Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    1) Yes, it does.

    In order to enable this feature you must have the following line in Sandboxie.INI:

    NotifyDirectDiskAccess=y

    That line must be present in every sandbox configuration you use with BSA.

    Do not forget that you must also have the following lines:

    InjectDll=C:\BSA\LOG_API.DLL
    OpenWinClass=TFormBSA

    2) Yes, it does.

    BSA detects a few methods of sandbox/VM detection but not all of them because that would be a really difficult task.

    Did you read BSA manual already?

    Did you watch this video: http://www.youtube.com/watch?v=MXASXoq5akc?
     
    Last edited: Apr 16, 2012
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.57.

    Changes:

    + Added a feature to extract used APIs from dumped files
    + Added a feature to extract strings from dumped files
    + Added new malware behaviour
    + Fixed a bug
     
  3. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Ok I've played around with this a little, not with any real malware, just testing tools or normal applications. So far looking really neat, love the simplified display of analysis for someone like me who wants to pretend they know what they're doing :D

    One feature I would like, or maybe I haven't found yet: in the Malware Analyzer window that pops up after analysis finishes, have you considered providing more info with a right click or mouse-over?

    For example, I ran MS Excel (2003) in the sandbox, connected to online help, then exit. Analysis showed a positive for (among other things), "Defined registry AutoStart location created or modified". It would be helpful to see the registry key quickly here so I can decide whether it's something evil or not. I know it must be some of the ones e.g. in report.txt, and I know I can probably enable the info to be displayed under the Details tab by changing program settings, but this would help zero in on a specific piece of information at a time.

    Speaking of displaying info, I played around with the settings and realised after about 5 minutes that I have to close/re-open BSA for the changes to be applied, I don't know if you consider that a bug or not (if not then there could be a dialogue saying that settings are applied on program restart).

    On an unrelated note MS Excel apparently gets a privilege elevation and modifies a bunch of HKLM keys... wouldn't I love to be a macro running in Excel...

    I tried the right-click shell integration for BSA, all it seems to do is launch BSA. What would be really neat is if it launches the selected program in SBIE (as well as launching BSA, and maybe automatically starting analysis).

    Finally I noticed during install that the winpcap dll files which the readme.txt says can just be copied to system32, can not actually just be copied (says it still can't find the dll - maybe wrong version being looked for? Had to go install winpcap).

    Don't mean to say lots of negatives, am very impressed with the program but you just seemed starved for feedback when I read through the thread :D
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    When displaying analyses I applied the old saying "sometimes less is more", and I think I was right because that way, even people without advanced Windows internals knowledge, can understand what's going on.

    Do you mean at "Malicious Actions" tab? No, I never thought about that because I considered such information should be separated, so I placed it at "Details" tab.

    Hmmm... "Details" tab is empty? The information you want should be there because with the program's default settings the information should appear.

    Anyway, for several reasons, I don't consider it a good idea to display detailed information at the "Malicious Actions" tab. That window was designed to give the user a general overview about what bad things a program did. If you want to go into details, then "Details" is the right place to go.

    Many settings are applied immediately after being enabled/disabled. Maybe some of them may require closing/restarting the application, but I can not think of any right now.

    Could you mention some examples, please?

    You have the exclusion lists and other settings can be configured too. If you know certain HKLM keys are created or modified when running MS Excel, you could create a special configuration that you would apply when processing MS Excel files, giving "None" or "Low" risk ratio to the privilege elevation and excluding that bunch of HKLM keys.

    That's a good suggestion! I will try to add a feature that allows launching BSA and performing the analysis automatically.

    Hmm... are you running BSA in 32 or 64 bit OS?

    I'm really glad with your feedback. Really!

    From your comments I got some ideas for future improvements, which was exactly what I wanted.

    Thanks!
     
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I already included the feature that allows analyzing a sample from Windows Shell automatically.

    The feature will be available in next release.
     
  6. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Yes, it came up empty. I assumed that although it's an autostart location, it's not a typically malicious one, so wasn't put under details. I will play around with the settings in the reporting options and see what comes up (in my default config I saw that only one of the additional reporting options was enabled, I forget which one).

    What I did was enabled every report setting, and then looked at the output and decided to start dialling them back so that I could get the ones I wanted. I discovered that after disabling all of them, I was still getting the same really verbose report! So I think maybe changes are applied without program restart when you enable, but not when you disable.

    Yeah, I will play around with that too. It just seemed unnecessary from a security point of view for Excel to get privilege elevation. I think it's great that BSA can let me know what apparently innocent programs are doing under the hood :thumb:

    64-bit Win 7 ultimate.

    Yay! :)
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    You may know that 64-bit OSs have one System32 folder for 64-bit applications and another for 32-bit. You copied the files to the wrong folder (64-bit). It will work the same if you copy the files to the folder where BSA.EXE is located.

    Anyway that's only a patch and if you want accurate results then the installation of WinPCap is mandatory.
     
  8. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Is there any chance for tzuk to integrate it with Sandboxie? Just asking :D
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Sandboxie is coded in C/C++ and Buster Sandbox Analyzer in Delphi and some tools in other languages like C#, so talk about integration is just impossible.

    tzuk said many times that Sandboxie's purpose is not being a malware analyzer so he will not add such features.
     
  10. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Ok so I must be doing something wrong. I have enabled every single option under Additional Report Options (for main files, anyway), but I am missing the
    [ General information ] section.

    i.e. I can only see:
    [ Changes to filesystem ]
    [ Changes to registry ]
    [ Network services ]
    [ Process/window/string information ]

    o_O o_O
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    In manual mode the [General information] is not present. Run BSA in automatic mode if you want it.
     
  12. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Automatic mode isn't working for me. I see all the API Calls, and the progress messages down bottom saying checking file signature, checking VirusTotal etc, and then finally 'Processing finished!'... But I see no results! The Malware Analyzer button is greyed out, and all the options under Viewer are greyed out. I see 2 pop-up windows during the analysis, but they flash up and then close too quickly to see what they are. Tried to do Utilities -> Reports -> Save Report but it says Report.txt not found...

    Couple of other weird things I noticed:
    - Seems weird that in automatic mode I have to pick a whole folder to recurse through, whereas in manual I can just pick a single file (which matches common usage imo, e.g. check what recently downloaded file does, not whole downloads directory).
    - I wonder how come you left the [General] stuff out of manual mode? Seems like an odd design choice. Should at least be an option somewhere to include it.

    Think I noticed a bug too: if you go to choose a folder in automatic mode and then click cancel, BSA becomes unusable and you have to quit via task manager.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Results are in "Reports" folder.

    That's correct as such options are available only in manual mode.

    Those 2 pop-up windows are PEiD and Exeinfo. You don't need to see them. Results will be in the report file.

    "Save Report" is another feature that only works in manual mode. In automatic mode reports are saved automatically.

    If you want to process a single file in automatic mode, then put the file alone in a folder.

    In manual mode I do not know what file was executed as it is the user who executes it and not BSA.

    I noticed this bug yesterday. It will be fixed in next release.
     
  14. bleiburg

    bleiburg Registered Member

    Joined:
    Dec 5, 2010
    Posts:
    15
    Same problem here with Details and View Analysis like Melf.
    This is Details from version 1.52:
    http://img407.imageshack.us/img407/8082/bsa152details.png
    And how it looks when analyzing the same malware with 1.57 (same with 1.54, 1.55 & 1.56):
    http://img814.imageshack.us/img814/7307/bsa157details.png
    Every version is unrared in a clean C:\BSA\ folder and run without touching any settings
    @ Windows 7 SP1 x64; Sandboxie 3.68 x64

    Same thing on XP Pro SP3, Sandboxie 3.66 x86 and BSA 1.57
     
    Last edited: Apr 19, 2012
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Sounds like you have disabled all behaviours. Please take a screenshot of "Utilities > Malware Analyzer > Risk Evaluation Ratings".

    No need to take screenshots of the 3 tabs. With one of "Malware Behaviours - 1" will be enough, thanks!
     
  16. bleiburg

    bleiburg Registered Member

    Joined:
    Dec 5, 2010
    Posts:
    15
    Risk Evaluation Ratings (gif with all 3 tabs; 5sec frame delay):
    http://img94.imageshack.us/img94/9105/bsa157rer.gif
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Hmm... the problem is not where I thought.

    I have downloaded BSA 1.57 package, extracted it in a new folder, made a test and I get results in "Details" tab.

    Are you using the very same configuration files provided in BSA package and stored in \Config folder?

    Are you running something that raises any behaviour? I ask this because if you run something like NOTEPAD.EXE, you will get nothing.
     
    Last edited: Apr 19, 2012
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Other question... Do you have the following option enabled or disabled?

    "Options > Report Options > Information > Additional Report Options > Include Risk Evaluation"

    If you do not, enable it and check if it makes any difference. I think it should work because if I am not wrong the bug is there. Please, confirm.
     
    Last edited: Apr 19, 2012
  19. bleiburg

    bleiburg Registered Member

    Joined:
    Dec 5, 2010
    Posts:
    15
    "Options > Report Options > Information > Additional Report Options > Include Risk Evaluation"

    Now when I check this option everything is OK under Details like in v1.52, thank you
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    There is a bug where I thought. It will be fixed in next release, which I should release today or tomorrow.

    Thanks for the bug report!
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.58.

    Changes:

    + Added new malware behaviours
    + Added a feature to automatically analyze a file from the shell menu
    + Added a feature to generate additional information from analyzed executable files
    + Added the option of deleting analyzed file at “Manage Processed file” feature
    + Included new malware behaviour at “Risk Evaluation Ratings”
    + Included Signsrch tool by Luigi Auriemma
    + Updated LOG_API
    + Updated Exeinfo to version 0.0.3.0
    + Fixed several bugs
     
  22. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Ok, I've got automatic working now, thanks for your help Buster.

    I see you now have the right-click -> Analyze in BSA feature, which makes this *massively* more usable, good stuff!

    There's just one more thing to improve usability - is it possible to make BSA display the Malware Analyzer when running the right-click analysis? I know you don't usually do this in automatic analysis mode since you don't know which file was executed, but with the right-click method you do know it... so you can use all the stuff in your 'general info' e.g. signature, file info, virustotal, and in turn run it through your malware algorithm.

    That would make things so simple/slick for 'everyday' users who just want to test a particular file they downloaded - they just right-click it and BSA would do its magic for them, no other clicks needed :thumb: :thumb:
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Glad to hear it works! :)

    That was a nice suggestion!

    I will consider it.
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.59.

    Changes:

    + Updated LOG_API
    + Updated PEiD's USERDB.TXT
    + Fixed several bugs

    Note: This version contains important bugfixes.
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Next release will include JSON format output and URL analysis.
     