Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    I thought it was Sandboxie integration.
    Ahh I understand now. Btw I noticed that running IE6 in itself rated malware.
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    BSA has its own integration (in Sandboxie style) in Windows shell. ;)

There are no good or bad actions, so more important than BSA's risk evaluation is your own evaluation.

    You are the only one knowing if certain actions should be performed by the application you are analyzing or not. BSA can not know that.
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Still looking at new additions? I added some but not so many! :p
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.16.

    Change list:

    Added RegHive Explorer feature
    Updated LOG_API library
     
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Version 1.16 includes RegHive Explorer, a feature that allows to view Windows registry modifications performed by sandboxed applications.

It's the only feature of its kind as it's specifically designed to view Sandboxie's reghive files.

    Additionally RegHive Explorer allows to synchronize reghive and Windows registry so we can visualize modifications more easily.

    Version 1.16 also includes a new version of LOG_API library. The new DLL has been updated to be compatible with the changes in Sandboxie 3.45.01.
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Soon I will release Buster Sandbox Analyzer 1.17. This version will improve a bit File Hash and RegHive Explorer features.

    After 1.17, new releases should be much more spaced in time as all the features I had planned are included already. New versions should include just bugfixes or small improvements.

    If there is interest I could release a special version only for professionals. This version would include next additional features:

    * Batch analysis

This feature would allow generating analyses of the files in a folder in an automated way.

    * File Extractor

This is a feature I have been working on for two years. It allows the extraction of files from setups, installations, embedded files, compressed files, etc.

It supports 7z, ZIP, GZIP, BZIP2, TAR, RAR, CAB, ISO, ARJ, LZH, CHM, Z, CPIO, RPM, DEB, NSIS, ACE, EML, Inno Setup, Microsoft SZDD, Microsoft TNEF, RTF, Gentee, Setup Factory, RapSFX, Thraex's Astrum InstallWizard, SEA, Instyler, BInstall, Cexe, Quick Batch File Compiler, WScript, Smart Install Maker, Stubbie SFX Extractor, ... virtually all executable installers.

    * LOG_API library source code

    The source code could be modified in order to add new APIs to log or customize the output.

    If anyone is interested contact me at my mail.
     
  7. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Cool, and thanks!! :D
    I just recently started using Sandboxie and this looks like the perfect companion piece. Since it's coming soon I'll wait for 1.17 before I start trying it out.

    Thanks again!
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    mvario: I have found a bug in "RegHive Explorer" feature and version 1.17 may be delayed more time than I thought initially. Therefore I suggest you download version 1.16 and start playing with it. ;)

Don't forget to read the PDF manual carefully and follow the instructions. Pay special attention to the notes in red. They are important to get the most accurate results.
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
The bug was simpler to fix than I thought, so I should release BSA 1.17 this week. :cool:
     
  10. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Keep up the great work Buster. Much appreciated :thumb:
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.17.

    Change list:

    Improved File Hash and RegHive Explorer features
    Fixed bugs in Buster Sandbox Analyzer, File Hash and RegHive Explorer features

    soccerfan: Thanks for the thumb up! ;)
     
    Last edited: Mar 21, 2010
  12. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Thanks much! I'll be checking it out.

    -Mike
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Still nothing? :p
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Since some malware checks to see if VM is in use, if yes do not install infector, I wonder if it is possible for BSA to log VM checks by websites or software installs?

Would this yield useful information to the malware analyser even if this technique is used by legitimate software vendors as well?
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
Some time ago I was doing some research in order to add VM presence checks, but then I got busy with other things and I didn't do any more research about that.

Does anyone have a list of methods used by malware to check for VM presence?

Yes, of course, it would be useful.
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Anyone else interested in seeing VM presence check logging added to BSA?

    Maybe use the research you put into BSA to make a Surfing Awareness Tool also combined with SandboxIE. Something that will tell a user " During this session there have been n changes to system files. There have been n changes to the Registry. Would you like to save a log of your session modifications for analysis?"
    The log would be like a map that can help a non technical user see where their surfing behavior is risky, with security improvement suggestions/tips.
Basically the same internally as BSA but externally designed to help point out possible weaknesses for non-technical users.
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
If you don't talk about testing security products you don't get any attention here. :p
     
  18. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    That's O.K. Any testing I have done is minor and just baby steps for me.

I have intentionally tested, for myself, Defensewall, Prevx, Hitman Pro with one in-the-wild infection. It can not be considered a valid test.
    Malware was not detected by 98% of AV at Virus Total, then did submit to Avira and Defensewall.
    My Findings, Prevx and Hitman Pro were great at preventing the infection, detecting it on download.
    What I couldn't tell you is what was changed and where once the malware was running.
    Something like BSA, if it were available at the time, would have given me a better picture of what happens.

    My previous post was really an attempt to keep the BSA discussion active.

    Does BSA detect/log low level hardware access?
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
Mine too, but don't say it to anyone. :D

    BSA has no interest in if the hardware is accessed or not. That doesn´t help to detect malware activity.
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Is anyone into pcap malware analysis?
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.19.

    Change list:

    Added Pcap Explorer feature
    Improved the packet sniffer
    Updated Buster Sandbox Analyzer
    Updated LOG_API library
     
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The new release (1.19) improves very much the internet packet sniffer.

    Old packet sniffer was not working on Windows Vista and it may fail in other OSs.

    The new packet sniffer uses WinPCap for capturing packets (http://www.winpcap.org) so WinPCap must be installed to get packets captured.

    Old packet sniffer was capturing packets from both sandboxed and unsandboxed applications.

    The new packet sniffer only captures TCP traffic coming from sandboxed applications.

    UDP traffic is captured from both sandboxed and unsandboxed applications. I could not find a solution to avoid this.

    Old packet sniffer was unable to show what application generated each packet.

    The new packet sniffer shows what application generated the packet.

It's also possible to save captured packets to a file. This feature can be used to do forensic network analysis.
Captured files are Wireshark and NetworkMiner compatible.

All these features improve BSA's analysis capabilities a lot.

Apart from that, a feature named Pcap Explorer has been introduced in the new release.

Pcap Explorer is a forensic network analysis tool. It's able to open .pcap files generated by BSA, Wireshark, or NetworkMiner.

This feature shows packet information and can follow a TCP session as Wireshark does. It's also able to filter packets by user-defined parameters.

    http transmitted files and mail attachments can be extracted automatically to disk.

    It can display information like URLs requests or DNSs queried.

    Packet contents can be searched by text strings or hexadecimal bytes.

    For managing big .pcap files, Pcap Explorer has a feature named "Pcap Splitter". A smaller .pcap file can be saved filtering contents by user specified information.

    Buster Sandbox Analyzer has been fine tuned to report less false positives.
     
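The post above describes what Pcap Explorer does with a saved capture (list the DNS names queried, filter packets into a smaller .pcap). The following is an added example, not BSA's code, showing the minimal parsing that such a tool needs: it reads a classic little-endian pcap, decodes Ethernet/IPv4 TCP and UDP frames, lists DNS query names, and writes a filtered copy in "Pcap Splitter" style. The two-packet capture is constructed inline; addresses, ports and the example.com name are invented sample data.

```python
import struct

# Constructed sample capture (not a BSA capture): DNS query for example.com over UDP/53, then a TCP SYN to port 80.
def _ipv4(proto, l4):                                        # 10.0.0.2 -> 8.8.8.8, zero MACs, ethertype 0x0800
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([8, 8, 8, 8]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
def _dns_query(name):                                        # 12-byte DNS header + one A question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
def _rec(ts, frame):                                         # pcap record header + frame
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
_udp = lambda sp, dp, d: struct.pack("!HHHH", sp, dp, 8 + len(d), 0) + d
_tcp_syn = lambda sp, dp: struct.pack("!HHIIBBHHH", sp, dp, 1, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, link type 1
               + _rec(1, _ipv4(17, _udp(53000, 53, _dns_query("example.com"))))
               + _rec(2, _ipv4(6, _tcp_syn(49152, 80))))

def read_pcap(data):                                         # yield (ts_sec, frame) per record
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "only classic LE microsecond pcap handled"
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        yield ts, data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_frame(frame):                                      # (proto, src, dst, sport, dport, payload) or None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None                                          # not Ethernet/IPv4 carrying TCP or UDP
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]                  # skip Ethernet + IPv4 (IHL) headers
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr = 8 if frame[23] == 17 else (l4[12] >> 4) * 4          # UDP header is fixed; TCP uses data offset
    dotted = lambda b: ".".join(map(str, b))
    return frame[23], dotted(frame[26:30]), dotted(frame[30:34]), sport, dport, l4[hdr:]

def dns_query_names(data):                                   # the "DNSs queried" view of a capture
    names = []
    for _, frame in read_pcap(data):
        p = parse_frame(frame)
        if p and p[0] == 17 and p[4] == 53:
            q, labels, i = p[5], [], 12                        # question section follows the DNS header
            while i < len(q) and q[i]:
                labels.append(q[i + 1:i + 1 + q[i]].decode("ascii", "replace")); i += 1 + q[i]
            names.append(".".join(labels))
    return names

def split_pcap(data, keep):                                  # Pcap Splitter style: keep records passing keep()
    kept = [_rec(ts, f) for ts, f in read_pcap(data) if (p := parse_frame(f)) and keep(p)]
    return data[:24] + b"".join(kept)                        # reuse the original global header
```

`split_pcap(SAMPLE_PCAP, lambda p: p[0] == 6)` yields a capture containing only the TCP record, which a tool like Wireshark can open directly.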
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Anyone trying the new packet sniffer could give some feedback, please?
     
  24. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If malware uses CreateFile API to open \Device\Harddisk0\DR0 for write access or trying to access the hard disk directly via \\.\PhysicalDrive0 I am interested in knowing.
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    With the new packet sniffer and running one of my samples I'm getting lots of "Open Process winlogon.exe" which aren't there with the older version.

     