Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    In reports, additional information like file length, file hash, file entropy, etc. is shown for created files. For modified files no information is added.

    Should I change this behaviour and treat both newly created and modified files the same, or keep it as it is now?

    I was thinking that at least VirusTotal information should be shown for modified files.
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.41.


    Changes:

    + Usability improvement: hashes (MD5, SHA1, SHA256) shown in reports can be selected individually
    + In automatic mode, when “Keep Sandbox files” is enabled, empty folders and files will be removed
    + Added an option to include information for modified files in reports
    + Fixed several bugs
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Is it possible to get the 'verdict' back about the sandboxed files doing something suspicious that looks similar to malicious activities?
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Sorry but I don't follow you. Could you rephrase and elaborate a bit more, please?
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    There used to be a verdict after malware analyzer mode was entered (after closing the watched sandbox). The verdict would tell if there were suspicious actions performed by the sandboxed installation file (i.e. malware downloaded off MDL).
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Now, BSA provides a list of suspicious actions... but doesn't say in red that the file is probably malicious. Correct me if I'm wrong, but I thought I read it was removed in a previous version. It's really neat for the basic users!
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Ok, now I understand what you mean.

    In "Utilities > Malware Analyzer > Risk Evaluation Ratings" you have the list of suspicious actions and you can configure the level of dangerousness of each action.

    Then in "Utilities > Malware Analyzer > Risk Evaluation Calculator" you can configure the amount of performed suspicious actions to reach a risk level.

    BSA package includes a default configuration for both features.

    In order to include the risk level you must enable:

    Options > Common Analysis Options > Reports > Additional Reports > Include Risk Evaluation
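A toy version of the two settings described in this post, as an added example (not BSA's own code): a ratings table saying how dangerous each suspicious action is, and a calculator saying how many points reach each risk level. The action names are taken from analyzer output quoted later in this thread; the ratings, thresholds and level names are constructed for illustration and are not BSA's shipped defaults. The sample input is a constructed excerpt in the shape of the Comodo "Description" section quoted further down.

```python
"""Risk evaluation, toy version: per-action ratings plus score thresholds.

Constructed example for illustration; the ratings, thresholds and level
names are assumptions, not Buster Sandbox Analyzer's default configuration.
"""

# Constructed "Risk Evaluation Ratings": dangerousness 1 (low) to 3 (high).
RATINGS = {
    "Copies self to other locations": 2,
    "Deletes self": 2,
    "Creates process": 1,
    "Writes to foreign memory areas": 3,
    "Direct disk writing attempt": 3,
}

# Constructed "Risk Evaluation Calculator": minimum score for each level,
# ordered from most to least severe so the first match wins.
THRESHOLDS = [("High", 6), ("Medium", 3), ("Low", 1)]

# Constructed excerpt in the shape of Comodo's "Description" report section.
SAMPLE_DESCRIPTION = """\
• Description
Suspicious Actions Detected
Copies self to other locations
Deletes self
"""


def parse_suspicious_actions(text):
    """Return the action lines that follow 'Suspicious Actions Detected'.

    Collection stops at the first blank line or at the next bullet heading.
    """
    actions = []
    collecting = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Suspicious Actions Detected":
            collecting = True
            continue
        if collecting:
            if not line or line.startswith("•"):
                break
            actions.append(line)
    return actions


def score_actions(actions, ratings=RATINGS):
    """Sum the ratings of the observed actions.

    Actions missing from the ratings table are returned separately, so a gap
    in the configuration is visible instead of silently lowering the score.
    """
    score = 0
    unrated = []
    for action in actions:
        if action in ratings:
            score += ratings[action]
        else:
            unrated.append(action)
    return score, unrated


def risk_level(score, thresholds=THRESHOLDS):
    """Map a score to the first level whose minimum it reaches."""
    for level, minimum in thresholds:
        if score >= minimum:
            return level
    return "None"


def evaluate(text):
    """Parse a report excerpt and return actions, score, level and unrated actions."""
    actions = parse_suspicious_actions(text)
    score, unrated = score_actions(actions)
    return {
        "actions": actions,
        "score": score,
        "level": risk_level(score),
        "unrated": unrated,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_DESCRIPTION))
```

With the constructed table, the two actions in the sample score 2 + 2 = 4, which lands in the "Medium" band; raising either rating or lowering the "High" threshold changes the verdict, which is exactly the knob the two menus expose.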
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    And well? Any comment?
     
  9. guest

    guest Guest

    Yes xD
    Have you ever proposed to the Sandboxie developer to integrate your tool into Sandboxie? I think that it would be a great addition.
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    "Options > Common Analysis Options > Reports > Additional Reports > Include Risk Evaluation"

    Thanks. Exactly what I was looking for. I love the analyzer you've constructed!
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    tzuk will not do that.
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Glad you like it. ;)
     
  13. guest

    guest Guest

    Why? Have you asked him? Your tool is so great :(
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    You just need to read Sandboxie's forum a bit, especially the "feature request" section, to know that.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, I don't use Sandboxie, but I have to say: you developed a great analyzer :thumb:
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Thanks!

    Did you try it?
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, I just scrolled through the release history at the sbie forum to get an idea of the actions it monitors. This was impressive by itself.
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Kees, you should go back to Sandboxie. It is pretty epic now with full x64 support! Add Buster's masterpiece and you're as safe as can be! :)
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have a very simple virtualisation mechanism. It is a hot-swappable disk. Just put in a test Windows OS. Start Microsoft Windows system state monitor. Run the malware in a real environment. Look what registry and file changes it has made and blast the test-disk image back to its initial state with imaging software. :cool:

    I can do with GeSWall everything people do with SBIE, only GeSWall and PowerBroker use less than 0.01% CPU together while protecting my ass.
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.42.

    Changes:

    + Added a feature to capture screen in video (VLC installation required)
    + Added a feature to report direct disk writing attempts (Sandboxie 3.59.01 or newer version required)
    + Fixed a bug
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Comparison of malware analyzers

    Comodo Instant Malware Analysis

    Code:
    • File Info
    Name   Value
    Size   10240
    MD5   afb7773a0af4f0ebcd22d19cdabb7f66
    SHA1   f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
    SHA256   21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
    Process   Exited
    • Keys Created
    • Keys Changed
    • Keys Deleted
    • Values Created
    • Values Changed
    • Values Deleted
    • Directories Created
    • Directories Changed
    • Directories Deleted
    • Files Created
    Name   Size   Last Write Time   Creation Time   Last Access Time   Attr
    C:\Documents and Settings\User\Local Settings\Temp\sys3.exe   10240   2009.01.09 10:54:20.453   2009.01.09 10:54:22.890   2009.01.09 10:54:22.890   0x20
    C:\Documents and Settings\User\Local Settings\Temp\systm.txt   18   2009.01.09 10:54:22.875   2009.01.09 10:54:22.843   2009.01.09 10:54:22.843   0x20
    • Files Changed
    • Files Deleted
    Name   Size   Last Write Time   Creation Time   Last Access Time   Attr
    C:\TEST\sample.exe   10240   2009.01.09 10:54:20.453   2009.01.09 10:53:58.578   2009.01.09 10:53:58.578   0x20
    • Directories Hidden
    • Files Hidden
    • Drivers Loaded
    • Drivers Unloaded
    • Processes Created
    • Processes Terminated
    • Threads Created
    PId   Process Name   TId   Start   Start Mem   Win32 Start   Win32 Start Mem
    0x348   svchost.exe   0x784   0x7c810856   MEM_IMAGE   0x7c910760   MEM_IMAGE
    • Modules Loaded
    • Windows Api Calls
    PId   Image Name   Address   Function ( Parameters ) | Return Value
    0xd8   C:\TEST\sample.exe   0x2aa0158f   CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\DOCUME~1\User\LOCALS~1\Temp\\sys3.exe", bFailIfExists: 0x1)|0x1
    • DNS Queries
    • HTTP Queries
    • Verdict
    Auto Analysis Verdict
    Suspicious++
    • Description
    Suspicious Actions Detected
    Copies self to other locations
    Deletes self

    ThreatExpert

    Code:
    Submission details:
            Submission received: 4 September 2011, 19:19:29
            Processing time: 14 min 12 sec
            Submitted sample:
                File MD5: 0xAFB7773A0AF4F0EBCD22D19CDABB7F66
                File SHA-1: 0xF7C0A34CEBAD3B18C12EEFBF8B55A02EAFED4ADC
                Filesize: 10.240 bytes
    
     
    Technical Details:
    
     
       File System Modifications
    
        The following files were created in the system:
    
    #   Filename(s)   File Size   File Hash
    1    %Temp%\sys3.exe
    [file and pathname of the sample #1]    10.240 bytes    MD5: 0xAFB7773A0AF4F0EBCD22D19CDABB7F66
    SHA-1: 0xF7C0A34CEBAD3B18C12EEFBF8B55A02EAFED4ADC
    2    %Temp%\systm.txt    32 bytes    MD5: 0x46525D5665EB34AD79F2B75FF27A8659
    SHA-1: 0x83C7AA2AF8CCD12F45D116ADDF7295EB3217FB0A
    
        Note:
            %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

    Xandora

    Code:
    File Details
    MD5   afb7773a0af4f0ebcd22d19cdabb7f66
    SHA-1   f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
    First Received   2011-09-05 08:36:00
    Last Received   2011-09-05 08:36:00
    Size (bytes)   10240
    Weightage   71
    virustotal.com   19 vendors detected
     
    Static File Header
    read more
    ++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++
    
    TimeStamp: 4DDA3D47 Mon May 23 18:56:07 2011
    Subsystem: 2 (Windows GUI)
    Image Base: 2AA00000 Size: 00005000
    Code Base: 00001000 Size: 00000C00
    Data Base: 00002000 Size: 00001800
    Entry Point: 00001600 (file offset 00000A00)
    
    ++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++
    
    1: .text RVA: 00001000 Offset: 00000400 Size: 00000C00 Flags: C0040020 (CRW)
    2: .data RVA: 00002000 Offset: 00001000 Size: 00001400 Flags: C0000040 (DRW)
    3: .rsrc RVA: 00004000 Offset: 00002400 Size: 00000400 Flags: 40000040 (DR)
     
    virustotal.com Output
    read more
    19 vendors from virtustotal.com detected as malware
    
        HEUR:Trojan.Win32.Generic
        avariantofWin32/MBRlock.D
        Heuristic.gen
        Win32:MBRlock-B
        Suspicious
    
     
    Registry Change
    read more
    The following Registry Keys were changed
    
        software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
        software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
        software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
        software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
        software_Microsoft_Windows_NT_CurrentVersion_AeDebug

    Norman Sandbox Analyzer

    Code:
    TEST.EX_ : Not detected by Sandbox (Signature: NO_VIRUS)
    
    
     [ DetectionInfo ]
       * Filename: C:\analyzer\scan\TEST.EX_.
       * Sandbox name: NO_MALWARE
       * Signature name: NO_VIRUS.
       * Compressed: NO.
       * TLS hooks: NO.
       * Executable type: Application.
       * Executable file structure: OK.
       * Filetype: PE_I386.
    
     [ General information ]
       * File length:        10240 bytes.
       * MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66.
       * SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc.
    
     [ Changes to filesystem ]
       * Creates file C:\WINDOWS\TEMP\systm.txt.
       * Creates file C:\WINDOWS\TEMP\sys3.exe.
       * Deletes file C:\sample.exe.
    
     [ Process/window information ]
       * Creates process "sys3.exe".
       * Checks if privilege "SeShutdownPrivilege" is available.
       * Enables privilege SeShutdownPrivilege.
    
     [ Signature Scanning ]
       * C:\sample.exe (10240 bytes) : no signature detection.
       * C:\WINDOWS\TEMP\systm.txt (13 bytes) : no signature detection.
       * C:\WINDOWS\TEMP\sys3.exe (10240 bytes) : no signature detection.
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Anubis

    Code:
                      ___                __    _                         
             +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
            /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\       
            oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho       
            shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs       
          -:+hhdhyys/-                                           -\syyhdhh+:-     
        -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-   
       /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
     -+++///////odh/-                                             -+hdo\\\\\\\+++-
     +++++++++//yy+/:                                             :\+yy\\+++++++++
    /+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
    +oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
    +oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+
    
    
    [#############################################################################]
        Analysis Report for TEST.EX_
                       MD5: afb7773a0af4f0ebcd22d19cdabb7f66
    [#############################################################################]
    
    Summary:
        - Write to foreign memory areas:
            This executable tampers with the execution of another process.
    
        - AV Hit:
            This executable is detected by an antivirus software.
    
        - Execution did not terminate correctly:
            The executable crashed.
    
        - Performs File Modification and Destruction:
            The executable modifiesand destructs files which are not temporary.
    
        - Spawns Processes:
            The executable produces processes during the execution.
    
    [=============================================================================]
        Table of Contents
    [=============================================================================]
    
    - General information
    - TEST.EX_.exe
      a) Registry Activities
      b) File Activities
      c) Process Activities
        - sys3.exe
          a) Registry Activities
          b) File Activities
    
    
    [#############################################################################]
        1. General Information
    [#############################################################################]
    [=============================================================================]
        Information about Anubis' invocation
    [=============================================================================]
            Time needed:        112 s
            Report created:     09/04/11, 23:57:30 UTC
            Termination reason: All tracked processes have exited
            Program version:    1.75.3394
    
    
    [#############################################################################]
        2. TEST.EX_.exe
    [#############################################################################]
    [=============================================================================]
        General information about this executable
    [=============================================================================]
            Analysis Reason: Primary Analysis Subject
            Filename:        TEST.EX_.exe
            MD5:             afb7773a0af4f0ebcd22d19cdabb7f66
            SHA-1:           f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
            File Size:       10240 Bytes
            Command Line:    "C:\TEST.EX_.exe"
            Process-status
            at analysis end: dead
            Exit Code:       0
    
    [=============================================================================]
        Load-time Dlls
    [=============================================================================]
            Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
                   Base Address: [0x7C900000 ], Size: [0x000AF000 ]
            Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
                   Base Address: [0x7C800000 ], Size: [0x000F6000 ]
            Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
                   Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
            Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
                   Base Address: [0x77E70000 ], Size: [0x00092000 ]
            Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
                   Base Address: [0x77FE0000 ], Size: [0x00011000 ]
            Module Name: [ C:\WINDOWS\system32\CRTDLL.dll ],
                   Base Address: [0x73D90000 ], Size: [0x00027000 ]
            Module Name: [ C:\WINDOWS\system32\USER32.dll ],
                   Base Address: [0x7E410000 ], Size: [0x00091000 ]
            Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
                   Base Address: [0x77F10000 ], Size: [0x00049000 ]
            Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
                   Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
            Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
                   Base Address: [0x77C10000 ], Size: [0x00058000 ]
            Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
                   Base Address: [0x77F60000 ], Size: [0x00076000 ]
            Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
                   Base Address: [0x773D0000 ], Size: [0x00103000 ]
            Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
                   Base Address: [0x5D090000 ], Size: [0x0009A000 ]
    
    [=============================================================================]
        Run-time Dlls
    [=============================================================================]
            Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
                   Base Address: [0x77B40000 ], Size: [0x00022000 ]
    
    [=============================================================================]
        Ikarus Virus Scanner
    [=============================================================================]
            Trojan-Ransom.Win32.Mbro (Sig-Id: 1651254)
    
    [=============================================================================]
        2.a) TEST.EX_.exe - Registry Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Registry Values Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Key: [ HKLM\SYSTEM\Setup ],
                 Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
            Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
                 Value Name: [ Installed ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
                 Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
                 Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
                 Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
                 Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
                 Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
                 Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
                 Value Name: [ ItemSize ], Value: [ 779 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
                 Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
                 Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
                 Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
                 Value Name: [ ItemSize ], Value: [ 517 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
                 Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
                 Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
                 Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
                 Value Name: [ ItemSize ], Value: [ 918 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
                 Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
                 Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
                 Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
                 Value Name: [ ItemSize ], Value: [ 229 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
                 Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
                 Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
                 Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
                 Value Name: [ ItemSize ], Value: [ 370 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
                 Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
                 Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
                 Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
                 Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
            Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
                 Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
    
    
    [=============================================================================]
        2.b) TEST.EX_.exe - File Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Created:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ PHYSICALDRIVE0 ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Modified:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
            File Name: [ PHYSICALDRIVE0 ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File System Control Communication:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Memory Mapped Files:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
            File Name: [ C:\TEST.EX_.exe ]
            File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
            File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
            File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
            File Name: [ C:\WINDOWS\system32\CRTDLL.dll ]
            File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
            File Name: [ C:\WINDOWS\system32\comctl32.dll ]
            File Name: [ C:\Windows\AppPatch\sysmain.sdb ]
    
    [=============================================================================]
        2.c) TEST.EX_.exe - Process Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Processes Created:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ], Command Line: [  ]
            Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe ], Command Line: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Remote Threads Created:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Affected Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Foreign Memory Regions Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Foreign Memory Regions Written:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
    
    
    
    [#############################################################################]
        3. sys3.exe
    [#############################################################################]
    [=============================================================================]
        General information about this executable
    [=============================================================================]
            Analysis Reason: Started by TEST.EX_.exe
            Filename:        sys3.exe
            MD5:             afb7773a0af4f0ebcd22d19cdabb7f66
            SHA-1:           f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
            File Size:       10240 Bytes
            Command Line:    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe
            Process-status
            at analysis end: dead
            Exit Code:       0
    
    [=============================================================================]
        Load-time Dlls
    [=============================================================================]
            Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
                   Base Address: [0x7C900000 ], Size: [0x000AF000 ]
            Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
                   Base Address: [0x7C800000 ], Size: [0x000F6000 ]
            Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
                   Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
            Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
                   Base Address: [0x77E70000 ], Size: [0x00092000 ]
            Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
                   Base Address: [0x77FE0000 ], Size: [0x00011000 ]
            Module Name: [ C:\WINDOWS\system32\CRTDLL.dll ],
                   Base Address: [0x73D90000 ], Size: [0x00027000 ]
            Module Name: [ C:\WINDOWS\system32\USER32.dll ],
                   Base Address: [0x7E410000 ], Size: [0x00091000 ]
            Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
                   Base Address: [0x77F10000 ], Size: [0x00049000 ]
            Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
                   Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
            Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
                   Base Address: [0x77C10000 ], Size: [0x00058000 ]
            Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
                   Base Address: [0x77F60000 ], Size: [0x00076000 ]
            Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
                   Base Address: [0x773D0000 ], Size: [0x00103000 ]
            Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
                   Base Address: [0x5D090000 ], Size: [0x0009A000 ]
    
    [=============================================================================]
        Run-time Dlls
    [=============================================================================]
            Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
                   Base Address: [0x5B860000 ], Size: [0x00055000 ]
            Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
                   Base Address: [0x76360000 ], Size: [0x00010000 ]
    
    [=============================================================================]
        Ikarus Virus Scanner
    [=============================================================================]
            Trojan-Ransom.Win32.Mbro (Sig-Id: 1651254)
    
    [=============================================================================]
        3.a) sys3.exe - Registry Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Registry Values Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Key: [ HKLM\SYSTEM\Setup ],
                 Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability ],
                 Value Name: [ ShutdownReasonUI ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
                 Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
                 Value Name: [ ComputerName ], Value: [ PC ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
                 Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
    
    
    [=============================================================================]
        3.b) sys3.exe - File Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Deleted:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\TEST.EX_.exe ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
            File Name: [ PIPE\lsarpc ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Modified:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ PIPE\lsarpc ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File System Control Communication:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
            File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 3 times
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Device Control Communication:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Memory Mapped Files:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
            File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
            File Name: [ C:\WINDOWS\system32\CRTDLL.dll ]
            File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
            File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
            File Name: [ C:\WINDOWS\system32\comctl32.dll ]
    
    
    
    [#############################################################################]
                           International Secure Systems Lab                       
                                http://www.iseclab.org                             
    
    Vienna University of Technology     Eurecom France            UC Santa Barbara
    http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu
    
                              Contact: anubis@iseclab.org
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Buster Sandbox Analyzer

    Report.TXT

    Code:
    Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011
    
     [ General information ]
       * File name: c:\m\test\test.exe
       * File length: 10240 bytes
       * File signature (PEiD): Borland Delphi 3.0 (???) *
       * Digital signature: Unsigned
       * MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
       * SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
       * SHA256 hash: 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
       * VirusTotal detections:
          AntiVir: TR/Crypt.XPACK.Gen
          Avast: Win32:MBRlock-B
          Avast5: Win32:MBRlock-B
          AVG: unknown virus Win32/DH.AA53594850
          BitDefender: Gen:Variant.Kazy.31729
          ByteHero: Virus.Win32.Heur.l
          DrWeb: Trojan.MBRlock.12
          Emsisoft: Trojan-Ransom.Win32.Mbro!IK
          F-Secure: Gen:Variant.Kazy.31729
          GData: Gen:Variant.Kazy.31729
          Ikarus: Trojan-Ransom.Win32.Mbro
          Jiangmin: Trojan/MBro.h
          Kaspersky: HEUR:Trojan.Win32.Generic
          Microsoft: Trojan:Win32/Ransom.DV
          NOD32: a variant of Win32/MBRlock.D
          nProtect: Gen:Variant.Kazy.31729
          Panda: Suspicious file
          Rising: Suspicious
          TheHacker: Trojan/MBRlock.d
          TrendMicro: PAK_Generic.001
          TrendMicro-HouseCall: PAK_Generic.001
          VBA32: Trojan.Ransom.5705
          VIPRE: Trojan.Win32.Generic!BT
          VirusBuster: Trojan.MBRLocker.Gen
    
     [ Changes to filesystem ]
       * Deletes file C:\M\TEST\TEST.EXE
       * Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
         File length: 10240 bytes
         File signature (PEiD): Borland Delphi 3.0 (???) *
         Digital signature: Unsigned
         MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
         SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
         SHA256 hash: 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
         VirusTotal detections:
          AntiVir: TR/Crypt.XPACK.Gen
          Avast: Win32:MBRlock-B
          Avast5: Win32:MBRlock-B
          AVG: unknown virus Win32/DH.AA53594850
          BitDefender: Gen:Variant.Kazy.31729
          ByteHero: Virus.Win32.Heur.l
          DrWeb: Trojan.MBRlock.12
          Emsisoft: Trojan-Ransom.Win32.Mbro!IK
          F-Secure: Gen:Variant.Kazy.31729
          GData: Gen:Variant.Kazy.31729
          Ikarus: Trojan-Ransom.Win32.Mbro
          Jiangmin: Trojan/MBro.h
          Kaspersky: HEUR:Trojan.Win32.Generic
          Microsoft: Trojan:Win32/Ransom.DV
          NOD32: a variant of Win32/MBRlock.D
          nProtect: Gen:Variant.Kazy.31729
          Panda: Suspicious file
          Rising: Suspicious
          TheHacker: Trojan/MBRlock.d
          TrendMicro: PAK_Generic.001
          TrendMicro-HouseCall: PAK_Generic.001
          VBA32: Trojan.Ransom.5705
          VIPRE: Trojan.Win32.Generic!BT
          VirusBuster: Trojan.MBRLocker.Gen
       * Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
         File length: 18 bytes
         MD5 hash: 56f96e284ebf1b3fbc78c70eae09d2ca
         SHA1 hash: 940b172e63ad2c8e65eb8a48b459e11cc3196211
         SHA256 hash: f6248d82a67be08f8fab93862504eabad0b3a8db57775ed0674459e2fcde961e
    
     [ Changes to registry ]
       * No changes
    
     [ Process/window information ]
       * Enables process privileges.
       * Creates process "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)".
       * Writes directly to disk.
       * Ends Windows session.

    Analysis.TXT

    Code:
    Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011
    
    Detailed report of suspicious malware actions:
    
    Created file in defined folder: C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
    Created process: C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)
    Defined file type created: C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
    Detected direct disk write attempt
    Detected process privilege elevation
    Ends Windows session
    File deleted itself
    
    Risk evaluation result: High
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    As you can see, Buster Sandbox Analyzer is the only malware analyzer that correctly reports that the analyzed sample tried to end the Windows session (Reboot/Power off) and write directly to disk (format/write to MBR/...).

    In this case the sample is an MBR infector which reboots after infection.
     
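    An added example, not BSA's own code and not from either post: a small parser for the Report.TXT / Analysis.TXT layout pasted in post 23, plus one defender-side rule that pairs the "direct disk write" and "ends Windows session" findings post 24 singles out. The sample texts, paths and hash placeholder below are constructed.

```python
# Added example, not BSA's own code: parse the Report.TXT / Analysis.TXT
# layout quoted above and pair the two findings post 24 points to.
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*\[ (?P<name>.+?) \]\s*$")  # " [ Changes to registry ]"
ITEM_RE = re.compile(r"^\s*\* (?P<text>.+?)\s*$")         # "   * Deletes file ..."
# Raw sector write plus a forced reboot is how an MBR locker gets its boot
# code run; BSA reports them as two separate findings.
MBR_LOCKER_ACTIONS = {"Detected direct disk write attempt", "Ends Windows session"}

def parse_report(text):
    """Map each '[ Section ]' to its '* ' items; indented attribute lines
    (hashes, VirusTotal names) under an item are skipped."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group("name")
        elif current and (m := ITEM_RE.match(line)):
            sections[current].append(m.group("text"))
    return dict(sections)

def parse_analysis(text):
    """Return (set of action names, risk); paths after ':' are dropped."""
    actions, risk = set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Risk evaluation result:"):
            risk = line.partition(":")[2].strip()
        elif line and not line.startswith(("Report generated", "Detailed report")):
            actions.add(line.partition(":")[0].strip())
    return actions, risk

def looks_like_mbr_locker(actions):
    return MBR_LOCKER_ACTIONS <= actions

# Constructed sample texts (placeholder path and hash), same layout as above.
SAMPLE_REPORT = """ [ Changes to filesystem ]
   * Creates file C:\\Temp\\dropped.exe
     MD5 hash: PLACEHOLDER_MD5

 [ Process/window information ]
   * Writes directly to disk.
   * Ends Windows session.
"""
SAMPLE_ANALYSIS = """Detailed report of suspicious malware actions:
Created process: C:\\Temp\\dropped.exe,C:\\Temp\\dropped.exe,(null)
Detected direct disk write attempt
Ends Windows session
Risk evaluation result: High
"""
```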
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Wow!! Getting better and better! I like it a lot!

    How exactly do I auto-update? It says a new version is available, and it downloads... but why doesn't it install itself? I tried restarting the program but still 1.41.
     