Joebox
Analyse your Malware on Windows simply and quickly.
Submit
Please have a look at the changelog to see what has changed with each new release.
Submit module for amun.
Submit module for nepenthes.
Please note: Joebox does not automatically unpack .zip, .rar or any other compressed archive. Please submit the executable binary itself!
If you care about security, upload PE files without any extension; Joebox recognises them as PE files automatically. A sample without an .exe extension cannot be launched by an accidental double-click on your own machine before it reaches the sandbox.
By submitting data to Joebox you agree to the following terms and conditions.
Howto
Submission
There are three possibilities for a valid submission:
- A script (*.jbs)
- A binary file, which is either a:
  - Dll (*.dll)
  - Any executable (*.exe, *.pif, *.scr, *.doc, *.ppt, *.xls, *.html, *.bat, ...)
  - Driver (*.sys)
- Or a binary (any extension, but not .jbs) and a script (*.jbs)
The filename length is limited to 50 characters.
There are three upload possibilities. Normally you just upload a single binary and Joebox uses its default script, which executes the binary and waits. Next, you can upload a single script without a binary, for instance to visit a web page. And finally you have the option to upload a script and a binary together, so that the script can perform custom actions with the binary.
Scripting
Joebox scripts (*.jbs) are AutoIt scripts which have to begin with the keyword Script and end with EndScript. Please have a look at the AutoIt wiki if you are not familiar with this great scripting language. The following commands can be used inside a script to control Joebox:
- _JBStartAnalysis()
  Starts the behaviour analysis, if it is not already running.
- _JBStopAnalysis()
  Stops the behaviour analysis, if it was started before.
- _JBDelAnalysisState()
  Joebox includes in the analysis every process or driver that was started after the behaviour analysis was started. If you stop the analysis and start it again, Joebox tries to resume the analysis by re-including those processes and drivers if they still exist. Delete the analysis state if you want to prevent this. This function can only be called while the behaviour analysis is stopped.
- _JBAddTopWindowToAnalysis()
  Adds the process owning the topmost window to the analysis state. Can only be called while the behaviour analysis is not running. If you start the behaviour analysis after calling this function, that process is analysed automatically. Use this function to skip the extensive startup behaviour of an application: start it first, add its window, then start the analysis.
- _JBAddProcessToAnalysis($process)
  Adds the process identified by its file name (e.g. explorer.exe) to the analysis state. Again, this can only be called while the behaviour analysis is not running.
- _JBLoadProvidedBin()
  Loads the binary, if you have uploaded one together with the script.
- _JBStartSniffer()
  Starts the network analysis, if it is not already running.
- _JBStopSniffer()
  Stops the network analysis, if it was started before.
- _JBComment($comment)
  Adds a comment to the chronological section of the result report. Use this function to add markers, so you can see how the malware reacts to the user interactions you simulate.
- _JBBuildBehaviourBaseLine($name)
  Creates a new baseline from the behaviour analysed so far and stores it under $name. The behaviour analysis has to be stopped before using this command.
- _JBCreateDiffOfBase($name1,$name2,$name3)
  If you have created two baselines, use this function to compute their difference set. This lets you remove uninteresting data and see how the malware has affected other programs. Example: start Internet Explorer = baseline 1; start the malware and then Internet Explorer again = baseline 2. The difference set shows what the malware does because Internet Explorer was started, but not the behaviour of Internet Explorer itself.
- _JBReboot()
  Reboots the system. This function is not usable in the online version.
- _JBCleanup()
  Restores the system to a clean state. This function is not usable in the online version either.
- _JBSetSystem($name)
  Sets the target system. Valid values are xp, vista and w7.
Example script: example.jbs
Attention: you have exactly 4 minutes for performing script actions.
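The script below is an added example of the baseline/diff workflow described for _JBCreateDiffOfBase above; it is not the example.jbs linked on this page and not Joebox's own code. It is written for the "script plus binary" upload mode, so _JBLoadProvidedBin() is where the uploaded sample starts. The Script/EndScript wrapper and the _JB* calls are taken from the command reference; everything else is an assumption made for this example: that the target is xp, that Internet Explorer lives under @ProgramFilesDir, the 20 to 30 second waits, and that the third argument of _JBCreateDiffOfBase names the resulting difference set. Run, WinWaitActive, WinClose and Sleep are standard AutoIt functions.

```autoit
Script
; Added example, not the page's example.jbs. Upload this script together with a binary.
; Assumptions: the third _JBCreateDiffOfBase argument names the result, and Internet
; Explorer is installed under @ProgramFilesDir. Worst-case waiting time is about
; 130 seconds, which stays below the 4-minute limit for script actions.

$sIE  = '"' & @ProgramFilesDir & '\Internet Explorer\iexplore.exe"'
$sURL = "http://www.example.com"

_JBSetSystem("xp")

; Baseline 1: Internet Explorer on the clean system, without the sample.
_JBComment("baseline 1: Internet Explorer without the sample")
_JBStartAnalysis()
Run($sIE & " " & $sURL)
If WinWaitActive("[CLASS:IEFrame]", "", 30) = 0 Then
    _JBComment("Internet Explorer window did not appear within 30 s")
EndIf
Sleep(20000)
WinClose("[CLASS:IEFrame]")
_JBStopAnalysis()
_JBBuildBehaviourBaseLine("ie_clean")

; Baseline 2: run the uploaded sample first, then Internet Explorer again.
_JBDelAnalysisState()        ; do not re-attach the processes from baseline 1
_JBComment("baseline 2: sample, then Internet Explorer")
_JBStartSniffer()
_JBStartAnalysis()
_JBLoadProvidedBin()         ; the binary uploaded with this script
Sleep(30000)                 ; give the sample time to install itself
_JBComment("marker: starting Internet Explorer after the sample ran")
Run($sIE & " " & $sURL)
If WinWaitActive("[CLASS:IEFrame]", "", 30) = 0 Then
    _JBComment("Internet Explorer window did not appear within 30 s")
EndIf
Sleep(20000)
WinClose("[CLASS:IEFrame]")
_JBStopAnalysis()
_JBStopSniffer()
_JBBuildBehaviourBaseLine("ie_with_sample")

; Difference set: behaviour that appears only once the sample has run,
; with Internet Explorer's own startup noise removed.
_JBCreateDiffOfBase("ie_clean", "ie_with_sample", "sample_effect_on_ie")
EndScript
```

The _JBComment markers are what make the chronological section readable afterwards: without them you cannot tell which events belong to the second Internet Explorer start and which to the sample. If you only want to run the binary and wait, upload it alone and let the default script do this; the baseline steps are only worth the extra time when you want to isolate what the sample changed in another program.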