Tuesday, June 24, 2014

El Jefe v2.1 Release

It has been a couple of weeks since our last communication but the team is working hard to make El Jefe your first and best choice for threat analysis.

Today's release, while technically a minor release, has many new features.

Cuckoo configuration is not only fully integrated into our WebUI, but we also modified the implementation to allow you to use remote Virtual Machines! El Jefe now lets you configure where and how you want to run the sample inside the sandbox, allowing you to properly use it to look at more complex malware problems.
Configure a remote Sandbox Virtual Machine


For example, assume that you are ahead of the curve and you are using El Jefe to monitor your C-level executives. Each of them will probably have their own software set-up, operating system, etc. Once you find a potential threat (manually, or using the built-in El Jefe heuristics), you will want to understand the penetration behavior of the sample in the exact same environment it ran in on the executive's computer. That's why you set up a different Virtual Machine to mimic each executive's personal environment, and you can have the whole process run through El Jefe.

Select the right Sandbox Virtual Machine to run your sample


We want to be as open as possible and give you the freedom to interface with El Jefe in new and powerful ways that we have not even thought of. That's why we built a plugin that lets you use COSEINC's CAMAL instead of Cuckoo to get even more accurate results from your sandbox. (Kudos to Thomas and the COSEINC team for their fast response and an excellent product!)
Integration with CAMAL


El Jefe clients are now fully configured via the El Jefe UI, which will certainly make your life easier when deploying across your user-base.
Set-up your client completely from the WebUI


El Jefe clients now support proxies - which is obviously important for those of you in large enterprises.

People seem to love the Event filter, so we've started adding more features to it. You can now trigger an email warning and send suspicious binaries directly to sandbox analysis. This is just an example, of course. Our new API is easy enough to learn that you can create your own event filter in less than 20 minutes - which is important if you are in the middle of an incident. Fast reaction times when facing custom malware and an advanced penetration team are often your IR team's only hope of containing an ongoing compromise.
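To make the idea of a custom event filter concrete, here is an added example of the kind of pipeline the paragraph describes: process-creation events go through a few heuristics, and anything that matches produces an email warning and (for unknown binaries) a sandbox submission record. This is illustrative code written for this post, not El Jefe's own API; the event schema, the rule names, the `ir-team@example.invalid` address and the sample events are all constructed here.

```python
"""Hypothetical event-filter pipeline in the spirit of the El Jefe event filter.
Added example: the event fields, rules and action records are constructed here
and are not El Jefe's API."""
import hashlib
from dataclasses import dataclass, field
from email.message import EmailMessage

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "cfo-laptop", "user": "cfo", "parent": "explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "signed": True, "content": b"legit-word-binary"},
    {"host": "cfo-laptop", "user": "cfo", "parent": "WINWORD.EXE",
     "image": r"C:\Users\cfo\AppData\Local\Temp\invoice_viewer.exe",
     "signed": False, "content": b"unknown-dropper-bytes"},
    {"host": "ceo-desktop", "user": "ceo", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "signed": True, "content": b"cmd-binary"},
]

# Directory fragments a normal user can write to, and process classes used by the rules.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Alert:
    event: dict
    reasons: list = field(default_factory=list)


def basename(path):
    """Last path component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Apply simple heuristics to one event; return an Alert or None."""
    reasons = []
    image = event["image"].lower()
    parent = basename(event["parent"])
    if not event["signed"] and any(d in image for d in USER_WRITABLE):
        reasons.append("unsigned binary launched from a user-writable directory")
    if parent in OFFICE_APPS and basename(event["image"]) in SHELLS:
        reasons.append("Office application spawned a command interpreter")
    if parent in OFFICE_APPS and not event["signed"]:
        reasons.append("Office application spawned an unsigned binary")
    return Alert(event, reasons) if reasons else None


def email_warning(alert, to_addr="ir-team@example.invalid"):
    """Build (but do not send) the warning mail for an alert."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"[event filter] suspicious process on {alert.event['host']}"
    msg.set_content(
        f"user={alert.event['user']}\nimage={alert.event['image']}\n"
        f"parent={alert.event['parent']}\nreasons:\n  - " + "\n  - ".join(alert.reasons))
    return msg


def sandbox_submission(alert):
    """Record describing the binary to hand to the sandbox, keyed by its SHA-1."""
    content = alert.event["content"]
    return {"sha1": hashlib.sha1(content).hexdigest(),
            "filename": basename(alert.event["image"]),
            "origin_host": alert.event["host"],
            "size": len(content)}


def run_filter(events):
    """Return (emails, submissions) produced for every event that alerts."""
    emails, submissions = [], []
    for ev in events:
        alert = evaluate(ev)
        if alert is None:
            continue
        emails.append(email_warning(alert))
        if not ev["signed"]:  # only unknown binaries are worth sandbox time
            submissions.append(sandbox_submission(alert))
    return emails, submissions


if __name__ == "__main__":
    mails, subs = run_filter(SAMPLE_EVENTS)
    for m in mails:
        print(m["Subject"])
    for s in subs:
        print(s)
```

Run as a script it prints two warning subjects (the unsigned Temp binary and the Office-spawned cmd.exe) and one sandbox record for the unsigned binary; the signed WINWORD.EXE launch from explorer.exe passes silently. The rules are deliberately coarse: a real filter would add allow-lists for known-good paths so that legitimate updaters living under AppData do not page the IR team.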

In case you didn't notice, El Jefe is released by Immunity under the GPL v3 license. But, just in case, we now let you know in every file. Source code to El Jefe (for both the client and the server) is provided on the website and will soon be moved to a GitHub repository.

We also put together an installer for RHEL (widely used in enterprises) along with the Ubuntu one, so that everything installs automatically, and we have a beautifully crafted PDF with a step-by-step guide on how to install El Jefe.

Whether you're currently responding to an incident or you think you may someday want to respond to one, we think installing and getting to know El Jefe is a great first step for you. It's free, it works, and it's only getting better.

Of course, we welcome any of your feedback - send it to support@immunityinc.com and we'll be happy to respond!

Download it here
sha1sum: b8ee361ecf67e76ec0888e570153f76b15dfcea5  eljefe2.1.release.tar.gz

2 comments:

Evrard de TORCY said...

Hi,

Great job with the Cuckoo Sandbox.

But I was trying to install with the insta_ubuntu.sh on Debian Wheezy and it sent me an error on manage.py syncdb -> AttributeError: 'module' object has no attribute 'BinaryField'

Have you already seen this error, and do you know how to solve it?

Thanks,
Evrard

Nico Waisman said...

Evrard,
It seems that the problem is that Debian is installing an older version of Django. El Jefe works with Django 1.6 and above.

The installer is for Ubuntu; we never tried installing it on Debian.

Try the following:
sudo apt-get install python-pip
sudo pip install Django==1.6.2

Let us know!