This product is one of our SC Lab Approved products and we use it regularly in the lab especially when we do an analysis for the Threat Hunter Blog. It is a fully automated cloud-based sandbox/analysis environment. The most obvious benefit from Joe is the reporting. It is clear, detailed and you can select several formats from pdf, to html, to xml and several others.
When you open the report from a scan you see immediately the level of maliciousness, the confidence in the analysis from 5% to 99% and an easy to read classification graph. This tells you in broad terms what the malware does in a radar-style graph. There are three levels within the graph: clean, suspicious and malicious. Within those levels, Joe analyzes in nine categories that describe the functionality of the sample: ransomware, spreading, phishing, banker, Trojan/bot, adware, spyware, exploiter, and evader.
We submitted our sample - cryptowall 3.0 - and the classification graph told us that it was malicious for ransomware, evasion and exploiting. It was suspicious for spyware. The opening analysis showed that it was malicious with a 99% confidence. Following the classification graph Joe offers additional analysis advice. For example, our sample sleeps for a long time and we were advised to re-analyze using Joe's "Bypass long sleeps" cookbook. Cookbooks add extra functionality and are easy to download or you can build your own.
Next comes the signature overview. This, really, is the heart of the tool. It is a donut graph that shows an overview of the detailed analysis. In our case it showed functionality and signatures for spam, exploits, networking, data obfuscation and several others including such things as obfuscation, anti-debugging and malware analysis system evasion. Clicking on any section of the graph takes you directly to the signature section with detailed results for that signature.
We clicked on networking and were taken to the networking signature which showed the URLs that Joe had extracted from the binary data during its static analysis. It looks in the binary statically and in the memory dynamically. In our sample, it found several URLs. Clicking on operating system protection evasion we find that the sample contains several mechanisms for code injection including injecting a PE file into a foreign process and modifying the context of a thread in another process. It shows a graph next to each signature that gauges the maliciousness of the signature group and in our case, the protection evasion was deemed particularly malicious.
Submitting to Joe Sandbox is simple. You need only drag your sample into the tool, answer a few questions telling Joe what you want it to do and wait, usually less than five minutes. The, download your analysis and start interpreting the results. The tool uses multiple techniques to avoid evasion resistance, perform both static and dynamic analysis and offer excellent granularity in analysis. Like most products of this type, Joe does the analysis leaving you to do the interpretation. However, we have found in using this tool in a production environment that it offers far more in the way of analytics than any sandbox we've tested.
The web site is excellent and there is a free version so you can get a good idea of what Joe is all about. Additionally, there are sample reports of the analysis of quite a few well-known malwares and ransomwares. Pricing is very flexible, depending upon such things as the services you need and how many samples per month you plan to submit. Support, like pricing, is tailored to the customer's needs. We have made this tool one of our SC Lab Approved, so look for a review of it after a year of use.
