WEBVTT

00:07.340 --> 00:08.240
Welcome.

00:08.240 --> 00:12.080
Today we're going to mess around with Joe Sandbox Cloud Basic.

00:12.080 --> 00:19.280
Now the sandbox environment provides us a way to actually look at files that we suspect, or URLs that

00:19.280 --> 00:23.270
we suspect of having malware or malicious intent behind them.

00:23.270 --> 00:27.290
Now, Joe Sandbox has a free registration that you can go through.

00:27.320 --> 00:32.330
However, you have to have an enterprise email address associated with it.

00:32.540 --> 00:39.080
The important thing to know for CISA is what Joe Sandbox actually does, which is a deep malware analysis

00:39.080 --> 00:40.970
of files and URLs.

00:40.970 --> 00:47.330
However, let's take a closer look at it today as we go through it, now not having an enterprise email

00:47.330 --> 00:48.200
address available.

00:48.200 --> 00:53.840
If you try to register, it's going to ask you for all this great information, and then you have

00:53.840 --> 00:55.310
to register it.

00:55.310 --> 00:57.980
I registered on my own account.

00:57.980 --> 01:01.610
However, it still hasn't come in and that was over two weeks ago.

01:01.610 --> 01:06.710
So they are a little bit slow or they didn't approve my account because of whatever reason.

01:06.740 --> 01:11.060
However, that's okay for what we need to do for CISA.

01:11.090 --> 01:13.250
We can do some basic analysis.

01:13.250 --> 01:19.010
If you look over here at the very top, we can do Windows, Mac, Android, Linux, and advanced

01:19.160 --> 01:22.520
inspection of different malware applications.

01:22.550 --> 01:27.260
And we can provide our file and then we can browse the URL if we so choose.

01:27.260 --> 01:31.370
However, like I said, we don't need that for what we can get out of Joe Sandbox.

01:31.370 --> 01:39.200
If I hit this little results button right here, it takes me to a page that shows me everything that

01:39.200 --> 01:43.100
I need to know about Joe Sandbox to pass my CISA exam.

01:43.100 --> 01:45.860
We're just going to grab one of these malicious ones right here.

01:45.860 --> 01:47.000
I'm going to click on it.

01:47.030 --> 01:48.350
It's going to open up a new page.

01:48.350 --> 01:51.740
And it's going to go through and provide me some different information.

01:51.740 --> 01:54.110
We can see here that the invoice is paid.

01:54.110 --> 01:56.030
It provides us that HTML code.

01:56.030 --> 01:57.890
We can see the submission time.

01:57.890 --> 02:03.900
We can identify it as an HTML publisher, and if I scroll down, I can click the engines as well as the

02:03.900 --> 02:04.830
IOCs.

02:04.830 --> 02:09.870
I'm going to click those IOCs, and you can see that it provides me the IP address associated with the

02:09.870 --> 02:10.710
malware.

02:10.740 --> 02:16.620
It also provides many different detection methodologies that are green, green, and clean.

02:16.620 --> 02:20.730
So if I click on this, we can identify this as our malicious IP address.

02:20.730 --> 02:27.300
We can identify the different domains, the specific URLs associated with it, as well as the dropped files

02:27.300 --> 02:28.260
associated with it.

02:28.290 --> 02:33.510
If I scroll back up and I go back to the engines, we can see that it has a score of 84.

02:33.510 --> 02:38.070
And I can look at the full report, the management report, or the IOC report.

02:38.070 --> 02:42.660
I'm going to hit the full report because that's going to provide me everything included.

02:42.780 --> 02:45.810
I can see here that it gives me general information.

02:45.810 --> 02:48.930
The detection algorithm flags it as malicious.

02:48.930 --> 02:52.800
The different signatures that it's identified, as well as the classification.

02:52.800 --> 02:54.780
Now I love this chart.

02:54.780 --> 03:01.830
It provides me a very well-detailed synopsis pointing to the different actions associated with it.

03:01.830 --> 03:08.610
And from here I can see that it's clearly a phishing email with a dab of Trojan in for good measure.

03:08.640 --> 03:12.240
If I scroll down, I can see here the signatures.

03:12.240 --> 03:13.590
Well, I didn't even come up with those signatures.

03:13.590 --> 03:15.540
But you see the signatures detected.

03:15.690 --> 03:18.960
If I scroll down some more, I can see the process tree again.

03:18.990 --> 03:26.430
More signatures and the specific CSVs associated with it, and some more juicy information, all attributed

03:26.430 --> 03:29.010
to this great platform.

03:29.430 --> 03:31.650
I've got to tell you, I like Joe Sandbox.

03:31.650 --> 03:39.720
I wish that they would provide the input for more than just a purely enterprise environment, but it

03:39.720 --> 03:43.200
is what it is and there's still a lot of great information there.

03:43.200 --> 03:48.180
I would definitely become acquainted with it for your CISA exam, but again, you don't need to have

03:48.180 --> 03:49.560
access to look through the records.

03:49.560 --> 03:56.310
And that's what I would utilize just to get a flavor of what's going on in preparation for your CISA exam.

03:56.310 --> 03:57.480
I hope this was helpful.

03:57.480 --> 03:59.400
And we'll see you next time.
