Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Sandbox Desktop

Automated Deep Malware Analysis for targeting Windows platforms

Joe Sandbox Desktop executes files and URLs fully automated in a controlled environment and monitors the behavior of applications and operating systems for suspicious activities. All activities are compiled into comprehensive and extensive analysis reports.

Analysis reports, which contain key information about potential threats, enable cyber-security professionals to deploy, implement and develop appropriate defense and protections.

Joe Sandbox Desktop enables you to install and use Joe Sandbox in your lab. Joe Sandbox Desktop analyzes any malware targeting Windows based operating systems.
Joe Sandbox Desktop

Joe Sandbox Desktop Explained

Joe Sandbox Desktop Explained

Joe Sandbox Desktop's architecture is modular. It consists of at least one controller machine running Linux and multiple connected analysis machines (with Windows installed) hosted by virtualization products such as VMware or VirtualBox. Users or the RESTFul API send files and URLs for analysis via the Joe Sandbox Desktop Web Interface to the controller's server. The Joe Sandbox Desktop server stores the sample in a local file database and forwards them to the connected analysis machines, where the sample is then executed.

Joe Sandbox Desktop's configurable and efficient dynamic and static analysis engine monitors any activities during the binary program execution. Click to read more about Joe Security's unique technologies to analyze binaries.

The executed behavior of the sample is compiled into a detailed analysis report.


Request a Joe Sandbox Desktop demo

Have a look at the behavior analysis reports generated by Joe Sandbox Desktop or contact Joe Security to schedule a technical presentation and demo.

Comprehensive Reports

Joe Sandbox Desktop generates very detailed analysis reports about system, network, browser and tampering/code manipulation behavior. The report includes evaluations and additional data about strings, domains and file structures. Matching generic signatures highlight suspicious and malicious key behavior. Classification and threat scores help to detect sophisticated cyber-attacks quickly. A context based search enables to quickly navigate.

Comprehensive Reports

All Files on all Platforms

Joe Sandbox Desktop enables analysis of all executable files (including malicious documents) on Windows W7 x64, Windows 10 x64 and Windows 11 x64.

All Files on all Platforms

Analysis of Office Files

Joe Sandbox Desktop analyses Office files for Microsoft Word, Excel and Powerpoint. Support for additional Office suites can be easily added.

Analysis of Office Files

Deep URL Analysis

Joe Sandbox Desktop enables to deeply analyze URLs to detect phishing, drive by downloads, tech scam and more. For phising detection Joe Sandbox Desktop uses an AI based template matching approach. Joe Sandbox Desktop will follow and click interesting links on browsed webpages.

Deep URL Analysis

1522+ Generic and Open Behavior Signatures

Joe Sandbox Desktop uses a growing set of over 1522+ generic Behavior Signatures to detect and classify malicious behavior activities such as Exploiting and Shellcode (for malicious documents), Persistence, Boot Survival, Spreading, Data Spying and Leakage and C&C Communication. Behavior Signatures are extendable and customizable and optionally are shared within a community.

1522+ Generic and Open Behavior Signatures

Interact with the Analysis Machine

With Joe Sandbox Desktop analysts can directly connect to the analysis machine and click manually through complex malware installers or phishing attacks. The remote assistance option is fully embedded in the browser and therefore no additional software has to be installed. Live Data such as behavior, Yara and Sigma signature hits as well as IOCs are shown in real time.

Interact with the Analysis Machine

Yara

Joe Sandbox Desktop allows to use Yara Rules for advanced malware detection. Joe Sandbox Desktop forwards all samples, downloaded files, resources as well as memory dumps to Yara. In addition Joe Sandbox Desktop features a nice web based Yara Rule editor. Tired of updating Yara rules? Joe Sandbox Desktop enables to automatically synchronize with GitHub repositories contain Yara rules.

Yara

Sigma

Joe Sandbox Desktop allows to use Simga Rules for threat detection. Joe Sandbox currently supports many Sigma events including process_creation and Sysmon. In addition Joe Sandbox Desktop features a nice web based Sigma Rule editor. Tired of updating your Sigma rules? Joe Sandbox Desktop enables to automatically synchronize with GitHub repositories contain Simga rules.

Sigma

Yara Rule Generation

Joe Sandbox Desktop creates various Yara rules based on static, dynamic and hybrid behavior data. The generated Yara rules allow to identify specific malware, malware families and malware variants. Yara Rule Generator uses sophisticated data rating and clustering algorithms.

Yara Rule Generation


Dynamic VBA Instrumentation

Joe Sandbox Desktop’s instrumentation engine enables monitoring any method or API call of VBA Macros embedded in Microsoft Office files (doc, docx, docxm, etc). The extracted dynamic information allows to detect and understand decrypted routines (via colored call graph), payload URLs and evasions. Moreover customer can add their own Pre and Post hooks to modify function parameters and return values.

Dynamic VBA Instrumentation


Dynamic JS Instrumentation

Joe Sandbox Desktop’s instrumentation engine enables monitoring any method or API call (including arguments, returns etc) of a Javascript file. The extracted dynamic information allows to detect and understand decrypted routines (via colored call graph), payload URLs and evasions.

Dynamic JS Instrumentation


Dynamic JAR Instrumentation

Joe Sandbox Desktop’s instrumentation engine enables monitoring Java API calls (including arguments, returns etc) of a JAR file. The extracted dynamic information allows to detect and understand Java malware such as JRAT or Adwind RAT.

Dynamic JAR Instrumentation


AI-based Phishing Detection

Joe Sandbox Desktop’s detects Phishing pages by using an AI based template matching approach. Customers can easily add additional templates to detect Phishing of their Web portals. Template matching based Phishing has very low false negative and false positive rates.

AI-based Phishing Detection

Analyses Hidden Payloads

Joe Sandbox Desktop's Hybrid Code Analysis (HCA) engine identifies code functions based on dynamic memory dumps. HCA enables in-depth analysis of malware by understanding hidden payloads, malicious functionality not seen during runtime analysis. HCA results are highly annotated and connected to dynamic behavior information. Through an advanced algorithm, HCA identifies hidden API calls and hidden strings within codes.

Analyses Hidden Payloads

Execution Graphs

Joe Sandbox Desktop generates highly condensed control flow graphs, so called Execution Graphs. Execution Graphs enable to detect evasions against malware analysis systems. Furthermore Execution Graphs allow to rate the behavior by looking at API chains, execution coverage and loops. Joe Sandbox Desktop also includes extensive library code detection.

Execution Graphs

SSL Proxy

Joe Sandbox Desktop enables to inspect HTTPS traffic. Similiar to a next generation firewall Joe Sandbox Desktop installs a MITM SSL Proxy which intercepts and analyzes any SSL traffic. This allows to inspect malicious HTTPS C&C traffic which is often used in APTs.

SSL Proxy

IDS Network Analysis

Joe Sandbox Desktop enables to analyze automatically the network data via Snort and "The Bro Network Security Monitor". Snort with e.g. Emerging Threats ETOpen/ETPro rules detects malicious IPs, Domains or other network artifacts and Files extracted by Bro are automatically uploaded to Joe Sandbox.

IDS Network Analysis

Extensive supplementary Analysis Data

In addition to analysis reports in HTML, XML and JSON formats, Joe Sandbox Desktop captures and generates supplementary data. This includes created files, unpacked PE files, memory dumps, PCAP of the captured network traffic (incl. decrypted HTTPS), screenshots, shellcode and strings.

Extensive supplementary Analysis Data

Reports provided in all relevant Formats

Joe Sandbox Desktop reports are provided in all relevant export formats, ranging from common data exchange formats (XML, JSON) and document types (HTML, PDF) to malware security standards such as MAEC, CybOX, MISP and OpenIOC. Therefore, Joe Sandbox Desktop reports can be seamlessly integrated with other tools and platforms.

Reports provided in all relevant Formats

MITRE ATT&CK

Joe Sandbox Desktop provides a MITRE ATT&CK matrix. With the matrix, analysts can easily compare adversary tactics and techniques. Joe Sandbox Desktop contains over 2437+ behavior signatures which are mapped to tactics and techniques.

MITRE ATT&CK

Third Party Integrations

Joe Sandbox Desktop has many Third Party Integrations. Detection results from Virustotal and MetaDefender are visualized in the analysis report. Joe Sandbox Desktop also integrates with Incident Response Solutions such as TheHive, Fame, MISP and CRITs. You can also use Joe Sandbox Desktop in the Security Automation & Orchestration Platform Phantom and Demisto. We also offer integration with additional tools such as Viper and Malsub.

Third Party Integrations

RestFul WEB API

Joe Sandbox Desktop allows for seamless integration into existing threat intelligence systems. It has a simple RestFul WEB API which enables file upload, analysis data download, searches, filters, alerts and more. Example scripts in Python allow a fast integration.

RestFul WEB API

Seamless IDA Integration

Joe Sandbox Desktop delivers an IDA plugin which loads supplementary analysis data such as memory dumps and reconstructed PE files. Moreover the plugin enriches IDA code with dynamic information such as APIs, chunks, strings and function arguments. IDA integration enables to deeply understand und further investigate malicious code with the power of IDA.

Seamless IDA Integration

High Detection Precision

Joe Sandbox Desktop is tuned to detect malicious samples with high precision. Extensive tests have shown an average false positive rate < 2% and false negative rate < 6% for PE files. Besides the detection status (clean, suspicious or malicious) Joe Sandbox Desktop generates a detailed confidence score - outlining how certain the system is about the detection.

High Detection Precision

Automated User Behavior

Through predefined and configurable Cookbooks - special scripts submitted as second input - Joe Sandbox Desktop allows for performing advanced use cases on the analysis machine. Cookbook scripts describe an analysis procedure and allow any possible user behavior to be automated. Browsing a URL with IE, Firefox or Chrome, logging into an email account, or running a file with special arguments are just a few examples of the existing Cookbooks included. To click through any installer Joe Sandbox Desktop offers an advanced OCR based click engine.

Automated User Behavior

Build for OEM Integration

Joe Sandbox Desktop allows for seamless integration into existing security products. A .NET SDK, serving interfaces for automated file submissions and processors for handling generated analysis data is included. For bulk file submissions, Joe Sandbox Desktop provides a queuing system with load-balancing and prioritization mechanisms. OEM customer have full control over the solution, its generated data and configuration.

Build for OEM Integration

Simplified Management and Control

Joe Sandbox Desktop includes an intuitive web interface with features such as file and URL uploads, cookbook editor, user management and bulk upload/download and mail/syslog notifications.

Simplified Management and Control

Flexibility and Customization

Joe Sandbox Desktop is built as a modular and scalable system with many settings for advanced tuning. With its open SDK, behavior signatures and cookbooks, it enables performing advanced use cases to serve organizations' specific needs. Joe Sandbox Desktop supports multiple analysis machines with different applications/versions installed.

Flexibility and Customization

Additional Support, Maintenance and Consulting

Joe Security provides excellent services, such as system installations, training, maintenance, customization and expert knowledge as an supplemental package to Joe Sandbox Desktop.

Additional Support, Maintenance and Consulting

Request a Joe Sandbox Desktop demo

Have a look at the behavior analysis reports generated by Joe Sandbox Desktop or contact Joe Security to schedule a technical presentation and demo.

* MAEC and the MAEC logo are trademarks of The MITRE Corporation.

What files does Joe Sandbox Desktop analyze?

Joe Sandbox Desktop analyzes any files, including EXE, DLL, PIF, CMD, BAT, COM, SCR, CPL, PDF, DOC(X)(M), XLS(X)(M)(B), PPT(X)(M), HWP (Hangul Korean), JTD (Ichitaro Japan), RFT, XPI, CRX (Chrome Plugin), EML (Email), MSG (Email), CHM, JS, JSE, VBS, VBE, LNK, JAR (Java), PS1 (Powershell), ZIP, 7Z, RAR, ZLIB, ASP(X), PNG, JPEG, GIF, HTML, HTM, XHTML, SHTML. Joe Sandbox Desktop includes a file type recognition engine which detects over 5000 different files.

What report and forensic data does Joe Sandbox Desktop generate?

Behavior reports in HTML, PDF, XML and JSON, dropped or downloaded files, memory dumps, strings, PCAP, screenshot, unpacked PE files, yara rules and openIOC.

Which analysis technology does Joe Sandbox Desktop use?

Joe Sandbox Desktop uses a wide range of analysis technologies including dynamic, static as well as hybrid. Due to the use of several analysis techniques Joe Sandbox Desktop discovers more behavior than other solutions.

What are behavior signature?

Behavior signatures are tiny scripts to rate data Joe Sandbox Desktop captures from the malware. Joe Sandbox Desktop extracts system, network, memory, code and browser data. Joe Sandbox Desktop includes a steady raising number of 1522+ signatures.

Which virtualization products run with Joe Sandbox Desktop?

Joe Sandbox Desktop supports VMware ESXi.

Which Windows systems are supported?

Windows 10 x64 and Windows 11 x64 with a system language spoken in Europe (German, French, English etc).

What hardware and operating systems do I need to install Joe Sandbox Desktop?

Joe Sandbox Desktop runs on standard hardware with Linux as operating system (e.g. Ubuntu Server). For installation a single server is required.

Is Joe Sandbox Desktop a 100% standalone application?

Yes, Joe Sandbox Desktop can be run without any connection to the Internet or our Cloud.