Analyze Malware & Phishing More Deeply Than Ever Before
Equip your CERT, CIRT, SOC, or IR team with deep automated and analyst-driven malware and phishing analysis in one platform.
- AI detected phishing page
- AI detected landing page (webpage, office document or email)
- AI detected suspicious elements in Email header
- Joe Sandbox AI detected malicious Email
- AI detected malicious page (phishing or scam)
- Document exploit detected (drops PE files)
- Detected Locky Ransomware
- Detected Gozi e-Banking trojan
- Detected Trickbot e-Banking trojan (based on config)
- Detected GandCrab Ransomware
- Found Process Doppelgänging injection technique
- Detected Kronos e-Banking malware
- CPUID based timing evasion detected
- Detected NanoCore RAT
- Detected macOS CrescentCore
- Mounts NFS shares which might bypass GateKeeper
- Detected unpacking (overwrites its own PE header)
- Writes Mach-O files to hidden directories
- Modifies the hosts file
- Allocates memory in foreign processes
- Contains functionality to write to remote processes
- Contains functionality to read the PEB
- Writes to foreign memory regions
- Tries to detect sandboxes and other dynamic analysis tools
- Contains functionality to detect virtual machines (IN, VMware)
- Contains functionality to detect virtual machines (SGDT)
- Deletes itself after installation
- Found API chain indicative of sandbox detection
- Suspicious heap spray patterns found (NOP-sled)
- Document exploit detected (process start blacklist hit)
- Drops PE files to the Windows directory (C:\Windows)
- May sleep (evasive loops) to hinder dynamic analysis
- Performs DNS lookups
- Contains VNC / remote desktop functionality
- Downloads files from webservers via HTTP
- May use AES for encryption and decryption
- Modifies existing Windows services
- Contains functionality to create system tasks
- PE file contains sections with non-standard names
- Binary may include packed or encrypted data
- PE file contains an invalid checksum
- PE sections with suspicious entropy found
- Creates driver files
- Deletes Windows files
- Reads the hosts file
- Tries to load missing DLLs
- Enables driver privileges
- Posts data to webserver
- Spawns processes
- Uses HTTP for connecting to the internet
- Contains functionality to enumerate / list files inside a directory
- Contains functionality to enum processes or threads
- Contains functionality to load and extract PE file embedded resources
- Creates temporary files
- Accesses external storage location
- URLs found in memory or binary data
- Creates files
- Reads ini files
Try Our Solutions for Free
See how Joe Sandbox and Joe Reverser can help you:
- Detect and analyze malware and phishing threats quickly across multiple operating systems
- Reveal hidden behavior with interactive, analyst-driven malware analysis
- Explore comprehensive analysis reports shared by the wider security community
Trusted by Leading Enterprises
60K+ Active Community Users
Why Customers Choose Joe Security
“Joe Sandbox has proven to be vital in our daily operations, supporting the malware analysis work our team relies on every day.”
“A powerful and versatile sandbox solution with live sandbox observation, reports from different perspectives, and a user-friendly workflow.”
“Helps us protect the organization from malware threats by scanning files and URLs with live interaction on multiple platforms.”
“A dynamic malware analysis sandbox that supports day-to-day analysis work with strong performance and a user-friendly analyst experience.”
Feature Highlights
Deep Analysis
Get exceptionally deep malware analysis, whether you prefer full automation or hands-on investigation. Move from static to dynamic analysis, from dynamic to hybrid code analysis, and from hybrid analysis to agentic reverse engineering. Instrumentation, hooking, hardware virtualization, emulation, AI and machine learning help expose behavior that simpler analysis misses, with detailed reports showing the results in practice.
All Platforms and All Environments
Analyze threats across Windows 10, Windows 11, Android, macOS and Linux, with controlled environments for files, URLs, emails, documents, scripts and installers. Run analysis on virtual or physical machines, choose different patch levels, software stacks and tools, and use Joe Lab when analysts need dedicated bare-metal validation or saved investigation states.
Phishing and URL Analysis
Deeply analyze URLs, redirects, rendered web pages and email artifacts to uncover phishing, drive-by downloads and other web-based threats. A real browser on a real operating system visits each URL, while GenAI-assisted interaction can explore links in pages, PDFs, EML and MSG files. Analysts can also browse suspicious pages manually with live interaction.
Live Interaction and Evidence
Work inside the analysis environment while detections update in real time. Analysts can browse, install software and investigate malware or phishing pages manually while watching YARA hits, Sigma matches, behavior signatures and IOCs. The resulting evidence includes screenshots, video, memory dumps, DOM trees, PCAP and detailed reports.
Our Products
- Dynamically executes files and URLs in controlled Windows, macOS and Linux analysis environments
- Produces behavior, screenshots, detections, IOCs and downloadable reports
- Keeps samples and analysis data private, with no third-party sample sharing
- Includes the Joe Sandbox Cloud Pro plugin capabilities for phishing, ML, endpoint intake, email intake and evasive malware
- Automatically reverse-engineers files and analyzes URLs and emails for phishing threats
- Dynamically selects reverse engineering and malware analysis tools for each task
- Generates comprehensive reports with readable findings and an interactive Q&A interface
- Reveals functionality beyond the partial view provided by dynamic analysis
- Dedicated Windows 10 and Windows 11 x64 bare-metal machines, not virtual machines
- Browser-based VNC and full web-based file system access for hands-on investigation
- Configurable anonymized Internet access, Internet simulation, PCAP and screenshots
- Save machine states and reset to a known good state for repeated analysis and detection testing
Security and Privacy
Customer Data Protection
- Logical or physical Tenant Separation
- Encryption In-Transit (TLS 1.2)
- Encryption At Rest (AES-128 or AES-256)
Customer Data Control
- Configurable Data Retention (1 - 30 days max)
- Secure deletion at any time (manual or via API)
- Encryption of Analyses with Customer-provided passwords
Cloud Security
- Redundant Infrastructure (Joe Sandbox Cloud Pro)
- DDoS Protection & WAF
- SSO, 2FA, security log and vulnerability scanning
Innovative Technology