Detonate and Analyze File - JoeSecurity Deprecated

Deprecated. Use the joe-submit-sample command instead.

Joe Security · 9 tasks · 20 inputs · 84 outputs

Inputs

  • File — File object of the file to detonate. The file is taken from the context.
  • Interval — Duration for executing the pooling (in minutes).
  • Timeout — The duration after which to stop pooling and to resume the playbook (in minutes).
  • Systems — Comma-separated list of operating systems to run the analysis on. Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat
  • Comments — Comments for the analysis.
  • InternetAccess — Enable internet access (boolean). True= internet access (default), False= no internet access.
  • ReportFileType — The resource type to download. Default is html. Supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara
  • Cookbook — Uploads a cookbook together with the sample. Needs to be a file-like object or a tuple in the format (filename, file-like object).
  • FullDisplay — If set to true, will display the full indicators and dbot_scores. If set to false, will display only the summary.
  • Tags — A comma-separated list of tags to be added to the analysis.
  • SSLInspection — Whether to enable SSL inspection.
  • HybridCodeAnalysis — Whether to enable hybrid code analysis.
  • FastMode — Whether to enable fast mode. Focuses on fast analysis and detection versus deep forensic analysis.
  • CommandLineArgument — A command line argument is to be passed to the sample.
  • LiveInteraction — Whether to enable live interaction.
  • DocumentPassword — The document password.
  • ArchivePassword — An archive password.
  • EmailNotification — Send an email notification once the analysis completes.
  • StartAsNormalUser — Whether to start the analysis as a normal user.
  • EncryptWithPassword — The password to encrypt the analysis with.

Outputs

  • DBotScore.Vendor — The vendor used to calculate the score.
  • Joe.Analysis.ID — Web ID.
  • Joe.Analysis.Status — Analysis status.
  • Joe.Analysis.Comments — Analysis comments.
  • Joe.Analysis.Time — Submitted time.
  • Joe.Analysis.Runs — Sub-Analysis information.
  • Joe.Analysis.Result — Analysis results.
  • Joe.Analysis.Errors — Raised errors during sampling.
  • Joe.Analysis.Systems — Analysis operating system.
  • Joe.Analysis.MD5 — MD5 hash of analysis sample.
  • Joe.Analysis.SHA1 — SHA1 hash of analysis sample.
  • Joe.Analysis.SHA256 — SHA256 hash of analysis sample.
  • Joe.Analysis.SampleName — Sample data. Can be a file name or URL.
  • DBotScore.Indicator — The indicator that was tested.
  • DBotScore.Type — The indicator type.
  • DBotScore.Score — The actual score.
  • DBotScore.Malicious.Vendor — The vendor used to calculate the score.
  • DBotScore.Malicious.Detections — The sub-analysis detection statuses.
  • DBotScore.Malicious.SHA1 — The SHA1 hash of the file.
  • InfoFile.Name — File name.
  • InfoFile.EntryID — The entry ID of the sample.
  • InfoFile.Size — File size.
  • InfoFile.Type — File type, e.g., "PE".
  • InfoFile.Info — Basic information of the file.
  • File.Extension — File extension.
  • InfoFile — Report file object.
  • File — File object.
  • Joe.Analysis — Joe Analysis object.
  • DBotScore — DBotScore object.
  • DBotScore.Malicious — DBotScore malicious object.
  • DBotScore.Reliability — Reliability of the score.
  • File.Hashes — The hashes of the file.
  • File.Hashes.type — Types of the hashes.
  • File.Hashes.value — Hash value.
  • File.MD5 — MD5 hash value.
  • File.Name — File name.
  • File.SHA1 — SHA1 hash value.
  • File.SHA256 — SHA256 hash value.
  • Joe.Analysis.analysisid — Joe Security Sandbox analysis ID value.
  • Joe.Analysis.classification — Joe Security Sandbox analysis classification.
  • Joe.Analysis.comments — Joe Security Sandbox analysis comments (if any).
  • Joe.Analysis.detection — Joe Security Sandbox analysis detection.
  • Joe.Analysis.duration — Joe Security Sandbox analysis duration.
  • Joe.Analysis.encrypted — Joe Security Sandbox value that indicates if the results are encrypted.
  • Joe.Analysis.filename — The filename information listed in the analysis.
  • Joe.Analysis.md5 — MD5 hash value.
  • Joe.Analysis.score — Joe Security Sandbox score for the analysis.
  • Joe.Analysis.scriptname — Joe Security Sandbox analysis script name.
  • Joe.Analysis.sha1 — SHA1 hash value.
  • Joe.Analysis.sha256 — SHA256 hash value.
  • Joe.Analysis.status — Analysis status in Joe Security Sandbox.
  • Joe.Analysis.threatname — Threat name associated with the Joe Security Sandbox analysis verdict.
  • Joe.Analysis.time — Analysis time.
  • Joe.Analysis.webid — WebID value for the analysis in Joe Security Sandbox.
  • Joe.Analysis.runs — Analysis running information.
  • Joe.Analysis.runs.detection — Detection in that particular run.
  • Joe.Analysis.runs.error — Indicates if any errors occurred during the analysis.
  • Joe.Analysis.runs.score — Analysis score for that particular run.
  • Joe.Analysis.runs.sigma — Sigma value.
  • Joe.Analysis.runs.snort — Any snort detected rules.
  • Joe.Analysis.runs.system — The system that was involved in the analysis.
  • Joe.Analysis.runs.yara — Detected YARA rules.
  • Joe.Submission.most_relevant_analysis — Joe Security Sandbox most relevant analysis information.
  • Joe.Submission.most_relevant_analysis.detection — Joe Security Sandbox most relevant analysis detection.
  • Joe.Submission.most_relevant_analysis.score — Joe Security Sandbox most relevant analysis score.
  • Joe.Submission.most_relevant_analysis.webid — Joe Security Sandbox most relevant analysis web ID.
  • Joe.Submission — Joe Security Sandbox submission information.
  • Joe.Submission.name — Joe Security Sandbox submission name.
  • Joe.Submission.status — Joe Security Sandbox submission status.
  • Joe.Submission.submission_id — Joe Security Sandbox submission submission ID.
  • Joe.Submission.time — Joe Security Sandbox submission time.
  • Joe — Joe Secuirity Sandbox information.
  • Joe.AccountQuota — The account quota.
  • Joe.AccountQuota.quota.daily — The current daily quota information.
  • Joe.AccountQuota.quota.daily.current — The current daily quota.
  • Joe.AccountQuota.quota.daily.limit — The daily quota limit.
  • Joe.AccountQuota.quota.daily.remaining — The remaining daily quota.
  • Joe.AccountQuota.quota.monthly — The remaining monthly quota information.
  • Joe.AccountQuota.quota.monthly.current — The current monthly quota.
  • Joe.AccountQuota.quota.monthly.limit — The monthly quota limit.
  • Joe.AccountQuota.quota.monthly.remaining — The remaining monthly quota.
  • Joe.AccountQuota.type — The quota type.
  • Joe.ServerStatus.Online — The server status.
  • Joe.ServerStatus — Joe Security Sandbox server status.

Commands used

joe-get-account-quota joe-is-online joe-submit-sample

Flowchart

yes yes yes yes Start Start Done Done Is there a File to detonate? Is there a File to detonate? Is JoeSecurity sandbox enabled? - IsIntegrationAvailable Is JoeSecurity sandbox en... IsIntegrationAvailable Detonate File - Joe Security Sandbox - joe-submit-sample Detonate File - Joe Secur... joe-submit-sample Check Joe Security Sandbox Quota - joe-get-account-quota Check Joe Security Sandbo... joe-get-account-quota Is there enough quota for submission? Is there enough quota for... Get Joe Sandbox Status - joe-is-online Get Joe Sandbox Status joe-is-online Check if Joe Security is online Check if Joe Security is ...