Joe Sandbox Cloud is a web service based on Joe Sandbox Ultimate, hosted by Joe Security. The web service enables cyber-security professionals to upload files and URLs for analysis and to download analysis reports and other threat intelligence data.
Joe Sandbox Cloud generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context-based search enables quick navigation through the report.
Joe Sandbox Cloud enables analysis of all executable files (including malicious documents) on Windows 7, Windows 7 x64, Windows 10 and Windows 10 x64. Android Application Packages (APK) can be analyzed on all Android versions. In addition, Joe Sandbox Cloud analyses files on macOS, Linux and iOS.
Joe Sandbox Cloud analyses Office files for Microsoft Word, Excel, PowerPoint, Hangul Hancom (Korean Office) and Ichitaro (Japanese Office). Support for additional Office suites can be easily added.
Joe Sandbox Cloud uses a growing set of 2089+ generic Behavior Signatures to detect and classify malicious behavior such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage and C&C Communication. Behavior Signatures are extensible and customizable, and can optionally be shared within a community.
Joe Sandbox Cloud can use a mix of virtual and physical analysis machines. Physical devices are very helpful for dealing with evasive malware which may not run on virtual systems.
With Joe Sandbox Cloud, analysts can directly connect to the analysis machine and click manually through complex malware installers or phishing attacks. The remote assistance option is fully embedded in the browser, so no additional software has to be installed.
Joe Sandbox Cloud includes LIA. LIA routes all analysis traffic through a selected country, which makes it possible to analyze country-aware malware.
Joe Sandbox Cloud implements an intelligent malware analysis chain, starting with coarse-grained and ending with in-depth, fine-grained malware analysis techniques. The intelligent chain makes it possible to sort out uninteresting samples and focus on the most interesting malware samples.
Joe Sandbox Cloud includes Mail Monitor, which automatically analyses emails. Mail Monitor downloads all newly received emails from a configured email account and submits them to Joe Sandbox Cloud. All attachments and URLs are inspected separately.
Joe Sandbox Cloud generates highly condensed control flow graphs, so-called Execution Graphs. Execution Graphs make it possible to detect evasions against malware analysis systems. Furthermore, Execution Graphs allow the behavior to be rated by looking at API chains, execution coverage and loops. Joe Sandbox Cloud also includes extensive library code detection.
Joe Sandbox Cloud’s instrumentation engine enables monitoring of any method or API call of VBA Macros embedded in Microsoft Office files (doc, docx, docm, etc.). The extracted dynamic information makes it possible to detect and understand decrypted routines (via a colored call graph), payload URLs and evasions. Moreover, customers can add their own pre- and post-hooks to modify function parameters and return values.
Joe Sandbox Cloud’s instrumentation engine enables monitoring of Java API calls (including arguments, return values, etc.) of a JAR file. The extracted dynamic information makes it possible to detect and understand Java malware such as JRAT or Adwind RAT.
Joe Sandbox Cloud detects phishing pages by using an AI-based template matching approach. Customers can easily add additional templates to detect phishing of their own web portals. Template-matching-based phishing detection has very low false negative and false positive rates.
Joe Sandbox Ultimate includes Joe Sandbox DEC, which generates simple C functions from unpacked PE files. The generated C code is easy to understand for security professionals and enables more efficient analysis than the corresponding disassembly code.
Joe Sandbox Cloud can inspect HTTPS traffic. Similar to a next-generation firewall, Joe Sandbox Cloud installs a MITM SSL proxy which intercepts and analyzes any SSL traffic. This makes it possible to inspect malicious HTTPS C&C traffic, which is often used in APTs.
Joe Sandbox Cloud allows the use of Yara rules for advanced malware detection. Joe Sandbox Cloud forwards all samples, downloaded files, resources as well as memory dumps to Yara. In addition, Joe Sandbox Cloud features a nice web-based Yara rule editor. Tired of updating Yara rules? Joe Sandbox Cloud can automatically synchronize with GitHub repositories that contain Yara rules.
Joe Sandbox Cloud allows the use of Sigma rules for threat detection. Joe Sandbox currently supports many Sigma event types, including process_creation and Sysmon events. In addition, Joe Sandbox Cloud features a nice web-based Sigma rule editor. Tired of updating your Sigma rules? Joe Sandbox Cloud can automatically synchronize with GitHub repositories that contain Sigma rules.
Joe Sandbox Cloud creates various Yara rules based on static, dynamic and hybrid behavior data. The generated Yara rules make it possible to identify specific malware, malware families and malware variants. The Yara Rule Generator uses sophisticated data rating and clustering algorithms.
In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox Cloud captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic, screenshots, shellcode and strings.
Joe Sandbox Cloud reports are provided in all relevant export formats, ranging from common data exchange formats (XML, JSON) and document types (HTML, PDF) to malware security standards such as MAEC, CybOX, MISP and OpenIOC. Therefore, Joe Sandbox Cloud reports can be seamlessly integrated with other tools and platforms.
Joe Sandbox Cloud includes the threat intelligence database Joe Sandbox View. View provides threat intelligence context and enables very deep search queries, for example on assembly instructions and API argument values, but also on classic IOCs such as IPs, domains, HTTP data and dropped files.
Joe Sandbox Cloud has many third-party integrations. Detection results from VirusTotal and MetaDefender are visualized in the analysis report. Joe Sandbox Cloud also integrates with incident response solutions such as TheHive, Fame, MISP and CRITs. You can also use Joe Sandbox Cloud in the security automation and orchestration platforms Phantom and Demisto. We also offer integration with additional tools such as Viper and Malsub.
Joe Sandbox Cloud allows for seamless integration into existing threat intelligence systems. It has a simple RESTful web API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow fast integration.
Joe Sandbox Cloud delivers an IDA plugin which loads supplementary analysis data such as memory dumps and reconstructed PE files. Moreover, the plugin enriches IDA code with dynamic information such as APIs, chunks, strings and function arguments. IDA integration enables analysts to deeply understand and further investigate malicious code with the power of IDA.
Joe Sandbox Cloud is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate below 2% and a false negative rate below 6% for PE files. Besides the detection status (clean, suspicious or malicious), Joe Sandbox Cloud generates a detailed confidence score indicating how certain the system is about the detection.
Through predefined and configurable Cookbooks (special scripts submitted as a second input), Joe Sandbox Cloud supports advanced use cases on the analysis machine. Cookbook scripts describe an analysis procedure and allow any possible user behavior to be automated. Browsing a URL with IE, Firefox or Chrome, logging into an email account, or running a file with special arguments are just a few examples of the Cookbooks included. To click through any installer, Joe Sandbox Cloud offers an advanced OCR-based click engine.
Joe Sandbox Cloud Resources:
Private Accounts, no Sample or Analysis Result Sharing
Multi Tenancy, Data is always tied to one User
Full Sample Privacy, no Third Party or Cloud Lookups
Interact with the analysis machine (Remote Assistance)
Get access to the REST WEB API
Download Executive Report
Download HTML Report
Download JSON Report
Download XML Report
Download PDF Report
Download PCAP (Network Traffic)
Download created / dropped Files
Download String Files
Download MISP Report
Download MAEC Report
Download unpacked PE Files
Download memory Dumps (and analyze them in IDA with the Joe Sandbox bridge plugin)
Analysis on Linux CentOS 7
Analysis on Linux Ubuntu 16.04
Analysis on Android 4.4
Analysis on Android 5.1
Analysis on Android 5.1 Native
Analysis on Android 6.0
Analysis on Android 7.1
Analysis on Android 8.1
Analysis on macOS High Sierra
Analysis on iOS 7.1
Analysis on Native Machines
Analysis on Windows 7
Analysis on Windows 7 x64
Analysis on Windows 10
Analysis on Windows 10 x64
Test different Application Versions (Acrobat, Office, Chrome, Firefox, IE, Flash, Java)
Inspect and analyze encrypted HTTPS traffic
Submit Cookbooks to automate advanced User Behavior
Use Hybrid Code Analysis (HCA)
Use Execution Graph Analysis (EGA)
Use Yara to check memory dumps, samples and downloaded files
Use the Joe Sandbox IDA Bridge Plugin to load and annotate memory dumps
Download Yara rules and generate Yara super rules to identify malware families and variants
Use Joe Sandbox Detect
Use Joe Sandbox Class
Use Joe Sandbox DEC (Hybrid Decompilation) for C-code generation
Use Hypervisor based Inspection
Use Joe Sandbox Mail Monitor, periodically scans Mail accounts for malware
Use Joe Sandbox ML

Plan limits (one column per plan):
|Max file upload size|100MB|100MB|100MB|100MB|200MB|
|Number of Accounts included|1|1|5|5|5|
|Analyses volume per month|10|100|Up to several 100k|
Swiss Francs / year
For Joe Sandbox Cloud Pro accounts we do not share any samples or any analysis results with anyone. We also do not make any backups of it. Your uploaded samples and analysis results are fully private. The samples are not uploaded to Virustotal or any third party service!
Joe Sandbox Cloud analyzes all files, including EXE, DLL, PIF, CMD, BAT, COM, SCR, CPL, PDF, DOC(X)(M), XLS(X)(M), PPT(X)(M), HWP (Hangul Korean), JTD (Ichitaro Japan), RTF, XPI, CRX (Chrome Plugin), EML (Email), MSG (Email), CHM, JS, VBS, VBE, LNK, JAR (Java), PS1 (PowerShell), ZIP, 7Z, RAR, ZLIB, APK (Android Application Package), Mach-O (Mac), DMG (Mac), APP (Mac), XAR (Safari Plugin) on Windows Desktop, Android, macOS and iOS based operating systems. Joe Sandbox Cloud includes a file type recognition engine which detects over 5000 different file types.
Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, memory dumps, strings, PCAP, Yara rules, screenshots, unpacked PE files, OpenIOC, MISP and MAEC.
Joe Sandbox Cloud uses a wide range of analysis technologies, including dynamic, static and hybrid analysis. Because it combines several analysis techniques, Joe Sandbox Cloud discovers more behavior than other solutions.
Behavior signatures are small scripts that rate the data Joe Sandbox Cloud captures from the malware. Joe Sandbox Cloud extracts system, network, memory, code and browser data. Joe Sandbox Cloud includes a steadily growing number of 2089+ signatures.
No, this feature is only available in our in-house products, e.g. Joe Sandbox Ultimate.
Yes, Joe Sandbox Cloud can analyze malware on native machines.
Windows 7, Windows 7 x64, Windows 10, Windows 10 x64, Android 4.2 - 8.1, macOS High Sierra, Ubuntu 16.04 x64, CentOS 7.5 and iOS 7.1.2 (iPhone 4).
Yes, there is an extensive REST-based web API.
Yes, your rules are evaluated against submitted files, dropped / downloaded files, memory dumps and PCAPs.
Joe Sandbox Cloud is offered as a subscription based service.