Detonate File - JoeSecurity V2

The Detonate File using Joe Sandbox Process is designed to streamline and enhance the security assessment of files. This automated system accepts a user-submitted file, sends it for in-depth analysis using Joe Sandbox technology, and returns comprehensive results as attachments to the user. The process is designed to be swift, efficient, and secure, providing users with valuable insights into potential threats and vulnerabilities within their files.

Joe Security · 9 tasks · 5 inputs · 34 outputs

Inputs

  • File — File object of the file to detonate. The File is taken from the context.
  • Timeout — The default duration after which to stop polling and to resume the playbook (in seconds).
  • Systems — Operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat (if no input is provided, the default is w10x64_office)
  • Comments — Comments for the analysis.
  • ReportFileType — The resource type to download. Default is html. Supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara

Outputs

  • DBotScore.Vendor — The vendor used to calculate the score.
  • Joe.Analysis.ID — Web ID.
  • Joe.Analysis.Status — Analysis Status.
  • Joe.Analysis.Comments — Analysis Comments.
  • Joe.Analysis.Time — Submitted Time.
  • Joe.Analysis.Runs — Sub-Analysis Information.
  • Joe.Analysis.Result — Analysis Results.
  • Joe.Analysis.Errors — Raised errors during sampling.
  • Joe.Analysis.Systems — Analysis OS.
  • Joe.Analysis.MD5 — MD5 of analysis sample.
  • Joe.Analysis.SHA1 — SHA1 of analysis sample.
  • Joe.Analysis.SHA256 — SHA256 of analysis sample.
  • Joe.Analysis.SampleName — Sample Data, could be a file name or URL.
  • DBotScore.Indicator — The indicator that was tested.
  • DBotScore.Type — The indicator type.
  • DBotScore.Score — The actual score.
  • DBotScore.Malicious.Vendor — The vendor used to calculate the score.
  • DBotScore.Malicious.Detections — The sub analysis detection statuses.
  • DBotScore.Malicious.SHA1 — The SHA1 of the file.
  • InfoFile.Name — FileName.
  • InfoFile.EntryID — The EntryID of the sample.
  • InfoFile.Size — File Size.
  • InfoFile.Type — File type e.g. "PE".
  • InfoFile.Info — Basic information of the file.
  • File.Extension — File Extension.
  • InfoFile — Report file object.
  • File — File object.
  • Joe.Analysis — Joe Analysis object.
  • DBotScore — DBotScore object.
  • DBotScore.Malicious — DBotScore Malicious object.
  • File.MD5 — The MD5 hash of the file.
  • File.Name — The full file name.
  • File.SHA1 — The SHA1 hash of the file.
  • File.SHA256 — The SHA256 hash of the file.

Commands used

joe-analysis-info joe-download-report joe-submit-sample

Flowchart

yes yes yes Start Start JoeSecurity Upload File - joe-submit-sample JoeSecurity Upload File joe-submit-sample JoeSecurity Get Report - joe-download-report JoeSecurity Get Report joe-download-report Done Done Is there a File to detonate? Is there a File to detonate? Is JoeSecurity sandbox enabled? Is JoeSecurity sandbox en... JoeSecurity Get Info - joe-analysis-info JoeSecurity Get Info joe-analysis-info Set Context - Set Set Context Set Is the file type supported? Is the file type supported?