Joe Sandbox Complete executes files and URLs in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities. All activities are compiled into comprehensive and extensive analysis reports.
Analysis reports, which contain key information about potential threats, enable cyber-security professionals to deploy, implement and develop appropriate defense and protections.
Joe Sandbox Complete enables you to install and use Joe Sandbox Desktop, Joe Sandbox Mobile and Joe Sandbox X for in-depth malware analysis on Windows, Android and
Mac OS X.
Joe Sandbox Complete's architecture is modular. It consists of at least one controller machine running Linux and multiple connected analysis machines (with Windows and Android installed) hosted by virtualization products such as VMware or VirtualBox. For analysis on Mac OS X an Apple Mac Mini or Mac Book is required. Files and URLs are send for testing via the Joe Sandbox Complete Web Interface to the controller's server. The Joe Sandbox Complete server stores the submission in a local file database and forwards them to the connected analysis machines, where the submission is then executed.
Joe Sandbox Complete's configurable and efficient dynamic and static analysis engine monitors any activities during the binary program execution and reports behavior data instantly to the controller. Click to read more about Joe Security's unique technologies to analyze binaries.
Evaluating results, statistics, activities and code functions are compiled into a detailed and well structured report.
Joe Sandbox Complete generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context based search enables to quickly navigate.
Joe Sandbox Complete enables analysis of all executable files (including malicious documents) on Windows XP, Windows 7, Windows W7 x64, Windows 10 and Windows 10 x64. Android Application Packages (APK) can be analyzed on all Android versions. In addition Joe Sandbox Complete analyses files on Mac OS X.
Joe Sandbox Complete analyses Office files for Microsoft Word, Excel, Powerpoint, Hangul Hancom (Korean Office) and Ichitaro (Japanese Office). Support for additional Office suites can be easily added.
Joe Sandbox Complete uses a growing set of over 1161+ generic Behavior Signatures to detect and classify malicious behavior activities such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage and C&C Communication. Behavior Signatures are extendable and customizable and optionally are shared within a community.
Joe Sandbox Complete enables to use a mix of virtual and physical analysis machines for analysis. Physical devices are very helpful in order to deal with evasive malware which may not run on virtual systems.
Joe Sandbox Complete's Hybrid Code Analysis (HCA) engine identifies code functions based on dynamic memory dumps. HCA enables in-depth analysis of malware by understanding hidden payloads, malicious functionality not seen during runtime analysis. HCA results are highly annotated and connected to dynamic behavior information. Through an advanced algorithm, HCA identifies hidden API calls and hidden strings within codes.
Joe Sandbox Complete generates highly condensed control flow graphs, so called Execution Graphs. Execution Graphs enable to detect evasions against malware analysis systems. Furthermore Execution Graphs allow to rate the behavior by looking at API chains, execution coverage and loops. Joe Sandbox Complete also includes extensive library code detection.
Joe Sandbox Complete’s instrumentation engine enables monitoring any method or API call of VBA Macros embedded in Microsoft Office files (doc, docx, docxm, etc). The extracted dynamic information allows to detect and understand decrypted routines (via colored call graph), payload URLs and evasions. Moreover customer can add their own Pre and Post hooks to modify function parameters and return values.
Joe Sandbox Complete enables to inspect HTTPS traffic. Similiar to a next generation firewall Joe Sandbox Complete installs a MITM SSL Proxy which intercepts and analyzes any SSL traffic. This allows to inspect malicious HTTPS C&C traffic which is often used in APTs.
Joe Sandbox Complete enables to analyze automatically the network data via Snort. Snort with e.g. Emerging Threats ETOpen/ETPro rules detects malicious IPs, Domains or other network artifacts.
Joe Sandbox Complete allows to use Yara Rules for advanced malware detection. Joe Sandbox Complete forwards all samples, downloaded files, resources as well as memory dumps to Yara. In addition Joe Sandbox Complete features a nice web based Yara Rule editor. Tired of updating Yara rules? Joe Sandbox Complete enables to automatically synchronize with GitHub repositories contain Yara rules.
Joe Sandbox Complete creates various Yara rules based on static, dynamic and hybrid behavior data. The generated Yara rules allow to identify specific malware, malware families and malware variants. Yara Rule Generator uses sophisticated data rating and clustering algorithms.
In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox Complete captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic, screenshots, shellcode and strings.
Joe Sandbox Complete reports are provided in all relevant export formats, ranging from common data exchange formats (XML, JSON) and document types (HTML, PDF) to malware security standards such as MAEC, CybOX, MISP and OpenIOC. Therefore, Joe Sandbox Complete reports can be seamlessly integrated with other tools and platforms.
Joe Sandbox Complete delivers an IDA plugin which loads supplementary analysis data such as memory dumps and reconstructed PE files. Moreover the plugin enriches IDA code with dynamic information such as APIs, chunks, strings and function arguments. IDA integration enables to deeply understand und further investigate malicious code with the power of IDA.
Joe Sandbox Complete is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate < 2% and false negative rate < 6% for PE files. Besides the detection status (clean, suspicious or malicious) Joe Sandbox Complete generates a detailed confidence score - outlining how certain the system is about the detection.
Through predefined and configurable Cookbooks - special scripts submitted as second input - Joe Sandbox Complete allows for performing advanced use cases on the analysis machine. Cookbook scripts describe an analysis procedure and allow any possible user behavior to be automated. Browsing a URL with IE, Firefox or Chrome, logging into an email account, or running a file with special arguments are just a few examples of the existing Cookbooks included. To click through any installer Joe Sandbox Complete offers an advanced OCR based click engine.
Joe Sandbox Complete allows for seamless integration into existing security products. A .NET SDK, serving interfaces for automated file submissions and processors for handling generated analysis data is included. For bulk file submissions, Joe Sandbox Complete provides a queuing system with load-balancing and prioritization mechanisms. OEM customer have full control over the solution, its generated data and configuration.
Joe Sandbox Complete includes an intuitive web interface with features such as file and URL uploads, cookbook editor, user management and bulk upload/download and mail/syslog notifications.
Joe Sandbox Complete is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox Complete supports multiple analysis machines with different applications/versions installed.
Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge as an supplemental package to Joe Sandbox Complete.
Joe Sandbox Complete Resources:
Joe Sandbox Complete analyzes all files, including EXE, DLL, PIF, CMD, BAT, COM, SCR, CPL, PDF, DOC(X)(M), XLS(X)(M), PPT(X)(M), HPW (Hangul Korean), JTD (Ichitaro Japan), RFT, XPI, CRX (Chrome Plugin), EML (Email), MSG (Email), CHM, JS, VBS, VBE, LNK, JAR (Java), PS1 (Powershell), ZIP, 7Z, RAR, ZLIB, APK (Android Application Package), MACH-O (Mac), DMG (Mac), APP (Mac), XAR (Safari Plugin) on Windows Desktop, Android and Mac OS X based operating systems. Joe Sandbox Complete includes a file type recognition engine which detects over 5000 different files.
Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, memory dumps, strings, PCAP, screenshot, unpacked PE files and openIOC.
Joe Sandbox Complete uses a wide range of analysis technologies including dynamic, static as well as hybrid. Due to the use of several analysis techniques Joe Sandbox Complete discovers more behavior than other solutions.
Behavior signatures are tiny scripts to rate data Joe Sandbox Complete captures from the malware. Joe Sandbox Complete extracts system, network, memory, code and browser data. Joe Sandbox Complete includes a steady raising number of signatures.
Joe Sandbox Complete supports all virtualization products, including VirtualBox and VMware ESX.
Yes, Joe Sandbox Complete enalbes to analyze malware on native machines. Therefore you can use directly a PC or laptop from your company as an analysis target.
Windows XP, Windows 7, Windows 7 x64, Windows 8, Windows 10 and Windows 10 x64 with a system language spoken in Europe (German, French, English etc). All Android versions in English language. For Mac OS X the latest operating system.
Joe Sandbox Complete runs on standard hardware with Linux as operating system (e.g. Ubuntu Server). For installation a single server is required. For analysis on Mac OS X and additional Mac Mini or Mac Book.
Yes, Joe Sandbox Complete can be run without any connection to the Internet or our Cloud.
We offer perpetual licenses with a site, country or world-wide scope. Services such as support and upgrades are availabe as an annual renewing license.