Detonate File From URL - JoeSecurity Deprecated

Deprecated. Use the joe-submit-sample command instead.

Joe Security · 7 tasks · 7 inputs · 14 outputs

Inputs

  • FileURL — URL of the web file to detonate. The FileUrl is taken from the context.
  • Interval — Duration for executing the pooling (in minutes)
  • Timeout — The duration after which to stop pooling and to resume the playbook (in minutes)
  • Systems — Operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat
  • Comments — Comments for the analysis.
  • InternetAccess — Enable internet access (boolean). True= internet access (default), False= no internet access.
  • ReportFileType — The resource type to download. Default is html. Supported values are: html, lighthtml, executive, pdf, classhtml, xml, lightxml, classxml, clusterxml, irxml, json, jsonfixed, lightjson, lightjsonfixed, irjson, irjsonfixed, shoots (screenshots), openioc, maec, misp, graphreports, memstrings, binstrings, sample, cookbook, bins (dropped files), unpackpe (unpacked PE files), unpack, ida, pcap, pcapslim, memdumps, yara

Outputs

  • File.Malicious.Vendor — For malicious files, the vendor that made the decision
  • File.Name — Filename (only in case of report type=json)
  • File.Size — File size (only in case of report type=json)
  • File.MD5 — MD5 hash of the file (only in case of report type=json)
  • File.SHA1 — SHA1 hash of the file (only in case of report type=json)
  • File.Type — File type e.g. "PE" (only in case of report type=json)
  • File.SHA256 — SHA256 hash of the file (only in case of report type=json)
  • File.EntryID — The Entry ID of the sample
  • File.Malicious.Description — For malicious files, the reason for the vendor to make the decision
  • DBotScore.Indicator — The indicator that was tested (only in case of report type=json).
  • DBotScore.Type — The indicator type (only in case of report type=json).
  • DBotScore.Vendor — The vendor used to calculate the score (only in case of report type=json).
  • IP.Address — IP's relevant to the sample
  • DBotScore.Score — The actual score (only in case of report type=json).

Commands used

joe-analysis-submit-sample joe-download-report

Flowchart

yes yes Start Start JoeSecurity Upload File - joe-analysis-submit-sample JoeSecurity Upload File joe-analysis-submit-sample GenericPolling - GenericPolling GenericPolling GenericPolling JoeSecurity Get Report - joe-download-report JoeSecurity Get Report joe-download-report Done Done Is there a File to detonate? Is there a File to detonate? Is JoeSecurity sandbox enabled? Is JoeSecurity sandbox en...