Clicky

Explore Joe Security Cloud Basic Accounts Subscribe to our Newsletters Contact Us
top title background image

Joe Sandbox Ultimate

Automated Deep Malware Analysis targeting Windows, Android or Mac

Joe Sandbox Ultimate Joe Sandbox Ultimate executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and the operating system for suspicious activities. All activities are compiled into comprehensive and extensive analysis reports.

Analysis and classification reports, which contain key information about potential threats, enable cyber-security professionals to deploy, implement and develop appropriate defense and protections.

Joe Sandbox Ultimate enables to use Joe Sandbox Desktop, Joe Sandbox Light, Joe Sandbox Mobile, Joe Sandbox X, Joe Sandbox Class, Joe Sandbox Filter and Joe Sandbox DEC in one powerful product.

Joe Sandbox Ultimate Explained

Joe Sandbox Ultimate Explained

Joe Sandbox Ultimate’s architecture is modular. It consists of at least one controller machine running Linux and multiple connected analysis machines (with Windows and Android installed) hosted by virtualization products such as VMware or VirtualBox.

Files and URLs are uploaded for analysis to Joe Sandbox Ultimate. Joe Sandbox Ultimate first analyzes the file statically with Joe Sandbox Filter. If the file has not been detected as benign it is sent to Joe Sandbox Light, where a high speed coarse grained analysis is performed. Finally if no malicious activities have been found the file is analyzed in-depth with Joe Sandbox Desktop. After dynamic analysis Joe Sandbox Class compares the analysis results to previous results in order to generate a malware similarity report.

Joe Sandbox Ultimate implements an intelligent malware analysis chain, starting with the coarse grained and ending with find grained in-depth analysis. A sample is sent only to the next analysis if Joe Sandbox Ultimate has classified the file as benign or malicious with a high certainty. The intelligent chaining enables to process high volumes of samples in short time.


Request a Joe Sandbox Ultimate demo

Have a look at the behavior analysis reports generated by Joe Sandbox Ultimate or contact Joe Security to schedule a technical presentation and demo.

Comprehensive Reports

Joe Sandbox Ultimate generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context based search enables to quickly navigate.

Comprehensive Reports

All Files on all Platforms

Joe Sandbox Ultimate enables analysis of all executable files (including malicious documents) on Windows 7, Windows W7 x64, Windows 10 and Windows 10 x64. Android Application Packages (APK) can be analyzed on all Android versions. In addition Joe Sandbox Ultimate analyses files on Mac OS X.

All Files on all Platforms

Analysis of Office Files

Joe Sandbox Ultimate analyses Office files for Microsoft Word, Excel, Powerpoint, Hangul Hancom (Korean Office) and Ichitaro (Japanese Office). Support for additional Office suites can be easily added.

Analysis of Office Files

1373+ Generic and Open Behavior Signatures

Joe Sandbox Ultimate uses a growing set of over 1373+ generic Behavior Signatures to detect and classify malicious behavior activities such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage and C&C Communication. Behavior Signatures are extendable and customizable and optionally are shared within a community.

1373+ Generic and Open Behavior Signatures

Virtual and Physical Analysis Systems

Joe Sandbox Ultimate enables to use a mix of virtual and physical analysis machines for analysis. Physical devices are very helpful in order to deal with evasive malware which may not run on virtual systems.

Virtual and Physical Analysis Systems

Multilayered System with intelligent Chaining

Joe Sandbox Ultimate implements an intelligent malware analysis chain, starting with coarse grained and ending with in-depth fine grained malware analysis techniques. The intelligent chain enables to sort out uninteresting samples and focus on the most interesting malware samples.

Multilayered System with intelligent Chaining

Analyses Hidden Payloads

Joe Sandbox Ultimate's Hybrid Code Analysis (HCA) engine identifies code functions based on dynamic memory dumps. HCA enables in-depth analysis of malware by understanding hidden payloads, malicious functionality not seen during runtime analysis. HCA results are highly annotated and connected to dynamic behavior information. Through an advanced algorithm, HCA identifies hidden API calls and hidden strings within codes.

Analyses Hidden Payloads

Execution Graphs

Joe Sandbox Ultimate generates highly condensed control flow graphs, so called Execution Graphs. Execution Graphs enable to detect evasions against malware analysis systems. Furthermore Execution Graphs allow to rate the behavior by looking at API chains, execution coverage and loops. Joe Sandbox Ultimate also includes extensive library code detection.

Execution Graphs

C-Code Generation

Joe Sandbox Ultimate includes Joe Sandbox DEC, which generates simple C functions from unpacked PE files. The generated C code is easy to understand for security professionals and enables more efficient analysis than the corresponding disassembly code.

C-Code Generation


Dynamic VBA Instrumentation

Joe Sandbox Ultimate’s instrumentation engine enables monitoring any method or API call of VBA Macros embedded in Microsoft Office files (doc, docx, docxm, etc). The extracted dynamic information allows to detect and understand decrypted routines (via colored call graph), payload URLs and evasions. Moreover customer can add their own Pre and Post hooks to modify function parameters and return values.

Dynamic VBA Instrumentation

SSL Proxy

Joe Sandbox Ultimate enables to inspect HTTPS traffic. Similiar to a next generation firewall Joe Sandbox Ultimate installs a MITM SSL Proxy which intercepts and analyzes any SSL traffic. This allows to inspect malicious HTTPS C&C traffic which is often used in APTs.

SSL Proxy

IDS Network Analysis

Joe Sandbox Ultimate enables to analyze automatically the network data via Snort and "The Bro Network Security Monitor". Snort with e.g. Emerging Threats ETOpen/ETPro rules detects malicious IPs, Domains or other network artifacts and Files extracted by Bro are automatically uploaded to Joe Sandbox.

IDS Network Analysis

Yara

Joe Sandbox Ultimate allows to use Yara Rules for advanced malware detection. Joe Sandbox Ultimate forwards all samples, downloaded files, resources as well as memory dumps to Yara. In addition Joe Sandbox Ultimate features a nice web based Yara Rule editor. Tired of updating Yara rules? Joe Sandbox Ultimate enables to automatically synchronize with GitHub repositories contain Yara rules.

Yara

Yara Rule Generation

Joe Sandbox Ultimate creates various Yara rules based on static, dynamic and hybrid behavior data. The generated Yara rules allow to identify specific malware, malware families and malware variants. Yara Rule Generator uses sophisticated data rating and clustering algorithms.

Yara Rule Generation

Extensive supplementary Analysis Data

In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox Ultimate captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic, screenshots, shellcode and strings.

Extensive supplementary Analysis Data

Reports provided in all relevant Formats

Joe Sandbox Ultimate reports are provided in all relevant export formats, ranging from common data exchange formats (XML, JSON) and document types (HTML, PDF) to malware security standards such as MAEC, CybOX, MISP and OpenIOC. Therefore, Joe Sandbox Ultimate reports can be seamlessly integrated with other tools and platforms.

Reports provided in all relevant Formats

Third Party Integrations

Joe Sandbox Ultimate has many Third Party Integrations. Detection results from Virustotal and MetaDefender are visualized in the analysis report. Joe Sandbox Ultimate also integrates with Incident Response Solutions such as TheHive, Fame, MISP and CRITs. You can also use Joe Sandbox Ultimate in Phantom the Security Automation & Orchestration Platform.

Third Party Integrations

RestFul WEB API

Joe Sandbox Ultimate allows for seamless integration into existing threat intelligence systems. It has a simple RestFul WEB API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow a fast integration.

RestFul WEB API

Seamless IDA Integration

Joe Sandbox Ultimate delivers an IDA plugin which loads supplementary analysis data such as memory dumps and reconstructed PE files. Moreover the plugin enriches IDA code with dynamic information such as APIs, chunks, strings and function arguments. IDA integration enables to deeply understand und further investigate malicious code with the power of IDA.

Seamless IDA Integration

Classification based on Hybrid Code Analysis

Joe Sandbox Ultimate includes Joe Sandbox Class, which clusters malware into groups that share common behavior. Given a malware sample, Joe Sandbox Class identifies all similar samples and compiles shared code functions into comprehensive Class report.

Classification based on Hybrid Code Analysis

High Detection Precision

Joe Sandbox Ultimate is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate < 2% and false negative rate < 6% for PE files. Besides the detection status (clean, suspicious or malicious) Joe Sandbox Ultimate generates a detailed confidence score - outlining how certain the system is about the detection.

High Detection Precision

Optimized for High Throughput and Scalability

Joe Sandbox Ultimate is optimized for large-scale analysis and can handle up to several thousand samples per day on a single Joe Sandbox Ultimate instance. By scaling up the instances, Joe Sandbox Ultimate enables to analyze large sample sets very quickly.

Optimized for High Throughput and Scalability

Automated User Behavior

Through predefined and configurable Cookbooks - special scripts submitted as second input - Joe Sandbox Ultimate allows for performing advanced use cases on the analysis machine. Cookbook scripts describe an analysis procedure and allow any possible user behavior to be automated. Browsing a URL with IE, Firefox or Chrome, logging into an email account, or running a file with special arguments are just a few examples of the existing Cookbooks included. To click through any installer Joe Sandbox Ultimate offers an advanced OCR based click engine.

Automated User Behavior

Build for OEM Integration

Joe Sandbox Ultimate allows for seamless integration into existing security products. A .NET SDK, serving interfaces for automated file submissions and processors for handling generated analysis data is included. For bulk file submissions, Joe Sandbox Ultimate provides a queuing system with load-balancing and prioritization mechanisms. OEM customer have full control over the solution, its generated data and configuration.

Build for OEM Integration

Simplified Management and Control

Joe Sandbox Ultimate includes an intuitive web interface with features such as file and URL uploads, cookbook editor, user management and bulk upload/download and mail/syslog notifications.

Simplified Management and Control

Flexibility and Customization

Joe Sandbox Ultimate is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox Ultimate supports multiple analysis machines with different applications/versions installed.

Flexibility and Customization

Additional Support, Maintenance and Consulting

Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge as an supplemental package to Joe Sandbox Ultimate.

Additional Support, Maintenance and Consulting
* MAEC and the MAEC logo are trademarks of The MITRE Corporation.

Joe Sandbox Ultimate Resources:

What is the difference between Joe Sandbox Complete and Joe Sandbox Ultimate

Joe Sandbox Ultimate includes the Joe Sandbox Class and Joe Sandbox Filter plugin.

What files does Joe Sandbox Ultimate analyze?

Joe Sandbox Ultimate analyzes all files, including EXE, DLL, PIF, CMD, BAT, COM, SCR, CPL, PDF, DOC(X)(M), XLS(X)(M), PPT(X)(M), HPW (Hangul Korean), JTD (Ichitaro Japan), RFT, XPI, CRX (Chrome Plugin), EML (Email), MSG (Email), CHM, JS, VBS, VBE, LNK, JAR (Java), PS1 (Powershell), ZIP, 7Z, RAR, ZLIB, APK (Android Application Package), MACH-O (Mac), DMG (Mac), APP (Mac), XAR (Safari Plugin) on Windows Desktop, Android and Mac OS X based operating systems. Joe Sandbox Ultimate includes a file type recognition engine which detects over 5000 different files.

What report and forensic data does Joe Sandbox Ultimate generate?

Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, memory dumps, strings, PCAP, screenshot, unpacked PE files and openIOC.

Which analysis technology does Joe Sandbox Ultimate use?

Joe Sandbox Ultimate uses a wide range of analysis technologies including dynamic, static as well as hybrid. Due to the use of several analysis techniques Joe Sandbox Ultimate discovers more behavior than other solutions.

What are behavior signature?

Behavior signatures are tiny scripts to rate data Joe Sandbox Ultimate captures from the malware. Joe Sandbox Ultimate extracts system, network, memory, code and browser data. Joe Sandbox Ultimate includes a steady raising number of 1373+ signatures.

Which virtualization products run with Joe Sandbox Ultimate?

Joe Sandbox Ultimate supports all virtualization products, including VirtualBox and VMware ESX.

Does Joe Sandbox Ultimate analyze malware on native machines?

Yes, Joe Sandbox Ultimate enalbes to analyze malware on native machines. Therefore you can use directly a PC or laptop from your company as an analysis target.

Which Windows, Android and Mac OS X systems are supported?

Windows 7, Windows 7 x64, Windows 8, Windows 10 and Windows 10 x64 with a system language spoken in Europe (German, French, English etc). All Android versions in English language. For Mac OS X the latest operating system.

What hardware and operating systems do I need to install Joe Sandbox Ultimate?

Joe Sandbox Ultimate runs on standard hardware with Linux as operating system (e.g. Ubuntu Server). For installation a single server is required. For analysis on Mac OS X and additional Mac Mini or Mac Book.

Is Joe Sandbox X a 100% standalone application?

Yes, Joe Sandbox Ultimate can be run without any connection to the Internet or our Cloud.

What types of license do you offer?

We offer perpetual licenses with a site, country or world-wide scope. Services such as support and upgrades are availabe as an annual renewing license.