Joe Sandbox Ultimate's architecture is modular. It consists of at least one controller machine running Linux and multiple connected analysis machines (with Windows and Android installed) hosted by virtualization products such as VMware or VirtualBox.
Files and URLs are uploaded for analysis to Joe Sandbox Ultimate manually, via RESTful Web API or via Joe Sandbox Mail Monitor. Joe Sandbox Ultimate first analyzes the file statically. After that an in-depth analysis is performed with Joe Sandbox Desktop.
Joe Sandbox Ultimate's configurable and efficient dynamic and static analysis engine monitors any activities during the binary program execution. Click to read more about Joe Security's unique technologies to analyze binaries.
The executed behavior of the sample is compiled into a detailed analysis report.
Have a look at the behavior analysis reports generated by Joe Sandbox Ultimate or contact Joe Security to schedule a technical presentation and demo.
Joe Sandbox Ultimate generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context based search enables to quickly navigate.
Joe Sandbox Ultimate enables analysis of all executable files (including malicious documents) on Windows 10 x64 and Windows 11 x64. Android Application Packages (APK) can be analyzed on Android 9 and 13. In addition Joe Sandbox Ultimate analyses files on macOS Monterey and Ventura (Intel and Apple Silicon) and Linux.
Joe Sandbox Ultimate analyses Office files for Microsoft Word, Excel and Powerpoint. Support for additional Office suites can be easily added.
Joe Sandbox Ultimate enables to deeply analyze URLs to detect phishing, drive by downloads, tech scam and more. For phishing detection Joe Sandbox Ultimate browses URLs on a real operating system. Joe Sandbox Ultimate will follow and click interesting links on webpages.
Joe Sandbox Ultimate uses a growing set of over 2565+ generic Behavior Signatures to detect and classify malicious behavior activities such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage and C&C Communication. Behavior Signatures are extendable and customizable and optionally are shared within a community.
With Joe Sandbox Ultimate analysts can directly connect to the analysis machine and click manually through complex malware installers or phishing attacks. The remote assistance option is fully embedded in the browser and therefore no additional software has to be installed. Live Data such as behavior, Yara and Sigma signature hits as well as IOCs are shown in real time.
Joe Sandbox Ultimate implements an intelligent malware analysis chain, starting with coarse grained and ending with in-depth fine grained malware analysis techniques. The intelligent chain enables to sort out uninteresting samples and focus on the most interesting malware samples.
Joe Sandbox Ultimate's Hybrid Code Analysis (HCA) engine identifies code functions based on dynamic memory dumps. HCA enables in-depth analysis of malware by understanding hidden payloads, malicious functionality not seen during runtime analysis. HCA results are highly annotated and connected to dynamic behavior information. Through an advanced algorithm, HCA identifies hidden API calls and hidden strings within codes.
Joe Sandbox Ultimate generates highly condensed control flow graphs, so called Execution Graphs. Execution Graphs enable to detect evasions against malware analysis systems. Furthermore Execution Graphs allow to rate the behavior by looking at API chains, execution coverage and loops. Joe Sandbox Ultimate also includes extensive library code detection.
Joe Sandbox Ultimate enables to inspect HTTPS traffic. Similiar to a next generation firewall Joe Sandbox Ultimate installs a MITM SSL Proxy which intercepts and analyzes any SSL traffic. This allows to inspect malicious HTTPS C&C traffic which is often used in APTs.
Joe Sandbox Ultimate enables to analyze automatically the network data via Suricata and "The Bro Network Security Monitor". Suricata with e.g. Emerging Threats ETOpen/ETPro rules detects malicious IPs, Domains or other network artifacts and Files extracted by Bro are automatically uploaded to Joe Sandbox.
Joe Sandbox Ultimate allows to use Yara Rules for advanced malware detection. Joe Sandbox Ultimate forwards all samples, downloaded files, resources as well as memory dumps to Yara. In addition Joe Sandbox Ultimate features a nice web based Yara Rule editor. Tired of updating Yara rules? Joe Sandbox Ultimate enables to automatically synchronize with GitHub repositories contain Yara rules.
Joe Sandbox Ultimate allows to use Simga Rules for threat detection. Joe Sandbox currently supports many Sigma events including process_creation and Sysmon. In addition Joe Sandbox Ultimate features a nice web based Sigma Rule editor. Tired of updating your Sigma rules? Joe Sandbox Ultimate enables to automatically synchronize with GitHub repositories contain Simga rules.
In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox Ultimate captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic (incl. decrypted HTTPS), screenshots, shellcode and strings.
Joe Sandbox Ultimate reports are provided in all relevant export formats, ranging from common data exchange formats (XML, JSON) and document types (HTML, PDF) to malware security standards such as MAEC, CybOX, MISP and OpenIOC. Therefore, Joe Sandbox Ultimate reports can be seamlessly integrated with other tools and platforms.
Joe Sandbox Ultimate provides a MITRE ATT&CK matrix. With the matrix, analysts can easily compare adversary tactics and techniques. Joe Sandbox Ultimate contains over 2565+ behavior signatures which are mapped to tactics and techniques.
Joe Sandbox Ultimate allows for seamless integration into existing threat intelligence systems. It has a simple RestFul WEB API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow a fast integration.
Joe Sandbox Ultimate is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate < 2% and false negative rate < 6% for PE files. Besides the detection status (clean, suspicious or malicious) Joe Sandbox Ultimate generates a detailed confidence score - outlining how certain the system is about the detection.
Joe Sandbox Ultimate is optimized for large-scale analysis and can handle up to several thousand samples per day on a single Joe Sandbox Ultimate instance. By scaling up the instances, Joe Sandbox Ultimate enables to analyze large sample sets very quickly.
Joe Sandbox Ultimate allows for seamless integration into existing security products. A .NET SDK, serving interfaces for automated file submissions and processors for handling generated analysis data is included. For bulk file submissions, Joe Sandbox Ultimate provides a queuing system with load-balancing and prioritization mechanisms. OEM customer have full control over the solution, its generated data and configuration.
Joe Sandbox Ultimate includes an intuitive web interface with features such as file and URL uploads, cookbook editor, user management and bulk upload/download and mail/syslog notifications.
Joe Sandbox Ultimate is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox Ultimate supports multiple analysis machines with different applications/versions installed.
Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge as an supplemental package to Joe Sandbox Ultimate.