Buster Sandbox Analyzer

[jumper1]

Thanks for your work. I find BSA and Sandboxie the best possible combination for viruses analysis and I have written a lot about this. I'm waiting to update BSA to work with Sandboxie 4.0.4.

[Buster]

Thanks for your work. I find BSA and Sandboxie the best possible combination for viruses analysis and I have written a lot about this. I'm waiting to update BSA to work with Sandboxie 4.0.4.

I discontinued BSA because I consider Sandboxie 4.x is not suitable for malware analysis anymore. I suggest you use BSA + Sandboxie 3.76.

[JohnJohn]

What (if there is any at all) SB and Buster versions I can currently use to analyze both x32 and x64 applications on a windows 7 x64?

[Buster]

Sandboxie 3.76 and BSA 1.88 should work fine.

The 64-bit version of LOG_API works fine in the systems I have tested. If in your system is not working fine try to uninstall software until it works. If it does not work even uninstalling everything then I guess there is some kind of incompatibility. In this case there is nothing to do because BSA has been discontinued and I will not do more fixes to LOG_API.

[JohnJohn]

Thanks a lot Buster.
I am just starting to use BAS and I think it is really useful.
I also noted that analysis of windows apps like calc or notepad, will still generate behaviour flags (looks for debugger,..etc). Is that normal?

[Buster]

Thanks a lot Buster.
I am just starting to use BAS and I think it is really useful.
I also noted that analysis of windows apps like calc or notepad, will still generate behaviour flags (looks for debugger,..etc). Is that normal?

Yes, it is.

[taltamir]

I'm trying last bsa program release, but I'm forced to copy wpcap.dll and packet.dll from PCAP folder to bsa folder.

Only in this way I can open the executable (BSA.EXE) without dialog errors (packet.dll / wpcap.dll not present).

I have this bug with Windows XP x86 and Windows 7 x64.

It´s not a bug, that´s the way how it works.

If you read the manual (BSA.PDF) you will see that BSA uses WinPCap to capture network traffic. It´s recommended to install WinPCap because it´s very necessary for analysis.

As explained in the readme (README.TXT) if for any reason (I don´t see any valid reason to don´t do it) you don´t want to install WinPCap then you must copy WPCAP.DLL and PACKET.DLL from PCAP folder to Windows\System32 folder.

Don´t know if copying the files to BSA folder you override the errors too. If it works, that´s ok.

This post took me a while to track, had to use google to search this thread for wpcap.dll (the built in search only found the thread but didn't specify which of the 60+ pages it is).

Anyways, I check on
http://bsa.isoftware.nl/
in the section titled installation and it most certainly DOES NOT state you need to install WinPCap. You should really add this to the instructions, and while at it, edit it into the instructions on the first page in this thread.

[Buster]

I made two small changes to BSA 1.88:

The first change consists that at Windows Shell if you right-click a file and select "Analyze in BSA", only that file will be analyzed. If you want to analyze a folder, then select the folder, right-click it and select "Analyze in BSA".

The second change consists that from command line you can analyze just one file using the modifier "-i" or "-file". Example:

Code: Select all

bsa.exe -s 30 -i c:\test\notepad.exe

You can get the updated release from here.

[Buster]

I found the malware that made my decission to discontinue BSA after the change in Sandboxie from 3.x to 4.x line.

Here you have the analysis report made with Sandboxie 3.76:

Code: Select all

Report generated with Buster Sandbox Analyzer 1.88 at 21:23:28 on 04/03/2014

Detailed report of suspicious malware actions:

Changed wallpaper
Checked for Avira security software presence
Checked for debuggers
Checked for Task Manager software presence
Checked for The Hacker security software presence
Code injection in process: C:\Windows\SysWOW64\cmd.exe
Code injection in process: C:\Windows\SysWOW64\ctfmon.exe
Created a mutex named: AMResourceMutex3
Created a mutex named: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2078868383-453426656-4049437542-1000
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created process: C:\Windows\system32\cmd.exe, "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Documents and Settings\User\Ðàáî÷èé ñòîë\1.dll" (exit) else (del /f "C:\Documents and Settings\User\Ðàáî÷èé ñòîë\1.dll"), c:\m\test
Created process: C:\Windows\system32\ctfmon.exe, ctfmon.exe, null
Defined registry AutoStart location created or modified: machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations = \??\C:\Documents and Settings\User\ \1.dll
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Detected Anti-Malware Analyzer routine: Disk information query
Detected Anti-Malware Analyzer routine: Sandboxie detection
Detected desktop switch attempt
Enumerated running processes
Got input locale identifiers
Got system default language ID
Got user name information
Internet connection: Connects to "192.162.136.67" on port 80
Internet connection: Connects to "78.46.86.137" on port 80
Listed all entry names in a remote access phone book
Looked up the external IP address
Monitorized screen
Opened a service named: rasman
Opened a service named: Sens
Traces of Max++

And here you have the report made with Sandboxie 4.09.01:

Code: Select all

Report generated with Buster Sandbox Analyzer 1.88 at 21:25:13 on 04/03/2014

Detailed report of suspicious malware actions:

Checked for Avira security software presence
Checked for debuggers
Checked for Task Manager software presence
Checked for The Hacker security software presence
Code injection in process: C:\Windows\SysWOW64\cmd.exe
Created a mutex named: AMResourceMutex3
Created a mutex named: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2078868383-453426656-4049437542-1000
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created process: C:\Windows\system32\cmd.exe, "C:\Windows\system32\cmd.exe" /q /c for /l %i in (1, 1, 4000000000) do if not exist "C:\Documents and Settings\User\Ðàáî÷èé ñòîë\1.dll" (exit) else (del /f "C:\Documents and Settings\User\Ðàáî÷èé ñòîë\1.dll"), c:\m\test
Defined registry AutoStart location created or modified: machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Control\SESSION MANAGER\PendingFileRenameOperations = \??\C:\Documents and Settings\User\ \1.dll
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\Buster\AppData\Roaming\1.dll
Detected Anti-Malware Analyzer routine: Disk information query
Detected Anti-Malware Analyzer routine: Sandboxie detection
Detected desktop switch attempt
Enumerated running processes
Got input locale identifiers
Got system default language ID
Got user name information
Internet connection: Connects to "192.162.136.67" on port 80
Internet connection: Connects to "78.46.86.137" on port 80
Listed all entry names in a remote access phone book
Looked up the external IP address
Monitorized screen
Opened a service named: rasman
Opened a service named: Sens
Traces of Max++

[Buster]

Comparing analysis reports from Sandboxie 3.76 and 4.09.01 we can see there are only 2 differences: wallpaper change and ctfmon.exe process creation. The rest is the same.

So I would say Sandboxie 4.09.01 seems to be good enough to work with BSA.

Anyway BSA development will continue stopped as TO-DO list is empty.

[Buster]

Released update 2 for version 1.88.

The new update is available here.

[Buster]

Released update 3 for version 1.88.

The new update is available here.

Changes:

+ Fixed a bug.

+ Fixed FileVersion information.

[Buster]

Released update 4 for version 1.88.

The new update is available here.

Changes:

+ Fixed a bug related to "Take Screenshots" feature.

[Buster]

After the fix made by Invincea team to injection mechanism I reconsidered my decission of discontinuing Buster Sandbox Analyzer development and decided to continue with the project, but I have been just fixing bugs because the TO-DO list was empty... until now.

Reviewing Joe Security´s blog (http://joe4security.blogspot.com) I found two interesting articles:

"Detect generically ransomware" (http://joe4security.blogspot.com.es/201 ... -with.html) and "Detecting malware by using the application icon" (http://joe4security.blogspot.com.es/201 ... ation.html).

The idea behind "Detect generically ransomware" is to extract keywords like "police", "ukash" or "paysafecard" from images (screenshots) using OCR technology and if keywords are found, make a generic malware detection.

With this idea on mind I added a feature which works like that. Obviously the user must enable the feature which allows to take screenshots. Then you can enable the feature processing screenshots, extracting words using OCR technology and looking for keywords stored in database (OCR.DAT).

The OCR technology is provided by Transym Computer Services through their software named TOCR. I decided to use it because it works better than other solutions and it provides a ready to use interface for Delphi.

Pros of this approach: Feeding detection keywords is pretty simple. You just need to open a text editor and write keywords, one per line.

Contras of this approach: OCR technology is not 100% accurate and depending of the screenshot more or less information can be retrieved.

The idea behind "Detecting malware by using the application icon" is that some malware try to fool the user giving to executable files the icon of known applications like Word, Acrobat Reader, etc. You can take a look to an example here:



For this malware detection approach a special type of hash is required because a traditional hash like MD5 could be fooled very easily just changing the icon slightly. 1 different byte would mean a totally differente hash. Therefore the algorithm must be able to detect similar images.

I decided to use pHash (perceptual hash) (http://phash.org/) created by Evan Klinger, but I did not stop at Joe Security´s idea. I thought I could detect malwares not just comparing similar file icons, but also similar GUIs. So my idea was to implement pHash comparision for file icon but also for screenshots.

Pros of this approach: Malwares showing same or similar GUIs will be detected. Also malwares having a misleading file icon will be detected too.

Contras of this approach: The feature must be feeded with misleading file icons and known malware GUI screenshots, which represents a research work.

[Bellzemos]

I'm glad that you are continuing with the BSA project, thank you!