Help needed with analysis

Hi everyone,

Can anyone tell me some softwares to be used for malware analysis.

Is Sandboxie life time licenses still available ?

Any alternatives ?

I want to watch which all process are currently communicating via internet and which all are writing data to my HDD. Any tool suggestions ?

 

Thanks ronjor..I was planning to buy Sandboxie...Will the lifetime license be honored by INVINCEA ?

 

Lifetime licenses are honored. And according to this link, you still can get one.

https://www.cleverbridge.com/296/?scope=checkout&cart=28154&coupon=GJP-TBR-BL5

Bo

 

Thanks bo

Can I ask you one doubt ? How effective is Sandboxie against trojans and viruses ? Any personal experience anyone ?

 

I have more than 2 laptops for malware analysis ? Can I install that in those machines with one purchase ? All are personal machines only ? Any one using this license in more than one machine

 

You are welcome Zeroflag.

After more than 5 years using the program, I never seen anything to make me doubt or wonder if Sandboxie is doing the work its supposed to. Nothing gets out of the sandbox unless you allow it, that's what I seen.

But no matter what I am doing, I never stop using SBIE, I am always using SBIE. And for me, due to constantly using Sandboxie, viruses is like they don't exist.

Bo

 

That explains it bo.... Thanks a lot for your time

 

Yes, you can use the lifetime license in more than one computer as long as they are yours.

I am using Sandboxie in two computers and used it on another one that got stolen. All mine, never a problem activating the license. But you should hurry, officially the lifetime license doesn't exist anymore. But the link is still good. So...

Bo

 

Buster Sandbox Analyzer

 

Disclaimer: I'm not a malware expert. Take my advice at your own own risk.

But that said...

I would not rely on Sandboxie for experimenting with malware analysis.

There are three reasons for this.

1. A fair amount of malware is wise to sandboxes, and simply will not run in them, because the authors don't want their Precious analyzed.

2. Even if malware does run in the sandbox, it won't necessarily behave normally. Sandboxie does not recreate every resource on a Windows system; some stuff it just blocks.

3. Sandboxie is adequate protection against occasional driveby attacks, and suchlike. It is not adequate protection against deliberately running malicious binaries inside a sandbox. There are things that can break out of it if the right vulnerabilities are available, e.g. Stuxnet and derivatives.

Short of it is, Sandboxie is a good tool, but not the right one for this job.

I will post more shortly, just wanted to put this on the table ASAP.

 

Disclaimer: I don't do malware analysis as anything more than a very occasional hobby!
Okay. What I know of malware analysis is, there are two basic sides to it, static and dynamic.

Static analysis means you look at the binary package(s) and see what's in them. Typically you would do this with a disassembler, and code analysis tools like Radare or IDA.

To do this you need a working knowledge of x86 (and possibly x86-64) assembly. This not simple. Assembly is pretty much spaghetti code by definition, because its only flow control is through various kinds of GOTO instructions. Knowing the opcodes is less than half of it; you also have to follow the flow of execution around and around and around through the program.

To make matters worse, malware authors (again) don't want their Precious analyzed, so they typically use things like runtime compression to make the real assembly code even harder to get at. More advanced specimens might include other tricks - encryption, weird optimizations, all kinds of code obfuscation tricks.

If you want to get into this though, you should learn some x86(-64) assembly. Fortunately there are a lot of online resources for this stuff, and also free books:
https://github.com/vhf/free-program...r/free-programming-books.md#assembly-language

Radare, the free disassembly and analysis tool, has a free guide too:

http://radare.nopcode.org/y/?p=documentation

And Windows binaries!

http://radare.nopcode.org/y/?p=download#binaries

Unfortunately static analysis is really hard, and sometimes there is no substitute for seeing malware in action. Thus dynamic analysis, i.e. running the nasty and seeing what it does.

I can't even begin to point you in the right direction on that unfortunately. You might want to send PMs to some of the antivirus/antimalware developers here, or maybe open an account on Stack Exchange for this sort of thing.

That's about as much as I can say on this. Good luck!