Joe Trace is Sysinternals' Process Monitor on steroids: a hypervisor-based process monitor built for manual malware analysis.
Sandboxes or dynamic malware analysis systems such as Joe Sandbox are of great help and a key tool of any CERT, CIRT, SOC or malware analyst. In particular cases, however, analysts need to perform a more thorough or longer analysis of a malware sample. What tools do analysts have for this purpose? There are debuggers such as OllyDbg or WinDbg, which are often detected by malware and are complex to use. There are Sysinternals' Process Monitor and Rohitab's API Monitor, which are great tools but were not designed for malware analysis and lack many important features.
Joe Trace was built to fill this gap. It is a hypervisor-based API and process monitor created for deep dynamic malware analysis. It is a software tool that can be installed on any Windows 7 or Windows 10 machine to trace any system or user-mode API call. It captures a large amount of raw data system-wide: all created or modified files are preserved, memory dumps are captured at various stages during the lifetime of a process, and the complete network traffic is stored in a PCAP file. Analysts can also use Yara to detect malware. Joe Trace uses your Yara rules to scan all the raw data and shows you the signature results live, while you are running the tool. Today's malware employs complex infection schemes using multiple processes, LoL-bins and techniques. Joe Trace tackles this with built-in process tracking mechanisms that help analysts focus on the malware behavior at all stages of an infection. Finally, Joe Trace includes an e-mail based alert feature. This enables users to get notified during long-term malware observation about new behaviors such as new C&C connections, config downloads, installation of new malware, etc.
Contact Joe Security to schedule a technical presentation or get a trial.
Joe Trace includes a customized hypervisor which uses the latest CPU virtualization features such as VT-x to trace system calls. A hypervisor is harder for malware to detect and makes it possible to extract more behavior.
Joe Trace traces a vast number of API and system calls, including malware related calls such as NtWriteVirtualMemory, NtSetContextThread, NtQueueAPCThread, and NtUserSetWindowsHookEx. In addition, Joe Trace captures network events, such as DNS queries and answers, and TCP connections.
Joe Trace not only traces events, but also raw data such as all created and modified files, memory dumps of processes (various stages of the process lifetime) and full network traffic (as PCAP). Analysts can access the raw data at any time and perform further analysis.
Joe Trace features a Frida integration. Frida is a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. Through the customizable Frida integration, analysts can trace any user-mode API call. Joe Trace's default Frida configuration traces major WinInet API calls, such as InternetOpen and InternetOpenUrl.
Joe Trace features a deep Yara integration. Any raw data captured by Joe Trace is scanned with the help of Yara - including memory dumps. Analysts can use the built-in Yara signature repository of Joe Security or use their own rules for malware detection. Signature matches are shown live in the Joe Trace events overview.
Tracing an extensive amount of data is great but useless without tracking and filtering mechanisms. Joe Trace features various filters, from API calls down to arguments. To follow malware persistence and installation behavior, it includes a malware execution tracking feature. These filters and trackers help malware analysts focus on the important data.
Long-term malware analysis is a big use-case of many CERTs / CIRTs / SOCs. The goal is to extract C&C connections or downloads of configurations and payloads that happen only after hours or days. Thanks to the e-mail alerting feature in Joe Trace, analysts are notified about important events such as Yara hits. As a result, they don't have to constantly watch the event overview.
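The two mechanisms described above, execution-flow tracking (root process plus every descendant) and filtering from API name down to argument values, feed the alerting step. The following Python is an added example illustrating how such a pipeline fits together; it is not Joe Trace's own code, its event stream is constructed for the example, and the function and rule names are hypothetical. The last stage only builds the subject and body an e-mail alert would carry, it does not send mail.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One traced event, modelled loosely on a process monitor event row."""
    seq: int
    pid: int
    ppid: int
    process: str
    kind: str          # "process", "api", "network" or "yara"
    name: str          # API/system call, network event or Yara rule name
    args: tuple = ()   # call arguments or event details, as strings

# Constructed sample stream (hypothetical values, not real Joe Trace output):
# invoice.exe drops a file, spawns cmd.exe -> powershell.exe, which writes into
# another process, connects out and triggers a Yara rule on its memory dump.
EVENTS = [
    Event(1, 100, 1,   "explorer.exe",   "process", "create", ("invoice.exe",)),
    Event(2, 200, 100, "invoice.exe",    "api",     "NtCreateFile", (r"C:\Users\x\AppData\Roaming\svc.exe",)),
    Event(3, 200, 100, "invoice.exe",    "process", "create", ("cmd.exe",)),
    Event(4, 300, 200, "cmd.exe",        "process", "create", ("powershell.exe",)),
    Event(5, 400, 300, "powershell.exe", "api",     "NtWriteVirtualMemory", ("target_pid=500",)),
    Event(6, 400, 300, "powershell.exe", "network", "tcp_connect", ("203.0.113.5:443",)),
    Event(7, 500, 1,   "notepad.exe",    "api",     "NtCreateFile", ("notes.txt",)),
    Event(8, 400, 300, "powershell.exe", "yara",    "Suspicious_Downloader", ("memdump_400_1.bin",)),
    Event(9, 600, 1,   "chrome.exe",     "network", "dns_query", ("example.com",)),
]

def tracked_pids(events, root_pid):
    """Execution-flow tracking: the root process plus every descendant
    reachable through the parent links recorded in the stream."""
    parent = {e.pid: e.ppid for e in events}
    tracked = {root_pid}
    changed = True
    while changed:                       # fixpoint over parent links
        changed = False
        for pid, ppid in parent.items():
            if ppid in tracked and pid not in tracked:
                tracked.add(pid)
                changed = True
    return tracked

def filter_events(events, pids=None, kinds=None, names=None, arg_contains=None):
    """Filter by tracked process set, event kind, call name and argument text.
    Each criterion is optional; None means 'do not filter on this'."""
    out = []
    for e in events:
        if pids is not None and e.pid not in pids:
            continue
        if kinds is not None and e.kind not in kinds:
            continue
        if names is not None and e.name not in names:
            continue
        if arg_contains is not None and not any(arg_contains in a for a in e.args):
            continue
        out.append(e)
    return out

# Hypothetical alert rules: a name mapped to a predicate over one event.
ALERT_RULES = {
    "yara_hit": lambda e: e.kind == "yara",
    "new_connection": lambda e: e.kind == "network" and e.name == "tcp_connect",
    "remote_memory_write": lambda e: e.kind == "api" and e.name == "NtWriteVirtualMemory",
}

def evaluate_alerts(events, rules=ALERT_RULES):
    """Return (rule_name, event) pairs for every event matching a rule."""
    return [(rule, e) for e in events for rule, pred in rules.items() if pred(e)]

def format_alert_mail(rule, e):
    """Build the subject and body an e-mail alert would carry (no sending)."""
    subject = f"[Joe Trace] {rule}: {e.process} (pid {e.pid})"
    body = f"event #{e.seq} {e.kind}/{e.name} args={list(e.args)}"
    return subject, body

if __name__ == "__main__":
    tree = tracked_pids(EVENTS, 200)               # follow invoice.exe and its children
    for rule, ev in evaluate_alerts(filter_events(EVENTS, pids=tree)):
        print(*format_alert_mail(rule, ev), sep="\n  ")
```

Running the block follows `invoice.exe` (pid 200) through `cmd.exe` and `powershell.exe` and raises three alerts, while the unrelated `notepad.exe` file write and `chrome.exe` DNS query are filtered out because they are outside the tracked tree.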
Contact Joe Security to receive a free trial for Joe Trace.
A process monitor traces all system events of all processes on a Windows system. That includes filesystem, registry and memory activities, such as created files, created registry keys, allocated memory, etc.
Joe Trace is a process monitor using the latest CPU virtualization features for event tracing.
Windows 7 x64 and Windows 10 x64.
- Any SOC, CERT, CIRT or malware analyst who wants to deeply analyse malware.
- Any vendor or security team developing and testing Yara signatures.
- Intelligence agencies studying APT malware.
Sysinternals' Process Monitor is not designed for malware analysis. It does not capture dropped files, memory dumps or PCAPs. There is also no Yara integration for malware detection. Sysinternals' Process Monitor also does not use CPU virtualization for event tracing. As a result, it misses many events and is easily bypassed by malware. Finally, Joe Trace enables analysts to track the malware execution flow and define e-mail based alerts. These are unique features that Sysinternals' Process Monitor does not offer.
Yes, your Yara rules will be used to scan all dropped files and memory dumps. Yara signature matches are shown directly in Joe Trace.
Yes, through the Frida integration you can easily trace any user-mode API.
Joe Trace has an e-mail based alert functionality. Based on the chosen filter, you get informed as soon as a Yara signature hits or another event triggers.
On a per-machine basis.
Yes. We also provide discounts for a combined offer.