Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Thank you!
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    For screen capture, I have found another method.
    int 5

    http://oopweb.com/Assembly/Documents/ArtOfAssembly/Volume/Chapter_17/CH17-2.html
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Reading the PDF manual included in the BSA folder, I found the requirements to get BSA running.
    It was fairly simple and not at all difficult or overly complex.

    1. Add the necessary entries to the Sandboxie configuration file.
    2. Close and delete the contents of any Sandbox instances.
    3. Running as Admin, start BSA.exe from the bsa folder in the root of the drive, e.g. C:\bsa\BSA.exe
    4. Press "Start Analyzing"
    5. Start what you want to monitor in Sandboxie, e.g. opera.exe or firefox.exe
    6. Perform any or all necessary functions.
    7. Right-click the Sandboxie tray icon, Terminate All Programs.
    8. Press "Stop Analyzing"
    9. A new window opens; you can view processes as well as any reports generated.
    10. Press "Malware Analysis" to help determine the type of malicious activity present.

    I have an issue with Firefox.
    Originally I had the wrong sandbox folder location in BSA; I resolved that.
    Now Firefox, when starting, claims a process is already running.
    The issue only occurs with Firefox and only after pressing "Start Analyze".
    Starting Firefox in Sandboxie without analyzing with BSA does not create the "process is already running" issue.
    I switched to Opera and everything runs fine, but I get 302 redirects and other bugs.

    Vista SP2
    Sandboxie 3.46
    Buster Sandbox Analyzer 1.23
    Firefox version is 3.6.8
     
  5. karthy1988

    karthy1988 Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    11
    As I am new to this sandboxing stuff, can you tell me how to run Email-Worm.Win32.NetSky.p in Sandboxie? When I tried this, a window pops up saying "Windows can't open this file". Can you help me with this, please?
     
  6. karthy1988

    karthy1988 Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    11
    Code:
    Quote from Buster_BSA: Two examples of the analysis and reports produced with Buster Sandbox Analyzer.
    
    Email-Worm.Win32.NetSky.p
    
    Analisis:
    
    Detailed report of suspicious malware actions:
    
    Defined file type copied to Windows folder: D:\WINDOWS\AVBgle.exe
    Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\MSInfo = D:\WINDOWS\AVBgle.exe
    Internet connection: Connects to "212.27.42.58 (free.fr)" on port 25.
    Internet connection: Connects to "72.14.221.27 (1e100.net)" on port 25.
    Internet connection: Connects to "64.12.138.153 (aol.com)" on port 25.
    Internet connection: Connects to "72.167.238.201 (secureserver.net)" on port 25.
    Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504
    
    Report:
    
     [ Changes to filesystem ]
       * Creates file D:\WINDOWS\AVBgle.exe
       * Creates file D:\WINDOWS\base64.tmp
    
     [ Changes to registry ]
       * Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
       * Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
       * Modifies value "SavedLegacySettings=3C00000044000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections old value "SavedLegacySettings=3C00000043000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"
    
     [ Network services ]
       * Looks for an Internet connection.
       * Connects to "212.27.42.58 (free.fr)" on port 25.
       * Connects to "72.14.221.27 (1e100.net)" on port 25.
       * Connects to "64.12.138.153 (aol.com)" on port 25.
       * Connects to "72.167.238.201 (secureserver.net)" on port 25.
    
     [ Process/window information ]
       * Creates a mutex Bgl_*L*o*o*s*e*.
       * Creates a mutex _!MSFTHISTORY!_.
       * Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
       * Creates a mutex d:!documents and settings!test!cookies!.
       * Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
       * Creates a mutex RasPbFile.
       * Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".
    
    
    P2P-Worm.Win32.Goldun.a
    
    Analisis:
    
    Detailed report of suspicious malware actions:
    
    Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfCC4.dll
    Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfdrv.sys
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\DllName = 6D00630066004300430034002E0064006C006C000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Startup = mcfCC4Sta
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Impersonate = 01000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Asynchronous = 01000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\MaxWait = 01000000
    Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\key4 = [36590096273976988461[Test]
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\BusterSvc\SandboxedServices = mcfdrv
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Type = 01000000
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Start = 01000000
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\DisplayName = MCFservice
    Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\ImagePath = D:\WINDOWS\system32\mcfdrv.sys
    Detected backdoor listening on port: 4050
    Created a service named: MCFservice
    Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504
    
    Report:
    
     [ Changes to filesystem ]
       * Creates file D:\WINDOWS\system32\mcfCC4.dll
       * Creates file D:\WINDOWS\system32\mcfdrv.sys
    
     [ Changes to registry ]
       * Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
       * Creates value "Startup=mcfCC4Sta" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
       * Creates value "Impersonate=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
       * Creates value "Asynchronous=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
       * Creates value "MaxWait=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
       * Creates value "key4=[36590096273976988461[Test]" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
       * Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc
       * Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
       * Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
       * Creates value "DisplayName=MCFservice" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
       * Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
    
     [ Network services ]
       * Backdoor functionality on port 4050.
    
     [ Process/window information ]
       * Creates a service named "MCFservice".
       * Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".
    Hi Buster,
    You are doing a great job for the security research community. Your tool is great.

    Can you tell me how to run the worms which you have given in your post in Sandboxie, because the two worms didn't have any proper file format. Which application should I use to run these files? Are these files executable?

    And also tell me if I need to take any precautions for running these worms in the sandboxes.

    Waiting for your reply.
    Thanks.
     
    Last edited by a moderator: Oct 3, 2010
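    The two reports quoted above share a fixed line format ("Creates file ...", "Creates value "name=data" in key ...", "Connects to "ip (host)" on port N.", "Backdoor functionality on port N."), which makes them easy to post-process when you run many samples. The script below is an added example for this thread, not code shipped with BSA: it parses a "Report:" block and pulls out the indicators an analyst triages first (dropped files, autostart registry values, outbound connections, listening ports, services, mutexes). SAMPLE_REPORT is a constructed sample assembled from lines of both reports above; the set of registry locations treated as autostart is an assumption taken from what BSA itself flagged in those reports.

```python
"""Extract triage indicators from a Buster Sandbox Analyzer "Report:" block.

Added example for this thread, not BSA's own code.  Line shapes follow the
two reports quoted above; SAMPLE_REPORT is a constructed sample built from
lines of both of them.
"""
import re

SAMPLE_REPORT = r"""
 [ Changes to filesystem ]
   * Creates file D:\WINDOWS\AVBgle.exe
   * Creates file D:\WINDOWS\base64.tmp

 [ Changes to registry ]
   * Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
   * Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
   * Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

 [ Network services ]
   * Looks for an Internet connection.
   * Connects to "212.27.42.58 (free.fr)" on port 25.
   * Connects to "72.14.221.27 (1e100.net)" on port 25.
   * Backdoor functionality on port 4050.

 [ Process/window information ]
   * Creates a mutex Bgl_*L*o*o*s*e*.
   * Creates a service named "MCFservice".
"""

# One regex per bullet shape seen in the reports above.
BULLET_RE = re.compile(r"^\s*\*\s*(.+?)\s*$")
FILE_RE = re.compile(r"^Creates file (.+)$")
VALUE_RE = re.compile(r'^Creates value "([^=]+)=(.*)" in key (.+)$')
CONNECT_RE = re.compile(r'^Connects to "([\d.]+) \(([^)]+)\)" on port (\d+)\.$')
LISTEN_RE = re.compile(r"^Backdoor functionality on port (\d+)\.$")
SERVICE_RE = re.compile(r'^Creates a service named "([^"]+)"\.$')
MUTEX_RE = re.compile(r"^Creates a mutex (.+?)\.$")

# Assumed set of registry locations that give a sample a foothold at the next
# boot/logon; these are the ones BSA flagged as AutoStart in the reports above.
AUTOSTART_MARKERS = (r"\currentversion\run", r"\winlogon\notify", r"\currentcontrolset\services")


def parse_report(text: str) -> dict:
    """Turn the bullet lines of a report into lists of structured indicators."""
    out = {"files": [], "values": [], "connections": [], "listening": [], "services": [], "mutexes": []}
    for raw in text.splitlines():
        m = BULLET_RE.match(raw)
        if not m:
            continue  # section headers and blank lines carry no indicator
        line = m.group(1)
        if (f := FILE_RE.match(line)):
            out["files"].append(f.group(1))
        elif (v := VALUE_RE.match(line)):
            out["values"].append({"key": v.group(3), "name": v.group(1), "data": v.group(2)})
        elif (c := CONNECT_RE.match(line)):
            out["connections"].append({"ip": c.group(1), "host": c.group(2), "port": int(c.group(3))})
        elif (p := LISTEN_RE.match(line)):
            out["listening"].append(int(p.group(1)))
        elif (s := SERVICE_RE.match(line)):
            out["services"].append(s.group(1))
        elif (mu := MUTEX_RE.match(line)):
            out["mutexes"].append(mu.group(1))
    return out


def is_autostart(key: str) -> bool:
    k = key.lower()
    return any(marker in k for marker in AUTOSTART_MARKERS)


def triage(parsed: dict) -> list:
    """Reduce the parsed indicators to the handful of findings worth reading first."""
    findings = []
    for v in parsed["values"]:
        if is_autostart(v["key"]):
            findings.append(f"persistence: {v['name']} -> {v['data']} in {v['key']}")
    smtp = [c for c in parsed["connections"] if c["port"] == 25]
    if smtp:  # direct SMTP from a sample is the classic mass-mailer sign
        findings.append("outbound SMTP to: " + ", ".join(c["host"] for c in smtp))
    for port in parsed["listening"]:
        findings.append(f"listening port {port} (backdoor)")
    for svc in parsed["services"]:
        findings.append(f"service installed: {svc}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```

    The "Deletes Registry key" and "Looks for an Internet connection" lines are deliberately ignored; extend the regex table if you want them. For a batch run, feed each sample's saved report through parse_report and keep the triage output next to the sample's hash.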
  7. karthy1988

    karthy1988 Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    11
    PE Header

    Can anybody tell me how to extract the Portable Executable (PE) header from the VX Heaven malware collection using the Python library "pefile", or with any other PE extractor?
     
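    As an added example (not from BSA, and not the pefile library, which does this and much more), here is how the PE header is laid out on disk and how to read it with nothing but the standard library: DOS header, e_lfanew at offset 0x3C, the "PE\0\0" signature, the COFF file header, the optional header (PE32 or PE32+) and the section table. It is written for sweeping a directory of samples, so anything that is not a well-formed PE is reported as an error rather than crashing the run. SAMPLE_PE is a constructed minimal image, not a file from any collection.

```python
"""Read the PE header of a file with the standard library only.

Added example for this thread; not BSA's or pefile's code.  Walks
DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header
-> section table.  SAMPLE_PE is a constructed minimal PE32 image.
"""
import os
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


class PEFormatError(ValueError):
    """Raised for anything that is not a well-formed PE image."""


def parse_pe_header(data: bytes) -> dict:
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(data):
        raise PEFormatError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        fmt, base_fmt, base_off = "PE32", "<I", 28    # 32-bit ImageBase at +28
    elif magic == 0x20B:
        fmt, base_fmt, base_off = "PE32+", "<Q", 24   # 64-bit ImageBase at +24
    else:
        raise PEFormatError(f"unknown optional header magic 0x{magic:x}")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from(base_fmt, data, opt + base_off)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsect):  # section table follows the optional header, 40 bytes each
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise PEFormatError("section table truncated")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr, "characteristics": schars})
    return {"format": fmt, "machine": MACHINES.get(machine, hex(machine)),
            "timestamp": stamp, "characteristics": chars,
            "entry_point": entry, "image_base": image_base,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "dll_characteristics": dll_chars, "sections": sections}


def scan_directory(root: str) -> dict:
    """Parse every file under root; map path -> header dict or an error string."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    results[path] = parse_pe_header(fh.read())
            except (PEFormatError, OSError) as exc:
                results[path] = f"skipped: {exc}"
    return results


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: one .text section, no real code."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x4D2, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<H", opt, 68, 2)          # Subsystem = Windows GUI
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + coff + bytes(opt) + sect


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(parse_pe_header(SAMPLE_PE))
```

    Run scan_directory on the folder of samples and sort the skipped entries out first: a file whose header does not parse is usually the corrupted or quarantined case Buster describes below, and no sandbox run will tell you more about it than this check does.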
  8. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I'm afraid I cannot help you. Your sample seems to be corrupted or maybe it was quarantined.

    I will support your doubts/questions about BSA but this is out of the scope of this thread.

    Regards.
     
  10. karthy1988

    karthy1988 Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    11
    Actually my doubt is this: the two worms which you have mentioned in chapter 7 of your PDF explaining Buster Sandbox Analyzer didn't have any proper file format. So, whenever I run those files in the sandbox, a window comes up and asks me to choose which application to use to open the file. This is what I am asking: how to run those two files in your example, as you can see one worm has a .p file format.
     
  11. karthy1988

    karthy1988 Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    11
    Thanks for your reply.

    Can we run Buster Sandbox Analyzer from the command line, i.e. without the GUI?
     
  12. karthy1988

    karthy1988 Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    11
    Can we run Buster Sandbox Analyzer from the command line, i.e. without the GUI?
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    No, BSA is a GUI tool.
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released BSA 1.24.

    No major changes this time; just a few minor additions and a bugfix.

    * Added help inside BSA through a .CHM file.

    * BSA will not modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SbieSvc value

    * Fixed a bug when processing in automatic mode.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released BSA 1.25.

    + Added a utility to load DLL files.

    + Added some checks to avoid problems with the use of the tool.

    + Fixed a bug.
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    No questions or feature requests for BSA?
     
  17. tesk

    tesk Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    100
    What about making it more web orientated?

    Add reports to a database, classify malware by behavior, get VT scanning details and so on, so it will be easy to get a lot of information about files :)
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    There are enough web oriented malware analyzers. I want to keep BSA as a personal malware analyzer.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Have you considered calculating entropy for the files created/modified?
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the online manual:
    "Must pay"? Is that accurate?
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    That's something I can consider.
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    More accurate would be to say "you should pay..." ;)
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released BSA 1.26:


    + Added new entry to BSA.DAT

    + BSA will remember last used Sandbox folder

    + Improved the method to detect Sandboxie's presence

    + Fixed some bugs
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I have already coded the function to calculate the entropy of a file (Shannon's entropy).

    I will give the possibility of including such information for the created/modified Win32 files.

    I would like to include a label saying "Compressed/Encrypted" or "Not compressed/Encrypted" based on the entropy %.

    Question: From what % of entropy should I consider a file compressed/encrypted?
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you Buster_BSA :). I tried BSA for the first time yesterday, and so I'd also like to thank you for BSA.

    The paper "Using Entropy Analysis to Find Encrypted and Packed Malware" (hxxp://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.9861&rep=rep1&type=pdf) has some stats that I think would be very helpful. Another interesting paper is "Classification of Packed Executables for Accurate Computer Virus Detection." The code for that paper is found at http://sites.google.com/site/robertoperdisci2/code. There are other related academic papers out there; I'll list some of them if you wish.
     
    Last edited: Mar 8, 2011
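    An added example for Buster's entropy question and MrBrian's answer above (not BSA's own entropy code): Shannon entropy in bits per byte, the same figure as a percentage of the 8-bit maximum, and the "Compressed/Encrypted" label from Buster's post. The thread does not settle on a threshold, so THRESHOLD_BITS = 7.0 (87.5 %) is an assumption, a common rule of thumb that should be tuned against the statistics in the papers MrBrian cites. The example also goes one step beyond whole-file entropy: it computes the maximum over fixed-size blocks, because headers, resources and zero padding pull the whole-file figure down and can hide a packed section. The sample buffers are constructed in the script.

```python
"""Shannon entropy of a byte buffer, whole-file and per block, with the
"Compressed/Encrypted" / "Not compressed/Encrypted" label from the thread.

Added example for this thread, not BSA's code.  THRESHOLD_BITS is an
assumed cut-off (the thread gives none); tune it against real samples.
"""
import math
import random
from collections import Counter

THRESHOLD_BITS = 7.0   # assumed cut-off: 7.0 of 8 bits = 87.5 %
BLOCK_SIZE = 1024      # window for per-block entropy


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_percent(data: bytes) -> float:
    """Entropy as a percentage of the 8-bit maximum (the "%" the question asks about)."""
    return shannon_entropy(data) / 8.0 * 100.0


def max_block_entropy(data: bytes, block: int = BLOCK_SIZE) -> float:
    """Highest entropy of any non-overlapping block.  A packed or encrypted
    section stands out here even when headers and padding drag the
    whole-file figure well below the threshold."""
    if len(data) <= block:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + block]) for i in range(0, len(data), block))


def classify(data: bytes, threshold: float = THRESHOLD_BITS) -> dict:
    """Label a buffer the way the thread proposes, deciding on the peak block."""
    whole = shannon_entropy(data)
    peak = max_block_entropy(data)
    label = "Compressed/Encrypted" if peak >= threshold else "Not compressed/Encrypted"
    return {"entropy": whole, "percent": whole / 8.0 * 100.0,
            "max_block_entropy": peak, "label": label}


# Constructed test buffers (deterministic, no files needed).
_rng = random.Random(20110308)
RANDOM_4096 = bytes(_rng.getrandbits(8) for _ in range(4096))    # stands in for encrypted data
ZEROS_4096 = bytes(4096)                                         # stands in for padding
TEXT_4096 = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
MIXED_4096 = ZEROS_4096[:2048] + RANDOM_4096[:2048]               # low headers + packed payload

if __name__ == "__main__":
    for name, buf in [("random", RANDOM_4096), ("zeros", ZEROS_4096),
                      ("text", TEXT_4096), ("mixed", MIXED_4096)]:
        r = classify(buf)
        print(f"{name:7s} {r['entropy']:.2f} bits ({r['percent']:.1f} %)  "
              f"peak block {r['max_block_entropy']:.2f}  -> {r['label']}")
```

    The mixed buffer is the case that matters for Win32 files: its whole-file entropy sits around 5 bits, which would read as "Not compressed", while the peak block is close to 8. The flip side is that a legitimate binary with an embedded compressed resource (an icon, a zipped payload) also produces a high-entropy block, so the label is a hint for the analyst, not a verdict.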