Buster Sandbox Analyzer

Discussion in 'other anti-malware software' started by Buster_BSA, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The CreateFile API is already logged by the LOG_API library.
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Could you share the sample?

    I will take a look at it.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    No probs, one of those microjoin exploits that drops just about everything except the kitchen sink.

    If I hide winlogon.exe through HideDriver.sys then I don't see those repetitive lines.

    A typo when wanting to delete a hidden process: "Deleate".
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    How have you been? I noticed you were "out of business" for almost a month or so.

    I hope you get the time to review 1.19 version.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Everything seems to be working fine now with the latest version. :)

    The new packet sniffer is good in that it shows which exe connects out to where.
     
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Wow, really complex tool, i don't understand a thing :D
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    What's the problem: Sandboxie or BSA?
     
  9. quendi

    quendi Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    2
    Hi!

    Today I have discovered your impressive tool.

    Easy to configure, easy to run, the results are very easy to understand... and FREE!!!!

    Good work!!

    Congratulations :)
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Thank you very much for your kind words! ;)

    If you find any bug or you have any feature request or suggestion you can post it here or at Sandboxie's forum, in BSA's development thread:
    http://sandboxie.com/phpbb/viewtopic.php?t=6557

    One question: before using BSA for the first time, were you already a Sandboxie user? If yes, for how long?

    Regards.
     
  11. quendi

    quendi Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    2
    Hi!

    I will help by writing a post if I find any bug or any problem using it.

    I started to use Sandboxie more or less 1 year ago. :)

    CU
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    That's what I thought: you had experience using Sandboxie already.

    I consider it unlikely that someone who has never used Sandboxie will use BSA. I'm considering making video tutorials to try to solve that problem.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Nobody else can give me feedback on the new sniffer?
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The next BSA release (1.20) will show in LOG_API.TXT what program made the API call. This feature can be used by malware analyzers to get more exact information about the analyzed stuff.

    It will also contain a feature to parse Capture-BAT log files. This feature comes from the suggestions received from malware analysts some weeks ago.

    As you know BSA is limited by Sandboxie's limits, which are related to security questions. So to improve BSA's analysis capabilities I have introduced support for another malware analysis tool: Capture-BAT.

    https://www.honeynet.org/node/315

    BSA will parse the Capture-BAT log and .pcap file (when available) and will generate a report and an analysis from them.

    The Capture-BAT log parser feature will use the same rules defined for BSA in BSA.DAT.

    Capture-BAT is a good tool but it fails to log some information that could be useful to generate more accurate results. Sadly Capture-BAT development seems to have stopped. Maybe if enough people mail the author asking to continue developing the tool he may reconsider it. Send me a PM if you are interested in helping to get Capture-BAT developed again.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.20.

    Change list:

    Added Capture-BAT Log Analyzer feature.
    Fixed bugs in Buster Sandbox Analyzer.
    Updated LOG_API library.
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Version 1.20 fixes several bugs:

    DNS queries not logged when the network is configured with DHCP, duplicated entries in the API logger window, one malicious behaviour missed, SetValueKey and DeleteValueKey missing from the API call log, ...


    New version also introduces new features:

    Capture-BAT Log Analyzer.

    LOG_API library will show the name of the application that made the API call.

    Local network traffic can be configured to be sniffed or not.
     
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Nobody else can provide feedback on the new packet sniffer?
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Released Buster Sandbox Analyzer 1.21.

    Change list:

    Changes in BSA.DAT:
    Added [Custom_Folder_Entries] section.
    Updated [File_Types_Modified] section to [File_Types_Created_Modified].
    Updated Capture-BAT Log Analyzer feature.
    Updated malware analysis in Buster Sandbox Analyzer.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Buster,

    How often do you encounter malware that behaves differently in Sandboxie due to Sandboxie detection routines?
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I don't analyze a lot of malware samples every week, just 5 or 6 usually, so my statistics on malware detecting Sandboxie are not very relevant.

    In my experience that kind of malware does not appear so often, around 1 out of 10.

    This question should be answered by someone analyzing thousands of malware samples every week.
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Until recently, I was testing about 100 samples per week (from MDL/Malc0de/Viruswatch) and found none with Sandboxie detection routines. I do have a crypter that supposedly works against Sandboxie but have not tested it. For now, if you find that sandboxed malware fails to work properly, the OS is the problem. XP is the preferred platform for testing malware sandboxed (or not).
     
    Last edited: May 14, 2010
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for the replies :).
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Due to popular demand I decided to include the automatic analysis in the next release.

    Each sample will be run for a user-specified time and during that time malware processes can run alone, without user interaction, or user-attended.

    When the time expires Sandboxie's processes will be terminated and the reports will be generated.

    I have nice plans for this feature so it can be configured to make it more flexible and powerful.
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    News about the automatic analysis mode:

    It will process any kind of file type: EXE, PDF, XLS, ...

    If the file type is associated with a program, then the program will be launched, e.g. .PDF files associated with Adobe Acrobat Reader. It depends on the program whether the processed file is opened automatically or not.

    If the file type is not associated with any program, then we receive the message that Windows cannot open the file.

    It's up to the users to make the appropriate associations.

    The automatic analysis feature will save the network traffic .pcap file (when BSA is properly configured for that) in the report folder.

    Additionally the user can configure BSA to save a copy of the sandbox folder contents. That way we can easily get a copy of dropped components.
     
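    As an added illustration of the automatic analysis mode described in the post above (my own example, not BSA's or Sandboxie's code): run a sample for a fixed time, terminate it when the time expires, and diff a snapshot of the sandbox folder to list the dropped components with their hashes. It assumes a plain subprocess stands in for the sandboxed process and an ordinary directory stands in for Sandboxie's sandbox folder.

```python
import hashlib
import os
import subprocess
import time


def sha256_file(path):
    """SHA-256 hex digest of a file, used to identify dropped components."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder):
    """Map every file below `folder` (relative path -> digest).

    Taking one snapshot before and one after the run makes new or
    modified files (the 'dropped components') easy to list.
    """
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, folder)] = sha256_file(full)
    return result


def timed_run(cmd, sandbox_folder, seconds):
    """Run `cmd` for at most `seconds`, then report runtime and dropped files.

    Assumption: `cmd` is the process under analysis and `sandbox_folder` is
    where it writes. Only the direct child is killed here; a real sandbox
    terminates every process in the box, as BSA does at time expiry.
    """
    before = snapshot(sandbox_folder)
    start = time.monotonic()
    proc = subprocess.Popen(cmd)
    timed_out = False
    try:
        proc.wait(timeout=seconds)
    except subprocess.TimeoutExpired:
        timed_out = True
        proc.kill()
        proc.wait()
    after = snapshot(sandbox_folder)
    dropped = {p: d for p, d in after.items() if before.get(p) != d}
    return {"returncode": proc.returncode, "timed_out": timed_out,
            "runtime": round(time.monotonic() - start, 1), "dropped": dropped}
```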
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Buster Sandbox Analyzer 1.22 is almost ready to be released.

    It will include the automatic malware analysis feature and also an updated LOG_API library which fixes some problems that appeared due to recent changes in Sandboxie.
     