Detonate File From URL - JoeSecurity

Detonates one or more remote files using the Joe Security sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. This type of analysis is available for Windows only and works only for direct download links.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • Joe Security

Scripts

This playbook does not use any scripts.

Commands

  • joe-analysis-submit-sample
  • joe-download-report

Playbook Inputs


NameDescriptionDefault ValueRequired
FileURLThe URL of the web file to detonate. The FileUrl is taken from the context.-Optional
IntervalThe duration for executing the pooling (in minutes).1Optional
TimeoutThe duration after which to stop pooling and to resume the playbook (in minutes).15Optional
SystemsThe operating system to run the analysis on (comma-separated). Supported values are: w7, w7x64, w7_1, w7_2, w7native, android2, android3, mac1, w7l, w7x64l, w10, android4, w7x64native, w7_3, w10native, android5native_1, w7_4, w7_5, w10x64, w7x64_hvm, android6, iphone1, w7_sec, macvm, w7_lang_packs, w7x64native_hvm, lnxubuntu1, lnxcentos1, android7_nougat.-Optional
CommentsThe comments for the analysis.-Optional
InternetAccessWhether internet access is enabled (boolean). The default is "True". "True" means there is internet access. False means there is no internet access.TrueOptional
ReportFileTypeThe resource type to download. The default is "html". The spported values are, "html", "lighthtml", "executive", "pdf", "classhtml", "xml", "lightxml", "classxml", "clusterxml", "irxml", "json", "jsonfixed", "lightjson", "lightjsonfixed", "irjson", "irjsonfixed", "shoots" (screenshots), "openioc", "maec", "misp", "graphreports", "memstrings", "binstrings", "sample", "cookbook", "bins" (dropped files), 'unpackpe" (unpacked PE files), "unpack", "ida", "pcap", "pcapslim", "memdumps", or "yara".htmlOptional

Playbook Outputs


PathDescriptionType
File.Malicious.VendorThe vendor that made the decision that the file is malicious.string
File.NameThe filename (only in case of report type=json).string
File.SizeThe file size (only in case of report type=json).number
File.MD5The MD5 hash of the file (only in case of report type=json).string
File.SHA1The SHA1 hash of the file (only in case of report type=json).string
File.TypeThe file type. For example, "PE" (only in case of report type=json).string
File.SHA256The SHA256 hash of the file (only in case of report type=json).string
File.EntryIDThe Entry ID of the sample.string
File.Malicious.DescriptionThe reason for the vendor to make the decision that the file is malicious.string
DBotScore.IndicatorThe indicator that was tested (only in case of report type=json).string
DBotScore.TypeThe indicator type (only in case of report type=json).string
DBotScore.VendorThe vendor used to calculate the score (only in case of report type=json).string
IP.AddressThe IP addresses's relevant to the sample.string
DBotScore.ScoreThe actual score (only in case of report type=json).number

Playbook Image


Detonate_File_From_URL_JoeSecurity