Buster Sandbox Analyzer

I think BSA already got as better as it can be as malware analyzer.

The only feature I still have in my to-do list is something related to statistics: compilers/packers used, file/av detections, etc.

BSA just downloads the new release. You must update files manually.

 

Thanks for new version Buster_BSA,

I want to ask question about BSA,
Can be dropped files stored in a diffrent folder?

For example, BSA set up malware file automatically. Malware download file. Are the files which is dowloaded stored in sandbox folder(with set up folders) or in a different folder?

I didnt check it yet, Just i cruous when i read change log.

is it for batch mode?

You can add this info "19 vendors from virtustotal.com detected as malware" to Analysis.TXT like Xandora and Anubis.

I like anubis summary raport, it is clean information. I think, you can remove this lines from Analysis.TXT cause Report.TXT have got this info. Clean summary page, is more usefull, i think.

But maybe i am wrong and i have wrong argument.

 

And it is first and unique function, if i am not wrong.

 

No, I took the idea from here:

http://forums.malwr.com/index.php?/topic/45-screenshots/

 

Downloaded, modified, dropped, [...] files are stored at sandbox folder while Sandboxie is running. After the analysis is finished, if the feature is enabled (Keep Sandbox Files), the sandbox folder is copied to report folder.

I hope that replies your question.

I don´t know yet, but probably statistics would be availabled for both manual and automatic modes. In automatic mode for sure.

Just today I was thinking about doing that.

There are no arguments about that. It´s just a taste question.

Report.TXT may include information which is not relevant or malware related, that´s why Analysis.TXT is done.

I will keep it as it´s now.

 

Sure, Extracted files (which is created by malware when installing) and downloaded files are on same folder.
seperate folder is bad idea?
cause we can add downloaded files to malware archive easly. If we can add extracted files our achive quality will lower.

link doesnt work.

 

It´s not possible because it´s difficult to know when a file was dropped and when downloaded.

 

So where on the computer does BSA download the update?

 

\BSADIR\Updates

 

Thanks a lot!

 

Released Buster Sandbox Analyzer 1.43.

Changes:

+ Replaced Buster Sandbox Analyzer with a custom logo. (thanks Antoni)
+ Maintenance release: minor changes.


I almost added all the features I had in the TO-DO list and fixed all known bugs. I just miss adding some statistics but such feature is not prioritary, that´s why this version should be the last one for a while.

 

Thanks

 

Released Buster Sandbox Analyzer 1.44.

Changes:

+Changed the feature to do not show UDP packets. Now the feature will ignore UDP packets from PCAP captures and reports
+ Added a feature to minimize BSA when the feature to do video capture is enabled
+ Added a feature to compress to ZIP sandbox folder contents when “Keep Sandbox Files” is enabled
+ Added information related to date of submission in VirusTotal reports
+ Added several improvements
+ Updated LOG_API

 

Reuploaded BSA 1.44 package to fix a bug in LOG_API.

 

Released Buster Sandbox Analyzer 1.45.

Changes:

+ Added a feature to produce reports in PDF format
+ Added support for new malware behaviours: get volume information, alternate data stream creation
+ Updated LOG_API

 

Downloaded, thanks

 

Not always required but always welcomed for nice stuffs Good Job Buster_BSA always a good tool for view analysing

 

Does BSA help with the malware that bypass's Sandboxie ?

If anyone wants a private video of Sandboxie being bypass'd send me a message.

 

Some time ago I proved that making a video fake of Sandboxie being bypassed was the simplest thing to do.

More info here: http://sandboxie.com/phpbb/viewtopic.php?p=56003

 

Reports in TXT are always created. PDF are optionals.

 

Is there any news about upcoming feature?

 

I am working in a new feature but I will not comment about it until it is done.

 

Ok, waiting. curiosity kills the cat

 

Released Buster Sandbox Analyzer 1.46.

Changes:

+ Added a feature to include information from reports into a SQL database
+ Added a custom manager for BSA´s SQL Database
+ Added a feature to load and save settings from file on demand
+ Added a feature to set a number of retries if connection to VirusTotal fails
+ Added a feature to launch automatically Explorer.exe in automatic mode
+ Added a feature to skip already processed files in automatic mode
+ Fixed several bugs

 

There are a lot of things to comment about version 1.46.


Added a feature to include information from reports into a SQL database

With this feature it´s possible to store in a SQL (sqlite 3) database the information from report files and optionally, from analysis reports.

All the information from reports (REPORT.TXT) and optionally from analysis (ANALYSIS.TXT) will be added to database.

It´s mandatory to enable the reporting of SHA256 in order to get this feature working.


Added a custom manager for BSA´s SQL Database

I included a feature to manage the created database in an easy but powerful way.

It has a SQL expression generator with the tables in database, the fields in each table, and five options. (is, is not, is null, is not null and contains)

For people that know SQL, I also included a custom SQL command feature. With this feature you can use your sentences in SQL.

I added a feature to remove entries from database, a predefined query to database and a function to update a record from a report file.

Right-clicking in the table you will get some additional features.


Added a feature to load and save settings from file on demand

With this feature it´s possible to have several different BSA configurations stored in disk and easily switch between them.


Added a feature to set a number of retries if connection to VirusTotal fails

You can configure to don´t make retries if VirusTotal does not respond or choose from 1 to 5 retries.


Added a feature to launch automatically Explorer.exe in automatic mode

Recently I processed a malware that didn´t show the behaviour I expected. First I thought it was due a bug in Sandboxie. The bug existed and tzuk fixed it, but at the end it was not related with the issue.

Ronen analyzed the piece of malware and discovered that the malware was injecting code to explorer.exe. Due the process was not being sandboxed, the malware could not inject the code. When explorer.exe is sandboxed, the malware will behave as it should.

As some trojans may inject code in explorer.exe I decided to include this feature. When enabled BSA will sandbox explorer.exe before the analysis begins.


Added a feature to skip already processed files in automatic mode

When enabled, BSA will check at SQL database if the file was analyzed previously.


Fixed several bugs

As usual, several bugs fixed and other new introduced.