesses a suspected phishing page, the server evaluates the IP address and, based on its reputation and bot score, decides whether to deliver the real payload or a benign response.

To address these evasion techniques, SOCKS and HTTP proxy support has been added to Joe Sandbox v44. This feature is available exclusively in Joe Sandbox Cloud Pro.

By leveraging residential proxies with a low bot score and high IP reputation, analysts can significantly increase the likelihood of retrieving and analyzing the genuine phishing payload.

Please note that proxies are generally more effective than VPNs, as they are harder for phishing infrastructure to detect.








Module Proxy Detection


We added proxy detection to better identify evasive DLL loading techniques used by malware. Certain DLLs commonly associated with C2 beacons (e.g., wininet, netapi, dpapi) may be loaded in a way that hides suspicious call stacks. Attackers bypass detection by proxying kernel32!LoadLibrary calls through ntdll or by using ThreadPool worker threads to perform the load asynchronously. This results in apparently clean call stacks without obvious indicators of compromise. Proxy detection exposes these indirect loading paths. This is important because it reveals stealthy execution techniques that would otherwise evade behavioral analysis.
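As an added illustration (not Joe Sandbox code), the heuristic below classifies constructed module-load call stacks the way a proxy-detection check might: a load of a C2-associated DLL that reaches `ntdll!LdrLoadDll` with no identifiable non-system caller is flagged, with thread-pool worker threads reported separately from loads that bypass the `kernel32!LoadLibrary*` frames. The process name, `agent.exe!main` and `ntdll!<trampoline>` are placeholders; the set of "system" images is deliberately minimal and would need widening for real stacks.

```python
"""Heuristic call-stack checks for module-load events (illustrative, added here)."""
from dataclasses import dataclass

# DLLs the post names as commonly tied to C2 beacons (file names assumed)
WATCHED_DLLS = {"wininet.dll", "netapi32.dll", "dpapi.dll"}
# Frames a normal LoadLibrary call leaves above ntdll!LdrLoadDll
LOADLIB_FRAMES = {"kernel32!LoadLibraryW", "kernel32!LoadLibraryA",
                  "kernel32!LoadLibraryExW", "kernel32!LoadLibraryExA",
                  "KERNELBASE!LoadLibraryExW"}
# Simplification: only these images count as "system"; real stacks hold more
SYSTEM_IMAGES = {"ntdll", "kernel32", "KERNELBASE"}

@dataclass
class ModuleLoad:
    process: str
    module: str
    stack: list  # frames as "image!symbol", innermost (LdrLoadDll) first

def classify(ev):
    """Return a reason string for an indirect load, or None if unremarkable."""
    if ev.module.lower() not in WATCHED_DLLS:
        return None
    images = {frame.split("!", 1)[0] for frame in ev.stack}
    if images - SYSTEM_IMAGES:
        return None  # some frame points back at identifiable non-system code
    if "ntdll!TppWorkerThread" in ev.stack:
        return "threadpool-proxy"  # load ran on a thread-pool worker thread
    if not LOADLIB_FRAMES & set(ev.stack):
        return "ntdll-proxy"  # LdrLoadDll reached with no LoadLibrary* frame
    return None

def scan(events):
    """Collect (process, module, reason) for every flagged load."""
    return [(e.process, e.module, classify(e)) for e in events if classify(e)]

# Constructed sample events; "<trampoline>" is a placeholder, not a real symbol
SAMPLE_EVENTS = [
    ModuleLoad("agent.exe", "wininet.dll", ["ntdll!LdrLoadDll",
        "KERNELBASE!LoadLibraryExW", "kernel32!LoadLibraryW", "agent.exe!main"]),
    ModuleLoad("agent.exe", "dpapi.dll", ["ntdll!LdrLoadDll", "ntdll!<trampoline>",
        "kernel32!BaseThreadInitThunk", "ntdll!RtlUserThreadStart"]),
    ModuleLoad("agent.exe", "netapi32.dll", ["ntdll!LdrLoadDll",
        "KERNELBASE!LoadLibraryExW", "ntdll!TppWorkerThread",
        "kernel32!BaseThreadInitThunk", "ntdll!RtlUserThreadStart"]),
    ModuleLoad("agent.exe", "user32.dll", ["ntdll!LdrLoadDll", "ntdll!<trampoline>"]),
]
if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("indirect load: %s loaded %s (%s)" % hit)
```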






Full analysis here.


Support for macOS Sonoma and Sequoia


Joe Sandbox v44 now supports macOS Sonoma and Sequoia, giving customers access to a more up-to-date macOS analysis environment.






Microsoft Sentinel Integration


We added an integration that connects Joe Sandbox analysis and threat intelligence with Microsoft Sentinel, Microsoft’s cloud-native SIEM/SOAR. It allows suspicious artifacts such as files, URLs, or email attachments to be analyzed by Joe Sandbox directly from Sentinel workflows. The results of these analyses are fed back into Sentinel to enrich incidents with deep behavioral context. Indicators of compromise extracted from the analysis can be used for detection and threat intelligence correlation. This integration helps automate investigation and response processes. It improves analyst efficiency by reducing manual analysis steps. Overall, it strengthens Microsoft Sentinel with advanced malware analysis and actionable threat context.





You can find the integration here.

Final Words


In this blog post, we highlighted the most important features of Joe Sandbox Smoke Quartz. These core improvements mark a significant step forward in automation, detection, and usability.

Beyond the features covered here, Smoke Quartz also includes a variety of other enhancements and refinements:

  • Added stdin capture for processes

  • Improved SSL inspection for bundled Node.js binaries

  • Improved QR code reader

  • Improved prevention of various VM detections


Together, all these advancements ensure that analysts and security teams can investigate threats more efficiently, uncover deeper insights, and stay one step ahead in the ever-evolving malware landscape.

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!