Analyze files and extract Indicators of Compromise (IOCs) by interacting with the Joe Sandbox Cloud service.
A Model Context Protocol (MCP) server for interacting with Joe Sandbox Cloud.
This server exposes rich analysis and IOC extraction capabilities from Joe Sandbox and integrates cleanly into any MCP-compatible application (e.g. Claude Desktop, Glama, or custom LLM agents).
uv (Recommended)Clone the repository:
git clone https://github.com/joesecurity/joesandboxMCP.git
cd joesandboxMCP
Install dependencies using uv:
uv venv
uv pip install -e .
Launch the MCP server (see configuration below)
{
"mcpServers": {
"JoeSandbox": {
"command": "uv",
"args": [
"--directory",
"/absolute/path/to/joesandboxMCP",
"run",
"main.py"
],
"env": {
"JBXAPIKEY": "your-jbxcloud-apikey",
"ACCEPTTAC": "SET_TRUE_IF_YOU_ACCEPT"
}
}
}
}
Use of this integration with Joe Sandbox Cloud requires acceptance of the Joe Security Terms and Conditions.
By setting the environment variable ACCEPTTAC=TRUE, you explicitly confirm that you have read and accepted the Terms and Conditions.
The Joe Sandbox MCP server provides a wide range of tools to help you interact with sandbox reports, monitor executions, and extract threat intelligence in a format that's easy for large language models to understand.
Submit files, URLs, websites, or command lines for sandbox analysis.
You can choose whether to wait for results or return immediately and check back later.
Supports various options like internet access, script logging, and archive passwords.
Look up historical submissions using hashes, filenames, detection status, threat names, and more.
Quickly find whether something has already been analyzed.
Get the current status and key metadata for a previously submitted sample.
Includes detection verdict, systems used, and analysis score.
Retrieve high-level reasoning statements generated by the sandbox's AI.
Helpful for understanding complex behavior in plain language.
See which files were dropped during execution and marked as malicious.
Includes hash values, filenames, origin processes, and detection indicators.
Show domains, IP addresses, or URLs contacted during analysis.
Can be filtered to focus only on clearly malicious items or high-confidence detections.
Includes details like IP resolution, geographic hints, communication context, and detection evidence.
Get a summary of key behavioral detections triggered during execution.
Can be filtered to focus only on high impact items.
Visualize the full hierarchy of processes that ran during execution.
Shows parent-child relationships, command lines, and termination info.
Retrieve executable files that were unpacked or decrypted in memory.
Great for identifying payloads not visible in the original file.
Download the full network packet capture recorded during analysis.
Useful for traffic inspection, C2 callbacks, or domain/IP extraction.
List your most recent sandbox submissions and see what systems they ran on, how they scored, and what verdicts were returned.
Retrieve raw memory dumps captured during runtime.
Retrieve all files dropped during analysis.
This project is licensed under the MIT License.
An MCP server for interacting with various NASA APIs and data sources. Requires a NASA API key.
Interact with Honeycomb observability data using the Model Context Protocol.
Query Amazon Bedrock Knowledge Bases using natural language to retrieve relevant information from your data sources.
Interact with Stripe API
Interact with capabilities of the CRIC Wuye AI platform, an intelligent assistant specifically for the property management industry.
Accurate weather forecasts via the AccuWeather API (free tier available).
Interact with Twelve Data APIs to access real-time and historical financial market data for your AI agents.
An MCP server and toolkit for integrating with the commercetools platform APIs.
Interact with your content on the Contentful platform
An MCP server for accessing YouTube Analytics data, powered by the CData JDBC Driver.