Synapse-Joe-Sandbox User Guide

Synapse-Joe-Sandbox adds new Storm commands to allow you to query the Joe Sandbox API using your existing API key.

Getting Started

Check with your Synapse admin to have the required permissions enabled and to find out whether you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key:

> joe.sandbox.setup.apikey --self myapikey
Setting Joe Sandbox API key for the current user.

Submit a file for analysis

Lift a file:bytes node, submit it for analysis, and ingest the results:

> file:bytes#myfile | joe.sandbox.submit --yield
file:bytes=sha256:9996a843c7920961f3c0aed3b4f8ab266a5625d9d5f273ac21d6b1cc1b869459
        .created = 2024/04/22 19:57:14.049
        :md5 = 87a10ed1116fb1ac0506ce4183df04a9
        :mime:pe:imphash = aa81c1b260a0efe3cd2c26c7046b78ed
        :name = vx96q26nmi.dll
        :sha1 = 246028de73848e1df9494bedbbda3d86631cbbce
        :sha256 = 9996a843c7920961f3c0aed3b4f8ab266a5625d9d5f273ac21d6b1cc1b869459
        :sha512 = e44bedbe6dd8c41bbc65834a2ecd15655ec9e07c51e8d59508335e08f3979be8c127c5f3a0be03f32a18ce2ba5df4faead8d1b8ff7794adbd877141c4bf473ee
        :size = 262656
        #rep.joe.sandbox.cobaltstrike
        #rep.joe.sandbox.malicious

Search for existing analyses

Search for analyses by md5 hash:

> joe.sandbox.analysis.search --md5 d3e34b11550fbb94e53537b27197ab32
2909663 - R3j5TJAIqw.exe
    md5:            d3e34b11550fbb94e53537b27197ab32
    sha1:           86574bb8ea6286a5fb63346377a390364792077e
    sha256:         1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
    submitted:      2023-01-18 15:58:08
    detection:      malicious
    threat name:    AgentTesla, zgRAT
    classification: troj.spyw.evad

Search for analyses with a detection status of “malicious”:

> joe.sandbox.analysis.search --detection malicious
2918496 - WlO4f0ekrz
    md5:            7e218eed1af2db84a75912df15723daf
    sha1:           57ade91ca0b30cd87e0188699c03f122bc1533d1
    sha256:         1e1c070a0f2d2545be43e14814124b18bb46f458fb7f66e51c6a6a426f8ad4da
    submitted:      2023-01-23 21:03:01
    detection:      malicious
    threat name:    Njrat
    classification: troj.evad

2909900 - dfzqetpu9l
    md5:            912dddad1a02d4a0eb35bbe0e9c1f6e5
    sha1:           86f8c32d0110992c3a6ee9760b0733e7661ff8a1
    sha256:         5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5
    submitted:      2023-01-18 17:32:30
    detection:      malicious
    threat name:    Unknown
    classification: evad

2909879 - DfzQetpU9L
    md5:            912dddad1a02d4a0eb35bbe0e9c1f6e5
    sha1:           86f8c32d0110992c3a6ee9760b0733e7661ff8a1
    sha256:         5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5
    submitted:      2023-01-18 17:18:29
    detection:      malicious
    threat name:    Unknown
    classification: evad

2909663 - R3j5TJAIqw.exe
    md5:            d3e34b11550fbb94e53537b27197ab32
    sha1:           86574bb8ea6286a5fb63346377a390364792077e
    sha256:         1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
    submitted:      2023-01-18 15:58:08
    detection:      malicious
    threat name:    AgentTesla, zgRAT
    classification: troj.spyw.evad

Search for analyses containing “Njrat” in the md5, sha1, sha256, filename, threat name, URL, tags or comments:

> joe.sandbox.analysis.search --q Njrat
2918496 - WlO4f0ekrz
    md5:            7e218eed1af2db84a75912df15723daf
    sha1:           57ade91ca0b30cd87e0188699c03f122bc1533d1
    sha256:         1e1c070a0f2d2545be43e14814124b18bb46f458fb7f66e51c6a6a426f8ad4da
    submitted:      2023-01-23 21:03:01
    detection:      malicious
    threat name:    Njrat
    classification: troj.evad

Specify an analysis by ID and ingest the report:

> joe.sandbox.analysis.search --webid 2909663 --ingest --yield
file:bytes=sha256:1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
        .created = 2024/04/22 19:57:24.583
        :md5 = d3e34b11550fbb94e53537b27197ab32
        :mime:pe:imphash = f34d5f2d4577ed6d9ceec516c1f5a744
        :name = r3j5tjaiqw.exe
        :sha1 = 86574bb8ea6286a5fb63346377a390364792077e
        :sha256 = 1af68da9f45784f66b14b6760be4ab60486049e3aa41a8bbd35a95a1ef4faa1c
        :sha512 = 34928fe0f4aecb03a178ed454b742fb87b81b3b341d8d199e6dce0eb3b94a6ace13393170c53042d858e3c81b18462d59b65d1d4f7bc67492dbfb03ac23c6dfc
        :size = 825856
        #rep.joe.sandbox.agenttesla
        #rep.joe.sandbox.malicious
        #rep.joe.sandbox.zgrat

Use of meta:source nodes

Synapse-Joe-Sandbox uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Joe Sandbox API.

> meta:source=68b444a8c5d347e023f4ed956bdedcbe
meta:source=68b444a8c5d347e023f4ed956bdedcbe
        .created = 2024/04/22 19:56:43.686
        :name = joe sandbox api

Storm can filter nodes to include or exclude those that have been observed by Synapse-Joe-Sandbox. The following example shows how to filter the results of a query to include only nodes observed by Synapse-Joe-Sandbox:

> it:sec:c2:config +{ <(seen)- meta:source=68b444a8c5d347e023f4ed956bdedcbe }
it:sec:c2:config=5386052ef9dd7c862fcf4d8f7624cecc
        .created = 2024/04/22 19:57:23.201
        :family = cobaltstrike
        :file = sha256:9996a843c7920961f3c0aed3b4f8ab266a5625d9d5f273ac21d6b1cc1b869459
        :raw = {"BeaconType": ["HTTP"], "Port": 80, "SleepTime": 5000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "gov7on24news.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", "HttpPostUri": "/N4215/adj/amzn.us.sr.aps", "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 0, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
        #rep.joe.sandbox.cobaltstrike
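As an added example (not part of the original guide), the same meta:source node can be used in the other direction: to exclude already-observed nodes, or to walk from the source to everything it has observed and pivot onward. It assumes the meta:source GUID shown above and only standard Storm edge and property pivots.

```storm
// Exclude C2 configs that Synapse-Joe-Sandbox has already observed
// (the inverse of the +{ ... } filter shown above).
it:sec:c2:config -{ <(seen)- meta:source=68b444a8c5d347e023f4ed956bdedcbe }

// Walk from the meta:source node to every node observed via the Joe Sandbox API,
// regardless of form. Useful to audit what the package has written to the Cortex.
meta:source=68b444a8c5d347e023f4ed956bdedcbe -(seen)> *

// Restrict the walk to file:bytes nodes that Joe Sandbox flagged as malicious,
// then pivot to any extracted C2 configuration whose :file property points at them.
meta:source=68b444a8c5d347e023f4ed956bdedcbe -(seen)> file:bytes
    +#rep.joe.sandbox.malicious
    -> it:sec:c2:config:file
```

The last query is a convenient way to review every C2 configuration the package has extracted without relying on the reputation tags alone.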