User Guide

Synapse-Joe-Sandbox User Guide

Synapse-Joe-Sandbox adds new Storm commands to allow you to query the Joe Sandbox API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> joe.sandbox.setup.apikey --self myapikey
Setting Joe Sandbox API key for the current user.

Submit a file for analysis

Lift a file:bytes node, submit it for analysis and ingest the results:

> file:bytes#myfile | joe.sandbox.submit --yield
file:bytes=sha256:9996a843c7920961f3c0aed3b4f8ab266a5625d9d5f273ac21d6b1cc1b869459
        .created = 2024/12/20 18:05:38.417
        :md5 = 87a10ed1116fb1ac0506ce4183df04a9
        :mime:pe:imphash = aa81c1b260a0efe3cd2c26c7046b78ed
        :name = vx96q26nmi.dll
        :sha1 = 246028de73848e1df9494bedbbda3d86631cbbce
        :sha256 = 9996a843c7920961f3c0aed3b4f8ab266a5625d9d5f273ac21d6b1cc1b869459
        :sha512 = e44bedbe6dd8c41bbc65834a2ecd15655ec9e07c51e8d59508335e08f3979be8c127c5f3a0be03f32a18ce2ba5df4faead8d1b8ff7794adbd877141c4bf473ee
        :size = 262656
        #rep.joe.sandbox.cobaltstrike
        #rep.joe.sandbox.malicious

Search for existing analyses

Search for analyses by md5 hash:

> joe.sandbox.analysis.search --md5 d3e34b11550fbb94e53537b27197ab32
2909663 - R3j5TJAIqw.exe
    md5:            d3e34b11550fbb94e53537b27197ab32
    sha1:           86574bb8ea6286a5fb63346377a390364792077e
    sha256:         1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
    submitted:      2023-01-18 15:58:08
    detection:      malicious
    threat name:    AgentTesla, zgRAT
    classification: troj.spyw.evad

Search for analyses with a detection status of “malicious”:

> joe.sandbox.analysis.search --detection malicious
2918496 - WlO4f0ekrz
    md5:            7e218eed1af2db84a75912df15723daf
    sha1:           57ade91ca0b30cd87e0188699c03f122bc1533d1
    sha256:         1e1c070a0f2d2545be43e14814124b18bb46f458fb7f66e51c6a6a426f8ad4da
    submitted:      2023-01-23 21:03:01
    detection:      malicious
    threat name:    Njrat
    classification: troj.evad

2909900 - dfzqetpu9l
    md5:            912dddad1a02d4a0eb35bbe0e9c1f6e5
    sha1:           86f8c32d0110992c3a6ee9760b0733e7661ff8a1
    sha256:         5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5
    submitted:      2023-01-18 17:32:30
    detection:      malicious
    threat name:    Unknown
    classification: evad

2909879 - DfzQetpU9L
    md5:            912dddad1a02d4a0eb35bbe0e9c1f6e5
    sha1:           86f8c32d0110992c3a6ee9760b0733e7661ff8a1
    sha256:         5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5
    submitted:      2023-01-18 17:18:29
    detection:      malicious
    threat name:    Unknown
    classification: evad

2909663 - R3j5TJAIqw.exe
    md5:            d3e34b11550fbb94e53537b27197ab32
    sha1:           86574bb8ea6286a5fb63346377a390364792077e
    sha256:         1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
    submitted:      2023-01-18 15:58:08
    detection:      malicious
    threat name:    AgentTesla, zgRAT
    classification: troj.spyw.evad

Search for analyses containing “Njrat” in the md5, sha1, sha256, filename, threat name, URL, tags or comments:

> joe.sandbox.analysis.search --q Njrat
2918496 - WlO4f0ekrz
    md5:            7e218eed1af2db84a75912df15723daf
    sha1:           57ade91ca0b30cd87e0188699c03f122bc1533d1
    sha256:         1e1c070a0f2d2545be43e14814124b18bb46f458fb7f66e51c6a6a426f8ad4da
    submitted:      2023-01-23 21:03:01
    detection:      malicious
    threat name:    Njrat
    classification: troj.evad

Specify an analysis by ID and ingest the report:

> joe.sandbox.analysis.search --webid 2909663 --ingest --yield
file:bytes=sha256:1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
        .created = 2024/12/20 18:05:49.760
        :md5 = d3e34b11550fbb94e53537b27197ab32
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = r3j5tjaiqw.exe
        :sha1 = 86574bb8ea6286a5fb63346377a390364792077e
        :sha256 = 1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
        :sha512 = 34928fe0f4aecb03a178ed454b742fb87b81b3b341d8d199e6dce0eb3b94a6ace13393170c53042d858e3c81b18462d59b65d1d4f7bc67492dbfb03ac23c6dfc
        :size = 825856
        #rep.joe.sandbox.agenttesla
        #rep.joe.sandbox.malicious
        #rep.joe.sandbox.zgrat

Use of meta:source nodes

Synapse-Joe-Sandbox uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Joe Sandbox API.

> meta:source=68b444a8c5d347e023f4ed956bdedcbe
meta:source=68b444a8c5d347e023f4ed956bdedcbe
        .created = 2024/12/20 18:05:07.663
        :name = joe sandbox api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Joe-Sandbox. The following example shows how to filter the results of a query to include only results observed by Synapse-Joe-Sandbox:

> it:sec:c2:config +{ <(seen)- meta:source=68b444a8c5d347e023f4ed956bdedcbe }
it:sec:c2:config=5386052ef9dd7c862fcf4d8f7624cecc
        .created = 2024/12/20 18:05:48.277
        :family = cobaltstrike
        :file = sha256:9996a843c7920961f3c0aed3b4f8ab266a5625d9d5f273ac21d6b1cc1b869459
        :raw = {"BeaconType": ["HTTP"], "Port": 80, "SleepTime": 5000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "gov7on24news.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", "HttpPostUri": "/N4215/adj/amzn.us.sr.aps", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 0, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
        #rep.joe.sandbox.cobaltstrike