Posted: Tue Sep 03, 2013 3:52 pm
Thanks for your work. I find BSA and Sandboxie the best possible combination for virus analysis and I have written a lot about this. I'm waiting for BSA to be updated to work with Sandboxie 4.0.4.
Support Forum for Sandboxie
https://forums.sandboxie.com/phpBB3/
https://forums.sandboxie.com/phpBB3/viewtopic.php?f=22&t=6557
jumper1 wrote:
Thanks for your work. I find BSA and Sandboxie the best possible combination for virus analysis and I have written a lot about this. I'm waiting for BSA to be updated to work with Sandboxie 4.0.4.

I discontinued BSA because I consider that Sandboxie 4.x is not suitable for malware analysis anymore. I suggest you use BSA + Sandboxie 3.76.
JohnJohn wrote:
Thanks a lot Buster.
I am just starting to use BSA and I think it is really useful.
I also noted that analysis of Windows apps like calc or notepad will still generate behaviour flags (looks for debugger, etc.). Is that normal?

Yes, it is.
Max100 wrote:
I'm trying the latest BSA program release, but I'm forced to copy wpcap.dll and packet.dll from the PCAP folder to the BSA folder.
Only in this way can I open the executable (BSA.EXE) without dialog errors (packet.dll / wpcap.dll not present).
I have this bug with Windows XP x86 and Windows 7 x64.

Buster wrote:
It's not a bug, that's the way it works.
If you read the manual (BSA.PDF) you will see that BSA uses WinPcap to capture network traffic. It's recommended to install WinPcap because it's very necessary for analysis.
As explained in the readme (README.TXT), if for any reason (I don't see any valid reason not to do it) you don't want to install WinPcap, then you must copy WPCAP.DLL and PACKET.DLL from the PCAP folder to the Windows\System32 folder.
Don't know if copying the files to the BSA folder overrides the errors too. If it works, that's OK.

This post took me a while to track; I had to use Google to search this thread for wpcap.dll (the built-in search only found the thread but didn't specify which of the 60+ pages it is on).
bsa.exe -s 30 -i c:\test\notepad.exe
Report generated with Buster Sandbox Analyzer 1.88 at 21:23:28 on 04/03/2014
Detailed report of suspicious malware actions:
Changed wallpaper
Checked for Avira security software presence
Checked for debuggers
Checked for Task Manager software presence
Checked for The Hacker security software presence
Code injection in process: C:\Windows\SysWOW64\cmd.exe
Code injection in process: C:\Windows\SysWOW64\ctfmon.exe
Created a mutex named: AMResourceMutex3
Created a mutex named: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2078868383-453426656-4049437542-1000
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created process: C:\Windows\system32\cmd.exe, "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Documents and Settings\User\Рабочий стол\1.dll" (exit) else (del /f "C:\Documents and Settings\User\Рабочий стол\1.dll"), c:\m\test
Created process: C:\Windows\system32\ctfmon.exe, ctfmon.exe, null
Defined registry AutoStart location created or modified: machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations = \??\C:\Documents and Settings\User\ \1.dll
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Detected Anti-Malware Analyzer routine: Disk information query
Detected Anti-Malware Analyzer routine: Sandboxie detection
Detected desktop switch attempt
Enumerated running processes
Got input locale identifiers
Got system default language ID
Got user name information
Internet connection: Connects to "192.162.136.67" on port 80
Internet connection: Connects to "78.46.86.137" on port 80
Listed all entry names in a remote access phone book
Looked up the external IP address
Monitorized screen
Opened a service named: rasman
Opened a service named: Sens
Traces of Max++
Report generated with Buster Sandbox Analyzer 1.88 at 21:25:13 on 04/03/2014
Detailed report of suspicious malware actions:
Checked for Avira security software presence
Checked for debuggers
Checked for Task Manager software presence
Checked for The Hacker security software presence
Code injection in process: C:\Windows\SysWOW64\cmd.exe
Created a mutex named: AMResourceMutex3
Created a mutex named: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2078868383-453426656-4049437542-1000
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created process: C:\Windows\system32\cmd.exe, "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Documents and Settings\User\Рабочий стол\1.dll" (exit) else (del /f "C:\Documents and Settings\User\Рабочий стол\1.dll"), c:\m\test
Defined registry AutoStart location created or modified: machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations = \??\C:\Documents and Settings\User\ \1.dll
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Detected Anti-Malware Analyzer routine: Disk information query
Detected Anti-Malware Analyzer routine: Sandboxie detection
Detected desktop switch attempt
Enumerated running processes
Got input locale identifiers
Got system default language ID
Got user name information
Internet connection: Connects to "192.162.136.67" on port 80
Internet connection: Connects to "78.46.86.137" on port 80
Listed all entry names in a remote access phone book
Looked up the external IP address
Monitorized screen
Opened a service named: rasman
Opened a service named: Sens
Traces of Max++
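Two things in this thread lend themselves to a small tool: Buster's answer that harmless programs such as calc or notepad still raise flags like "Checked for debuggers", and the two near-identical reports above, which differ only in a few actions. The following is an added example, not part of the thread and not BSA's own code. It parses the plain-text report layout visible above (header line, "Detailed report of suspicious malware actions:", one action per line), pulls out the indicators a responder actually acts on (autostart registry keys, injected processes, remote IPs) and subtracts a baseline report so that the noise a benign run produces drops out. The sample report is a subset of lines copied from the first report in the thread; the baseline report is constructed and hypothetical, and the HIGH_SIGNAL list is an assumption of this example, not a BSA classification.

```python
"""Parser and baseline-diff for Buster Sandbox Analyzer (BSA) text reports.

Added example, not part of the forum thread or of BSA itself. It assumes only
the report layout visible in the thread: a header line
"Report generated with Buster Sandbox Analyzer <ver> at <time> on <date>",
a "Detailed report of suspicious malware actions:" line, then one action per
line, most of them "Category: detail".
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^Report generated with Buster Sandbox Analyzer (?P<version>\S+) "
    r"at (?P<time>\d\d:\d\d:\d\d) on (?P<date>\d\d/\d\d/\d{4})$"
)
IPV4_RE = re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3})" on port (\d+)')

# Assumed high-signal categories (persistence, injection, process creation,
# network). The "Checked for debuggers"-style flags are deliberately left out
# because, as the thread notes, ordinary Windows programs trigger them too.
HIGH_SIGNAL = (
    "Defined registry AutoStart location created or modified",
    "Code injection in process",
    "Created process",
    "Internet connection",
    "Traces of",
)


@dataclass
class BsaReport:
    version: str = ""
    time: str = ""
    date: str = ""
    actions: list = field(default_factory=list)  # every action line, in order

    def by_prefix(self, prefix):
        """Details of all actions whose category equals `prefix`."""
        return [a.split(": ", 1)[1] for a in self.actions if a.startswith(prefix + ":")]

    def autostart_keys(self):
        """Registry autostart entries as (key, value) pairs."""
        out = []
        for d in self.by_prefix("Defined registry AutoStart location created or modified"):
            key, _, value = d.partition(" = ")
            out.append((key, value))
        return out

    def connections(self):
        """(ip, port) pairs from 'Internet connection' lines."""
        out = []
        for d in self.by_prefix("Internet connection"):
            m = IPV4_RE.search(d)
            if m:
                out.append((m.group(1), int(m.group(2))))
        return out

    def high_signal(self):
        """Actions in the assumed high-signal categories."""
        return [a for a in self.actions if a.startswith(HIGH_SIGNAL)]


def parse_report(text):
    """Parse one BSA report into a BsaReport; lines before the body are ignored."""
    rep = BsaReport()
    in_body = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            rep.version, rep.time, rep.date = m.group("version", "time", "date")
            continue
        if line.startswith("Detailed report of suspicious malware actions"):
            in_body = True
            continue
        if in_body:
            rep.actions.append(line)
    return rep


def diff_reports(baseline, sample):
    """Return (actions only in sample, actions only in baseline), sorted."""
    base, samp = set(baseline.actions), set(sample.actions)
    return sorted(samp - base), sorted(base - samp)


# Sample: a subset of lines copied from the first report in the thread.
SAMPLE_REPORT = r"""Report generated with Buster Sandbox Analyzer 1.88 at 21:23:28 on 04/03/2014
Detailed report of suspicious malware actions:
Checked for debuggers
Code injection in process: C:\Windows\SysWOW64\ctfmon.exe
Created a mutex named: AMResourceMutex3
Defined registry AutoStart location created or modified: machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Enumerated running processes
Got system default language ID
Internet connection: Connects to "192.162.136.67" on port 80
Internet connection: Connects to "78.46.86.137" on port 80
Traces of Max++
"""

# Constructed, hypothetical baseline: flags a harmless program might still
# raise, in the spirit of the notepad/calc question in the thread.
BASELINE_REPORT = r"""Report generated with Buster Sandbox Analyzer 1.88 at 21:00:00 on 04/03/2014
Detailed report of suspicious malware actions:
Checked for debuggers
Enumerated running processes
Got system default language ID
"""

if __name__ == "__main__":
    sample = parse_report(SAMPLE_REPORT)
    new, gone = diff_reports(parse_report(BASELINE_REPORT), sample)
    print("autostart:", sample.autostart_keys())
    print("connections:", sample.connections())
    print("not in baseline:", new)
```

Run it on the full text of the two reports above (or on a benign run and a suspect run) to see which actions survive baseline subtraction; in the sample here only the injection, persistence, network and Max++ lines remain once the debugger/process-enumeration noise is removed.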