Joebox

Analyse your Malware on Windows simply and quickly


Please have a look at the changelog to see what has changed since the last release.

Submit module for amun.
Submit module for nepenthes.

Howto

Submission

There are three possibilities for a valid submission:
  • A script (*.jbs)
  • A binary file, which is either a:
    • DLL (*.dll)
    • Any executable (*.exe, *.pif, *.scr, *.doc, *.ppt, *.xls, *.html, *.bat, ...)
    • Driver (*.sys)
  • Or a binary (*.dll, *.exe or *.sys) together with a script (*.jbs)

The filename length is limited to 50 chars.

You can either upload a script or choose one of the existing setup options. If you choose one of the options, Joebox simulates the corresponding actions; for example, Joebox tries to log in to a Hotmail, Gmail and Yahoo account.

Scripting

Joebox scripts (*.jbs) are AutoIt scripts which have to begin with the keyword Script and end with EndScript. Please have a look at the AutoIt wiki if you are not familiar with this great scripting language. The following commands can be used inside a script to control Joebox:

  • _JBStartAnalysis()
    • Starts the behaviour analysis, if it is not already running.

  • _JBStopAnalysis()
    • Stops the behaviour analysis, if it was started before.

  • _JBDelAnalysisState()
    • Joebox includes in the analysis every process or driver which was started after the behaviour analysis was started. If you stop the analysis and start it again, Joebox tries to resume the analysis by re-including those processes and drivers if they still exist. If you would like to prevent that, delete the analysis state. This function can only be called while the behaviour analysis is stopped.

  • _JBAddTopWindowToAnalysis()
    • Adds the top window to the analysis state. Can only be called if the behaviour analysis is not running. If you start the behaviour analysis after calling this function, the process of the topmost window will be analysed automatically. Use this function to skip the extensive startup behaviour of applications.

  • _JBAddProcessToAnalysis($process)
    • Adds the process identified by its file name (e.g. explorer.exe) to the analysis state. Again, you can only call this function if the behaviour analysis is not running.

  • _JBLoadProvidedBin()
    • Loads the binary, if you have uploaded one.

  • _JBStartSniffer()
    • Starts the network analysis, if it is not already running.

  • _JBStopSniffer()
    • Stops the network analysis, if it was started before.

  • _JBComment($comment)
    • Adds a comment to the chronological section of the result report. Use this function to add markers if you would like to see how the malware reacts when you simulate user interactions.

  • _JBBuildBehaviourBaseLine($name)
    • Creates a new baseline of the behaviour which was analysed before. The behaviour analysis has to be stopped before using this command.

  • _JBCreateDiffOfBase($name1,$name2,$name3)
    • If you created two baselines, use this function to create the difference set of the two baselines. This lets you remove uninteresting data and see how the malware has affected other programs (e.g. start Internet Explorer = baseline1; start the malware and then start Internet Explorer again = baseline2; the difference set shows you what the malware does because Internet Explorer was started, but not the behaviour of Internet Explorer itself).

  • _JBReboot()
    • Reboots the system. This function is not usable in the online version.

  • _JBCleanup()
    • Restores the system to a clean state. This function is not usable in the online version either.

Example script: example.jbs
Example report: report.zip

Attention: you have exactly 4 minutes for performing script actions.
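The two-baseline workflow described under _JBCreateDiffOfBase, written out as an added example script (this is not the example.jbs linked above). It assumes the standard AutoIt functions Run, ProcessClose and Sleep are available inside a Joebox script, that Internet Explorer lives at C:\Program Files\Internet Explorer\iexplore.exe, and that the third argument of _JBCreateDiffOfBase names the resulting difference set, which the page does not state. The waits add up to about 70 seconds, well inside the 4-minute budget.

```autoit
Script
  ; --- Baseline 1: Internet Explorer on a clean system ---
  _JBStartSniffer()
  _JBStartAnalysis()
  ; Path assumed; adjust if IE is installed elsewhere in the sandbox image
  Run("C:\Program Files\Internet Explorer\iexplore.exe")
  Sleep(20000)                              ; let IE finish its startup activity
  _JBStopAnalysis()                         ; baseline may only be built while stopped
  _JBBuildBehaviourBaseLine("ie_clean")
  ProcessClose("iexplore.exe")
  _JBDelAnalysisState()                     ; do not resume the old IE process later

  ; --- Baseline 2: run the uploaded sample, then start IE again ---
  _JBStartAnalysis()
  _JBComment("starting uploaded sample")   ; marker in the chronological report
  _JBLoadProvidedBin()
  Sleep(30000)                              ; give the sample time to install itself
  _JBComment("starting Internet Explorer after the sample")
  Run("C:\Program Files\Internet Explorer\iexplore.exe")
  Sleep(20000)
  _JBStopAnalysis()
  _JBBuildBehaviourBaseLine("ie_after_sample")
  _JBStopSniffer()

  ; Difference set: IE behaviour that only appears once the sample has run
  ; (third argument assumed to be the name of the resulting diff)
  _JBCreateDiffOfBase("ie_clean", "ie_after_sample", "ie_diff")
EndScript
```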