Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I think BSA already got as better as it can be as malware analyzer.

    The only feature I still have in my to-do list is something related to statistics: compilers/packers used, file/av detections, etc.

    BSA just downloads the new release. You must update files manually.
     
  2. guest

    guest Guest

    Thanks for new version Buster_BSA,

    I want to ask question about BSA,
    Can be dropped files stored in a diffrent folder?

    For example, BSA set up malware file automatically. Malware download file. Are the files which is dowloaded stored in sandbox folder(with set up folders) or in a different folder?

    I didnt check it yet, Just i cruous when i read change log.

    is it for batch mode?


    You can add this info "19 vendors from virtustotal.com detected as malware" to Analysis.TXT like Xandora and Anubis.

    I like anubis summary raport, it is clean information. I think, you can remove this lines from Analysis.TXT cause Report.TXT have got this info. Clean summary page, is more usefull, i think.

    But maybe i am wrong and i have wrong argument.

     
  3. guest

    guest Guest

    And it is first and unique function, if i am not wrong.
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Downloaded, modified, dropped, [...] files are stored at sandbox folder while Sandboxie is running. After the analysis is finished, if the feature is enabled (Keep Sandbox Files), the sandbox folder is copied to report folder.

    I hope that replies your question.

    I don´t know yet, but probably statistics would be availabled for both manual and automatic modes. In automatic mode for sure.

    Just today I was thinking about doing that.

    There are no arguments about that. It´s just a taste question.

    Report.TXT may include information which is not relevant or malware related, that´s why Analysis.TXT is done.

    I will keep it as it´s now.
     
  6. guest

    guest Guest

    Sure, Extracted files (which is created by malware when installing) and downloaded files are on same folder.
    seperate folder is bad idea?
    cause we can add downloaded files to malware archive easly. If we can add extracted files our achive quality will lower.

    link doesnt work.
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    It´s not possible because it´s difficult to know when a file was dropped and when downloaded.
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    So where on the computer does BSA download the update?
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    \BSADIR\Updates
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thanks a lot!
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released Buster Sandbox Analyzer 1.43.

    Changes:

    + Replaced Buster Sandbox Analyzer with a custom logo. (thanks Antoni)
    + Maintenance release: minor changes.


    I almost added all the features I had in the TO-DO list and fixed all known bugs. I just miss adding some statistics but such feature is not prioritary, that´s why this version should be the last one for a while.
     
  12. guest

    guest Guest

    Thanks ;)
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released Buster Sandbox Analyzer 1.44.

    Changes:

    +Changed the feature to do not show UDP packets. Now the feature will ignore UDP packets from PCAP captures and reports
    + Added a feature to minimize BSA when the feature to do video capture is enabled
    + Added a feature to compress to ZIP sandbox folder contents when “Keep Sandbox Files” is enabled
    + Added information related to date of submission in VirusTotal reports
    + Added several improvements
    + Updated LOG_API
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Reuploaded BSA 1.44 package to fix a bug in LOG_API.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released Buster Sandbox Analyzer 1.45.

    Changes:

    + Added a feature to produce reports in PDF format
    + Added support for new malware behaviours: get volume information, alternate data stream creation
    + Updated LOG_API
     
  16. guest

    guest Guest

    Downloaded, thanks
     
  17. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    Mumbai
    Not always required but always welcomed for nice stuffs :) Good Job Buster_BSA always a good tool for view analysing :D
     
  18. mag1c

    mag1c Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    39
    Does BSA help with the malware that bypass's Sandboxie ?

    If anyone wants a private video of Sandboxie being bypass'd send me a message.
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Some time ago I proved that making a video fake of Sandboxie being bypassed was the simplest thing to do.

    More info here: http://sandboxie.com/phpbb/viewtopic.php?p=56003
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Reports in TXT are always created. PDF are optionals.
     
  21. guest

    guest Guest

    Is there any news about upcoming feature?
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    I am working in a new feature but I will not comment about it until it is done. :rolleyes:
     
  23. guest

    guest Guest

    Ok, waiting. curiosity kills the cat :)
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Released Buster Sandbox Analyzer 1.46.

    Changes:

    + Added a feature to include information from reports into a SQL database
    + Added a custom manager for BSA´s SQL Database
    + Added a feature to load and save settings from file on demand
    + Added a feature to set a number of retries if connection to VirusTotal fails
    + Added a feature to launch automatically Explorer.exe in automatic mode
    + Added a feature to skip already processed files in automatic mode
    + Fixed several bugs
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    There are a lot of things to comment about version 1.46.


    Added a feature to include information from reports into a SQL database

    With this feature it´s possible to store in a SQL (sqlite 3) database the information from report files and optionally, from analysis reports.

    All the information from reports (REPORT.TXT) and optionally from analysis (ANALYSIS.TXT) will be added to database.

    It´s mandatory to enable the reporting of SHA256 in order to get this feature working.


    Added a custom manager for BSA´s SQL Database

    I included a feature to manage the created database in an easy but powerful way.

    It has a SQL expression generator with the tables in database, the fields in each table, and five options. (is, is not, is null, is not null and contains)

    For people that know SQL, I also included a custom SQL command feature. With this feature you can use your sentences in SQL.

    I added a feature to remove entries from database, a predefined query to database and a function to update a record from a report file.

    Right-clicking in the table you will get some additional features.


    Added a feature to load and save settings from file on demand

    With this feature it´s possible to have several different BSA configurations stored in disk and easily switch between them.


    Added a feature to set a number of retries if connection to VirusTotal fails

    You can configure to don´t make retries if VirusTotal does not respond or choose from 1 to 5 retries.


    Added a feature to launch automatically Explorer.exe in automatic mode

    Recently I processed a malware that didn´t show the behaviour I expected. First I thought it was due a bug in Sandboxie. The bug existed and tzuk fixed it, but at the end it was not related with the issue.

    Ronen analyzed the piece of malware and discovered that the malware was injecting code to explorer.exe. Due the process was not being sandboxed, the malware could not inject the code. When explorer.exe is sandboxed, the malware will behave as it should.

    As some trojans may inject code in explorer.exe I decided to include this feature. When enabled BSA will sandbox explorer.exe before the analysis begins.


    Added a feature to skip already processed files in automatic mode

    When enabled, BSA will check at SQL database if the file was analyzed previously.


    Fixed several bugs

    As usual, several bugs fixed and other new introduced. :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.