Joe Sandbox is a multi-technology platform that combines instrumentation, simulation, hardware virtualization, and hybrid and graph-based static and dynamic analysis. Rather than focusing on one technology, Joe Sandbox combines the best parts of multiple techniques. This enables deep analysis, excellent detection and strong evasion resistance.
Hypervisor based Inspection (HBI) uses the latest hardware virtualization features of modern CPUs to place stealth breakpoints anywhere in the operating system or in malware code. Stealth breakpoints capture information about any API being called, whether in user mode or kernel mode. HBI further enables security experts to trace cross-module calls and other sensitive events, such as debug register modification, cpuid instruction execution and many others. HBI is fully stealthy and malware cannot detect its presence. HBI is not tied to a specific hypervisor such as KVM or Xen and can even run on bare-metal machines. HBI is fully configurable by our customers.
Learn more about this powerful technology from our blog posts: Level Up: Introducing Hypervisor based Inspection in Joe Sandbox, Decrypting C&C traffic with Hypervisor based Inspection and Analyzing Gozi's Anti-Analysis Tricks with Joe Sandbox Hypervisor 2.0.
Dynamic Generic Instrumentation (DGI) modifies code in order to log and change runtime information. DGI allows users to control API, method and function calls, including complex arguments, return values and object values. Besides the deep inspection of runtime data, DGI is an excellent technique for fighting evasion such as sleeps, logic bombs or environment checks: it enables the analyst to fully modify or fake arguments, return values and the state of objects. Furthermore, DGI is stealthy and very hard for malware to detect. Second only to instruction traces, DGI captures the most fine-grained dynamic information possible, and it lets security professionals provide their own custom instrumentation hooks.
Hybrid Code Analysis (HCA) combines dynamic and static program analysis while retaining the main benefits of both techniques: context awareness and resilience against code obfuscation such as packing and self-modifying code on the one hand, and complete code coverage on the other. It makes it possible to understand evasions against malware analysis systems, including sleeps, logic bombs and system fingerprinting. Moreover, it allows discovering hidden behavior – dormant functionality which is executed only under rare conditions. Hybrid Code Analysis enables security professionals to understand the complete malware behavior, not just the installation.
Check out the latest malware analysis reports to see the Hybrid Code Analysis at work and learn more about this powerful technology from our blog posts: New Sandbox Evasion Tricks spot, Finding a DGA in less than one Minute and Joe Sandbox aware Malware? Certainly not! But surely!.
Execution Graph Analysis (EGA) generates highly condensed control flow graphs, so-called Execution Graphs, to visualize the code detected by Hybrid Code Analysis. Execution Graphs highlight the full logical behavior of the malware and include additional runtime information such as execution status, signature matches, key decisions, unpacked code and richest paths. Execution Graph Analysis detects evasions against malware analysis systems fully automatically, without any human intervention. Furthermore, EGA rates the behavior by looking at API chains, execution coverage and loops.
Check out the latest malware analysis reports to see the Execution Graph Analysis at work and learn more about its capabilities in our blog post: The Power of Execution Graphs.
Joe Security has one of the most extensive generic Behavior Signature sets. The set, consisting of 2135+ signatures, covers multiple platforms including Windows, Android, macOS, iOS and Linux. Behavior Signatures help detect, classify and summarize malicious behavior, dangerous code and evasions. Joe Sandbox applies each signature to an enormous amount of captured data, ranging from operating system and network data to browser, memory, file, binary and screen data.
Besides Behavior Signatures, Joe Security actively maintains its own Yara (210+) and Sigma (31+) repositories.
Check out our latest malware analysis reports for behavior signature results.
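To make the idea of generic behavior signatures concrete, here is an added example (not Joe Sandbox's own engine or signature format): a small rule set applied to a constructed API-call trace, with a simple rating step on top. The trace layout, the signature names, the severities and the sleep threshold are all assumptions made for illustration.

```python
"""Toy behavior-signature engine that applies generic rules to a captured
API-call trace and rates the result. Added example, not Joe Sandbox code;
the trace layout, signature names, severities and thresholds are assumptions."""
from dataclasses import dataclass, field

# Constructed sample trace, one tuple per captured call: (pid, API name, arguments).
SAMPLE_TRACE = [
    (1000, "IsDebuggerPresent", {}),
    (1000, "Sleep", {"dwMilliseconds": 60000}),
    (1000, "Sleep", {"dwMilliseconds": 60000}),
    (1000, "CreateFileW", {"lpFileName": r"C:\Users\user\AppData\Roaming\upd.exe"}),
    (1000, "RegSetValueExW", {"hKey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                              "lpValueName": "upd"}),
    (1000, "InternetOpenUrlW", {"lpszUrl": "http://c2.example.invalid/gate.php"}),
]


@dataclass
class Match:
    name: str
    category: str          # e.g. "evasion", "persistence", "network"
    severity: int          # 1 = informative, 2 = suspicious, 3 = malicious
    evidence: list = field(default_factory=list)


def sig_long_sleep(trace, threshold_ms=30_000):
    """Evasion: total Sleep() time that would outlast a typical analysis run."""
    total = sum(a.get("dwMilliseconds", 0) for _, api, a in trace if api == "Sleep")
    if total >= threshold_ms:
        return Match("Sleeps long enough to evade analysis", "evasion", 2,
                     [f"total Sleep = {total} ms"])
    return None


def sig_debugger_check(trace):
    """Evasion: direct anti-debugging API call."""
    hits = [api for _, api, _ in trace
            if api in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent")]
    return Match("Checks for a debugger", "evasion", 2, hits) if hits else None


def sig_run_key_persistence(trace):
    """Persistence: a value written under an autostart Run key."""
    hits = [a["hKey"] for _, api, a in trace
            if api == "RegSetValueExW" and "\\CurrentVersion\\Run" in a.get("hKey", "")]
    return Match("Creates an autostart registry key", "persistence", 3, hits) if hits else None


def sig_http_request(trace):
    """Network: plain HTTP request issued through WinINet."""
    urls = [a["lpszUrl"] for _, api, a in trace if api == "InternetOpenUrlW"]
    return Match("Performs HTTP requests", "network", 1, urls) if urls else None


SIGNATURES = [sig_long_sleep, sig_debugger_check, sig_run_key_persistence, sig_http_request]


def apply_signatures(trace):
    """Run every signature over the whole trace and keep the ones that fire."""
    matches = []
    for sig in SIGNATURES:
        m = sig(trace)
        if m is not None:
            matches.append(m)
    return matches


def verdict(matches):
    """Rate a sample from its matches: any severity-3 match, or a cumulative
    score of 5 or more, is rated malicious; anything else that matched is suspicious."""
    if not matches:
        return "clean"
    if any(m.severity == 3 for m in matches) or sum(m.severity for m in matches) >= 5:
        return "malicious"
    return "suspicious"


def analyze(trace):
    """Return matched signature names, the evasion subset and the overall verdict."""
    matches = apply_signatures(trace)
    return {"matches": [m.name for m in matches],
            "evasions": [m.name for m in matches if m.category == "evasion"],
            "verdict": verdict(matches)}


if __name__ == "__main__":
    for m in apply_signatures(SAMPLE_TRACE):
        print(f"[{m.severity}] {m.category:12s} {m.name}: {m.evidence}")
    print("verdict:", verdict(apply_signatures(SAMPLE_TRACE)))
```

Each signature is a function over the full trace rather than a per-call hook, which is what lets a rule reason about aggregates (total sleep time, repeated checks) instead of single events; the rating step is deliberately simple, a real engine weighs many more data sources than API calls.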
While Hybrid Code Analysis and Behavior Signatures detect evasive threats, Cookbooks enable users to easily influence and change the malware's behavior automatically. With Cookbooks, security professionals can change the environment, simulate operating system events or modify the operating system's behavior. Cookbooks make it possible to completely customize the analysis procedure, including malware startup, analysis duration and analysis chaining across multiple systems. The Cookbook technology makes Joe Sandbox the most flexible and customizable malware analysis system in the industry.
Check out our blog posts to see Cookbooks in action: Nymaim - evading Sandboxes with API hammering and Joe Sandbox aware Malware? Certainly not! But surely!.