Thursday, May 2, 2019

Introducing Joe Sandbox ML

Today we bring you amazing news. Joe Sandbox now features its own Machine Learning and Artificial Intelligence based static detection engine: Joe Sandbox ML.

Joe Sandbox ML is a plug-in which integrates seamlessly into Joe Sandbox Desktop, Joe Sandbox Complete, Joe Sandbox Ultimate, and Joe Sandbox Cloud. With Joe Sandbox ML, Joe Sandbox Desktop, Complete and Ultimate benefit from enhanced detection capabilities.

Dynamic plus static is the best

Combining dynamic and static analysis is extremely powerful. Dynamic analysis detects threats based on their behavior and is resilient against packing and code obfuscation. However, malware can evade dynamic analysis by delaying or hindering its own execution. Malware may also fail to execute because the C&C server has been taken down or because its downloads are no longer reachable from the Internet. Finally, it might not run at all because the operating system or framework version in the sandbox does not match what the sample expects. Those samples are ideal targets for static detection.

Sample 56KHL48745.exe, which was recently uploaded to Cloud Basic, is a perfect example. The file crashed due to a .NET interoperability issue:

As a result, no malicious behavior is detected. However, Joe Sandbox ML detects both the initial sample and the unpacked PE files:

In consequence, Joe Sandbox successfully identifies the sample as malware:

In addition to the original sample, Joe Sandbox ML also scans the unpacked PE files as well as any dropped, modified or created files.

While other ML engines only support PE files, Joe Sandbox ML supports a wide range of file formats, including PDFs, Office documents and ELF files.

Are you worried about the performance impact? Joe Sandbox ML is extremely fast and makes its decision within milliseconds.

Joe Sandbox more powerful than ever

Joe Sandbox ML substantially increases the malware detection rate of Joe Sandbox. If a sample does not show any malicious behavior, there is still a good chance that Joe Sandbox detects it with the help of Joe Sandbox ML.

Joe Sandbox ML is applied to all captured file artifacts and supports a wide range of file formats (not just PE files).