Rather than focus on a single technique, Joe Sandbox combines the best features of a wide range of technologies, including instrumentation, simulation, hardware virtualization, hybrid analysis and graph analysis. This combination enables very deep analysis, excellent detection and strong evasion resistance.
Hypervisor-based Inspection (HBI) uses the hardware virtualization features of modern CPUs to place stealth breakpoints anywhere in the operating system or in the malware's own code. Stealth breakpoints capture information about any API being called, whether in user mode or kernel mode. HBI further enables security experts to trace cross-module calls and other sensitive events, such as debug register modification and cpuid instruction execution. HBI is fully stealthy: malware cannot detect its presence. HBI is not tied to a specific hypervisor such as KVM or Xen and can even run on bare-metal machines. HBI is fully configurable by our customers.
Generic Static Instrumentation (GSI) modifies code in order to log and change runtime information. GSI allows users to control API, method and function calls, including complex arguments, return values and object state. Besides deep inspection of runtime data, GSI is an excellent technique for fighting evasion such as sleeps, logic bombs or environment checks, because it lets the analyst fully modify or fake arguments, return values and the state of objects. GSI is stealthy and very hard for malware to detect. Second only to instruction traces, GSI captures the most fine-grained dynamic information possible. GSI also enables security professionals to provide their own custom instrumentation hooks.
Have a look at Joe Sandbox Mobile, which uses DEX-based instrumentation, or at Joe Sandbox Ultimate, which takes advantage of VBA instrumentation: Generic VBA Instrumentation for Microsoft Office Documents.
Hybrid Code Analysis (HCA) combines dynamic and static program analysis while retaining the main benefits of both: context awareness and resilience against code obfuscation such as packing and self-modifying code on the one hand, and completeness of code coverage on the other. It makes it possible to understand evasions against malware analysis systems, including sleeps, logic bombs and system fingerprinting. Moreover, it allows discovering hidden behavior: dormant functionality that is executed only under rare conditions. Hybrid Code Analysis enables security professionals to understand the complete malware behavior, not just the installation.
Check out the latest malware analysis reports to see Hybrid Code Analysis at work, and learn more about this technology in our blog posts: New Sandbox Evasion Tricks spot, Finding a DGA in less than one Minute and Joe Sandbox aware Malware? Certainly not! But surely!.
Execution Graph Analysis (EGA) generates highly condensed control flow graphs, so-called Execution Graphs, to visualize the code detected by Hybrid Code Analysis. Execution Graphs highlight the full logical behavior of the malware and include additional runtime information such as execution status, signature matches, key decisions, unpacked code and the richest paths. Execution Graph Analysis detects evasions against malware analysis systems fully automatically, without any human intervention. Furthermore, EGA rates the behavior by looking at API chains, execution coverage and loops.
Check out the latest malware analysis reports to see Execution Graph Analysis at work, and learn more about its capabilities in our blog post: The Power of Execution Graphs.
Adaptive Internet Simulation (AIS) acts as a configurable firewall between the Joe Sandbox malware analysis system and the Internet. AIS monitors network traffic and decides which packets to let through and which ones to block.
With this technology, AIS prevents leakage of sensitive system information, such as IDs and hardware tokens. In addition, AIS provides features such as user-controlled DNS answers and fake HTTP POST responses.
Analyzing a sample in Joe Sandbox with AIS provides an in-depth view of the malware's behavior without the risks of unrestricted Internet access.
Joe Security has one of the most extensive generic Behavior Signature sets. The set, consisting of over 1284 signatures, covers multiple platforms, including Windows, Android, Mac OS X and iOS. Behavior Signatures help detect, classify and summarize malicious behavior, dangerous code and evasions. Joe Sandbox applies each signature to an enormous amount of captured data, ranging from operating system and network data to browser, memory, file, binary and screen data.
Check out our latest malware analysis reports for behavior signature results.
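As an added illustration of how a generic behavior signature set is applied to captured data (this is example code written for this page, not Joe Sandbox's signature engine or format, which the page does not describe), the following Python treats each signature as a predicate over a captured API trace, including two evasion checks (a long sleep and a BIOS string lookup) and one sequence-aware check (a file written to disk and later executed). The API trace, the signature names and weights, the `classify` thresholds and the assumption that the tracer has already resolved registry handles to key paths are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable

GENERIC_WRITE = 0x40000000  # Win32 access mask bit


@dataclass
class ApiCall:
    """One captured API call: process id, API name, arguments and return value."""
    pid: int
    api: str
    args: dict = field(default_factory=dict)
    ret: int = 0


@dataclass
class Signature:
    """A generic behavior signature: a predicate over the whole trace plus metadata."""
    name: str
    category: str                           # evasion, persistence, dropper, ...
    score: int                              # hypothetical weight on a 0-100 scale
    description: str
    match: Callable[[list], bool]


def calls(trace, api_pattern, **arg_checks):
    """Yield calls whose API name matches the regex and whose arguments pass every check."""
    rx = re.compile(api_pattern)
    for c in trace:
        if rx.fullmatch(c.api) and all(fn(c.args.get(k)) for k, fn in arg_checks.items()):
            yield c


def drop_and_execute(trace):
    """A file opened for writing is later launched via CreateProcessW; order matters."""
    for i, c in enumerate(trace):
        if c.api == "CreateFileW" and c.args.get("dwDesiredAccess", 0) & GENERIC_WRITE:
            path = c.args.get("lpFileName", "").lower()
            if any(p.args.get("lpApplicationName", "").lower() == path
                   for p in trace[i + 1:] if p.api == "CreateProcessW"):
                return True
    return False


# Constructed signature set (names, weights and logic are illustrative only).
SIGNATURES = [
    Signature("long_sleep", "evasion", 15, "Sleeps 5 minutes or longer to outlast the analysis window",
              lambda t: any(calls(t, "Sleep|SleepEx", dwMilliseconds=lambda v: (v or 0) >= 300_000))),
    Signature("debugger_check", "evasion", 10, "Queries for an attached debugger",
              lambda t: any(calls(t, "IsDebuggerPresent|CheckRemoteDebuggerPresent"))),
    Signature("bios_fingerprint", "evasion", 20, "Reads BIOS/manufacturer strings to fingerprint a VM",
              lambda t: any(calls(t, "RegQueryValueEx[AW]", lpValueName=lambda v: v in
                                  {"SystemBiosVersion", "VideoBiosVersion", "SystemManufacturer"}))),
    Signature("run_key_persistence", "persistence", 25, "Writes an autostart entry under the Run key",
              lambda t: any(calls(t, "RegSetValueEx[AW]",
                                  hKey=lambda v: v is not None and "currentversion\\run" in v.lower()))),
    Signature("drop_and_execute", "dropper", 35, "Writes an executable to disk and then launches it",
              drop_and_execute),
]


def run_signatures(trace, signatures=SIGNATURES):
    """Return the signatures that fire on the trace."""
    return [s for s in signatures if s.match(trace)]


def score(matches):
    """Sum the weights of matched signatures, capped at 100."""
    return min(100, sum(s.score for s in matches))


def classify(total):
    """Map a score to a verdict (thresholds are an assumption for this example)."""
    if total >= 60:
        return "malicious"
    if total >= 20:
        return "suspicious"
    return "clean"


# Constructed API trace of a fictional dropper; handles (hKey) are assumed to be
# resolved to key paths by the tracer. Not captured from a real sample.
TRACE = [
    ApiCall(4120, "GetTickCount"),
    ApiCall(4120, "IsDebuggerPresent", ret=0),
    ApiCall(4120, "RegOpenKeyExW", {"lpSubKey": r"HARDWARE\DESCRIPTION\System"}),
    ApiCall(4120, "RegQueryValueExW", {"lpValueName": "SystemBiosVersion"}),
    ApiCall(4120, "Sleep", {"dwMilliseconds": 600_000}),
    ApiCall(4120, "CreateFileW", {"lpFileName": r"C:\Users\Public\svchost_upd.exe",
                                  "dwDesiredAccess": GENERIC_WRITE}, ret=0x1C4),
    ApiCall(4120, "WriteFile", {"hFile": 0x1C4, "nNumberOfBytesToWrite": 184320}),
    ApiCall(4120, "RegSetValueExW", {"hKey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                     "lpValueName": "Updater"}),
    ApiCall(4120, "CreateProcessW", {"lpApplicationName": r"C:\Users\Public\svchost_upd.exe"}, ret=1),
]

# Constructed benign trace: a short sleep alone should not fire anything.
BENIGN_TRACE = [ApiCall(77, "GetTickCount"), ApiCall(77, "Sleep", {"dwMilliseconds": 1000})]

if __name__ == "__main__":
    hits = run_signatures(TRACE)
    for s in hits:
        print(f"[{s.category:<11}] {s.name:<20} +{s.score:<3} {s.description}")
    print("verdict:", classify(score(hits)))
```

The sequence-aware `drop_and_execute` is the point worth noting: a signature over individual calls would fire on any CreateFileW, so the check requires the write to precede the CreateProcessW of the same path, which is how a benign installer trace and a dropper trace are told apart.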
While Hybrid Code Analysis and behavior signatures detect evasive threats, Cookbooks enable users to influence and change the malware's behavior automatically. With Cookbooks, security professionals can change the environment, simulate operating system events or modify operating system behavior. Cookbooks make it possible to customize the complete analysis procedure, including malware startup, analysis duration and analysis chaining across multiple systems. The Cookbook technology makes Joe Sandbox the most flexible and customizable malware analysis system in the industry.
Check out our blog posts to see Cookbooks in action: Nymaim - evading Sandboxes with API hammering and Joe Sandbox aware Malware? Certainly not! But surely!.