Buster Sandbox Analyzer

Hi.

I would like to announce the release of Buster Sandbox Analyzer.

Buster Sandbox Analyzer, or BSA to short it, is a security tool focused in analyzing the behaviour of applications and evaluate the performed actions to say if they act like malware or not.

It works in a similar way to Norman Sandbox Analyzer, but meanwhile Norman´s tool performs the analysis emulating the analyzed programs, BSA uses Sandboxie as environment to run applications.

Other difference would be that Norman performs the analysis without human intervention meanwhile with BSA is the user who runs manually the applications to be analyzed. This has some benefits and some inconvenients.

As benefits we could say that BSA can analyze any type of "application", from executable files, to DOC, XLS, PDF, VBS, BAT, or any other kind of file that can be "executed". Also if an application requires user actions like press a button or accept an agreement this will be possible meanwhile in Norman Sandbox Analyzer (and some other malware analyzers too) this will not be possible.

As inconvenient BSA is unable to analyze automatically large amount of files. Also we must consider that if we don´t take the necessary measures, information from the computer where BSA is being run could leak to Internet.

Other important question is that BSA is freeware. You only must pay Sandboxie´s license which is pretty cheap.

These and other questions are commented in the manual of BSA.

You can follow the development of the tool here:

http://sandboxie.com/phpbb/viewtopic.php?t=6557

You can download the tool from here:

-http://bsa.qnea.de/bsa.rar-


Even if actually Buster Sandbox Analyzer is working as expected in many aspects, it must be said that the project was initiated recently. Therefore the tool still needs improvements and testing until it reachs a certain point of excellence.

I hope some of you will be interested in the tool and from that people, some will be interested in helping to improve it with suggestions, tests, etc.

Regards.

 

Two examples of the analysis and reports produced with Buster Sandbox Analyzer.

Email-Worm.Win32.NetSky.p

Analisis:

Detailed report of suspicious malware actions:

Defined file type copied to Windows folder: D:\WINDOWS\AVBgle.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\MSInfo = D:\WINDOWS\AVBgle.exe
Internet connection: Connects to "212.27.42.58 (free.fr)" on port 25.
Internet connection: Connects to "72.14.221.27 (1e100.net)" on port 25.
Internet connection: Connects to "64.12.138.153 (aol.com)" on port 25.
Internet connection: Connects to "72.167.238.201 (secureserver.net)" on port 25.
Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504

Report:

[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "SavedLegacySettings=3C00000044000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in
key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\ Internet Settings\Connections old value "SavedLegacySettings=3C00000043000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"

[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25.
* Connects to "72.14.221.27 (1e100.net)" on port 25.
* Connects to "64.12.138.153 (aol.com)" on port 25.
* Connects to "72.167.238.201 (secureserver.net)" on port 25.

[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
* Creates a mutex RasPbFile.
* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".


P2P-Worm.Win32.Goldun.a

Analisis:

Detailed report of suspicious malware actions:

Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfCC4.dll
Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfdrv.sys
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\DllName = 6D00630066004300430034002E0064006C006C000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Startup = mcfCC4Sta
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Impersonate = 01000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Asynchronous = 01000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\MaxWait = 01000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\key4 = [36590096273976988461[Test]
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\BusterSvc\SandboxedServices = mcfdrv
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Type = 01000000
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Start = 01000000
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\DisplayName = MCFservice
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\ImagePath = D:\WINDOWS\system32\mcfdrv.sys
Detected backdoor listening on port: 4050
Created a service named: MCFservice
Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504

Report:

[ Changes to filesystem ]
* Creates file D:\WINDOWS\system32\mcfCC4.dll
* Creates file D:\WINDOWS\system32\mcfdrv.sys

[ Changes to registry ]
* Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "Startup=mcfCC4Sta" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "Impersonate=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "Asynchronous=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "MaxWait=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "key4=[36590096273976988461[Test]" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc
* Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "DisplayName=MCFservice" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

[ Network services ]
* Backdoor functionality on port 4050.

[ Process/window information ]
* Creates a service named "MCFservice".
* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".

 

Thanks for posting here, I look forward to trying it out

Although I already use a local sandbox, be nice to try out another tool. One online sandbox I've be trying - joebox - is still down.

 

It´s required to read the manual before using the tool because Sandboxie must be configured in order to get it working along with BSA.

 

Okay thanks, I imagined access settings must be configured so I'll have a read.

 

That´s right.

It´s a pretty simple configuration: just 2 lines added to Sandboxie.INI.

In one line we tell Sandboxie to inject the API logger DLL to every sandboxed process.

In other line we allow the communication from sandboxed processes to BSA tool through Sandboxie´s OpenWinClass parameter. That way BSA is able to receive notifications.

 

Looks a nice tool. Not limited to internet or automated. Any 'drawbacks' I suppose are tied to sandboxie limits.

 

Between some of my favourite features are that two you mention: not limited to internet and not automated.

The tool is "yours". You can have it installed in as many computers as you want and you can use it when you want, without any restrictions.

As not being automated, analysis can be improved if the user has the appropiated knowledgment. e.g. you can run a sniffer to capture transmitted packets. Users can make better and more accurate the tool by theirself.

As you mention and it´s commented in the manual, BSA is limited by Sandboxie´s limits and my own limits as coder.

 

okay thanks Buster - time for a play.

 

Come back here after you play with it and leave your comments, please.

I´m still waiting to hear the comments from someone that tried it.

 

Hi Buster it's a good tool and works well with and was a good idea to utilize Sandboxie.

Not comparing your tool with any other but I thought it would remind me a little of SysAnalyer.

Very easy to use, will you add your own monitors - a sniffer...servers, DNS requests, process analyser.

Logging is good, I would of liked an overall report combining everything also.

I like it.

 

From SysAnalyzer I used the API logger into my project but even if I have SysAnalyzer installed in a virtual machine, I never used it, therefore I don´t know if my tool reminds to it or not.

The report format is a copy of Norman´s so it will remind to it.

My plan for the tool is to continue adding malware behaviours. A sniffer is not in my plans because that´s something a user could include by himself.

I decided to separate the different report files on purpose because, as commented in the documentation, Buster Sandbox Analyzer may be used by Sandboxie´s users just to get a report of the changes made to system: files and registry.

Glad you liked it!

If you notice some malware behaviour not included already I´ll be really interested in hearing about it. At the moment that´s the most important aspect to improve in the tool.

 

Did you ever have the chance to try Norman Sandbox Analyzer?

I know that´s not much likely due it´s very restricted to professionals.

 

My comments are all positive

Sure. I do strive to be professional, they let me in

 

Very nice! I am going to use it very often

 

I´m glad you like it.

If you miss anything just let me know.

 

Buster Sandbox Analyzer website can be visited here:

http://bsa.qnea.de/

 

Hi Buster
small typo on http://bsa.qnea.de/
"Analisis and report examples" should say Analysis in English

best wishes

pidbo

 

Ok, thank you!

 

I tried your app & it performed as described.
Although I admire your programming effort, I wonder why are you reinventing the wheel?

the freely available SysInternals Process Monitor utility
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
provides comprehensive reporting, can be set to run at boot (to monitor post-reboot operations by an installer, for instance) and isn't dependent upon the presence of sandboxie.

The "Tools" dropdown in the Process Monitor menu enables you to generate various drill-down reports:
Tools -} Process Activity Summary
Tools -} File Summary
Tools -} Registry Summary
Tools -} Stack Summary
Tools -} Network Summary
Tools -} Cross reference Summary
and prior to creating SaveAs output, you can sort columns and/or filter the data within the live gridview.

ps: check out the handy Process Monitor commandline options

 

Well to me it adds value to Sandboxie, allows user configuration, provides enthousisasts a all in one tool to play with (in stead of configuring a VM set up)


Ehh on the wish list: pre and post difference of for instance autoruns output

 

inka: I just pretend to approach the malware analysis to non advanced users.

Meanwhile Buster Sandbox Analyzer is a malware analyzer for non advanced users, Process Monitor (if we can consider it as a malware analyzer) is not a tool for non advanced users.

Do you imagine your wife, your girlfriend, or your sister learning to catch malwares using Process Monitor? Maybe, but with a lot of work. Instead I could teach them to catch malwares with Buster Sandbox Analyzer in a few hours.

That´s the difference.

Advanced users can use Process Monitor, as commented in the manual, to improve malware analysis.

 

I don´t follow you. Could you explain it, please?

 

I must try this, be good for looking at the behavour of malware samples

 

avira detected buster as a TR-DOWNLOADER TROJAN.