Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    "Utilities > Sandbox > RegHive > Export to .REG" feature will be available when the analysis is done in "Manual" mode.

    Steps to get it enabled:

    1) Click "Start Analysis"

    2) Click "Finish Analysis" when you are done with the analysis.

    3) Click "Malware Analyzer" if you want to get analysis.

    4) Click "Options > Cancel Analysis".

    At that moment many features that were grayed out will be enabled again, among them "Export to .REG".

    And that's all.

    Another workaround would be running whatever you want without BSA, and when you have terminated all sandboxed applications, you run BSA and call the "Export to .REG" feature.

    Remember that in all cases Sandboxie must be configured not to delete the sandboxed contents automatically after all sandboxed processes are terminated.
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Next release (1.50) will include multi-language support.
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.50.

    Changes:

    + Added multi-language support
    + Updated LOG_API
    + Fixed several bugs
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    If anyone translates BSA into another language, it would be cool if he sent it to me so I can include it in the package.
     
  5. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    Can't run it, it says wpcap.dll isn't found.
     
  6. guest

    guest Guest


    Use it:
    http://www.winpcap.org/

    and you must read help pages...
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Read, at least, the README.TXT included in BSA package, please.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
  9. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    Can I still use sandboxie normally for browsers if I use this?
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    With "this", do you mean WinPCap?
     
  12. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.

    Never mind, I found out I can with it installed. :) I am wondering about the configuration of Sandboxie to use with BSA.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Read the manual. After reading it, if you have any question let me know and I will reply to you.
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The next release of Buster Sandbox Analyzer will automate the process of hiding Sandboxie's processes. Instead of using HideDriver, BSA will use its own driver to hide processes.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.51.

    Changes:

    + Added a custom driver to hide Sandboxie's processes
    + Removed Hide Driver from package
    + Included new malware behaviour
    + Added File Renamer feature to utilities section
    + Updated LOG_API
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    In the BSA 1.51 package, HideDriver has been removed. I have included a custom driver to hide Sandboxie's processes. This driver can be installed and started by Buster Sandbox Analyzer on demand or automatically.

    In order to get the driver working, Buster Sandbox Analyzer must have admin rights.

    The driver (BSA.SYS) can be renamed for security purposes to any name.

    At least one antivirus vendor detects the driver as malicious. I would be grateful if you submit the driver to those vendors detecting the driver so they remove the false positive.

    If anyone has any questions about this or any of the new features (File Renamer) just post a message.
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.52.

    Changes:

    + Added support for HTML reports
    + Added a feature to remove sandbox folder contents automatically in manual mode
    + Included new malware behaviour
    + Updated LOG_API
    + Fixed several bugs
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.53.

    Changes:

    + Added a new entry section to BSA.DAT: [Process_Code_Injection]
    + Added a new feature to dump executable processes in automatic mode
    + Added a feature that allows the user to select what behaviours must appear in the analysis report
    + Updated “Risk Evaluation Ratings”
    + Included new malware behaviour
    + Updated LOG_API
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.54.

    Changes:

    + Added a new entry section to BSA.DAT: [File_Strings]
    + Added a feature to search for defined strings inside analyzed file
    + Improved “Dump Executable Processes” feature
    + Included new malware behaviour
    + Updated LOG_API
    + Added Portuguese (Brazil) language translation (thanks to Paulo Guzman)
     
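    The "search for defined strings inside analyzed file" feature announced above, illustrated as an added example that is not BSA's own code. The layout of the [File_Strings] section in BSA.DAT is not shown in this thread, so the one-string-per-line INI-style format used here is an assumption; the sample file bytes are constructed. The scanner looks for each string both as plain ASCII and as UTF-16LE, since Windows binaries commonly store strings in either encoding.

```python
"""
Added example: scan a file for the strings listed in a [File_Strings]
section of a BSA.DAT-like file. The section format is an assumption
(one string per line, INI-style headers); BSA's real layout is not
shown in the thread.
"""
import re

# Constructed BSA.DAT-like fragment (assumed format, not BSA's real file).
SAMPLE_DAT = """\
[Process_Code_Injection]
WriteProcessMemory
CreateRemoteThread

[File_Strings]
cmd.exe /c
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
urlmon.dll
"""


def load_section(text, section):
    """Return the non-empty, non-comment lines under [section]."""
    wanted = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].lower() == section.lower()
            continue
        if in_section:
            wanted.append(stripped)
    return wanted


def find_strings(data, needles):
    """Map each matched string to a list of (encoding, offset) hits.

    Strings with no match are simply absent from the result, so the
    caller can report only what was found.
    """
    hits = {}
    for s in needles:
        for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf16")):
            pattern = re.escape(s.encode(enc))
            for m in re.finditer(pattern, data):
                hits.setdefault(s, []).append((label, m.start()))
    return hits


def scan_file(data, dat_text):
    """Load [File_Strings] from dat_text and search data for them."""
    return find_strings(data, load_section(dat_text, "File_Strings"))


if __name__ == "__main__":
    # Constructed sample: a fake PE header, an ASCII command line and a
    # UTF-16LE DLL name, the kinds of strings an analyst would flag.
    sample = (
        b"MZ\x90\x00PADDINGcmd.exe /c del x\x00"
        + "urlmon.dll".encode("utf-16-le")
        + b"\x00\x00"
    )
    for needle, where in scan_file(sample, SAMPLE_DAT).items():
        print(f"{needle!r}: {where}")
```

Matching is done on raw bytes rather than decoded text, so a string split by a null byte (UTF-16LE) is still caught, and a string the sample never contains (the Run key above) produces no entry at all.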
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.55.

    Changes:

    + Added Adobe Malware Classifier information
    + Included new malware behaviour at “Risk Evaluation Ratings”
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.56.

    Changes:

    + Added the ability to run multiple analyses at the same time
    + Added new malware behaviours
    + Updated LOG_API
    + Included new malware behaviour at “Risk Evaluation Ratings”
    + Added Russian language translation (thanks to gjf)
     
  22. guest

    guest Guest

    Yeah, Finally :)
    Thanks, thanks, thanks...
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The feature is not perfect yet and needs user testing to verify if it works properly.

    AFAIK BSA should be able to separate TCP packets properly (we already knew that for UDP packets this is not possible) and assign each one to the right BSA instance. Anyway, as I commented, user testing and verification will be required to be sure.

    As I comment in appendix E of the manual, currently Sandboxie does not know what sandbox/process generated an event, so it is not possible for BSA to assign the event to the proper instance. What does that mean? It means that BSA could assign a malware behaviour to the wrong report.

    This is a small problem as BSA only checks 4 malware behaviours coming from Sandboxie.LOG (the event log generated by Sandboxie).

    I hope this problem can be solved in future versions, when tzuk improves the part of Sandboxie that creates event logs.

    If you have any doubt about the use of the new feature just let me know.

    And of course... I expect feedback!!! ;)
     
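    The packet-to-instance separation discussed in the post above, as an added example that is not BSA's code. It assumes a per-instance connection table keyed on the local endpoint (the table, the local IP address and the instance names are all constructed here; in a real setup that table would be built from the sockets the sandboxed processes of each instance open). TCP segments are attributed by their local port; UDP datagrams are left unattributed, mirroring the limitation the post states rather than trying to solve it.

```python
"""
Added example: attribute captured packets to one of several concurrently
running analysis instances. Only TCP is attributed, by looking up the
packet's local endpoint in a per-instance connection table. UDP is left
unattributed, matching the limitation described in the post.
"""
from dataclasses import dataclass

LOCAL_IP = "192.168.1.10"  # constructed address of the analysis host


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed connection table: (local_ip, local_port) -> instance name.
# Assumption: each instance knows the local ports its sandboxed processes
# bound when they connected, and registers them here.
CONN_TABLE = {
    (LOCAL_IP, 49152): "BSA#1",
    (LOCAL_IP, 49153): "BSA#2",
}


def local_endpoint(pkt, local_ip=LOCAL_IP):
    """Return the (ip, port) pair on the analysis host's side, or None."""
    if pkt.src == local_ip:
        return (pkt.src, pkt.sport)
    if pkt.dst == local_ip:
        return (pkt.dst, pkt.dport)
    return None


def attribute(pkt, conn_table, local_ip=LOCAL_IP):
    """Name the instance a packet belongs to, or None if it cannot be told."""
    if pkt.proto != "TCP":
        return None  # UDP: no connection state to key on (see the post)
    endpoint = local_endpoint(pkt, local_ip)
    if endpoint is None:
        return None  # neither side is the analysis host
    return conn_table.get(endpoint)


def split_capture(packets, conn_table, local_ip=LOCAL_IP):
    """Bucket packets per instance; unknown ones go to 'unattributed'."""
    buckets = {"unattributed": []}
    for pkt in packets:
        name = attribute(pkt, conn_table, local_ip) or "unattributed"
        buckets.setdefault(name, []).append(pkt)
    return buckets


if __name__ == "__main__":
    # Constructed capture: one outbound segment per instance plus a UDP query.
    capture = [
        Packet("TCP", LOCAL_IP, 49152, "203.0.113.5", 80),
        Packet("TCP", "203.0.113.5", 443, LOCAL_IP, 49153),
        Packet("UDP", LOCAL_IP, 49154, "203.0.113.53", 53),
    ]
    for name, pkts in split_capture(capture, CONN_TABLE).items():
        print(name, [(p.proto, p.sport, p.dport) for p in pkts])
```

Keying on the local endpoint works for both directions of a TCP connection, because the host's port is the source port on outbound segments and the destination port on inbound ones; a reply from a server on port 443 still lands in the right instance's bucket. Anything the table does not know about stays visible as "unattributed" instead of being silently dropped or guessed.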
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Feedback, please! :rolleyes:
     
  25. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Have just finished reading through this thread, the tool looks really nice and I am excited to give it a try.

    Couple of questions that I was not clear on from reading the thread:
    1) Does BSA log attempts by the sample to obtain direct disk access? (e.g. MBR/creating partition)
    2) Does BSA log attempts by the sample to detect that it is being run in a sandbox/VM?
     