
Joe Sandbox A1

The World's most powerful Appliance to perform Deep Malware Analysis on Bare Metal.

Joe Sandbox A1 is a powerful standalone appliance based on NUC hardware running the latest version of Joe Sandbox Desktop. Joe Sandbox A1 features:

  Bare metal analysis / golden hardware
  Hypervisor based Inspection
  Mini rack system
  Fully standalone
  Up to 200 analyses per day
  Full root access to the system

Joe Sandbox A1 enables cyber-security professionals to perform Deep Malware Analysis without any installation effort and with extreme privacy. Samples will not leave the hardware.

Joe Sandbox A1 Explained

Joe Sandbox A1 is the world's first malware analysis appliance that analyzes malware on bare metal. Malware analysis systems often use virtual machines, which are easily detectable by malware. Joe Sandbox A1 uses NUC hardware to analyze malware and does not depend on VirtualBox, VMware or KVM.

The A1 appliance uses Joe Sandbox's latest Hypervisor based Inspection technology, which enables stealth malware analysis of any operating system activity.

Joe Sandbox A1 has a minimal form factor of 1U with a size of only 145(W)x195(D)x44.5(H)mm, fitting into any server rack or lab infrastructure. Customers get full root access to the system and the Joe Sandbox Desktop configuration.


Request a Joe Sandbox A1 demo

Have a look at the behavior analysis reports generated by Joe Sandbox A1 or contact Joe Security to schedule a technical presentation and demo.

Ready to Go Appliance

Joe Sandbox A1 is shipped as a ready to go appliance. No software installation or configuration is necessary. You get access to the web interface of Joe Sandbox A1 as well as full root access.

Golden Hardware - Analysis on Bare Metal

Joe Sandbox A1 runs and analyses malware on bare metal hardware. Joe Sandbox A1 does not use any virtualization solution such as KVM, VirtualBox, XEN or VMware. Since the malware runs on real hardware, there is no virtual machine for it to detect.

Small Form Factor

Joe Sandbox A1 has a small form factor of only 145(W)x195(D)x44.5(H)mm. It fits into any server rack. In addition, Joe Sandbox A1 produces little noise and can therefore be used directly in your lab.

Hypervisor Based Inspection

Joe Sandbox A1 includes Joe Sandbox Hypervisor and benefits from all its features including usermode, kernel, system call and memory monitoring, stealth and high efficiency.

Comprehensive Reports

Joe Sandbox A1 generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context-based search enables quick navigation.

968+ Generic and Open Behavior Signatures

Joe Sandbox A1 uses a growing set of 968+ generic Behavior Signatures to detect and classify malicious behavior such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage, and C&C Communication. Behavior Signatures are extendable and customizable and can optionally be shared within a community.

Yara

Joe Sandbox A1 supports Yara rules for advanced malware detection. Joe Sandbox A1 forwards all samples, downloaded files, resources and memory dumps to Yara. In addition, Joe Sandbox A1 features a web based Yara rule editor. Tired of updating Yara rules? Joe Sandbox A1 can automatically synchronize with GitHub repositories containing Yara rules.

Yara Rule Generation

Joe Sandbox A1 creates various Yara rules based on static, dynamic and hybrid behavior data. The generated Yara rules make it possible to identify specific malware, malware families and malware variants. The Yara Rule Generator uses sophisticated data rating and clustering algorithms.


Dynamic VBA Instrumentation

Joe Sandbox A1’s instrumentation engine enables monitoring any method or API call of VBA Macros embedded in Microsoft Office files (doc, docx, docxm, etc). The extracted dynamic information makes it possible to detect and understand decrypted routines (via colored call graph), payload URLs and evasions. Moreover, customers can add their own Pre and Post hooks to modify function parameters and return values.


Dynamic JS Instrumentation

Joe Sandbox A1’s instrumentation engine enables monitoring any method or API call (including arguments, returns etc) of a JavaScript file. The extracted dynamic information makes it possible to detect and understand decrypted routines (via colored call graph), payload URLs and evasions.

Analyses Hidden Payloads

Joe Sandbox A1's Hybrid Code Analysis (HCA) engine identifies code functions based on dynamic memory dumps. HCA enables in-depth analysis of malware by understanding hidden payloads, malicious functionality not seen during runtime analysis. HCA results are highly annotated and connected to dynamic behavior information. Through an advanced algorithm, HCA identifies hidden API calls and hidden strings within code.

Execution Graphs

Joe Sandbox A1 generates highly condensed control flow graphs, so-called Execution Graphs. Execution Graphs make it possible to detect evasions against malware analysis systems. Furthermore, Execution Graphs allow the behavior to be rated by looking at API chains, execution coverage and loops. Joe Sandbox A1 also includes extensive library code detection.

SSL Proxy

Joe Sandbox A1 can inspect HTTPS traffic. Similar to a next generation firewall, Joe Sandbox A1 installs a MITM SSL Proxy which intercepts and analyzes any SSL traffic. This makes it possible to inspect malicious HTTPS C&C traffic, which is often used in APTs.

IDS Network Analysis

Joe Sandbox A1 automatically analyzes the network data via Snort and "The Bro Network Security Monitor". Snort, with e.g. Emerging Threats ETOpen/ETPro rules, detects malicious IPs, domains or other network artifacts. Files extracted by Bro are automatically uploaded to Joe Sandbox.

Extensive supplementary Analysis Data

In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox A1 captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic, screenshots, shellcode and strings.

Reports provided in all relevant Formats

Joe Sandbox A1 reports are provided in all relevant export formats, ranging from common data exchange formats (XML, JSON) and document types (HTML, PDF) to malware security standards such as MAEC, CybOX, MISP and OpenIOC. Therefore, Joe Sandbox A1 reports can be seamlessly integrated with other tools and platforms.

Third Party Integrations

Joe Sandbox A1 has many Third Party Integrations. Detection results from VirusTotal and MetaDefender are visualized in the analysis report. Joe Sandbox A1 also integrates with Incident Response Solutions such as TheHive, Fame, MISP and CRITs. You can also use Joe Sandbox A1 in Phantom, the Security Automation & Orchestration Platform. We also offer integration with additional tools such as Viper and Malsub.

RESTful Web API

Joe Sandbox A1 allows for seamless integration into existing threat intelligence systems. It has a simple RESTful web API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow a fast integration.

Seamless IDA Integration

Joe Sandbox A1 delivers an IDA plugin which loads supplementary analysis data such as memory dumps and reconstructed PE files. Moreover, the plugin enriches IDA code with dynamic information such as APIs, chunks, strings and function arguments. IDA integration makes it possible to deeply understand and further investigate malicious code with the power of IDA.

High Detection Precision

Joe Sandbox A1 is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate < 2% and false negative rate < 6% for PE files. Besides the detection status (clean, suspicious or malicious) Joe Sandbox A1 generates a detailed confidence score - outlining how certain the system is about the detection.

Automated User Behavior

Through predefined and configurable Cookbooks - special scripts submitted as second input - Joe Sandbox A1 allows for performing advanced use cases on the analysis machine. Cookbook scripts describe an analysis procedure and allow any possible user behavior to be automated. Browsing a URL with IE, Firefox or Chrome, logging into an email account, or running a file with special arguments are just a few examples of the existing Cookbooks included. To click through any installer, Joe Sandbox A1 offers an advanced OCR-based click engine.

Simplified Management and Control

Joe Sandbox A1 includes an intuitive web interface with features such as file and URL uploads, cookbook editor, user management, bulk upload/download and mail/syslog notifications.

Flexibility and Customization

Joe Sandbox A1 is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox A1 supports multiple analysis machines with different applications/versions installed.

Additional Support, Maintenance and Consulting

Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge, as a supplemental package to Joe Sandbox A1.

* MAEC and the MAEC logo are trademarks of The MITRE Corporation.

What files does Joe Sandbox A1 analyze?

Joe Sandbox A1 analyzes any file type, including EXE, DLL, PIF, CMD, BAT, COM, SCR, CPL, PDF, DOC(X)(M), XLS(X)(M), PPT(X)(M), HWP (Hangul Korean), JTD (Ichitaro Japan), RFT, XPI, CRX (Chrome Plugin), EML (Email), MSG (Email), CHM, JS, VBS, VBE, LNK, JAR (Java), PS1 (Powershell), ZIP, 7Z, RAR, ZLIB. Joe Sandbox A1 includes a file type recognition engine which detects over 5000 different files.

What report and forensic data does Joe Sandbox A1 generate?

Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, memory dumps, strings, PCAP, screenshots, unpacked PE files, Yara rules and OpenIOC.

Which analysis technology does Joe Sandbox A1 use?

Joe Sandbox A1 uses Hypervisor based Inspection.

What are behavior signatures?

Behavior signatures are small scripts that rate the data Joe Sandbox A1 captures from the malware. Joe Sandbox A1 extracts system, network, memory, code and browser data. Joe Sandbox A1 includes a steadily increasing number of signatures, currently 968+.

Does Joe Sandbox A1 analyze malware on bare metal?

Yes, Joe Sandbox A1 analyzes malware on native machines. Malware often detects virtual machines, and therefore A1 is able to detect more malware.

Which Windows systems are supported?

Windows 7 x64 (English).

Is Joe Sandbox A1 a 100% standalone application?

Yes, Joe Sandbox A1 can be run without any connection to the Internet or our Cloud.

What is the size of the appliance?

1U with a size of only 145(W)x195(D)x44.5(H)mm.

On what hardware is A1 based?

An Intel i5 NUC.