Sandboxie Forum - Buster Sandbox Analyzer (topic 6557)
http://www.sandboxie.com/phpbb/viewtopic.php?t=6557
Thu May 09, 2013 4:02 pm

Bellzemos (Thu May 09, 2013 4:02 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89704#89704
Thank you, I will use it without LOG API. And I imported a high resolution icon from the BSA 1.81 which I saved before. :)

Buster (Thu May 09, 2013 1:22 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89691#89691
> Quoting Bellzemos:
> That's gotta be out of some DOS game, I don't know which one though. :) If I delete the LOG API injections from the TestBox I will still be able to see all the file changes and internet connections when trying programs with BSA, right? Another thing - in the latest BSA version the program icon is in very low resolution, could you fix that please?

It is from "The Secret of Monkey Island". If you do not inject LOG_API you will still be able to see file/registry and internet connections. 1.88 was the last release, so I will not change the program's icon.

Bellzemos (Thu May 09, 2013 12:37 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89687#89687
That's gotta be out of some DOS game, I don't know which one though. :) If I delete the LOG API injections from the TestBox I will still be able to see all the file changes and internet connections when trying programs with BSA, right? Another thing - in the latest BSA version the program icon is in very low resolution, could you fix that please?
Buster (Wed May 08, 2013 2:01 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89660#89660
[img]http://lparchive.org/The-Secret-of-Monkey-Island/Update%2035/39-somi_1605.gif[/img]

Bellzemos (Wed May 08, 2013 1:26 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89659#89659
Anyone? Pretty please? :)

Bellzemos (Tue May 07, 2013 9:00 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89624#89624
I can't say that for sure. The update from v7 to v8 was some time ago, it could be that I didn't use the BSA & TestBox in that time, I'm not sure though. Could anyone who is using Avast AV please try to run Windows Explorer in a sandbox for BSA to confirm if Avast is the problem? Thank you in advance!

Buster (Tue May 07, 2013 8:39 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89623#89623
In the DefaultBox you are not injecting LOG_API. If you say the setup was working fine until you updated to Avast v8, then it is logical to think the problem is related to that.

Bellzemos (Tue May 07, 2013 8:00 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89622#89622
Nothing that I can think of, could it be the update to Avast v8? So I have the latest stable/official versions of Avast and Sandboxie running on Windows 7 SP1 x64. The crash report is up there, I really don't know what it could be and why Windows Explorer is able to run sandboxed in the DefaultBox but crashes in the TestBox (the settings of both are up in the Sandboxie.ini).

Buster (Tue May 07, 2013 5:57 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89620#89620
> Quoting Bellzemos:
> I never had to stop Avast to make BSA & Sandboxie work before.

What did you change with respect to other times?

Bellzemos (Mon May 06, 2013 10:20 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89617#89617
I never had to stop Avast to make BSA & Sandboxie work before. I don't want to disable my AV. My PC is idle when I try the TestBox.

Buster (Mon May 06, 2013 9:44 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89616#89616
I give the same reply I gave before: Stop other programs you may be running and try again.

Bellzemos (Mon May 06, 2013 7:54 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89614#89614
I thought you meant if there were any other programs running in the sandbox, sorry. My AV runs outside of the sandbox of course. Can you help please?

Buster (Mon May 06, 2013 7:39 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89613#89613
> Quoting Bellzemos:
> Is it possible that there's some kind of incompatibility? I use Avast AV.

When I suggested a software incompatibility you replied "There are no other programs running at the time." Now you say Avast is running. :?:

Bellzemos (Mon May 06, 2013 11:40 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89608#89608
Is it possible that there's some kind of incompatibility? I use Avast AV. It has to be something about the USER32.dll? Can you please suggest anything I could try? I would like to be able to use BSA for testing. Thank you.
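One way to narrow down a crash that happens in one box but not another is to diff the two box sections; this added example (not code from the thread, BSA or Sandboxie) parses a Sandboxie.ini into value lists, because Sandboxie repeats keys such as Template= and Python's configparser rejects duplicates by default, and then reports which settings exist in only one box or differ. Its embedded input is the [DefaultBox] and [TestBox] sections Bellzemos posts further down the thread, with the [GlobalSettings] and [UserSettings_*] sections left out.

```python
"""Diff two Sandboxie box sections to see which settings differ.

Added example, not code from the thread or from BSA/Sandboxie. Sandboxie.ini
repeats keys (several Template= lines per box); configparser raises
DuplicateOptionError on that by default, so this parser keeps value lists.
"""

# Constructed input: the [DefaultBox] and [TestBox] sections posted in the thread.
SANDBOXIE_INI = r"""[DefaultBox]
ConfigLevel=7
Template=PaleMoon_Force
Template=Waterfox_Force
Template=Maxthon2_Force
Template=Opera_Force
Template=SeaMonkey_Force
Template=Iron_Force
Template=Dragon_Force
Template=Chrome_Force
Template=Firefox_Force
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=D:\Temp
RecoverFolder=%Desktop%
Enabled=y
AutoDelete=y
NeverDelete=n
ForceFolder=C:\Program Files (x86)\Skype
ForceFolder=C:\Program Files (x86)\VirusTotalUploader2
DropAdminRights=y

[TestBox]
ConfigLevel=7
Template=Maxthon2_Force
Template=Opera_Force
Template=SeaMonkey_Force
Template=Iron_Force
Template=Dragon_Force
Template=Chrome_Force
Template=Firefox_Force
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
Enabled=y
InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL
InjectDll64=C:\BSA\LOG_API\64\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
NeverDelete=n
BoxNameTitle=y
BorderColor=#00FFFF,off
NotifyInternetAccessDenied=y
DropAdminRights=y
"""


def parse_sandboxie_ini(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def diff_boxes(sections, left, right):
    """Keys only in left, keys only in right, and keys in both whose value
    lists differ, mapped to (left_values, right_values)."""
    a, b = sections[left], sections[right]
    only_left = sorted(set(a) - set(b))
    only_right = sorted(set(b) - set(a))
    changed = {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]}
    return only_left, only_right, changed


def main():
    sections = parse_sandboxie_ini(SANDBOXIE_INI)
    only_default, only_test, changed = diff_boxes(sections, "DefaultBox", "TestBox")
    print("Only in DefaultBox:", ", ".join(only_default))
    print("Only in TestBox:   ", ", ".join(only_test))
    for key, (d, t) in changed.items():
        print(f"{key}: DefaultBox={d} TestBox={t}")


if __name__ == "__main__":
    main()
```

On this input the settings unique to TestBox are exactly the BSA additions (InjectDll, InjectDll64, OpenWinClass and the notify/border options), which is why removing the LOG_API injection is the first thing to test.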
Bellzemos (Sun May 05, 2013 8:17 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89599#89599
Here's the crash report, if it's any help:
[code]
Problem signature:
Problem Event Name: APPCRASH
Application Name: explorer.exe
Application Version: 6.1.7601.17567
Application Timestamp: 4d672ee4
Fault Module Name: USER32.dll
Fault Module Version: 6.1.7601.17514
Fault Module Timestamp: 4ce7c9f1
Exception Code: c000001d
Exception Offset: 0000000000005357
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1060
Additional Information 1: 6e02
Additional Information 2: 6e0208eaa474bcf8ecb1ba7bbf9d75b6
Additional Information 3: 4998
Additional Information 4: 49981cd8963576229a5f3a28ca3c8498
[/code]

Buster (Sun May 05, 2013 7:54 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89597#89597
No idea what could be the problem, sorry.

Bellzemos (Sun May 05, 2013 12:02 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89590#89590
Here is my Sandboxie.ini, you can see the DefaultBox configuration - I am able to run Windows Explorer sandboxed in the DefaultBox. At the end of the file is the TestBox configuration - if I try to run Windows Explorer in the TestBox it crashes before it even opens. I have probably set something wrong? Please help.
[code]
[GlobalSettings]
Template=nVidia_Stereoscopic3D
Template=Avast_Antivirus
ActivationPrompt=n
ExperimentalProtection64Bit=y

[DefaultBox]
ConfigLevel=7
Template=PaleMoon_Force
Template=Waterfox_Force
Template=Maxthon2_Force
Template=Opera_Force
Template=SeaMonkey_Force
Template=Iron_Force
Template=Dragon_Force
Template=Chrome_Force
Template=Firefox_Force
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=D:\Temp
RecoverFolder=%Desktop%
Enabled=y
AutoDelete=y
NeverDelete=n
ForceFolder=C:\Program Files (x86)\Skype
ForceFolder=C:\Program Files (x86)\VirusTotalUploader2
DropAdminRights=y

[UserSettings_0C880214]
SbieCtrl_UserName=bellzemos
SbieCtrl_NextUpdateCheck=1555555555
SbieCtrl_UpdateCheckNotify=n
SbieCtrl_ShowWelcome=n
SbieCtrl_HideWindowNotify=n
SbieCtrl_ActiveView=40021
SbieCtrl_EnableLogonStart=y
SbieCtrl_EnableAutoStart=y
SbieCtrl_AddDesktopIcon=n
SbieCtrl_AddQuickLaunchIcon=y
SbieCtrl_AddContextMenu=y
SbieCtrl_AddSendToMenu=y
SbieCtrl_TerminateNotify=n
SbieCtrl_AutoApplySettings=y
SbieCtrl_SettingChangeNotify=n
SbieCtrl_TerminateWarn=n
SbieCtrl_HideMessage=1304,wisptis.exe
SbieCtrl_ShouldDeleteNotify=n
SbieCtrl_ColWidthProcName=250
SbieCtrl_ColWidthProcId=70
SbieCtrl_ColWidthProcTitle=310
SbieCtrl_WindowCoords=1267,733,652,438
SbieCtrl_ShortcutNotify=n
SbieCtrl_BoxExpandedView=DefaultBox,DisabledInternet,GameBox,ProgramBox,TestBox

[TestBox]
ConfigLevel=7
Template=Maxthon2_Force
Template=Opera_Force
Template=SeaMonkey_Force
Template=Iron_Force
Template=Dragon_Force
Template=Chrome_Force
Template=Firefox_Force
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
Enabled=y
InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL
InjectDll64=C:\BSA\LOG_API\64\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
NeverDelete=n
BoxNameTitle=y
BorderColor=#00FFFF,off
NotifyInternetAccessDenied=y
DropAdminRights=y
[/code]

Buster (Sun May 05, 2013 8:58 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89589#89589
Yes, post it.

Bellzemos (Sun May 05, 2013 3:24 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=89587#89587
> Quoting Buster:
> > Quoting Bellzemos:
> > Hello! I noticed that I was unable to run Windows Explorer (it simply crashes) in a TestBox (the one I use with BSA), I updated BSA to the latest 1.88 version and the problem is still here. I use Sandboxie 3.76 in Windows 7 x64. Can you help please?
>
> Probably it is caused due to a compatibility problem with other software. Stop other programs you may be running and try again.

There are no other programs running at the time. I use the right-click, run sandboxed and it crashes. If I use it on a .TXT file it works, if I do it on the Windows Explorer shortcut it crashes. What could it be? Should I post my Sandboxie.ini for the TestBox I use with BSA?

Buster (Sat May 04, 2013 10:13 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89584#89584
> Quoting Bellzemos:
> Hello! I noticed that I was unable to run Windows Explorer (it simply crashes) in a TestBox (the one I use with BSA), I updated BSA to the latest 1.88 version and the problem is still here. I use Sandboxie 3.76 in Windows 7 x64. Can you help please?

Probably it is caused due to a compatibility problem with other software. Stop other programs you may be running and try again.

Bellzemos (Sat May 04, 2013 9:42 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89582#89582
Hello! I noticed that I was unable to run Windows Explorer (it simply crashes) in a TestBox (the one I use with BSA), I updated BSA to the latest 1.88 version and the problem is still here. I use Sandboxie 3.76 in Windows 7 x64. Can you help please?

Buster (Sun Apr 21, 2013 7:49 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=89097#89097
Released Buster Sandbox Analyzer 1.88 - Final Release
Changes:
+ Added support for MAEC 3.0 reports
+ Fixed VirusTotal report information

TonyKlein (Tue Mar 05, 2013 9:11 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87737#87737
Rats. The main reason I purchased SandboxIE in the first place was in order to be able to analyze malware with BSA... :roll:

Buster (Mon Mar 04, 2013 6:02 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87726#87726
Ok, let's move on. BSA will be discontinued.

tzuk (Mon Mar 04, 2013 4:02 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87723#87723
That is an implementation detail of the way Sandboxie works in version 4 and is irrelevant to this discussion. I am certain that the vast majority of your malware samples will continue to run just like in Sandboxie version 3. We are talking here about a few fringe samples which fail because they use esoteric aspects of Windows that are not simulated correctly by Sandboxie. You would have to provide support for that in BSA. That is the correct long term solution in my opinion. Alternatively accept that Sandboxie version 4, just like version 3, is not going to be able to run all types of malware, and some malware will fail to run under Sandboxie. Nothing has changed in principle, and this entire discussion serves no point.

Buster (Mon Mar 04, 2013 3:44 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87722#87722
Sandboxie version 4 replaces the user token for the sandboxed processes with an access token with no privileges. For that reason required data will not be available and sandboxed processes that cannot work without it will fail. At this point there is nothing BSA/LOG_API can fix because there is nothing to fix and emulating everything is not an option.

tzuk (Mon Mar 04, 2013 3:33 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87718#87718
I am making the decision based on my experience that nothing is "just this once", and nothing has a zero cost. And in any case my position is the request itself is wrong. Continued release of version 3 of Sandboxie is not the correct long term solution to your problem. Your problem is that Sandboxie is not providing a perfect execution environment for malware, and the correct long term solution is to have BSA provide the missing functionality that is needed to accomplish that.

Buster (Mon Mar 04, 2013 2:22 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87714#87714
> Quoting tzuk:
> You're asking me to release another Sandboxie version based on version 3 now, and more versions in the future. Who knows what kind of a support load that's going to end up being?

I promise it will be near to none.

> Quoting tzuk:
> Maybe a Windows Update a couple of months from now would break Sandboxie 3 on Windows 7, but not affect Sandboxie 4. Would I then have to spend time fixing Sandboxie 3 because you're relying on it?

In that case I would suggest that BSA users uninstall the Windows update breaking Sandboxie. If that update was totally necessary then I would say: ok, this is the end of BSA.

> Quoting tzuk:
> What if it turns out 50% of the people using BSA are also using some other security software X, and this security software X changes in the next version in a way which is no longer compatible with Sandboxie version 3, but fine with Sandboxie version 4. Do I spend time to fix that issue in Sandboxie version 3 because you're relying on it for BSA?

In that case I would tell BSA users they must decide: use BSA or use the other security software X.

> Quoting tzuk:
> You know I appreciate all the work you've done with BSA and I think it's a fine tool. But what you're asking here in my opinion is a black hole of time investment for me, and I am sorry but -- again -- the answer is no.

Fine, but I just want to remark that you are taking your decision based on suppositions and things that may or may not happen, and saying the time investment is going to be big when in fact it would be very low because you already made the fixes for the bugs. So if time investment is the only reason to say no, please reconsider the answer because the reason is wrong.

tzuk (Mon Mar 04, 2013 2:15 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87713#87713
You're asking me to release another Sandboxie version based on version 3 now, and more versions in the future. Who knows what kind of a support load that's going to end up being? Maybe a Windows Update a couple of months from now would break Sandboxie 3 on Windows 7, but not affect Sandboxie 4. Would I then have to spend time fixing Sandboxie 3 because you're relying on it? What if it turns out 50% of the people using BSA are also using some other security software X, and this security software X changes in the next version in a way which is no longer compatible with Sandboxie version 3, but fine with Sandboxie version 4. Do I spend time to fix that issue in Sandboxie version 3 because you're relying on it for BSA? You know I appreciate all the work you've done with BSA and I think it's a fine tool. But what you're asking here in my opinion is a black hole of time investment for me, and I am sorry but -- again -- the answer is no.
Buster (Mon Mar 04, 2013 10:52 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87709#87709
I do not intend to argue but this time it is you who is misleading things. I repeat: I am not requesting a line of old version 3 releases. I am requesting:
+ 3 bugfixes in version 3.76 (fixes you already made for version 4.01.02)
+ A feature request (no hurry with it)
+ Keep the door open to the possibility of fixing other bugs I may find. And I want to remark this is just a possibility. Maybe I never find any other problem, so the 3 bugfixes would be enough and you would not have to release any other version 3 update ever.
For the sake of clarity: with "other bugs I may find" I mean things like the logoff issue with the malware I sent you. I am not talking about software compatibility. Obviously this version would be for people interested in running BSA and analyzing malware, and the rest of people will use Sandboxie 4 versions. And obviously this solution would not last forever because Windows 9 will be released in some years and then most probably Sandboxie 3 will not be compatible, but I think BSA users can live with that until then.

tzuk (Mon Mar 04, 2013 10:40 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87708#87708
Buster, I don't appreciate the misrepresentation you're doing here. The changes I've made to the underlying architecture are not the reason that one of your malware samples doesn't work. Or more correctly: Such a change could have gone into version 3 at any time. I really don't see the point of going through all of this again. You know my position is that I'm not going to spend time to make Sandboxie be able to run malware for the sake of running malware. This would not be in the best interest of most people using Sandboxie and expect it to protect them. If even one malware, which would potentially steal data, would fail to run under Sandboxie, then it is a win for people who use Sandboxie. Therefore I suggested that you should extend BSA to provide whatever compatibility tweaks that you need to make your malware samples run correctly in case where they fail under Sandboxie. That you refuse to do this, for reasons that you don't seem to want to go into here, is your decision. But I think it is not reasonable that you request that I accommodate you by continuing to maintain a line of old version 3 releases.

Buster (Mon Mar 04, 2013 10:19 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87707#87707
Note: Ronen made major changes to Sandboxie's underlying architecture due to PatchGuard technology. As he commented:
> to mitigate the risk that a future update to Windows 7 will include the new PatchGuard, and break compatibility with Sandboxie

As long as this update does not happen, Sandboxie version 3.x would be a valid option for malware analysis. Maybe this update never even happens. Therefore I consider it well worth keeping the door open to small updates from time to time to version 3.76 so Sandboxie and BSA can continue being a nice association.

Buster (Mon Mar 04, 2013 10:06 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87705#87705
> Quoting tzuk:
> We already discussed all of this in email so I'm not sure why you are trying to restart the discussion here.

I do not intend to restart any discussion. I am just making a public request for the benefit of BSA users and you can blame me if you want just because I want you to make a public statement about your decision. :roll:

> Quoting tzuk:
> But for the benefit of readers, my position is that I disagree with Buster's conclusion that Sandboxie version 4 is not useful for BSA.

That malware fails to run properly due to new restrictions in Sandboxie version 4 is a fact that has no discussion. I tested two malware samples with Sandboxie version 4 and one works and the other fails: that is a 50% success rate and for me that is not acceptable when in Sandboxie version 3 most malware runs fine or at least to an acceptable point. As emulation from LOG_API is not an option for the reasons I explained by mail, I keep thinking Sandboxie 4 is not suitable for malware analysis.

> Quoting tzuk:
> Therefore, it does not make sense to me that I should maintain a line of version 3 releases in parallel with newer version 4 releases. On a more practical note, maintaining old version 3 would be a considerable time investment, at the expense of improving version 4.

I did not request you keep maintaining old version 3. I just requested: 3 bugfixes and a feature. That's all. I did not request that if a software does not run fine in version 3 you update it to get it working. You can continue with the Sandboxie version 4 production line and forget about the version 3 line. I am just saying that in the future I may request a bugfix, but that's all. The time investment I am requesting is near to null as you already fixed the bugs I mentioned and if in the future I request a bugfix for version 3 you probably will solve it in no time. I consider my request fairly reasonable.

tzuk (Mon Mar 04, 2013 9:53 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87700#87700
We already discussed all of this in email so I'm not sure why you are trying to restart the discussion here. But for the benefit of readers, my position is that I disagree with Buster's conclusion that Sandboxie version 4 is not useful for BSA. Therefore, it does not make sense to me that I should maintain a line of version 3 releases in parallel with newer version 4 releases. On a more practical note, maintaining old version 3 would be a considerable time investment, at the expense of improving version 4.

Buster (Mon Mar 04, 2013 7:19 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87698#87698
Ronen: I know the Sandboxie 3.x line will be discontinued but I would like to request a last release in consideration for BSA users including the following fixes:
+ Bug related to the malware I reported which disables logoff
+ WMI not working on Windows 8
+ API information being truncated
It would be nice if additionally you hook NtQueryInformationProcess (ProcessImageFileName) as you do with NtQueryObject in order to return the faked path instead of the real one. I would make this bugfixed Sandboxie 3.76 version the official release to be used with the last BSA release. Also as I mentioned by mail, if you consider updating 3.x from time to time I would reconsider my decision of stopping BSA development.

Buster (Sat Mar 02, 2013 10:48 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87652#87652
After a few tests with Sandboxie version 4 and due to the major changes to the underlying architecture I have concluded that Sandboxie is not suitable for malware analysis anymore, therefore Buster Sandbox Analyzer development will be discontinued. I intend to release a last BSA version including a fix to support new VirusTotal information and hopefully the MAEC report format. I want to thank Ronen for all the support he has brought all these years.

Buster (Fri Feb 15, 2013 4:47 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87345#87345
Could you tell me which is the last BSA version working fine, please? I made a test here and it is working fine.
Sahil (Fri Feb 15, 2013 4:34 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87344#87344
> Quoting Buster:
> I did not change anything in the APK analyzer code. Another person had a similar problem and he solved it by updating to Java 7 Update 13. Try updating and let me know if it works again, please.

Sorry for my late reply. I am already using the latest version of Java (JRE). The APK problem has revealed itself since the latest 2-3 versions of BSA.

Night Prowler (Thu Feb 14, 2013 10:08 am) "Re: Official BSA site address still valid?" http://www.sandboxie.com/phpbb/viewtopic.php?p=87316#87316
> Quoting Buster:
> > Quoting Night Prowler:
> > I've tried to reach the official site http://bsa.isoftware.nl mentioned in the first post, but all I get is an error message (Server not found). Is there a new homepage and where can I find it?
>
> The server is up and working but I do not know why some people cannot reach it. I suggest you try using another DNS. Anyway you can download the tool from here: http://bsa.novirusthanks.org/downloads/bsa.rar All the information contained in the site is contained in the BSA manual, under the "Docs" folder. The only information not contained is a video tutorial available here: http://www.youtube.com/watch?v=MXASXoq5akc&feature=player_embedded

Thank you very much for the hint, Buster. I entered the public Google DNS server (8.8.8.8) to give it a try -- and now I can access your homepage.

Buster (Thu Feb 14, 2013 9:16 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87315#87315
A problem processing VirusTotal information has been reported in another forum. The problem has been solved and the next BSA release will contain the fix.

Buster (Thu Feb 14, 2013 9:15 am) "Re: Official BSA site address still valid?" http://www.sandboxie.com/phpbb/viewtopic.php?p=87314#87314
> Quoting Night Prowler:
> I've tried to reach the official site http://bsa.isoftware.nl mentioned in the first post, but all I get is an error message (Server not found). Is there a new homepage and where can I find it?

The server is up and working but I do not know why some people cannot reach it. I suggest you try using another DNS. Anyway you can download the tool from here: http://bsa.novirusthanks.org/downloads/bsa.rar All the information contained in the site is contained in the BSA manual, under the "Docs" folder. The only information not contained is a video tutorial available here: http://www.youtube.com/watch?v=MXASXoq5akc&feature=player_embedded

Night Prowler (Thu Feb 14, 2013 8:43 am) "Official BSA site address still valid?" http://www.sandboxie.com/phpbb/viewtopic.php?p=87313#87313
Hello, I've tried to reach the official site http://bsa.isoftware.nl mentioned in the first post, but all I get is an error message (Server not found). Is there a new homepage and where can I find it? Thanks a lot
Night Prowler

Buster (Wed Feb 13, 2013 8:15 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87282#87282
> Quoting Sahil:
> Thanks for the new version. The APK analyzer seems to be broken. It's not analyzing them. Kindly have a look

I did not change anything in the APK analyzer code. Another person had a similar problem and he solved it by updating to Java 7 Update 13. Try updating and let me know if it works again, please.

Sahil (Wed Feb 13, 2013 7:36 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87278#87278
Hi Buster
Thanks for the new version. The APK analyzer seems to be broken. It's not analyzing them. Kindly have a look
Buster (Tue Feb 05, 2013 10:08 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=87100#87100
With Sandboxie version 3.76 API logging works fine.

Buster (Mon Feb 04, 2013 6:24 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=87073#87073
Today I tried BSA under Windows 8 myself and I must say that there are some issues:
* WinPCap: it will not install directly. You must use a workaround: http://forums.xbconnect.com/showthread.php?t=18158
* LOG_API: actually LOG_API is not working and BSA is unable to log API calls. This issue will be reviewed soon.

Buster (Tue Jan 29, 2013 1:22 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=86973#86973
Released Buster Sandbox Analyzer 1.86.
Changes:
+ LOG_API completely rewritten and improved
+ Added “Use Deep Dump Method” feature
+ Added “Send a Return Every 10 seconds” feature
+ Added a feature to show all logged APIs
+ Added a feature to save connection information to HTML file in “Pcap Explorer” feature
+ Added new malware behaviors
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Updated “Process Explorer” feature
+ Updated BSA.DAT
+ Updated PeID's USERDB.TXT
+ Updated Exeinfo's Ext_Detector.DLL
+ Fixed several bugs

Buster (Tue Jan 29, 2013 1:22 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=86972#86972
Glad to hear it works fine. :wink:

Sahil (Tue Jan 29, 2013 11:31 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=86968#86968
This works great :D :D :D Thanks a lot Buster for this program

Buster (Tue Jan 29, 2013 9:33 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=86961#86961
Download it from here: http://www.woodmann.com/virusbuster/bsa.rar

Sahil (Tue Jan 29, 2013 7:33 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=86956#86956
Rapidshare says "Download permission denied by uploader. (0b67c2f5)" :(

Buster (Mon Jan 28, 2013 3:41 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=86926#86926
Sahil: let me know if it works fine as soon as you try the new version, please.

Buster (Mon Jan 28, 2013 3:37 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=86925#86925
I will announce the new release when the archive is up in the official repository site, meanwhile you can download the file from here: www.woodmann.com/virusbuster/bsa.rar

Sahil (Sun Jan 27, 2013 9:35 pm) ":)" http://www.sandboxie.com/phpbb/viewtopic.php?p=86904#86904
Wow. Thanks I am eagerly waiting for the new dll :)

Buster (Thu Jan 24, 2013 11:29 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=86811#86811
Sahil: Good news. The new DLL is almost ready. I will be doing tests in the next days and next week I will release BSA 1.86 containing the new version.

Sahil (Fri Jan 18, 2013 4:42 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=86686#86686
Thanks for your help. Hope the new dll is released soon.
Buster, Fri Jan 18, 2013 2:52 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86685#86685

There is a conflict between LOG_API and other software installed in your computer or a problem in LOG_API. I can not know what the problem can be. LOG_API is being rewritten from scratch. You will have to wait until the new version is released to see the issue is resolved. I can not say when the new LOG_API will be ready, sorry. Meanwhile you can use BSA if you remove those lines from configuration file.

Sahil, Fri Jan 18, 2013 1:24 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86680#86680
Subject: Re: BAS 1.85 not working!!!

Quoting Buster:
> Install Sandboxie 3.76 and let me know if it works. Make a test sandboxing notepad.exe, please, and let me know results.

Uninstalled v3.81 -> restarted Windows 8 64 bit -> installed v3.76 -> edited configuration file and tried running notepad.exe in sandbox, but it fails to start. But if I remove the code lines, i.e.

[code]
InjectDll=C:\bsa\LOG_API\64\LOG_API32.DLL
InjectDll64=C:\bsa\LOG_API\64\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30
[/code]

notepad.exe runs successfully in Sandboxie. What should I do?

Buster, Fri Jan 18, 2013 9:51 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=86673#86673
Subject: Re: BAS 1.85 not working!!!

Quoting Sahil:
> I am new to BSA. Whenever I try running a file using sandboxie v3.81.07 (64 bit) after configuring it for BSA, the file won't run in the sandbox. My configuration file is as follows:

Install Sandboxie 3.76 and let me know if it works. Make a test sandboxing notepad.exe, please, and let me know results.

Sahil, Fri Jan 18, 2013 6:58 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=86669#86669
Subject: BAS 1.85 not working!!!

I am new to BSA. Whenever I try running a file using sandboxie v3.81.07 (64 bit) after configuring it for BSA, the file won't run in the sandbox. My configuration file is as follows:

[code]
[DefaultBox]
ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NeverDelete=n
InjectDll=C:\bsa\LOG_API\64\LOG_API32.DLL
InjectDll64=C:\bsa\LOG_API\64\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30

[UserSettings_0C7C0212]
SbieCtrl_HideMessage=*
...
[/code]

Buster, Fri Jan 11, 2013 7:16 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86474#86474

Yes, that´s the right sample, the problem in this case is a limitation in Sandboxie/BSA. From manual: "Buster Sandbox Analyzer will be unable to watch code injection in certain system processes because they are running out of the sandbox and Sandboxie will not allow it."

If you take a look to this analysis of the malware: http://volatility-labs.blogspot.com.es/2012/12/what-do-upclicker-poison-ivy-cuckoo-and.html you will read: "The API monitor logs were also expanded to include explorer.exe this time, since Upclicker was allowed to inject code into explorer." That means the malware is injecting code into explorer and then running code from there.

You can try this: Run BSA in manual mode analysis and first run sandboxed an instance of explorer.exe. Then run sandboxed the malware. Let it run for a while and then terminate all sandboxed processes and finish analysis.
You will see that this time more actions are performed.

Or you can try this: Go to "Editor > Configuration Files > Edit Custom Applications Launch List" and add "c:\windows\explorer.exe". Then enable "Options > Automatic Analysis Options > Launch Custom Applications". Analyze the malware.

I am going to ask help to Ronen to try to find a way to execute injected code. That would improve analysis.

maya, Fri Jan 11, 2013 6:31 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86472#86472

First to make sure we are talking about the same sample, the md5 of the sample I tested is 0xce69dee5307d58db4e2a6fdbcbf87e9d.

This is the result I got from BSA analysis of that sample (Analysis.txt):

[code]
------------------------------------------------------------------------
Report generated with Buster Sandbox Analyzer 1.85 at 22:14;41 on 10/01/2013
Detailed report of suspicious malware actions:
Installs a hook procedure that monitors mouse messages
--------------------------------------------------------------------------
[/code]

As mentioned in previous post, I used automatic analysis, with timeout set to 1 minute. I was wondering whether I need to change some of the settings.

BTW, I checked "Take Screenshots" under Options->"Automatic Analysis Options" and didn't find any screenshot under reports folder. Anything else I need to set to make that option work?

Thank you very much for your responses. BSA is a great tool, I just want to get the best out of it.

Buster, Thu Jan 10, 2013 4:43 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86413#86413

Quoting maya:
> Did you test that one on the upclicker sample?

Yes, of course! And it was not easy to get the right sample. People from FireEye did not include the MD5 of the sample in the article and I got two wrong samples until I got the good one.
Quoting maya:
> I set it to run in automatic mode with timeout set to 1 minute. It just reported monitoring mouse messages.

What do you mean? Remember that BSA only simulates the left click button under specific circumstances, not always.

maya, Thu Jan 10, 2013 4:06 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86412#86412

Did you test that one on the upclicker sample?

I set it to run in automatic mode with timeout set to 1 minute. It just reported monitoring mouse messages.

Buster, Thu Jan 10, 2013 3:55 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86411#86411

Quoting maya:
> Buster, just tried out the new version, quite stable compared with previous version I was using (1.8.1).

Yes, version 1.85 makes really a difference in stability terms compared to previous versions.

Quoting maya:
> I read about a new type of malware that monitors the mouse movement and won't perform any activity until the left button is clicked and released.

Right, Trojan.Upclicker. http://blog.fireeye.com/research/2012/12/dont-click-the-left-mouse-button-trojan-upclicker.html

Quoting maya:
> Feelings are that this might become common in future malware. I was wondering then if a feature can be added into BSA that simulate mouse movement and button click when the sample being analyzed is not performed any activity.

Mouse movement was something already performed in automatic analysis mode since a few versions ago. In version 1.85 I added a checking and under specific circumstances BSA automatically simulates a left mouse clicking as anti-anti-vm trick. :wink:

maya, Thu Jan 10, 2013 3:44 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86410#86410

Buster, just tried out the new version, quite stable compared with previous version I was using (1.8.1).
One question, I selected screenshot option, but didn't see any screenshot for a couple of samples I tried.

I read about a new type of malware that monitors the mouse movement and won't perform any activity until the left button is clicked and released. Feelings are that this might become common in future malware. I was wondering then if a feature can be added into BSA that simulate mouse movement and button click when the sample being analyzed is not performed any activity.

Thanks. :D

Buster, Mon Jan 07, 2013 7:17 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86336#86336

I also can confirm that the problem with RegHive being locked is gone.

Buster, Mon Jan 07, 2013 6:37 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86335#86335

The days before I released BSA 1.85 I was testing the tool with a few thousand malware samples. I do that from time to time to check for bugs, especially when I introduce important changes in the code, as it was the case with version 1.85. Counting the samples I have already processed in the past and the ones used to test version 1.85, probably I have used +100.000 samples for testing.

After BSA 1.85 release I have continued testing with the set of samples I picked to check that version. I usually test with 3 instances of BSA, so I can test more samples in the same time. I noticed one of the BSA instances was not running, so I have stopped the other 2 running instances and checked the sample that was running when the BSA instance stopped working.

After 100.000 samples processed, I have found another bug in BSA thanks to a sample. The sample was setting as creation date of a file the year 30332 or something like that, and the Delphi function SystemTimeToDateTime did not like the value and caused the application to crash.

On every BSA release I fix a few bugs, sometimes I just find only one and others three or four.
After 85 versions released, BSA still has bugs here and there. :oops: So stay tuned and report me any problem you find.

Buster, Sun Jan 06, 2013 7:46 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86308#86308

Released Buster Sandbox Analyzer 1.85. Changes:
+ Added a feature to run silently setups if possible in automatic mode
+ Added a feature to view malware analysis on finish in manual mode
+ Added a feature to save connection information to CSV file in “Pcap Explorer” feature
+ Added a feature to refresh BSA window
+ Removed several program dependencies (REG.EXE, STRINGS.EXE, …)
+ DAT files moved to “DATA” folder
+ Improved “File Strings” feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs

Buster, Sun Jan 06, 2013 1:30 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=86288#86288

Meanwhile the file is not up in the server you can download the new version from here: http://rapidshare.com/files/3956133659/BSA185.RAR or here: http://www.woodmann.com/virusbuster/bsa.rar

List of changes:

+ Added a feature to run silently setups if possible in automatic mode

Options > Automatic Analysis Options > Setups > Run Silently if possible. Used to run installation setups in silent mode (no user intervention required) when possible.

Note: BSA uses Exeinfo to identify installation setups.

Note: Inside “\DATA\SETUPS.DAT” there is a list of installer identifications and the associated command line to run the installer in silent mode. The list can be modified in order to add, modify or remove installers. The format of SETUPS.DAT is:

[code]
string_to_identify_installer||arguments_to_include
[/code]

Greetings to Brian for the idea and the research.

+ Added a feature to view malware analysis on finish in manual mode

Options > Manual Analysis Options > View Malware Analysis On Finish. Used to see malware analysis results after analysis is finished.
Remember that after closing malware analysis results window you can see it again clicking in: View > View Analysis Fields

+ Added a feature to save connection information to CSV file in “Pcap Explorer” feature

Used to save to a CSV file type the information related to connections.

+ Added a feature to refresh BSA window

Certain sandboxed applications will mess with BSA window in a way that hides it. You can refresh the window to try to get BSA window visible again right-clicking BSA window at taskbar and selecting "Refresh". Additionally from version 1.85, BSA will keep the position (the position it had before analysis starts) during analysis in automatic mode.

+ Removed several program dependencies (REG.EXE, STRINGS.EXE, …)

BSA should run more smoothly from version 1.85 because I removed some dependencies it had from several third party tools, mainly REG.EXE to get registry information and STRINGS.EXE to retrieve strings in files. As a side effect from these changes, I would say (I am not able to confirm it yet) the problem with Sandboxie´s RegHive getting locked is gone. That means BSA is able to process large amounts of files without being interrupted.

+ DAT files moved to “DATA” folder

From version 1.85, BSA expects DAT files inside "\BSA\DATA" folder. DAT files are: API.DAT, APK.DAT, BSA.DAT, BSA_USER.DAT, CHECKIP.DAT, MALICIOUS-DOMAINS.DAT, SETUPS.DAT

+ Improved “File Strings” feature

The feature is now faster than it was before and an option to sort strings alphabetically has been added.

+ Updated BSA.DAT
+ Updated LOG_API
+ Russian and Portuguese (Brazilian) have been updated.
+ Fixed several bugs

Buster, Sat Jan 05, 2013 9:05 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86281#86281

Buster Sandbox Analyzer 1.85 is going to be officially announced as soon as I get the archive online at novirusthanks.org server. 1.85 version can be considered as a major update.
It´s more stable and runs more smoothly than previous versions because I have removed several program dependencies (REG.EXE to extract info from registry, STRINGS.EXE to extract strings from files, ...) and now I use code directly from BSA application. I will do more comments when it is out.

Buster, Fri Dec 28, 2012 11:08 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=86125#86125

Quoting sanaru:
> The log api file exists at that location, like I said, notepad.exe works fine. How could the injected dll cause the app to just crash? To prevent me from analyzing it? It is not a very sophisticated app.

May I get the app so I can take a closer look and see what´s wrong?

sanaru, Fri Dec 28, 2012 8:51 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=86114#86114

Quoting Buster:
> What is your OS? Is it 32 or 64 bit?

Windows 7 64-bit, running a 32-bit application.

Buster, Thu Dec 27, 2012 10:16 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86101#86101

Quoting sanaru:
> This tool does seem great. I have installed and configured it and it works wonderfully on notepad.exe. But when I run it on my target app, the app crashes on startup. It is caused by this line: InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL
> The log api file exists at that location, like I said, notepad.exe works fine. How could the injected dll cause the app to just crash? To prevent me from analyzing it? It is not a very sophisticated app.

What is your OS? Is it 32 or 64 bit?

sanaru, Thu Dec 27, 2012 8:59 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86098#86098

This tool does seem great. I have installed and configured it and it works wonderfully on notepad.exe. But when I run it on my target app, the app crashes on startup.
It is caused by this line:

[code]
InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL
[/code]

The log api file exists at that location, like I said, notepad.exe works fine. How could the injected dll cause the app to just crash? To prevent me from analyzing it? It is not a very sophisticated app.

Buster, Thu Dec 27, 2012 5:35 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86094#86094

BSA 1.85 will have a feature at "Manual Analysis Options" to allow seeing malware analysis after analysis is finished.

Buster, Thu Dec 27, 2012 5:33 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86093#86093
Subject: Re: No Malware analysis button

Quoting JMJ:
> Installed yesterday on XP SP3 with fresh install of Sandboxie both downloaded yesterday. I see the start analysis button which at the end of a run changes to finish analysis but I don't see any malware analysis button. What data can I collect to assist, or did I miss something in the install?

Analysis button was removed in a recent release. Now when you click "Finish Analysis" the malware analysis is performed automatically (before you had to click in "Malware Analysis" button).

Then you can see analysis at: Viewer > View Analysis Fields

You can also see individual files (Report.TXT, Analysis.TXT, etc) with other options in "Viewer" menu.

I hope that helps. Regards.

JMJ, Thu Dec 27, 2012 5:18 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=86092#86092
Subject: No Malware analysis button

Installed yesterday on XP SP3 with fresh install of Sandboxie both downloaded yesterday. I see the start analysis button which at the end of a run changes to finish analysis but I don't see any malware analysis button. What data can I collect to assist, or did I miss something in the install?
Thanks

Buster, Sun Dec 16, 2012 12:24 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85866#85866

Released Buster Sandbox Analyzer 1.84. Changes:
+ Added “[Custom_File_Entries]” section to BSA.DAT
+ Added a feature to extract files from PCap files in automatic mode
+ Added new malware behaviors
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ GUI has been redesigned
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs

Scrapie, Mon Dec 03, 2012 8:28 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85605#85605

Thank you for the new version :) Will check it out in the next few days!

Cheers, Scrapie

Buster, Sun Dec 02, 2012 10:50 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85591#85591

Released Buster Sandbox Analyzer 1.83. Changes:
+ Added new malware behaviours
+ Added the possibility of including comments in BSA.DAT
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Optimized file string search
+ Updated BSA.DAT
+ Fixed several bugs

Buster, Fri Nov 30, 2012 2:15 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85571#85571

Notes about version 1.82:

Added a feature to analyze Android applications

The feature is at "Analysis > Android APK Analyzer" and can be used to analyze Android applications.
An example of a report follows:

[code]
Report generated with Buster Sandbox Analyzer 1.82 at 15:12:19 on 30/11/2012

[ General information ]
* Package File name: c:\test\SMS.APK
* Package File length: 782964 bytes
* Package MD5 hash: acbcad45094de7e877b656db1c28ada2
* Package SHA1 hash: 164beb630cf99d13059d080bbc9c21c66badb9fe
* Package SHA256 hash: 9ae7270cbd1a2cd562bd10885804329e39a97b8a47cbebbde388bf364a003f05
* Classes.dex File length: 153016 bytes
* Classes.dex Date: 12/01/2011
* Classes.dex MD5 hash: 6cc1d75c6ddee3b8119fc5b2880a2c43
* Classes.dex SHA1 hash: c43409440d67c9c23bfd9f652274f6fd1f97d15d
* Classes.dex SHA256 hash: d777ee3f066a750d33e5973069a29a885c5309e62bc87f0eaebaaf7e4b3b49b4
* Classes.dex ssdeep: 3072:naVYkNCGrApvcs5Dnxm+k0alJwZ/h9VeqioBOxVPQWLsDP2iMsPBshtcbvdm:aVYkBrApv12eh9VqPQWoJSKpm
* Icon MD5 hash: d8b14a343c583691b689cb63d50b8a7a
* Icon SHA1 hash: 45db80badf941becbbd3f0a1cf084728a10a7207
* Icon SHA256 hash: 7c0b3d566bf857b6c123fd4995689d8725cbad116a60dd3283c21ba8271c3077
* Ad-supported: Yes

[ Package name ]
* com.mj.iCalendar

[ Requested Permissions ]
* android.permission.ACCESS_COARSE_LOCATION
* android.permission.INTERNET
* android.permission.RECEIVE_SMS
* android.permission.RESTART_PACKAGES
* android.permission.SEND_SMS
* android.permission.SET_WALLPAPER

[ Used Permissions ]
* android.permission.ACCESS_COARSE_LOCATION
* android.permission.ACCESS_FINE_LOCATION
* android.permission.INTERNET

[ Responsible API calls for used Permissions ]
* android/app/Activity;->startActivityForResult
* android/content/Context;->setWallpaper
* android/content/Context;->startActivity
* android/location/LocationManager;->getBestProvider
* android/location/LocationManager;->requestLocationUpdates
* android/telephony/gsm/SmsManager;->sendTextMessage
* java/net/HttpURLConnection;->connect
* java/net/URL;->openConnection

[ Potentially dangerous Calls ]
* getPackageInfo
* getSystemService
* printStackTrace
* sendSMS

[ Actions/Intents ]
* android.intent.action.MAIN
* android.intent.category.LAUNCHER
* com.android.vending.INSTALL_REFERRER

[ Activities ]
* .iCalendar
* com.admob.android.ads.AdMobActivity

[ Providers ]
* android.provider.Telephony.SMS_RECEIVED

[ Receivers ]
* .SmsReceiver
* com.admob.android.ads.analytics.InstallReceiver

[ SMS:Send ]
* Sends a SMS to number "1066185829" with message "921X1".

[ SMS:Block ]
* Blocks SMS from number "10086".
* Blocks SMS from number "10000".
* Blocks SMS from number "10010".
* Blocks SMS from number "1066185829".
* Blocks SMS from number "1066133".

[ Adware SDKs ]
* GoogleAdMob

[ URLs ]
* http://a.admob.com/f0?
* http://api.admob.com/v1/pubcode/android_sdk_emulator_notice
* http://mm.admob.com/static/android/canvas.html
* http://mm.admob.com/static/android/i18n/20101109
* http://r.admob.com/ad_source.php
* http://schemas.android.com/apk/res/
[/code]

The feature can keep decompiled source code and include VirusTotal information in the report.

Improved “Run Custom Command On Finish” feature

Now it is possible to run custom commands (applications) both under real system or sandboxed. Additionally it is possible to run the custom commands after every analyzed file or after all files have been analyzed.

Reporter, Wed Nov 28, 2012 8:18 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85522#85522

Quoting Buster:
> When do you think you will have the chance to test again?

Sorry for the long wait but I managed to keep my promise. :) I tested it for about an hour. I tried the original program and different programs. The methodology was the same as yours. I added time wait between step 5 and step 6. I waited for 5 and 10 mins before I pressed "Malware Analysis". I tried to skip step 9 too. I was unable to reproduce the bug.
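The 1.85 testing post above describes a sample whose file creation date named a year around 30332, which made the Delphi SystemTimeToDateTime call crash the analyzer. File timestamps are attacker-controlled metadata, so a tool that reads them needs a conversion that reports a bad value instead of raising. The following is an added example, not BSA's code: it converts Windows FILETIME values (100 ns intervals since 1601-01-01 UTC) with explicit range handling. The sample values SAMPLE_GOOD and SAMPLE_BAD are constructed, and approx_year is only a rough diagnostic based on the average Gregorian year.

```python
"""Convert Windows FILETIME values from sample metadata without crashing on bad input.

Added example, not BSA's code. Status strings instead of exceptions are the point:
a malformed timestamp is a finding about the sample, not a reason to abort the run.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_US = 10
# Average Gregorian year (365.2425 days) in 100 ns units; used only for diagnostics.
AVG_YEAR_100NS = 315_569_520_000_000
# Unix epoch expressed as a FILETIME, a well-known constant useful as a sanity check.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Exact integer conversion (no float), so large values keep full precision."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * HUNDRED_NS_PER_US


# Largest value Python's datetime (year <= 9999) can represent; anything above is rejected.
MAX_FILETIME = datetime_to_filetime(
    datetime(9999, 12, 31, 23, 59, 59, 999_999, tzinfo=timezone.utc)
)


def filetime_to_datetime(ft: int) -> Tuple[Optional[datetime], str]:
    """Return (datetime or None, status); status is 'ok', 'unset', 'negative' or 'out_of_range'."""
    if ft < 0:
        return None, "negative"        # cannot come from a valid unsigned 64-bit FILETIME
    if ft == 0:
        return None, "unset"           # NTFS uses 0 for "no timestamp recorded"
    if ft > MAX_FILETIME:
        return None, "out_of_range"    # the kind of value that crashed the analyzer
    return EPOCH_1601 + timedelta(microseconds=ft // HUNDRED_NS_PER_US), "ok"


def approx_year(ft: int) -> int:
    """Rough calendar year of a FILETIME, safe for any magnitude (diagnostics only)."""
    return 1601 + ft // AVG_YEAR_100NS


def describe_filetime(ft: int) -> str:
    """Report-friendly text: ISO timestamp for good values, a labelled note for bad ones."""
    dt, status = filetime_to_datetime(ft)
    if status == "ok":
        return dt.isoformat()
    if status == "out_of_range":
        return f"invalid FILETIME 0x{ft:016x} (year approx. {approx_year(ft)})"
    return f"invalid FILETIME 0x{ft:016x} ({status})"


# Constructed inputs: the Unix epoch, and a value in the region of the year 30332.
SAMPLE_GOOD = UNIX_EPOCH_FILETIME
SAMPLE_BAD = (30332 - 1601) * AVG_YEAR_100NS

if __name__ == "__main__":
    for value in (SAMPLE_GOOD, 0, SAMPLE_BAD):
        print(f"{value:>22d} -> {describe_filetime(value)}")
```

The same pattern applies to a SYSTEMTIME structure: validate the year, month and day fields against the range the date library accepts before calling it, and record the raw value in the report when validation fails.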
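The Android APK Analyzer report in the 1.82 notes above is plain text with "[ Section ]" headers and "* item" lines, which makes it easy to post-process. The following is an added example, not part of BSA: a parser for that layout plus a small triage pass that compares requested against used permissions and cross-checks the SMS:Send and SMS:Block sections. SAMPLE_REPORT is an excerpt of the report posted above, assuming one item per line; the triage rules and their names are this example's own.

```python
"""Parse a BSA "Android APK Analyzer" text report and derive triage flags.

Added example, not BSA's code. Assumes the report layout shown in the 1.82 notes:
"[ Section name ]" headers followed by "* item" lines.
"""
import re
from typing import Dict, List

# Excerpt of the report posted in the thread, one item per line.
SAMPLE_REPORT = """\
Report generated with Buster Sandbox Analyzer 1.82 at 15:12:19 on 30/11/2012
[ General information ]
* Package File name: c:\\test\\SMS.APK
* Package MD5 hash: acbcad45094de7e877b656db1c28ada2
[ Package name ]
* com.mj.iCalendar
[ Requested Permissions ]
* android.permission.ACCESS_COARSE_LOCATION
* android.permission.INTERNET
* android.permission.RECEIVE_SMS
* android.permission.RESTART_PACKAGES
* android.permission.SEND_SMS
* android.permission.SET_WALLPAPER
[ Used Permissions ]
* android.permission.ACCESS_COARSE_LOCATION
* android.permission.ACCESS_FINE_LOCATION
* android.permission.INTERNET
[ SMS:Send ]
* Sends a SMS to number "1066185829" with message "921X1".
[ SMS:Block ]
* Blocks SMS from number "10086".
* Blocks SMS from number "10000".
* Blocks SMS from number "1066185829".
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
NUMBER_RE = re.compile(r'number "(\d+)"')


def parse_report(text: str) -> Dict[str, List[str]]:
    """Map each section name to the list of its "* " items, in report order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.startswith("* "):
            sections[current].append(line[2:])
    return sections


def triage(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Derive review flags from the parsed sections (rules are this example's own)."""
    requested = set(sections.get("Requested Permissions", []))
    used = set(sections.get("Used Permissions", []))
    sms_targets = NUMBER_RE.findall("\n".join(sections.get("SMS:Send", [])))
    blocked = NUMBER_RE.findall("\n".join(sections.get("SMS:Block", [])))
    return {
        # Declared in the manifest but no API call found for it: worth a look.
        "requested_not_used": sorted(requested - used),
        # API usage without the manifest declaration: a static-analysis inconsistency.
        "used_not_requested": sorted(used - requested),
        "sms_targets": sms_targets,
        # A number the app both sends to and silences replies from is a classic
        # premium-SMS pattern: the victim never sees the carrier's confirmation.
        "blocks_own_targets": sorted(set(sms_targets) & set(blocked)),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```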
Buster, Tue Nov 27, 2012 7:13 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85511#85511

Released Buster Sandbox Analyzer 1.82. Changes:
+ Added a feature to analyze Android applications
+ Added new malware behaviours
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Improved “Run Custom Command On Finish” feature
+ Updated LOG_API
+ Updated HexDive to version 0.6
+ Updated ExeInfo to version 0.0.3.2
+ Fixed several bugs

Buster, Tue Nov 27, 2012 4:44 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85506#85506

Quoting thewul:
> I am not sure whether the version on the mainpage is indeed v.1.81. When I download the file Properties show v.1.78, size 2.551.808 bytes, MD5 103dbfcf0e9e1fa56ed3d3338deb8fc1 instead of c2528b634df6ea0b153be533141360d9 as on the mainpage.
> Note that Bitdefender 2013 reports file (v1.78) is infected by MIDAS3 virus. (I know some virus programs come up with false positives, just to let you know)

MD5 c2528b634df6ea0b153be533141360d9 corresponds to BSA.RAR package. Properties show 1.78 but in fact is 1.81. I just forgot to update file version. I will release BSA 1.82 soon and I will update it. Thanks for noticing the issue.

thewul, Tue Nov 27, 2012 2:05 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85500#85500

I am not sure whether the version on the mainpage is indeed v.1.81. When I download the file Properties show v.1.78, size 2.551.808 bytes, MD5 103dbfcf0e9e1fa56ed3d3338deb8fc1 instead of c2528b634df6ea0b153be533141360d9 as on the mainpage.

Note that Bitdefender 2013 reports file (v1.78) is infected by MIDAS3 virus.
(I know some virus programs come up with false positives, just to let you know)

tzuk, Sat Nov 24, 2012 9:40 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85463#85463

Happy anniversary! -- sorry I'm a day late. Sometimes I run into web posts and I get the impression that some people use BSA first, and Sandboxie second, so thank you for creating a tool which helps to promote Sandboxie, and thank you for your ongoing efforts! :)

Buster, Fri Nov 23, 2012 7:11 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85449#85449

Today is the 3rd anniversary of BSA! :D

Buster, Thu Nov 15, 2012 3:21 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85305#85305

Quoting Reporter:
> Sorry I haven't got the chance to test it again. I will do when I get back to the computer.

When do you think you will have the chance to test again?

Reporter, Sat Nov 10, 2012 2:40 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85175#85175

Sorry I haven't got the chance to test it again. I will do when I get back to the computer.

Buster, Fri Nov 09, 2012 6:49 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85155#85155

Still nothing?

Buster, Wed Nov 07, 2012 6:30 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85117#85117

Quoting Reporter:
> I followed exactly what you did. I could not reproduce the bug either. I tried to skip step 9. The result is the same. No bug. The bug seems to be gone now. Does it have to do with the program I test? I need to test more to see if I can reproduce it. I will report it when I do.

I doubt the bug depends on the program you test but I would not discard that possibility completely.
My suggestion: do the test with the program you were using and create a test methodology as I did. Let me know your findings, thanks!

Reporter, Wed Nov 07, 2012 6:19 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85116#85116

Quoting Buster:
> I meant you could use Notepad as the application to be used to make tests, so we both use the same application to make tests.
> I tried to reproduce the bug but I was unable. Here are the steps I follow:
> 1) Launch BSA and configure it to use manual mode analysis and generate HTML report.
> 2) Click "Start Analysis" button
> 3) Run "C:\WINDOWS\NOTEPAD.EXE" sandboxed and wait a few seconds. Then I close Notepad.
> 4) Click "Finish Analysis" button
> 5) Click "Malware Analysis" button.
> 6) Close "Malware Analysis" window.
> 7) Click "Options > Cancel Analysis"
> 8) Go to Report folder and I see REPORT.HTML was created successfully.
> 9) I delete all files from report folder.
> 10) I repeat steps 2-9. In step 8 REPORT.HTML was created successfully.
> Do the same and let me know your results. If this way you can not reproduce the bug, let me know the exact steps you do in the same way I did in this post, please.

I followed exactly what you did. I could not reproduce the bug either. I tried to skip step 9. The result is the same. No bug. The bug seems to be gone now. Does it have to do with the program I test? I need to test more to see if I can reproduce it. I will report it when I do.

Thank you for your time.

Buster, Tue Nov 06, 2012 4:43 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85090#85090

I meant you could use Notepad as the application to be used to make tests, so we both use the same application to make tests.

I tried to reproduce the bug but I was unable. Here are the steps I follow:
1) Launch BSA and configure it to use manual mode analysis and generate HTML report.
2) Click "Start Analysis" button
3) Run "C:\WINDOWS\NOTEPAD.EXE" sandboxed and wait a few seconds. Then I close Notepad.
4) Click "Finish Analysis" button
5) Click "Malware Analysis" button.
6) Close "Malware Analysis" window.
7) Click "Options > Cancel Analysis"
8) Go to Report folder and I see REPORT.HTML was created successfully.
9) I delete all files from report folder.
10) I repeat steps 2-9. In step 8 REPORT.HTML was created successfully.

Do the same and let me know your results. If this way you can not reproduce the bug, let me know the exact steps you do in the same way I did in this post, please.

Reporter, Mon Nov 05, 2012 9:33 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85075#85075
Subject: Re: "Generate Reports in HTML format" is broken.

Quoting Buster:
> Quoting Reporter:
> > In manual mode. I tried the same program four times. I hope BSA behaves the same as SandboxDiff which it produces both TXT and HTML files by default.
>
> You only have to enable the "Generate Reports in HTML Format" to produce both TXT and HTML files by "default". Thanks for the feedback! I will try to reproduce the bug.

Well I hope everyone can benefit from this feature by default. :wink:

Quoting Buster:
> I have tried to reproduce the problem but I was unable. Could you try to reproduce the bug using Notepad (C:\Windows\notepad.exe) and let me know if it can be reproduced, please? If you can reproduce it let me know the exact steps you do to reproduce the bug, thanks.

What do you mean by using Notepad? Is it a setting in BSA? I didn't notice it. I didn't change anything about the viewer/editor used in BSA, if ever existed. For your information, I'm using Notepad++ which can be found at http://notepad-plus-plus.org/ TXT files are associated with Notepad++ now. I still keep Microsoft original Notepad.
I did not change any setting in BSA except "Generate Reports in HTML Format" for the first and second time. For the third and fourth time, I checked all options in "Additional Report Options".

The steps involved are simple.
1. Start Analysis
2. Run the target exe for a while and terminate it.
3. Finish Analysis
4. Malware Analyzer

Worked. Failed. Worked. Failed.

Please ask if you need additional information.

Buster, Sun Nov 04, 2012 2:00 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=85054#85054

I have tried to reproduce the problem but I was unable. Could you try to reproduce the bug using Notepad (C:\Windows\notepad.exe) and let me know if it can be reproduced, please? If you can reproduce it let me know the exact steps you do to reproduce the bug, thanks.

Buster, Sun Nov 04, 2012 10:35 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85051#85051
Subject: Re: "Generate Reports in HTML format" is broken.

Quoting Reporter:
> In manual mode. I tried the same program four times. I hope BSA behaves the same as SandboxDiff which it produces both TXT and HTML files by default.

You only have to enable the "Generate Reports in HTML Format" to produce both TXT and HTML files by "default". Thanks for the feedback! I will try to reproduce the bug.

Reporter, Sun Nov 04, 2012 10:12 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=85050#85050
Subject: Re: "Generate Reports in HTML format" is broken.

Quoting Buster:
> Quoting Reporter:
> > The "Generate Reports in HTML format" does not work as intended. Sometimes it generates. Sometimes it doesn't. I tried it four times: Worked. Failed. Worked. Failed. Please double check. I think the default should be HTML because it is much easier to read than TXT. Thank you for the great work.
:D ]]> Did you try in automatic or manual mode? If you tried in automatic mode, do you have "Specify Report Folder" feature enabled? Did you process the same file or different files? ]]> In manual mode. I tried the same program four times. I hope BSA behaves the same as SandboxDiff which it produces both TXT and HTML files [u:51b88ba0d7]by default[/u:51b88ba0d7]. Buster: Re: "Generate Reports in HTML format" is broken. http://www.sandboxie.com/phpbb/viewtopic.php?p=85043#85043 Sun Nov 04, 2012 12:38 am http://www.sandboxie.com/phpbb/viewtopic.php?p=85043#85043 ]]>Quoting Reporter: ]]>The "Generate Reports in HTML format" does not work as intended. Sometimes it generates. Sometimes it doesn't. I tried it four times: Worked. Failed. Worked. Failed. Please double check. I think the default should be HTML because it is much easier to read than TXT. Thank you for the great work. :D ]]> Did you try in automatic or manual mode? If you tried in automatic mode, do you have "Specify Report Folder" feature enabled? Did you process the same file or different files? Reporter: "Generate Reports in HTML format" is broken. http://www.sandboxie.com/phpbb/viewtopic.php?p=85042#85042 Sun Nov 04, 2012 12:03 am http://www.sandboxie.com/phpbb/viewtopic.php?p=85042#85042 The "Generate Reports in HTML format" does not work as intended. Sometimes it generates. Sometimes it doesn't. I tried it four times: Worked. Failed. Worked. Failed. Please double check. I think the default should be HTML because it is much easier to read than TXT. Thank you for the great work. :D Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84963#84963 Wed Oct 31, 2012 10:30 am http://www.sandboxie.com/phpbb/viewtopic.php?p=84963#84963 Thank you Sir :) Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84962#84962 Wed Oct 31, 2012 9:30 am http://www.sandboxie.com/phpbb/viewtopic.php?p=84962#84962 I have improved the feature that moves the mouse. 
Another feature I introduced recently but did not comment on is this: http://joe4security.blogspot.com.es/2012/10/defeating-sleeping-malware.html When there is a long sleep (over 1 minute), LOG_API automatically reduces the sleep.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84957#84957 Wed Oct 31, 2012 7:10 am
Does it? Never seen this before :? Maybe because my machine has no mouse, no keyboard and no monitor plugged in and gets controlled via a RAT :D
Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84938#84938 Tue Oct 30, 2012 10:10 am
[quote]Quoting Scrapie: Hi there, I came across this interesting article: [url=http://www.h-online.com/security/news/item/Malware-hides-behind-the-mouse-1738577.html]Malware hides behind the mouse[/url] Might be time to detect / warn not only for long idle times ... Scrapie[/quote]
"Since nobody moves the mouse in an automated threat analysis system..." BSA moves the mouse... or at least it was moving it. I noticed it was not being moved in the last versions. I must check what the problem is.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84937#84937 Tue Oct 30, 2012 7:55 am
Hi there, I came across this interesting article: [url=http://www.h-online.com/security/news/item/Malware-hides-behind-the-mouse-1738577.html]Malware hides behind the mouse[/url]
Might be time to detect / warn not only for long idle times ...
Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84702#84702 Fri Oct 19, 2012 8:46 am
BlackThought, change from this:
InjectDll=C:\BSA\LOG_API\64\LOG_API64.DLL
to this:
InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL
InjectDll64=C:\BSA\LOG_API\64\LOG_API64.DLL
And when you say you failed, could you be more specific, please?
I don´t know what you are talking about.

BlackThought: http://www.sandboxie.com/phpbb/viewtopic.php?p=84700#84700 Fri Oct 19, 2012 6:31 am
I've tried my best to follow the instructions on the site, but still managed to fail I think. Here are my settings. Is there anything wrong?
[code][TEST]
Enabled=y
ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
BorderColor=#0000FF,ttl
BoxNameTitle=n
NotifyInternetAccessDenied=y
ClosedFilePath=InternetAccessDevices
NotifyStartRunAccessDenied=y
NeverDelete=n
InjectDll=C:\BSA\LOG_API\64\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30

[UserSettings_00000000]
SbieCtrl_HideMessage=*[/code]
I'm on Win 7 64-bit, didn't want to install the winpcap so I copied the files to the folder.

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84635#84635 Tue Oct 16, 2012 10:56 am
You're very welcome. :) Thanks again for a great program and stellar support!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84627#84627 Tue Oct 16, 2012 9:46 am
[quote]Quoting TonyKlein: Hi there, back again. It would seem you've nailed it: I ran 2 installers, and received no error messages. Everything is working fine now. Thanks again for that swift reaction! :)[/quote]
Thank you very much for the bug report and the bugfix confirmation! :wink:

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84626#84626 Tue Oct 16, 2012 9:40 am
Hi there, back again. It would seem you've nailed it: I ran 2 installers, and received no error messages. Everything is working fine now. Thanks again for that swift reaction!
:)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84613#84613 Mon Oct 15, 2012 12:28 pm
The feature is not so complex yet to allow selecting the same exe. About the "VirtualAllocEx\&WriteProcessMemory<->Whatever_blahBlah" not working I will take a look later.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84603#84603 Mon Oct 15, 2012 9:36 am
So how do we add more than one API call for the same exe (in my case Internet Explorer)? Like I want to monitor CreateProcess and OpenProcess and finally WriteProcessMemory - but only if they apply to the same exe and not if they pop up for another exe during analysis. Because only if they are called for the same exe, chances are high for code injection. Some kind of joker would be good. Something like:
[code]CreateProcess #exe1#\&OpenProcess #exe1#\&WriteProcessMemory #exe1#<->Dangerous[/code]
// EDIT: Yup, that is what I want to do :) Thanks
//EDIT2:
[code]VirtualAllocEx\&WriteProcessMemory<->Whatever_blahBlah[/code]
isn't working for me. What do I do wrong here?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84602#84602 Mon Oct 15, 2012 9:28 am
[quote]Quoting Scrapie: Means this would be a valid sample?
[code]CreateProcess((null),C:\Program Files\Internet Explorer\iexplore.exe,(null))\&OpenProcess(iexplore.exe)\&WriteProcessMemory(c:\program files\internet explorer\iexplore.exe)<->Code injection for InternetExplorer detected[/code][/quote]
You are trying to find a line containing:
CreateProcess((null),C:\Program Files\Internet Explorer\iexplore.exe,(null))
then another line containing:
OpenProcess(iexplore.exe)
and another line containing:
WriteProcessMemory(c:\program files\internet explorer\iexplore.exe)
If that´s right, then it´s valid.
Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84601#84601 Mon Oct 15, 2012 9:01 am
Hi there :) Means this would be a valid sample?
[code]CreateProcess((null),C:\Program Files\Internet Explorer\iexplore.exe,(null))\&OpenProcess(iexplore.exe)\&WriteProcessMemory(c:\program files\internet explorer\iexplore.exe)<->Code injection for InternetExplorer detected[/code]
and:
[code]VirtualAllocEx\&WriteProcessMemory<->Whatever_blahBlah[/code]
Cheers, Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84563#84563 Sun Oct 14, 2012 9:00 am
From the manual (installation and usage section):
[quote]If you want to specify two or more strings that must appear in the same line use “[b]\,[/b]”.
Example: lstricmp\,RAVMOND.EXE<->Checks for security software presence
If you want to specify two or more strings that must appear in LOG_API.TXT you must use “[b]\&[/b]”.
Example: LdrFindEntryForAddress\&QuerySystemInformation\&OpenProcess(smss.exe)<->Traces of Max++[/quote]
So there are 3 string search methods:
1) Exact string match
2) Two or more strings match on the same line (\,)
3) Two or more strings match on different lines (\&)
Of course in BSA_USER.DAT you can use the same methods too.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84561#84561 Sun Oct 14, 2012 4:41 am
Hi Buster,
Thanks for the update :)
Under [Custom_LogAPI_Entries] there is "lstrcmp\," at the start. What does that mean and do we have to use the same format in BSA_USER.dat? What other switches are there?
Cheers, Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84546#84546 Sat Oct 13, 2012 4:14 pm
Released Buster Sandbox Analyzer 1.81.
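Buster's post above (p=84563) lists the three string search methods a LOG_API rule can use. As an added example that is not BSA's own code, the Python below applies rules in that syntax to a constructed LOG_API.TXT excerpt in the `API(args) [caller path]` layout shown later in the thread's guide, and records which process produced each match so that a rule fired only by a pre-installed binary such as cmd.exe (the guide's false-positive case) can be flagged. Case-insensitive matching and the "callers under C:\Windows are likely false positives" heuristic are assumptions, not documented BSA behaviour.

```python
r"""Apply BSA_USER.DAT-style LOG_API rules to a LOG_API.TXT log.

Added example, not Buster Sandbox Analyzer's own code. Rule syntax follows the
manual excerpt quoted in the thread:
    A\,B<->desc   A and B must appear on the same LOG_API.TXT line
    A\&B<->desc   A and B must each appear somewhere in LOG_API.TXT
    A<->desc      plain substring match on any one line
Assumed here (not stated on the page): matching is case-insensitive, and a
behavior whose matching lines all come from a binary under C:\Windows is
flagged as a likely false positive (the guide's cmd.exe case).
"""
import re
from dataclasses import dataclass, field

# A LOG_API.TXT call line looks like "API(args) [path of calling process]";
# "Executing: <path>" markers have no caller and are skipped.
LOG_LINE_RE = re.compile(r"^(?P<call>.+?)\s+\[(?P<proc>[^\]]+)\]\s*$")
SYSTEM_PREFIX = "c:\\windows\\"  # assumption: OS binaries live under here


@dataclass
class Behavior:
    description: str
    callers: set = field(default_factory=set)

    @property
    def likely_false_positive(self) -> bool:
        """True when every process that triggered the rule is an OS binary."""
        return bool(self.callers) and all(
            c.startswith(SYSTEM_PREFIX) for c in self.callers)


def parse_rule(rule: str):
    """Split 'pattern<->description' into ([same-line string groups], description).

    Groups are separated by \\& (any lines); strings in a group by \\, (same line).
    """
    pattern, sep, description = rule.partition("<->")
    if not sep:
        raise ValueError(f"rule lacks the '<->' separator: {rule!r}")
    groups = [[s.lower() for s in part.split("\\,")] for part in pattern.split("\\&")]
    return groups, description.strip()


def parse_log(log_text: str):
    """Return (call, caller) tuples, lower-cased for case-insensitive matching."""
    entries = []
    for raw in log_text.splitlines():
        m = LOG_LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("call").lower(), m.group("proc").lower()))
    return entries


def match_rule(entries, groups):
    """Return the callers that satisfied the rule, or None if it did not match.

    Every group needs at least one line containing all of the group's strings.
    """
    callers = set()
    for group in groups:
        hits = [proc for call, proc in entries if all(s in call for s in group)]
        if not hits:
            return None
        callers.update(hits)
    return callers


def find_behaviors(log_text: str, rules_text: str):
    """Evaluate every non-empty, non-comment rule line against the log."""
    entries = parse_log(log_text)
    found = []
    for rule in rules_text.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        groups, description = parse_rule(rule)
        callers = match_rule(entries, groups)
        if callers is not None:
            found.append(Behavior(description, callers))
    return found


# Constructed sample log (not a real capture) in the layout the guide shows.
SAMPLE_LOG = r"""Executing: c:\test\sample.exe
LoadLibrary(kernel32.dll) [c:\test\sample.exe]
lstricmp(RAVMOND.EXE) [c:\test\sample.exe]
LdrFindEntryForAddress(ntdll.dll) [c:\test\sample.exe]
QuerySystemInformation(SystemProcessInformation) [c:\test\sample.exe]
OpenProcess(smss.exe) [c:\test\sample.exe]
CreateProcess((null),C:\WINDOWS\system32\cmd.exe,(null)) [c:\test\sample.exe]
Executing: c:\windows\system32\cmd.exe
GetUserName() [c:\windows\system32\cmd.exe]
"""
# Constructed rules: the manual's two examples plus two more for illustration.
SAMPLE_RULES = r"""lstricmp\,RAVMOND.EXE<->Checks for security software presence
LdrFindEntryForAddress\&QuerySystemInformation\&OpenProcess(smss.exe)<->Traces of Max++
GetUserName<->Gets user name information
VirtualAllocEx\&WriteProcessMemory<->Code injection
"""

if __name__ == "__main__":
    for b in find_behaviors(SAMPLE_LOG, SAMPLE_RULES):
        flag = " (likely false positive)" if b.likely_false_positive else ""
        print(f"* {b.description}{flag}  <- {', '.join(sorted(b.callers))}")
```

Run as a script it prints the three matched behaviors, marking "Gets user name information" as a likely false positive because only cmd.exe produced it; the "Code injection" rule does not fire since no WriteProcessMemory line is present.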
Changes:
+ Updated LOG_API
+ Updated “URL Analyzer” feature
+ Updated “Check for Updates” feature
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84523#84523 Fri Oct 12, 2012 5:51 pm
Notes about version 1.80:

Updated “URL Analyzer” feature
From this version it is possible to define the web browser to be used, so Internet Explorer usage will not be forced.

Updated BSA.DAT
I have added many new entries to the "Custom_LogAPI_Entries" and "File_Strings" sections.

Updated LOG_API
Added support for new APIs that will help to catch new malware behaviors.

Updated malware behaviors
I added a few new malware behaviors. Thanks to Adam from hexacorn.com for the idea/help with the Zone.Identifier removal behavior.

Updated HexDive
Updated Adam´s HexDive to version 0.5

Fixed several bugs
One of the bugs is related to the "Check for Updates" feature. The link was pointing to the isoftware.nl domain and now "bsa.rar" is hosted at the netai.net domain, as you can see in the first post of this thread.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84522#84522 Fri Oct 12, 2012 5:29 pm
Released Buster Sandbox Analyzer 1.80.
Changes:
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Updated “URL Analyzer” feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated malware behaviors
+ Updated HexDive
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84484#84484 Thu Oct 11, 2012 7:41 am
[quote]Quoting Scrapie: What is causing the actual problem?[/quote]
I usually do tests in Windows XP and there LOG_API works fine, but yesterday I made a test with two samples in Windows 7 and I noticed a problem. The problem is in a hook at ZwQuerySystemInformation.
Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=84483#84483 Thu Oct 11, 2012 7:33 am
What is causing the actual problem? BSA is running fine here atm under the same OS as Tony's.
Cheers, Scrapie

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84459#84459 Wed Oct 10, 2012 7:22 pm
[quote]Quoting Buster:
[quote]Quoting TonyKlein: Win 7 Pro, 32 bit[/quote]
I made a test and I noticed a problem in Win 7. I will release BSA 1.80 soon. As soon as it is out, use that version and let me know if the problem is solved, please.[/quote]
Great news! :) I'll be away for a couple of days starting tomorrow, but I'll be able to give it a go sometime later on next week.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84457#84457 Wed Oct 10, 2012 4:36 pm
[quote]Quoting TonyKlein: Win 7 Pro, 32 bit[/quote]
I made a test and I noticed a problem in Win 7. I will release BSA 1.80 soon. As soon as it is out, use that version and let me know if the problem is solved, please.

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84387#84387 Mon Oct 08, 2012 3:33 pm
[quote]Quoting Buster: At the moment you can analyze Patrick Kolla's Filealyzer in 2 ways:
1. Do not inject LOG_API.DLL. The analysis will include file, registry and port changes. You will just miss API information and related behaviors.[/quote]
That actually worked for me :) I could live without the API information
[quote]2. Inject LOG_API.DLL and after the crash click Sandboxie Control right-click -> Terminate All Programs[/quote]
That went almost OK, however at the end I got a List Index Out of Bounds (710) error, and BSA froze on "Checking Log.api.txt"
[quote]What version of Filealyzer are you using? 2.0.5.57?[/quote]
Yup, latest version, but as I said it even happened to me on closing a Sandboxed Notepad...

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84385#84385 Mon Oct 08, 2012 3:18 pm
At the moment you can analyze Patrick Kolla's Filealyzer in 2 ways:
1. Do not inject LOG_API.DLL. The analysis will include file, registry and port changes. You will just miss API information and related behaviors.
2. Inject LOG_API.DLL and after the crash click Sandboxie Control right-click -> Terminate All Programs
What version of Filealyzer are you using? 2.0.5.57?

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84384#84384 Mon Oct 08, 2012 3:15 pm
Win 7 Pro, 32 bit

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84382#84382 Mon Oct 08, 2012 3:08 pm
The "RegHive is in use" message is due to Sandboxie still sandboxing processes. The message will not appear when no program is being sandboxed. So the question is to know why, when LOG_API is injected, the program crashes. What is your OS? 32 or 64 bit?

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84381#84381 Mon Oct 08, 2012 3:05 pm
OK, first without BSA running; it makes no difference:
I right-click an installer, in this case the one for Patrick Kolla's Filealyzer, and press 'run Sandboxed'
The installer launches, and red dots appear in the Tray Icon.
When the installer terminates, and as soon as I press 'finish', the runtime error appears. The red dots are still there.
Now WITH BSA running:
I delete the contents of the sandbox, I launch BSA and press Start Analysis; no problems so far
I again right-click the installer, and press 'run Sandboxed'
The installer launches, and red dots again appear in the Tray Icon.
When the installer terminates, after a second or so, the runtime error appears again. The red dots are still there.
BSA says: Ready for next step; I press Finish, and I get "RegHive is in use. Be sure SandboxIE is not running before pressing Finish Analysis button."
My only option is to cancel analysis.
Again, without the three lines in my inifile, no runtime error

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84380#84380 Mon Oct 08, 2012 2:48 pm
[quote]Quoting TonyKlein:
[quote]Quoting Buster: Repeat me the runtime error, please.[/quote]
Runtime Error 204 at 62002B20, and when I press "Finish Analysis" I get: "RegHive is in use. Be sure SandboxIE is not running before pressing Finish Analysis button."[/quote]
Two things:
1.- Tell me the exact steps you do until you receive the "Runtime Error 204 at 62002B20"
2.- When you click "Finish Analysis", does Sandboxie´s tray icon have red dots inside or is it completely yellow?

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84379#84379 Mon Oct 08, 2012 2:43 pm
[quote]Quoting Buster: Repeat me the runtime error, please.[/quote]
Runtime Error 204 at 62002B20, and when I press "Finish Analysis" I get: "RegHive is in use. Be sure SandboxIE is not running before pressing Finish Analysis button."

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84378#84378 Mon Oct 08, 2012 2:19 pm
[quote]Quoting TonyKlein: I meticulously followed the steps in the video. It turned out I didn't have the 2 ProcessLimit lines in there, so I added them. I then opened Notepad sandboxed in order to reveal the correct Sandbox location (which already was correct). On closing notepad I immediately received the said Runtime Error again, which is not good...[/quote]
Repeat me the runtime error, please.
[quote]Quoting TonyKlein: Is anything wrong with the 3 lines in my inifile, the way you see it?[/quote]
They are fine.
[quote]Quoting TonyKlein: I then got stuck with the HideDriver installation, as I don't have either HideDriver.sys or HideDriverGui.exe. I do have BSA.sys. What do I do now?[/quote]
Skip that part of the video. HideDriver was replaced by a custom driver I wrote.

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84377#84377 Mon Oct 08, 2012 1:19 pm
I meticulously followed the steps in the video. It turned out I didn't have the 2 ProcessLimit lines in there, so I added them. I then opened Notepad sandboxed in order to reveal the correct Sandbox location (which already was correct). On closing notepad I immediately received the said Runtime Error again, which is not good...
Is anything wrong with the 3 lines in my inifile, the way you see it?
I then got stuck with the HideDriver installation, as I don't have either HideDriver.sys or HideDriverGui.exe. I do have BSA.sys. What do I do now?
Also, the fact that the Runtime Error keeps popping up as long as the three lines are in my SandboxIE.ini doesn't seem to be a good sign
It's worth noting that previously I have been running the SandboxIE/BSA combo without that problem.
Thanks again for your patience and your help.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84376#84376 Mon Oct 08, 2012 9:48 am
Configure Sandboxie following this video: http://www.youtube.com/watch?v=MXASXoq5akc&feature=player_embedded

TonyKlein: http://www.sandboxie.com/phpbb/viewtopic.php?p=84362#84362 Sun Oct 07, 2012 9:53 pm
[quote]Quoting Buster: Did you change BSA´s title?[/quote]
I don't remember doing that. However, I decided to restart from scratch: I removed BSA, then uninstalled, then did a fresh install of SandboxIE.
I subsequently ran an installer sandboxed in order to test whether that side of things was OK. Everything worked fine.
I then extracted a fresh copy of BSA, edited sandboxie.ini, and launched BSA.exe. That went without a hitch.
I ran the sandboxed installer again, and everything seemed to go perfectly well, until the installer finished. I was then presented with a Runtime Error 204 at 62002B20, and when I pressed "Finish Analysis" I got: "RegHive is in use. Be sure SandboxIE is not running before pressing Finish Analysis button."
Exiting SandboxIE makes no difference.
I experimented a little, and found that, if I REMOVED the three lines from my Sandboxie.ini, the runtime error did NOT occur. I tested this repeatedly. So the problem must lie within that inifile. Here it is; can you see anything wrong?
[code]
[GlobalSettings]
Template=WindowsLive
Template=RoboForm
Template=FeedDemon
Template=OnlineArmor
Template=SnagIt
Template=AdobeAcrobatReader
Template=Evernote
Template=OfficeLicensing
Template=Avira_Antivirus

[DefaultBox]
ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
Enabled=y
InjectDll=C:\Buster Sandbox Analyser\LOG_API\32\LOG_API.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y

[UserSettings_268603D8]
SbieCtrl_UserName=netwerker
SbieCtrl_NextUpdateCheck=1349703328
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_ShowWelcome=n
SbieCtrl_EnableLogonStart=n
SbieCtrl_EnableAutoStart=y
SbieCtrl_AddDesktopIcon=y
SbieCtrl_AddQuickLaunchIcon=y
SbieCtrl_AddContextMenu=y
SbieCtrl_AddSendToMenu=y
SbieCtrl_WindowCoords=200,150,1401,819
SbieCtrl_ActiveView=40022
SbieCtrl_AutoApplySettings=n
SbieCtrl_HideWindowNotify=n
SbieCtrl_ProcessViewColumnWidths=250,70,300
SbieCtrl_HideMessage=*
SbieCtrl_BoxExpandedView=,
SbieCtrl_EditConfNotify=n[/code]

Buster: Re: Another "Window title does not match LOG_API string http://www.sandboxie.com/phpbb/viewtopic.php?p=84350#84350 Sun Oct 07, 2012 4:56 pm
[quote]Quoting TonyKlein: What could be wrong, or what am I doing wrong... ?[/quote]
Did you change BSA´s title?

TonyKlein: Re: Another "Window title does not match LOG_API string http://www.sandboxie.com/phpbb/viewtopic.php?p=84346#84346 Sun Oct 07, 2012 1:59 pm
[quote]Quoting TonyKlein: What could be wrong, or what am I doing wrong... ?[/quote]
Fresh install of both SandboxIE and BSA, but now I have another problem for which I have to post in the SandboxIE forum itself... Let me first try to solve that, and if necessary I'll repost here... Sorry about that...

TonyKlein: Another "Window title does not match LOG_API string!" http://www.sandboxie.com/phpbb/viewtopic.php?p=84342#84342 Sun Oct 07, 2012 12:10 pm
Hi there. Latest version of BSA. At first, on Finish Analysis, I got "Reghive not found!" I corrected the path, but now I get the dreaded "Window title does not match LOG_API string!" error when I press "Start Analysis".
I have the following in my SandboxIE ini file:
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%
InjectDll=C:\BSA\LOG_API\32\LOG_API.DLL (The path is correct.)
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
In Sandbox to Check it says "C:\Sandbox\Netwerker\DefaultBox", which is the correct location
What could be wrong, or what am I doing wrong... ?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84200#84200 Mon Oct 01, 2012 1:09 pm
raid: thanks for your kind words and the offer for hosting the tool. At the moment I will keep the archive in RapidShare but if I change my mind I will let you know, thanks!
raid: http://www.sandboxie.com/phpbb/viewtopic.php?p=84198#84198 Mon Oct 01, 2012 12:47 am
[quote]Quoting Buster: Because the BSA package was generating too much traffic, the owner of the website where BSA is hosted requested I move the file to an external host. So the file will not be available at http://bsa.isoftware.nl/bsa.rar anymore. You can find the link in the website or in the first post of this thread.[/quote]
Hi Buster! Just wanted to say thanks for the many improvements you've made to the program since I last used it. It's come a very long way. If you need additional hosting, I'd be happy to mirror your rar file on bughunter's homesite. Shoot me an email or respond here if you'd like! Glad to see you still around man!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84157#84157 Sat Sep 29, 2012 12:43 pm
Because the BSA package was generating too much traffic, the owner of the website where BSA is hosted requested I move the file to an external host. So the file will not be available at http://bsa.isoftware.nl/bsa.rar anymore. You can find the link in the website or in the first post of this thread.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84034#84034 Tue Sep 25, 2012 7:15 am
[quote]Quoting MrMan: I am up for collaborating. I use these tools frequently to analyze malware.[/quote]
The guide is in this page (Posted: Mon Sep 17, 2012 12:14 pm). Review it and post your additions, please.

MrMan: http://www.sandboxie.com/phpbb/viewtopic.php?p=84029#84029 Mon Sep 24, 2012 10:24 pm
[quote]Quoting Buster: BSA is in the final stage of development and next releases will not include many new features, just bugfixes. So at this point I thought it would be nice if I write a guide to improve malware analyses results.
Anyone is up to collaborate creating the guide?[/quote]
I am up for collaborating. I use these tools frequently to analyze malware.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=84018#84018 Mon Sep 24, 2012 2:47 pm
Released Buster Sandbox Analyzer 1.79.
Changes:
+ Added “Edit BSA_USER.DAT” feature
+ Improved typical error problem checkings
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated malware behaviors
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83919#83919 Mon Sep 17, 2012 12:14 pm
At the moment I got this for the guide:
[quote:82d8d22f1e]Guide for the best malware analysis results with Buster Sandbox Analyzer
First revision - 12th September 2012

Buster Sandbox Analyzer usually produces good analysis results but there are a few things you can do in order to improve them. This guide offers a few suggestions to improve analyses and, therefore, results.

The PC lab
The configuration of the PC where you make analyses is very important. Considering that actually most malwares are being coded for 32 bit systems, probably the best operating system to be used is Windows XP. As we want malwares to show as many behaviors as possible, it is not a bad idea if the operating system is not fully patched. A Windows XP with Service Pack 2 would be a smart decision.
If we want certain malware behaviors to show up, we need to set up the PC as if it was like any other production PC. That means:
* Installing software like Microsoft Office, Adobe Acrobat Reader, ...
* Configuring at least one mail account at Outlook
It is important not to install the last version of programs like Office or Adobe Acrobat Reader. Those versions are usually less exploitable and that is against our interests, so it is a better idea if we install older versions.

Network behaviors
Nowadays many malwares are trojan downloaders.
This kind of malware connects to a server, downloads one or more files and installs more malware in the PC. If the connection to the server fails, most malware behaviors will not be executed, so when possible, executing the malware with a real internet connection is the best option in order to get the best malware analysis results.
When using a real internet connection is not an option, then the second best option is using software like FakeNet. FakeNet is a Windows network simulation tool designed for malware analysis. Sadly it can not monitor all kinds of network activity, just a few protocols like DNS, HTTP or SSL. Anyway that is better than nothing.

USB behavior
Many malwares spread over USB drives. Buster Sandbox Analyzer has a malware behavior that watches this behavior, but this is not possible if there is not a USB drive attached to the PC. Therefore it is a good idea if you insert a USB drive before starting to make analyses.

Keylogger functionality behavior
Detecting keylogging activity accurately is very difficult. Keylogging can be performed using very common Windows APIs. Probably most of the times the “Keylogger functionality” behavior is reported, it is not correct. You may consider even removing this behavior from reports.

Avoiding false positive behaviors
As with traditional antivirus products, Buster Sandbox Analyzer may produce false positive behavior results. A false positive behavior is when Buster Sandbox Analyzer reports a behavior, like “Gets user name” i.e., when that is not exactly correct.
When does a false positive behavior get produced? Usually a false positive gets produced when a program already installed in the system, like “cmd.exe”, produces the behavior. Let´s see an example:

[ Process/window/string information ]
* Keylogger functionality.
* Enables process privileges.
* Gets user name information.
* Gets system default language ID.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Creates process "(null),C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\123.exe,(null)". * Injects code into process "c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\123.exe". * Injects code into process "c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\456.exe". * Creates a mutex "ZonesCounterMutex". * Creates a mutex "ZonesCacheCounterMutex". * Creates a mutex "ZonesLockedCacheCounterMutex". * Creates process "(null),"C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\DelUS.bat" ,c:\m\test\1". * Injects code into process "c:\windows\system32\cmd.exe". As we can see in the example report, the analysis shows that user name, default language ID, computer name and volumen information were retrieved. These behaviors are extracted by Buster Sandbox Analyzer from LOG_API.TXT. Let´s take a look at this file: Executing: c:\test\result_123.exe LoadLibrary(kernel32.dll) [c:\test\result_123.exe] LoadLibrary(shell32.dll) [c:\test\result_123.exe] LoadLibrary(advapi32.dll) [c:\test\result_123.exe] LoadLibrary(rpcrt4.dll) [c:\test\result_123.exe] LoadLibrary(secur32.dll) [c:\test\result_123.exe] LoadLibrary(msvcrt.dll) [c:\test\result_123.exe] LoadLibrary(shlwapi.dll) [c:\test\result_123.exe] GetModuleHandle(lz32.dll) [c:\test\result_123.exe] LoadLibrary(lz32.dll) [c:\test\result_123.exe] GetModuleHandle(kernel32.dll) [c:\test\result_123.exe] VirtualQueryEx(c:\test\result_123.exe) [c:\test\result_123.exe] GetModuleHandle(Kernel32) [c:\test\result_123.exe] LoadLibrary(comctl32.dll) [c:\test\result_123.exe] SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\test\result_123.exe] SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\test\result_123.exe] SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\test\result_123.exe] OpenProcessToken(c:\test\result_123.EXE) [c:\test\result_123.exe] SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\test\result_123.exe] SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\test\result_123.exe] 
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\test\result_123.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\test\result_123.exe]
GetModuleHandle(LPK.DLL) [c:\test\result_123.exe]
GetModuleHandle(USER32) [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\test\result_123.exe]
ResumeThread() [c:\test\result_123.exe]
CreateFile(c:\test\123.exe) [c:\test\result_123.exe]
CreateProcess((null),C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\123.exe,(null)) [c:\test\result_123.exe]
GetModuleHandle(winlogon.EXE) [c:\test\result_123.exe]
GetModuleHandle(advapi32) [c:\test\result_123.exe]
LoadLibrary(apphelp.dll) [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\ADVAPI32.dll) [c:\test\result_123.exe]
VirtualAllocEx(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\123.exe) [c:\test\result_123.exe]
WriteProcessMemory(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\123.exe) [c:\test\result_123.exe]
CreateFile(C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\456.exe) [c:\test\result_123.exe]
Executing: c:\documents and settings\administrador\configuración local\temp\123.exe
VirtualAllocEx(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\123.exe) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(comdlg32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(rpcrt4.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(secur32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(comctl32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(shell32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(kernel32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(gdi32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(user32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(winspool.drv) [c:\documents and settings\administrador\configuración local\temp\123.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
GetModuleHandle(Kernel32) [c:\documents and settings\administrador\configuración local\temp\123.exe]
GetModuleHandle(LPK.DLL) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETWHEELSCROLLLINES,0) [c:\documents and settings\administrador\configuración local\temp\123.exe]
GetModuleHandle(USER32) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETDRAGFULLWINDOWS,4) [c:\documents and settings\administrador\configuración local\temp\123.exe]
OpenProcessToken(C:\Documents and Settings\Administrador\Configuración local\Temp\123.exe) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETNONCLIENTMETRICS,500) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETMOUSEHOVERTIME,0) [c:\documents and settings\administrador\configuración local\temp\123.exe]
VirtualQueryEx(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\123.exe) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETHIGHCONTRAST,12) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETMENUDROPALIGNMENT,0) [c:\documents and settings\administrador\configuración local\temp\123.exe]
SystemParametersInfo(SPI_GETFLATMENU,0) [c:\documents and settings\administrador\configuración local\temp\123.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
ResumeThread() [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
LoadLibrary(uxtheme.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
IsDebuggerPresent() [c:\documents and settings\administrador\configuración local\temp\123.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\administrador\configuración local\temp\123.exe]
BitBlt() [c:\documents and settings\administrador\configuración local\temp\123.exe]
VirtualAllocEx(c:\test\result_123.exe) [c:\test\result_123.exe]
VirtualAllocEx(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\456.exe) [c:\test\result_123.exe]
WriteProcessMemory(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\456.exe) [c:\test\result_123.exe]
CreateFile(C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\DelUS.bat) [c:\test\result_123.exe]
LoadLibrary(ole32.dll) [c:\test\result_123.exe]
Executing: c:\documents and settings\administrador\configuración local\temp\456.exe
VirtualAllocEx(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\456.exe) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(msvbvm60.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\test\result_123.exe]
LoadLibrary(uxtheme.dll) [c:\test\result_123.exe]
IsDebuggerPresent() [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\test\result_123.exe]
LoadLibrary(netapi32) [c:\test\result_123.exe]
LoadLibrary(netapi32.dll) [c:\test\result_123.exe]
GetComputerName() [c:\test\result_123.exe]
GetModuleHandle(netapi32) [c:\test\result_123.exe]
GetModuleHandle(OLE32.DLL) [c:\test\result_123.exe]
LoadLibrary(c:\windows\system32\shell32.dll) [c:\test\result_123.exe]
LoadLibrary(advapi32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(rpcrt4.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(EXPLORER.EXE) [c:\test\result_123.exe]
LoadLibrary(secur32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(setupapi.dll) [c:\test\result_123.exe]
LoadLibrary(ole32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(msvcrt.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(oleaut32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [c:\test\result_123.exe]
GetModuleHandle(lz32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(lz32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(kernel32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
VirtualQueryEx(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\456.exe) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(clbcatq.dll) [c:\test\result_123.exe]
LoadLibrary(comres.dll) [c:\test\result_123.exe]
LoadLibrary(oleaut32.dll) [c:\test\result_123.exe]
LoadLibrary(version.dll) [c:\test\result_123.exe]
LoadLibrary(c:\windows\system32\urlmon.dll) [c:\test\result_123.exe]
GetModuleHandle(KERNEL32) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(iexplore.exe) [c:\test\result_123.exe]
CreateMutex(ZonesCounterMutex) [c:\test\result_123.exe]
CreateMutex(ZonesCacheCounterMutex) [c:\test\result_123.exe]
CreateMutex(ZonesLockedCacheCounterMutex) [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
ResumeThread() [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(c:\windows\system32\vb6es.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(urlmon.dll) [c:\test\result_123.exe]
LoadLibrary(vb6es.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(shlwapi.dll) [c:\test\result_123.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetUserName() [c:\test\result_123.exe]
LoadLibrary(uxtheme.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
IsDebuggerPresent() [c:\documents and settings\administrador\configuración local\temp\456.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(oleaut32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(ole32.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(sxs.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
FreeLibrary(C:\WINDOWS\system32\shell32.dll) [c:\test\result_123.exe]
BitBlt() [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetModuleHandle(USER32) [c:\documents and settings\administrador\configuración local\temp\456.exe]
GetSystemDefaultLangID() [c:\documents and settings\administrador\configuración local\temp\456.exe]
SetWindowsHookEx() [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(wintrust.dll) [c:\test\result_123.exe]
LoadLibrary(crypt32.dll) [c:\test\result_123.exe]
LoadLibrary(msasn1.dll) [c:\test\result_123.exe]
LoadLibrary(imagehlp.dll) [c:\test\result_123.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\test\result_123.exe]
GetModuleHandle(rsaenh.dll) [c:\test\result_123.exe]
LoadLibrary(rsaenh.dll) [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\CRYPT32.dll) [c:\test\result_123.exe]
LoadLibrary(c:\windows\system32\vb6de.dll) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(msisip.dll) [c:\test\result_123.exe]
GetModuleHandle(C:\WINDOWS\system32\MSVBVM60.DLL) [c:\documents and settings\administrador\configuración local\temp\456.exe]
FreeLibrary(C:\WINDOWS\system32\ole32.dll) [c:\test\result_123.exe]
OpenProcess(csrss.exe) [c:\documents and settings\administrador\configuración local\temp\456.exe]
LoadLibrary(c:\windows\system32\crypt32.dll) [c:\test\result_123.exe]
LoadLibrary(c:\windows\system32\wshext.dll) [c:\test\result_123.exe]
LoadLibrary(wshext.dll) [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\wshext.dll) [c:\test\result_123.exe]
GetModuleHandle(userenv) [c:\test\result_123.exe]
LoadLibrary(c:\docume~1\admini~1\config~1\temp\delus.bat) [c:\test\result_123.exe]
CreateProcess((null),"C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\DelUS.bat" ,c:\test) [c:\test\result_123.exe]
VirtualAllocEx(c:\windows\system32\cmd.exe) [c:\test\result_123.exe]
WriteProcessMemory(c:\windows\system32\cmd.exe) [c:\test\result_123.exe]
GetModuleHandle(browseui.dll) [c:\test\result_123.exe]
FreeLibrary(C:\WINDOWS\system32\urlmon.dll) [c:\test\result_123.exe]
ExitProcess(0) [c:\test\result_123.exe]
FreeLibrary() [c:\test\result_123.exe]
Executing: c:\windows\system32\cmd.exe
LoadLibrary(kernel32.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(msvcrt.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(user32.dll) [c:\windows\system32\cmd.exe]
GetModuleHandle(lz32.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(lz32.dll) [c:\windows\system32\cmd.exe]
GetModuleHandle(kernel32.dll) [c:\windows\system32\cmd.exe]
VirtualQueryEx(c:\windows\system32\cmd.exe) [c:\windows\system32\cmd.exe]
FreeLibrary(C:\WINDOWS\system32\lz32.dll) [c:\windows\system32\cmd.exe]
ResumeThread() [c:\windows\system32\cmd.exe]
LoadLibrary(c:\windows\system32\uxtheme.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(uxtheme.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(advapi32.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(rpcrt4.dll) [c:\windows\system32\cmd.exe]
LoadLibrary(secur32.dll) [c:\windows\system32\cmd.exe]
IsDebuggerPresent() [c:\windows\system32\cmd.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\windows\system32\cmd.exe]
GetVolumeInformation(C:\) [c:\windows\system32\cmd.exe]
OpenProcess(explorer.exe) [c:\test\result_123.exe]
GetModuleHandle(advapi32) [c:\windows\system32\cmd.exe]
GetModuleHandle(mscoree.dll) [c:\windows\system32\cmd.exe]
ExitProcess(1) [c:\windows\system32\cmd.exe]

The behavior "Gets volume information" was raised due to this line:

GetVolumeInformation(C:\) [c:\windows\system32\cmd.exe]

"cmd.exe" is the console window, so this behavior can be considered a false positive. The same could be applied if "GetComputerName" or "GetUserName" were executed by "cmd.exe" or any other system application instead of being executed by the analyzed malware or any of the dropped or downloaded programs.

How to avoid this kind of false positive behaviors? Using the API exclusion list ("APIExclude.TXT"). You must include entries in that list that make Buster Sandbox Analyzer ignore those lines in LOG_API.TXT. A typical entry could be like this:

GetVolumeInformation(C:\) [c:\windows\system32\cmd.exe][/quote:82d8d22f1e]

If anyone has anything else to contribute to the guide, just post it here.
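The LOG_API.TXT to behaviour step and the APIExclude.TXT filter described in the guide, as an added Python example that is not BSA's own code: it parses lines of the `Call(args) [process]` form shown above, maps a few calls to report behaviours, and drops lines listed in the exclusion file. The function names, the three behaviour labels that do not appear in the report excerpt, and case-insensitive matching of exclusion entries are this example's own assumptions, not documented BSA behaviour.

```python
"""LOG_API.TXT -> behaviour extraction with an APIExclude.TXT filter.

Added example, not BSA's own code: it re-implements the step the guide
describes (BSA derives report behaviours from LOG_API.TXT lines and skips
the lines listed in APIExclude.TXT).  Line format assumed from the dump
above:  Call(args) [process that issued the call]
"""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# One LOG_API.TXT entry.  'args' is greedy so that parentheses inside the
# arguments, e.g. CreateProcess((null),...,(null)), are captured whole.
ENTRY_RE = re.compile(
    r"^(?P<api>[A-Za-z0-9_]+)\((?P<args>.*)\)\s*\[(?P<proc>[^\]]*)\]\s*$"
)

# Behaviour labels.  The first four are worded as in the report excerpt in
# this thread; the remaining three are this example's own wording (BSA's
# exact labels for them are not shown on the page).
BEHAVIOURS: Dict[str, Callable[[str], str]] = {
    "CreateProcess": lambda a: f'Creates process "{a}"',
    "WriteProcessMemory": lambda a: f'Injects code into process "{a}"',
    "CreateMutex": lambda a: f'Creates a mutex "{a}"',
    "GetVolumeInformation": lambda a: "Gets volume information",
    "GetComputerName": lambda a: "Gets computer name",
    "GetUserName": lambda a: "Gets user name",
    "GetSystemDefaultLangID": lambda a: "Gets system default language ID",
}


def normalise(line: str) -> str:
    """Canonical form for exclusion matching: collapse whitespace and fold
    case (Windows paths are case-insensitive).  This is an assumption about
    sensible matching, not a documented BSA rule."""
    return " ".join(line.split()).lower()


def parse_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (api, args, process) for a call line, or None for blank lines
    and 'Executing: <path>' section markers."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return m.group("api"), m.group("args"), m.group("proc")


def load_exclusions(text: str) -> Set[str]:
    """Parse APIExclude.TXT: one full LOG_API.TXT line per entry."""
    return {normalise(entry) for entry in text.splitlines() if entry.strip()}


def extract_behaviours(log_text: str, exclude_text: str = "") -> List[str]:
    """Walk LOG_API.TXT, drop excluded lines, and return the distinct
    behaviours in first-seen order (the order the report lists them)."""
    excluded = load_exclusions(exclude_text)
    found: List[str] = []
    for raw in log_text.splitlines():
        if not raw.strip() or normalise(raw) in excluded:
            continue                  # blank, or silenced by APIExclude.TXT
        entry = parse_entry(raw)
        if entry is None:
            continue                  # "Executing: ..." section marker
        api, args, _proc = entry
        make_label = BEHAVIOURS.get(api)
        if make_label is None:
            continue                  # LoadLibrary etc.: no behaviour
        label = make_label(args)
        if label not in found:
            found.append(label)
    return found


def render_report(behaviours: List[str]) -> str:
    """Report.txt style bullet list, as in the excerpt above."""
    return "".join(f"* {b}.\n" for b in behaviours)


# Constructed sample: a handful of lines taken from the LOG_API.TXT dump above.
SAMPLE_LOG = r"""
Executing: c:\test\result_123.exe
LoadLibrary(kernel32.dll) [c:\test\result_123.exe]
CreateProcess((null),C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\123.exe,(null)) [c:\test\result_123.exe]
WriteProcessMemory(c:\sandbox\administrador\defaultbox\user\current\configuración local\temp\123.exe) [c:\test\result_123.exe]
CreateMutex(ZonesCounterMutex) [c:\test\result_123.exe]
GetUserName() [c:\test\result_123.exe]
Executing: c:\windows\system32\cmd.exe
IsDebuggerPresent() [c:\windows\system32\cmd.exe]
GetVolumeInformation(C:\) [c:\windows\system32\cmd.exe]
"""

# The exclusion entry the guide suggests (console window's own call); extra
# spaces and upper-case path show the whitespace/case normalisation.
SAMPLE_EXCLUDE = r"""
GetVolumeInformation(C:\)   [C:\WINDOWS\system32\cmd.exe]
"""

if __name__ == "__main__":
    print("Without APIExclude.TXT:\n" + render_report(extract_behaviours(SAMPLE_LOG)))
    print("With APIExclude.TXT:\n" + render_report(extract_behaviours(SAMPLE_LOG, SAMPLE_EXCLUDE)))
```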
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83918#83918 Mon Sep 17, 2012 12:11 pm

Notes about the 1.78 release:

Added a feature to specify the report folder in automatic mode
Now it is possible to specify (from the GUI or the command line) the report folder (instead of \BSA\Reports).

Improved "URL Analyzer" feature
A user noticed some websites were rejecting the connection with the user agent string in use, so I added a feature that allows changing the user agent string. I also added a feature (enabled by default) to use the system proxy settings when connecting to a server.

Improved command line feature
Now it is possible to specify the analysis time using "-s" or "-seconds" for time in seconds, "-m" or "-minutes" for time in minutes, "-f" or "-folder" to specify the folder with files to analyze and "-r" or "-report" to specify the report folder.

Removed "Save Settings on Exit" feature
From now on BSA will save settings automatically on exit.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83917#83917 Mon Sep 17, 2012 11:57 am

Released Buster Sandbox Analyzer 1.78.

Changes:
+ Added a feature to specify the report folder in automatic mode
+ Improved "URL Analyzer" feature
+ Improved command line feature
+ Removed "Save Settings on Exit" feature
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83659#83659 Sat Sep 08, 2012 11:27 am

Thanks Scrapie! I will write a first draft and as soon as it's done I will share it so anyone can contribute new material to be included. I asked Guest10 to be the editor of the document.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=83657#83657 Sat Sep 08, 2012 8:54 am

[quote="Buster"]Is anyone up to collaborate on creating the guide?[/quote]

Yup, count me in...
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83613#83613 Thu Sep 06, 2012 9:15 am

BSA is in the final stage of development and the next releases will not include many new features, just bugfixes. So at this point I thought it would be nice if I wrote a guide to improve malware analysis results. Is anyone up to collaborate on creating the guide?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83499#83499 Sat Sep 01, 2012 10:56 am

[quote="Scrapie"]Done that but not working. Will double check after I tested the three APIs for you & will get back to you here ... :)

//EDIT: No, not working here, sorry. In my cfg I have this line like it worked in the past + like it is stated in the BSA help file:

[code]PacketDumpOptions DumpPackets:Yes Fileprefix:packets
DNSOptions ModifyLocalDNS:Yes
InvasiveOptions EnableDummyService:Yes RedirectAllTraffic:Yes MaxListeners:200
OutputOptions DumpOutput:Yes Fileprefix:output[/code]

but when I start FakeNet from CMD I get this output:

[code]FakeNet Version 1.0
[Starting program, for help open a web browser and surf to any URL.]
[Press CTRL-C to exit.]
Error parsing line: OutputOptions DumpOutput:Yes Fileprefix:output[/code]

What the hell is wrong here ¿?¿[/quote]

Version 1.0 includes a new option and it seems like you just replaced the configuration line from the previous version. The correct line is:

"OutputOptions [b]DumpHTTPPosts:No[/b] DumpOutput:Yes Fileprefix:output"

Bold is the new parameter.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=83497#83497 Sat Sep 01, 2012 9:38 am

Done that but not working. Will double check after I tested the three APIs for you & will get back to you here ... :)

//EDIT: No, not working here, sorry.
In my cfg I have this line like it worked in the past + like it is stated in the BSA help file:

[code]PacketDumpOptions DumpPackets:Yes Fileprefix:packets
DNSOptions ModifyLocalDNS:Yes
InvasiveOptions EnableDummyService:Yes RedirectAllTraffic:Yes MaxListeners:200
OutputOptions DumpOutput:Yes Fileprefix:output[/code]

but when I start FakeNet from CMD I get this output:

[code]FakeNet Version 1.0
[Starting program, for help open a web browser and surf to any URL.]
[Press CTRL-C to exit.]
Error parsing line: OutputOptions DumpOutput:Yes Fileprefix:output[/code]

What the hell is wrong here ¿?¿

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83495#83495 Sat Sep 01, 2012 7:04 am

Do you mean version 1.0c? I just tested and I don't see any problem. From the BSA manual:

"Configuration: Edit FakeNet.cfg and change the line containing the string "OutputOptions DumpOutput:No Fileprefix:output" for "OutputOptions DumpOutput:Yes Fileprefix:output".

Note: It is very important that you edit FakeNet.cfg as explained above; if not, BSA will freeze when "FakeNet Mode" is enabled."

Did you do that?

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=83494#83494 Sat Sep 01, 2012 6:16 am

Hi there :)

The latest version of FakeNet causes BSA to freeze. It waits for FakeNet to initialize for ever.

Scrapie

Buster: Re: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83476#83476 Fri Aug 31, 2012 9:24 am

[quote="jaysonpryde"]Sent it already.[/quote]

Got it, thanks!
When I analyze the file, after removing certain registry keys and values, I get the following modifications:

[code]machine\software\microsoft\Windows\CurrentVersion\Uninstall\Internet Disk Cleaner\DisplayName = Internet Disk Cleaner
machine\software\microsoft\Windows\CurrentVersion\Uninstall\Internet Disk Cleaner\UninstallString = C:\ARCHIV~1\SB~0007B.CF5\UNWISE.EXE C:\ARCHIV~1\SB~0007B.CF5\INSTALL.LOG
user\current\software\Microsoft\Windows\CurrentVersion\New\@127 = 14842
user\current\software\Microsoft\Windows\CurrentVersion\Run\Internet Disk Cleaner = C:\Archivos de programa\Internet Disk Cleaner\ClearHistory.exe -Start[/code]

Look at the registry modifications in the RegHive you sent me:

[code]\Sandbox_Administrator_DefaultBox\user\current\Network\z = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\classes\SymbolicLinkValue = 5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F00410064006D0069006E006900730074007200610074006F0072005F00440065006600610075006C00740042006F0078005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\GDIPlus = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess = yes
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\l = 530074006100720074002E00650078006500000045003A005C0069006E007300740061006C006C006500720073000000
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList = lakbjcidhgfe
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##.host#Shared Folders\BaseClass = Drive
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e61b4d6-f097-11df-a335-806d6172696f}\BaseClass = Drive
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e61b4d9-f097-11df-a335-806d6172696f}\BaseClass = Drive
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d38c15f-65fa-4cfa-9734-d4a23d3e5a54}\BaseClass = Drive
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Recent = C:\Documents and Settings\Administrator\Recent
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal = C:\Documents and Settings\Administrator\My Documents
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = C:\Documents and Settings\Administrator\Desktop
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites = C:\Documents and Settings\Administrator\Favorites
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData = C:\Documents and Settings\Administrator\Local Settings\Application Data
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData = C:\Documents and Settings\Administrator\Application Data
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache = C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Internet Settings = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots = 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx = 010000000700000002000000030000000400000006000000080000000000000005000000FFFFFFFF
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\1\MRUListEx = 020000000000000005000000010000000600000008000000070000000300000004000000FFFFFFFF
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\MRUListEx = 04000000030000000500000001000000000000000C000000020000000B000000060000000A000000090000000700000008000000FFFFFFFF
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\4\MRUListEx = 0000000005000000040000000B0000000A00000007000000090000000200000001000000080000000600000003000000FFFFFFFF
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\4\0 = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\BagMRU\1\2\14 = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\Bags\43\Shell\FolderType = Documents
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\Bags\5\Shell\FolderType = Documents
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows\ShellNoRoam\Bags\74\Shell\FolderType = Documents
\Sandbox_Administrator_DefaultBox\user\current\software\Microsoft\Windows NT\CurrentVersion\Winlogon = empty registry key
\Sandbox_Administrator_DefaultBox\user\current\software\SandboxieAutoExec = 31
\Sandbox_Administrator_DefaultBox\user\current_classes\*\shell\sandbox = deleted registry key[/code]

The values I get are not in your RegHive, therefore this is not a problem in BSA. Somehow, when you run the application sandboxed, the registry changes are not being applied to RegHive. I would say you are doing something wrong, but it's not something related to BSA, or at least not to a bug in the code.

jaysonpryde: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83475#83475 Fri Aug 31, 2012 9:18 am

Sent it already.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83474#83474 Fri Aug 31, 2012 9:13 am

jaysonpryde: You say you are using it under a virtual machine, right? I would like you to install Sandboxie in the real system, if it's not installed yet, and download and install BSA 1.77 in the real system too, in the "C:\BSA" folder. Copy "\LOG_API\32\LOG_API.DLL" to "C:\BSA". Configure Sandboxie.ini (DefaultBox) and add the typical entries:

InjectDll=C:\BSA\LOG_API.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y

Reload the configuration. Then run BSA, put in the path to the "DefaultBox" sandbox folder and analyze "C:\WINDOWS\NOTEPAD.EXE". Let me know if RegDiff.TXT is created or not.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83473#83473 Fri Aug 31, 2012 8:48 am

Take a look at BSA.PDF.

jaysonpryde: http://www.sandboxie.com/phpbb/viewtopic.php?p=83472#83472 Fri Aug 31, 2012 8:46 am

[quote="Buster"]1) Send me the "RegHive" file created after analyzing the file (uploading the file to a server or mailing it, as you prefer)[/quote]

What email address can I send it to?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83471#83471 Fri Aug 31, 2012 8:34 am

If you want a solution I suggest you do what I told you.

1) Send me the "RegHive" file created after analyzing the file (uploading the file to a server or mailing it, as you prefer)
2) Let me know what is the last version after 1.36 that works fine so I can know what version started failing.
jaysonpryde: http://www.sandboxie.com/phpbb/viewtopic.php?p=83467#83467 Fri Aug 31, 2012 7:33 am

BSA 1.44 can generate RegDiff.txt, but regardless of the file being run in Sandboxie, the RegDiff.txt contains only the following:

user\current\software\classes\SymbolicLinkValue = <value>
user\current\classes\*\shell\sandbox = deleted registry key

I've created a program that adds a registry entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. It's captured in the RegDiff generated by BSA 1.36 but not in BSA 1.44.

Just a curious question, does registering Sandboxie have something to do with this? Again, just curious.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83459#83459 Thu Aug 30, 2012 9:41 pm

I uploaded the next versions:

http://bsa.isoftware.nl/old/bsa137.rar
http://bsa.isoftware.nl/old/bsa138.rar
http://bsa.isoftware.nl/old/bsa139.rar
http://bsa.isoftware.nl/old/bsa140.rar
http://bsa.isoftware.nl/old/bsa141.rar
http://bsa.isoftware.nl/old/bsa142.rar
http://bsa.isoftware.nl/old/bsa143.rar
http://bsa.isoftware.nl/old/bsa144.rar

You say BSA 1.36 works fine. Ok, from that version on, download and test the versions. Let me know what is the last version working fine and the first not working.

Buster: Re: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83457#83457 Thu Aug 30, 2012 5:33 pm

[quote="jaysonpryde"]I have no rapidshare account. I just pasted the contents. Hope you can dump it..[/quote]

I can not. Upload to hotfile, rapidgator, ... Or compress the file with RAR and mail it to me at "malware.collector". I have an account at gmail. If you have one too, maybe we could even chat.
jaysonpryde: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83455#83455 Thu Aug 30, 2012 4:49 pm

Hi, I've tested all the versions you recommended but no version generated RegDiff.txt. I tried using BSA 1.42 and it did generate a RegDiff.txt. However, the contents are incorrect. Regardless of what the file is, the contents of RegDiff.txt are:

user\current\software\classes\SymbolicLinkValue = <value>
user\current\classes\*\shell\sandbox = deleted registry key

jaysonpryde: http://www.sandboxie.com/phpbb/viewtopic.php?p=83454#83454 Thu Aug 30, 2012 4:13 pm

By the way, my Sandboxie version is 3.74. Just FYI.

jaysonpryde: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83453#83453 Thu Aug 30, 2012 4:02 pm

I have no rapidshare account. I just pasted the contents. Hope you can dump it..

Apologies snipped. --tzuk

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83452#83452 Thu Aug 30, 2012 4:01 pm

I will be away for the next hour. I will check the forum when I am back.

Buster: Re: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83451#83451 Thu Aug 30, 2012 3:54 pm

[quote="jaysonpryde"]How will I send you the reghive? Attachments are not allowed here, right?[/quote]

Upload the file to rapidshare, e.g. Let me know about the tests with versions 1.71 - 1.75. If none works I will upload a few versions from version 1.37 on, to know in what version it stopped working for you.
jaysonpryde: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83450#83450 Thu Aug 30, 2012 3:54 pm

How will I send you the reghive? Attachments are not allowed here, right?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83449#83449 Thu Aug 30, 2012 3:48 pm

Do this also: Analyze the file in manual mode and send me the "RegHive" file from the "c:\Sandbox\Administrator\DefaultBox" folder.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83448#83448 Thu Aug 30, 2012 3:40 pm

I have tried the manual mode and I get the same results. Make a test using the automatic mode and let me know if it makes any difference.

jaysonpryde: RE: RegDiff.txt is not generated on BSA v1.76 http://www.sandboxie.com/phpbb/viewtopic.php?p=83447#83447 Thu Aug 30, 2012 3:37 pm

I am using Manual Testing. I am also running on a virtual XP SP3 machine.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=83446#83446 Thu Aug 30, 2012 3:33 pm

I have tried and I get RegDiff.TXT generated with these values inside:

[code]machine\software\microsoft\Windows\CurrentVersion\Uninstall\Internet Disk Cleaner\DisplayName = Internet Disk Cleaner
machine\software\microsoft\Windows\CurrentVersion\Uninstall\Internet Disk Cleaner\UninstallString = C:\ARCHIV~1\SB~0007B.CF5\UNWISE.EXE C:\ARCHIV~1\SB~0007B.CF5\INSTALL.LOG
user\current\software\Microsoft\Windows\CurrentVersion\New\@127 = 14842
user\current\software\Microsoft\Windows\CurrentVersion\Run\Internet Disk Cleaner = C:\Archivos de programa\Internet Disk Cleaner\ClearHistory.exe -Start[/code]

How are you testing, in manual or automatic mode?
jaysonpryde - Thu Aug 30, 2012 3:25 pm - RE: RegDiff.txt is not generated on BSA v1.76
http://www.sandboxie.com/phpbb/viewtopic.php?p=83445#83445
You can also use the FileZilla Client installer...

jaysonpryde - Thu Aug 30, 2012 3:22 pm - RE: RegDiff.txt is not generated on BSA v1.76
http://www.sandboxie.com/phpbb/viewtopic.php?p=83444#83444
http://www.download3k.com/Install-Internet-Disk-Cleaner.html

Buster - Thu Aug 30, 2012 3:15 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83443#83443
Do you have a download URL for that file? I will check it here.

jaysonpryde - Thu Aug 30, 2012 3:12 pm - RE: RegDiff.txt is not generated on BSA v1.76
http://www.sandboxie.com/phpbb/viewtopic.php?p=83442#83442
Hi,
"Sandbox folder to check" --> c:\Sandbox\Administrator\DefaultBox
Yes, I am sure that the file I am running makes some registry modifications, because using BSA 1.36, RegDiff.txt is generated and changes were also recorded in Report.txt. The file that I am running is "IDCSetup(downloaded).exe".
Thanks!

Buster - Thu Aug 30, 2012 3:03 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83441#83441
Anyone else having the same problem?

Buster - Thu Aug 30, 2012 2:58 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83440#83440
LOG_API is not related to RegDiff.TXT creation.
Some questions:
Are you sure the application you are sandboxing makes changes to the registry?
Have you defined the sandbox folder correctly? Please copy & paste here what you have at "Sandbox folder to check:".

jaysonpryde - Thu Aug 30, 2012 2:56 pm - RE: RegDiff.txt is not generated on BSA v1.76
http://www.sandboxie.com/phpbb/viewtopic.php?p=83439#83439
Thanks for the quick response. I will do what you've recommended, but to let you know, I've also tested this using BSA 1.77 and RegDiff is still not generated. Aside from renaming log_api_verbose.dll to log_api.dll, do I have to do some other stuff? Some necessary modifications in BSA.ini? Or Sandboxie.ini? Thanks again!

Buster - Thu Aug 30, 2012 2:49 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83438#83438
jaysonpryde: old BSA versions are available here:
http://bsa.isoftware.nl/bsa176.rar
http://bsa.isoftware.nl/bsa175.rar
http://bsa.isoftware.nl/bsa174.rar
http://bsa.isoftware.nl/bsa173.rar
http://bsa.isoftware.nl/bsa172.rar
http://bsa.isoftware.nl/bsa171.rar
Do this: download BSA 1.75 and check if RegDiff.TXT is generated. If not, download 1.74 and check again. Repeat this process until version 1.71. Let me know what is the last version working fine, please.
P.S.: I have done a test here and RegDiff.TXT is created correctly, so at the moment I do not know what to say.

jaysonpryde - Thu Aug 30, 2012 2:17 pm - RegDiff.txt is not generated on BSA v1.76
http://www.sandboxie.com/phpbb/viewtopic.php?p=83436#83436
Hi there, I've currently updated to BSA 1.76 and noticed that RegDiff.txt is not generated and no registry changes were recorded in Report.txt. I ran the same sample on BSA 1.36 and RegDiff.txt was created, plus registry changes were recorded in Report.txt. Kindly advise on how I can generate RegDiff.txt. Thanks in advance!
Buster - Thu Aug 30, 2012 12:18 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83434#83434
Released Buster Sandbox Analyzer 1.77.
Changes:
+ Fixed several bugs

Buster - Thu Aug 30, 2012 11:08 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83432#83432
The "Launch Custom Applications" feature had a bug I fixed already.

Scrapie - Thu Aug 30, 2012 6:11 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83423#83423
Will do via email :)
//EDIT: Okay, what I think I found so far:
1.) Since v1.73 these things are not getting logged anymore here:
- Created a mutex
- Some entries under "Defined Log_API entry" - but not all of them, which is strange
- computer name
- user name information
- volume information
2.) Launch Custom Applications "breaks" the analysis. BSA pretends to wait 10 sec. for them to get launched but carries on immediately, and then it seems to stop in the middle and a lot of events are therefore not getting logged. If this feature is disabled it works okay except for point 1.)
3.) Analysis duration from 1.72 to later versions is getting faster. Missing some steps?

Buster - Wed Aug 29, 2012 10:01 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83404#83404
> Quoting Scrapie:
> Hi there :) Not too sure if the "Launch Custom Applications" feature works here. BSA says in the status bar that it launches custom applications and will delay analysis for 10 seconds - but goes on without waiting. explorer & internet explorer (in my case) are also not showing as active in the Sandboxie window under programs.
> My LaunchList.TXT looks like that:
> [code]
> "C:\Program Files\Internet Explorer\iexplore.exe"
> "C:\Windows\explorer.exe"
> [/code]

Try changing the path to: C:\Windows\System32\dllcache

> Quoting Scrapie:
> I also noted BIG differences between v1.71 and v1.76 in Analysis.txt for the same files - see example below:

Could you provide a sample to test with and your configuration files (BSA.INI, BSA.DAT, BSA_USER.DAT), please? I will check what changed to cause this behavior.

Scrapie - Wed Aug 29, 2012 7:11 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83395#83395
Hi there :) Not too sure if the "Launch Custom Applications" feature works here. BSA says in the status bar that it launches custom applications and will delay analysis for 10 seconds - but goes on without waiting. explorer & internet explorer (in my case) are also not showing as active in the Sandboxie window under programs.
My LaunchList.TXT looks like that:
[code]
"C:\Program Files\Internet Explorer\iexplore.exe"
"C:\Windows\explorer.exe"
[/code]
I also noted BIG differences between v1.71 and v1.76 in Analysis.txt for the same files - see example below:
[code]
Report generated with Buster Sandbox Analyzer 1.71 at 20:13:34 on 09/07/2012

Detailed report of suspicious malware actions:

Code injection in process: d:\xxx\xxx\user\current\appdata\local\temp\123.exe
Code injection in process: d:\xxx\xxx\user\current\appdata\local\temp\789.exe
Created a mutex named: Local\Shell.CMruPidlList
Created an event named: Global\C::Users:Qwerty:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Created process: C:\Users\Qwerty\AppData\Local\Temp\123.exe,"C:\Users\Qwerty\AppData\Local\Temp\123.exe" ,C:\TMP
Created process: C:\Users\Qwerty\AppData\Local\Temp\789.exe,"C:\Users\Qwerty\AppData\Local\Temp\789.exe" ,C:\TMP
Defined file type created: C:\Users\Qwerty\AppData\Local\Temp\123.exe
Defined file type created: C:\Users\Qwerty\AppData\Local\Temp\789.exe
Defined Log_API entry: 32-bit DLL injection into process
Defined Log_API entry: Looks for available Network Resources
Defined Log_API entry: Opens database of services
Defined Log_API entry: Writes to other process' memory (Step 1of3)
Defined Log_API entry: Writes to other process' memory (Step 2of3)
Defined string contained: Possible File-Binder
Defined string contained: Possible File-Binder coded in VB
Detected keylogger functionality
Got system default language ID

Risk evaluation result: High
[/code]
[code]
Report generated with Buster Sandbox Analyzer 1.76 at 18:57:00 on 29/08/2012

Detailed report of suspicious malware actions:

Defined Log_API entry: 32-bit DLL injection into process
Defined string contained: Possible File-Binder/Crypter
Defined string contained: Possible File-Binder/Crypter coded in VB
Detected API hooking functionality
Detected keylogger functionality
Got system default language ID

Risk evaluation result: High
[/code]
Cheers,
Scrapie

Buster - Sun Aug 26, 2012 11:56 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83290#83290
Notes about 1.76 release:

Added a feature to check for API hooks
Thanks to Roberto Melacci from NoVirusThanks Company Srl (www.novirusthanks.org) for the Ring3 API Hook Scanner, now BSA can find API hooks. BSA will include a short reference to the hooks found in the report file and a detailed information list in the Hooks.TXT file. By default BSA filters the SbieDll.dll hook module and also all the modules injected through the "InjectDll" feature from Sandboxie.ini. You can include more excluded hook modules in the HooksExclude.TXT file. This new feature allows BSA to detect new malware behaviors.

Added "Launch Custom Applications" feature / Removed "Launch Internet Explorer" and "Launch Windows Explorer" features
I have removed "Launch > Internet Explorer" and "Launch > Windows Explorer" and added "Launch Custom Applications". This new feature is much more flexible than the previous one, where the list of applications to launch was fixed. Now the user can define what applications they want to launch before the analysis begins. The list of applications to launch is defined in the "Config\LaunchList.TXT" file. One application per line. Do not forget to include double quotes around the file path.
Something like this will be wrong:
C:\Program files\My test folder\application.exe
This will be fine:
"C:\Program files\My test folder\application.exe"
It's possible to include parameters, just like this:
"C:\Program files\My test folder\application.exe" -setup -log

Fixed several bugs
A few more bugs have been fixed. I have tested this version with thousands of malware samples and it works fine.
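The quoting rule in the release notes above matters because a path with spaces that is not wrapped in double quotes is split on whitespace, so the program to launch becomes `C:\Program` and the rest of the path is taken as parameters. The checker below is an added example, not BSA's own LaunchList.TXT parser: it tokenizes each line the way the notes imply (quotes group, whitespace splits, backslashes are literal; that tokenizer is an assumption about how BSA reads the file) and flags the wrong form. The `tokenize`, `check_launch_list` and `SAMPLE_LAUNCH_LIST` names are the example's own, and the sample file is constructed from the three lines in the notes.

```python
"""Checker for LaunchList.TXT lines (added example, not BSA's own parser).

Rule from the release notes: one application per line, the path in double
quotes, optional parameters after it.  The tokenizer here (quotes group,
whitespace splits, backslashes are literal) is an assumption."""
from typing import List, Optional, Tuple

# (program, parameters, warning or None)
LaunchEntry = Tuple[str, List[str], Optional[str]]


def tokenize(line: str) -> List[str]:
    """Split on whitespace, keeping double-quoted runs together."""
    tokens: List[str] = []
    current = ""
    in_quotes = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if in_quotes:
        raise ValueError(f"unbalanced quotes: {line!r}")
    if current:
        tokens.append(current)
    return tokens


def check_launch_list(text: str) -> List[LaunchEntry]:
    """Parse each non-empty line and flag entries that would be mis-launched."""
    entries: List[LaunchEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = tokenize(line)
        program, params = tokens[0], tokens[1:]
        warning: Optional[str] = None
        if not line.startswith('"'):
            warning = "path is not quoted"
            if not program.lower().endswith(".exe"):
                # The first whitespace inside the path ended the 'program'.
                warning += "; a space in the path split it into program + parameters"
        entries.append((program, params, warning))
    return entries


# Constructed LaunchList.TXT: the two correct forms from the release notes
# plus the form the notes call wrong.
SAMPLE_LAUNCH_LIST = r'''
"C:\Program Files\Internet Explorer\iexplore.exe"
"C:\Program files\My test folder\application.exe" -setup -log
C:\Program files\My test folder\application.exe
'''

if __name__ == "__main__":
    for program, params, warning in check_launch_list(SAMPLE_LAUNCH_LIST):
        print(f"{program!r} params={params} -> {warning or 'ok'}")
```

The third sample line is the instructive one: it parses without error, but the program becomes `C:\Program` with three spurious parameters, which is exactly the silent failure the notes warn about. Running a checker like this over LaunchList.TXT before an analysis is cheaper than discovering afterwards that Explorer never started in the sandbox and the sample showed less behaviour than it would have.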
Buster - Sun Aug 26, 2012 11:23 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=83289#83289
Released Buster Sandbox Analyzer 1.76.
Changes:
+ Added a feature to check for API hooks
+ Added "Launch Custom Applications" feature
+ Added new malware behaviours
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Removed "Launch Internet Explorer" and "Launch Windows Explorer" features
+ Fixed several bugs

Buster - Sun Aug 26, 2012 11:31 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83275#83275
> Quoting Scrapie:
> Runs fine for me - thank you :)

Thanks for the feedback! I will release version 1.76 soon. It fixes a few more bugs so it will be even more stable. The main change in the next version will be the introduction of a tool that will help to catch API hooks, and therefore new malware behaviors. I also will change the feature used to launch Internet Explorer and Windows Explorer. I introduced a generic feature to launch whatever application the user decides.

Scrapie - Sun Aug 26, 2012 11:05 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83274#83274
Runs fine for me - thank you :)

Buster - Wed Aug 22, 2012 9:54 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=83120#83120
Released Buster Sandbox Analyzer 1.75.
Changes:
+ Updated HexDive to version 0.4
+ Removed functionalities to locate bugs
+ Fixed several bugs

Buster - Thu Aug 16, 2012 8:06 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82982#82982
Notes about 1.74 release:
From this version, Buster Sandbox Analyzer will add to the SQL database only the first 100 dropped/modified/deleted files of the analyzed file.

Added functionalities to locate bugs
Version 1.74 is a special release that will help me to locate bugs in the application. With the help of software like DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx) I can trace a problem to its origin. This version also includes a module named EurekaLog that will generate a file named BSA.el with useful information to locate bugs in case the application crashes.

Added analysis duration information to reports
I added analysis duration information to reports.

Removed the option to include version information
From version 1.74, Buster Sandbox Analyzer will include version information in reports.

Buster - Thu Aug 16, 2012 7:48 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82979#82979
Released Buster Sandbox Analyzer 1.74.
Changes:
+ Added functionalities to locate bugs
+ Added analysis duration information to reports
+ Removed the option to include version information
+ Fixed several bugs

DrCoolZic - Tue Jul 31, 2012 8:56 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82557#82557
Many, many thanks, the version 1.73 you just released fixes all my problems 8)
For one, the "Window title does not match LOG_API string!" message is gone, and when using the "Remember window position" option the positions of ALL windows are correctly remembered.
Thanks for your excellent program that provides a lot of extremely useful information on top of Sandboxie.
Jean

Buster - Tue Jul 31, 2012 3:37 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82542#82542
Notes about 1.73 release:

Added "Launch Internet Explorer" feature
This feature works on the same basis as "Launch Windows Explorer": some malware will show more behaviors if Internet Explorer is running. From version 1.73, if the "Launch Windows Explorer" or "Launch Internet Explorer" option is enabled, BSA will wait 10 seconds before it starts processing the analyzed file, in order to give Windows Explorer and/or Internet Explorer time to initialize in the sandbox.

Improved "Report Manager" feature
From version 1.73 it is possible to make searches in other parts of reports ("DESCRIPTION" field) and/or analysis reports ("ANALYSIS" field).

In version 1.72 I already added some checks to avoid common problems. In version 1.73 I added another check related to LOG_API. From version 1.73 BSA will check if the LOG_API version being used is up to date.

Buster - Tue Jul 31, 2012 3:19 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82541#82541
Released Buster Sandbox Analyzer 1.73.
Changes:
+ Added "Launch Internet Explorer" feature
+ Added new malware behaviours
+ Improved "Report Manager" feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs

Buster - Tue Jul 31, 2012 2:26 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82539#82539
I fixed a bug that caused the message you posted to appear when LOG_API for x64 is used. I also changed the way BSA works, and from the next version the window position will be moved to the center of the desktop only on demand.

Buster - Tue Jul 31, 2012 11:41 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82520#82520
> Quoting DrCoolZic:
> > Quoting Buster:
> > Did you click at "Options > Program Options > Change title" and change BSA's window title from "Buster Sandbox Analyzer" to another string?
>
> No - the title in the BSA window is "Buster Sandbox Analyzer".
>
> > Quoting Buster:
> > Try with "Options > Program Options > Remember Window Position".
>
> Did not know about this one! But it is not really working!
> When I start the program it does remember the window position, however if I click "Start Analysis" the window is put back in the center of the two screens, and the same happens when I click "Finish Analysis". However "Malware analyzer" does not move the window. Also several popup windows like "Sandbox folder not Empty", "Malware Behavior Analyzer Module", are opened in the middle of the two screens.

Ok, let me take a look and I will let you know.

DrCoolZic - Tue Jul 31, 2012 11:35 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82519#82519
> Quoting Buster:
> Did you click at "Options > Program Options > Change title" and change BSA's window title from "Buster Sandbox Analyzer" to another string?

No - the title in the BSA window is "Buster Sandbox Analyzer".

> Quoting Buster:
> Try with "Options > Program Options > Remember Window Position".

Did not know about this one! But it is not really working!
When I start the program it does remember the window position, however if I click "Start Analysis" the window is put back in the center of the two screens, and the same happens when I click "Finish Analysis". However "Malware analyzer" does not move the window. Also several popup windows like "Sandbox folder not Empty", "Malware Behavior Analyzer Module", are opened in the middle of the two screens.

Buster - Tue Jul 31, 2012 11:04 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82514#82514
> Quoting DrCoolZic:
> I have updated Sandboxie to 3.72 (64 bits) and BSA to 1.72. I have modified the sandboxie.ini with these lines:
> [code]
> InjectDll=U:\StaticProgram\bsa\LOG_API\64\LOG_API32.DLL
> InjectDll64=U:\StaticProgram\bsa\LOG_API\64\LOG_API64.DLL
> OpenWinClass=TFormBSA
> NotifyDirectDiskAccess=y
> ProcessLimit1=20
> ProcessLimit2=30
> [/code]
> When I click "Start Analysis" in BSA a window pops up saying "Window title does not match LOG_API string!" What does that mean??? Is it a problem?

Did you click at "Options > Program Options > Change title" and change BSA's window title from "Buster Sandbox Analyzer" to another string?

> Quoting DrCoolZic:
> Another small annoyance: I am using a dual screen display and any BSA window displayed is located in the middle of the two screens (that is, half on the left screen and half on the right screen). So each time it is necessary to move the windows displayed by BSA. The window is placed like that when you start the program but also when you execute commands like start/finish analysis, malware analyzer etc. ... It would be nice to fix this behavior, perhaps by storing the last position of the windows (at least the main window)?
> Thanks - Jean

Try with "Options > Program Options > Remember Window Position".

DrCoolZic - Tue Jul 31, 2012 10:13 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82511#82511
I have updated Sandboxie to 3.72 (64 bits) and BSA to 1.72. I have modified the sandboxie.ini with these lines:
[code]
InjectDll=U:\StaticProgram\bsa\LOG_API\64\LOG_API32.DLL
InjectDll64=U:\StaticProgram\bsa\LOG_API\64\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
ProcessLimit1=20
ProcessLimit2=30
[/code]
When I click "Start Analysis" in BSA a window pops up saying "Window title does not match LOG_API string!" What does that mean??? Is it a problem?
Another small annoyance: I am using a dual screen display and any BSA window displayed is located in the middle of the two screens (that is, half on the left screen and half on the right screen). So each time it is necessary to move the windows displayed by BSA. The window is placed like that when you start the program but also when you execute commands like start/finish analysis, malware analyzer etc. ... It would be nice to fix this behavior, perhaps by storing the last position of the windows (at least the main window)?
Thanks - Jean

matzen - Mon Jul 30, 2012 1:46 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82490#82490
Thank you for your answers!

Scrapie - Fri Jul 27, 2012 11:01 am - Re: Bsa.sys - Trojan false alarms?
http://www.sandboxie.com/phpbb/viewtopic.php?p=82440#82440
> Quoting Buster:
> Because it makes use of certain APIs commonly used by malware, I guess.

No, the "detection" is simply based on the file hash. Change a single (!) byte (for example offset 2310 from 4D to 6D, which won't break the driver) and the "detection" drops from 12 AVs to 2 AVs :roll:
AVs are full of s***t and love to copy "signatures" from each other so in the next test they score the same as the others - even if a "detection" makes no sense. They didn't even make the effort to generate a proper signature for the file. Easier to add a hash, done in a second and no danger of a FP...
Patched BSA.SYS *Click*: https://www.virustotal.com/file/b45a7644d6dc578e7a534052e1d08aebda7301210dd21f45a4a3a89e127445ce/analysis/1343386649/
Scrapie

Buster - Thu Jul 26, 2012 6:33 pm - Re: Bsa.sys - Trojan false alarms?
http://www.sandboxie.com/phpbb/viewtopic.php?p=82424#82424
> Quoting matzen:
> I'd like to know why it is that Bsa.sys, being such a small file, shows so many false positives (12!). Other files seem mostly clean (1 false positive at most).

Because it makes use of certain APIs commonly used by malware, I guess.

matzen - Thu Jul 26, 2012 6:30 pm - Bsa.sys - Trojan false alarms?
http://www.sandboxie.com/phpbb/viewtopic.php?p=82423#82423
Hi, I'd like to know why it is that Bsa.sys, being such a small file, shows so many false positives (12!).
Other files seem mostly clean (1 false positive at most).
https://www.virustotal.com/file/fc3dec19ba7387874099565192fd3ec28aeb396fc33f18275ac9c3d306237a1e/analysis/
Thank you!

Buster - Tue Jul 17, 2012 7:19 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82156#82156
> Quoting shell32dll:
> I have found it. When I used LOG_API.DLL from the folder BSA\LOG_API\, the program is still working. The problem will occur when I use the old version of LOG_API.DLL.

Yes, updating LOG_API is necessary. I will try to introduce a check in BSA so it checks you are using a valid LOG_API dll version.

shell32dll - Tue Jul 17, 2012 3:42 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82153#82153
I have found it. When I used LOG_API.DLL from the folder BSA\LOG_API\, the program is still working. The problem will occur when I use the old version of LOG_API.DLL.

Buster - Mon Jul 16, 2012 4:06 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82140#82140
> Quoting shell32dll:
> Yes sir.. every application that I test produces the error.. can you help me?

First update to BSA 1.72 and try again. It should crash anyway, but let's try. If version 1.72 does not work, send me a mail to the mail address that appears in the manual and I will send you a custom version that may help to locate the origin of the bug.

Buster - Mon Jul 16, 2012 4:03 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82139#82139
> Quoting Scrapie:
> Works fine for me under Win7 Prof. and Sandboxie v3.70.

Update to 3.72. :wink:

Scrapie - Mon Jul 16, 2012 8:28 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82125#82125
Hi there,
Works fine for me under Win7 Prof. and Sandboxie v3.70.
Scrapie

shell32dll - Mon Jul 16, 2012 7:26 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82123#82123
> Quoting Buster:
> Does the error appear with every application you test (like NOTEPAD.EXE) or only with one file? If it happens only with one file: send me the file, please.

Yes sir.. every application that I test produces the error.. can you help me?

Buster - Mon Jul 16, 2012 7:03 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82122#82122
> Quoting shell32dll:
> BSA version: BSA 1.71
> Sandboxie: 3.72
> How can I fix this error?

Does the error appear with every application you test (like NOTEPAD.EXE) or only with one file? If it happens only with one file: send me the file, please.

shell32dll - Mon Jul 16, 2012 6:19 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=82121#82121
[img]http://i.minus.com/izvS0Ewma0tzs.PNG[/img]
BSA version: BSA 1.71
Sandboxie: 3.72
How can I fix this error?

Buster - Sun Jul 15, 2012 8:15 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82110#82110
Released Buster Sandbox Analyzer 1.72.
Changes:
+ Added wildcard support for FileExclude.TXT and APIExclude.TXT
+ Updated Exeinfo
+ Fixed several bugs

Scrapie - Sat Jul 14, 2012 11:02 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=82087#82087
A new API call I would like to share:
[code]
CreateProcess((null),net stop SharedAccess,(null))<->Disable Windows Security Center
[/code]
Cheers,
Scrapie

Buster - Wed Jul 11, 2012 9:31 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=81984#81984
> Quoting Scrapie:
> How do I exclude the following mutex in the analysis?
> [code]
> CreateMutex(Global\C::Users:User:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer) [c:\windows\explorer.exe]
> [/code]
> After "thumbcache_" there is random stuff so I tried to use the wildcard "*" but it didn't work. Then I tried to replace the ":" with "\" for a proper file path but it didn't work either. Hmmmm ... ?

I will include wildcard support for FileExclude.TXT and APIExclude.TXT.

Scrapie - Tue Jul 10, 2012 9:34 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=81967#81967
After analysing the generated results of over 100 different file binders / joiners, the following pattern stands out:
[code]
Code injection in process: bindedfile_01.exe
Code injection in process: bindedfile_02.exe
Created process: bindedfile_01.exe
Created process: bindedfile_02.exe
Defined file type created: bindedfile_01.exe
Defined file type created: bindedfile_02.exe
Defined Log_API entry: Writes to other process' memory (Step 1of3)
Defined Log_API entry: Writes to other process' memory (Step 2of3)
[/code]
So if you see this pattern you can be 99% sure it is a binder / joiner :wink:
How do I exclude the following mutex in the analysis?
[code]
CreateMutex(Global\C::Users:User:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer) [c:\windows\explorer.exe]
[/code]
After "thumbcache_" there is random stuff so I tried to use the wildcard "*" but it didn't work. Then I tried to replace the ":" with "\" for a proper file path but it didn't work either. Hmmmm ... ?
Cheers,
Scrapie

Buster - Sun Jul 08, 2012 11:14 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=81933#81933
> Quoting Scrapie:
> Thanks for that :) Now werfault.exe only pops up every now and then - much better.

In what OS version are you analyzing? In XP that solution works 100% of the time: if the application crashes, a window saying "Application Error" appears but BSA closes it automatically. You can also apply a filter (APIExclude.TXT) and ignore all entries containing "c:\windows\system32\werfault.exe".

> Quoting Scrapie:
> Since we have a new feature with custom settings in USER_BSA.DAT I would like to share some of my entries

Thank you very much!

Scrapie - Sun Jul 08, 2012 8:41 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=81930#81930
Thanks for that :) Now werfault.exe only pops up every now and then - much better.
Since we have a new feature with custom settings in USER_BSA.DAT I would like to share some of my entries:
[code]
[File_Strings]
Stub.vbp<->Possible File-Binder coded in VB
Binder.vbp<->Possible File-Binder coded in VB
Joiner.vbp<->Possible File-Binder coded in VB
Melt.bat<->Delets itselfe
regsvr32 /s<->Add's registry keys in silent mode

[Custom_LogAPI_Entries]
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
NetShareEnum(127.0.0.1)<->Enables Local File Sharing
WNetOpenEnum<->Looks for available Network Resources
OutputDebugString<->Talks to debugger
RtlAdjustPrivilege(Enable SeDebugPrivilege)<->Opens any process (ACL Bypass)
RtlAdjustPrivilege(Enable SeLoadDriverPrivilege)<->Loads/Unloads drivers
RtlAdjustPrivilege(Enable RtlAdjustPrivilege)<->Create user account
RtlAdjustPrivilege(Enable SeSecurityPrivilege)<->Manipulates security log
OpenSCManager((null),(null))<->Opens list of all services
SetWindowsHookEx<->32-bit DLL injection into another process
VirtualQueryEx<->Reads memory blocks of other process
VirtualAllocEx<->Writes to other process memory (Step 1of3)
WriteProcessMemory<->Writes to other process memory (Step 2of3)
CreateRemoteThread<->Writes to other process memory (Step 3of3)
[/code]
Cheers,
Scrapie

Buster - Sat Jul 07, 2012 2:22 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=81924#81924
Disable error reporting in different OSs: http://www.howtogeek.com/howto/7863/disable-error-reporting-in-xp-vista-and-windows-7/

Buster - Sat Jul 07, 2012 9:29 am
http://www.sandboxie.com/phpbb/viewtopic.php?p=81921#81921
> Quoting Scrapie:
> Would it be possible to always have the up-to-date MD5 hash behind the DL here in the first posting? That way we can check that the downloaded file is original in case your server gets busted and the archive manipulated.

Done!
[quote="Scrapie"]If a file crashes (damaged download / corrupted, ...) a report is generated for the Windows file werfault.exe, which is not really helpful, and the rating is kind of over the top for it:

[code]
Report generated with Buster Sandbox Analyzer 1.71 at 20:16:32 on 07/07/2012

Detailed report of suspicious malware actions:

Code injection in process: c:\windows\system32\werfault.exe
Created a mutex named: Global\24114ac1-c80c-22e1-a24e-114063df01f5
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
Created a mutex named: Local\Shell.CMruPidlList
Created a mutex named: Local\WERReportingForProcess2952
Created an event named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Created process: C:\Windows\system32\WerFault.exe,C:\Windows\system32\WerFault.exe -u -p 2952 -s 60,C:\Windows\system32
Defined Log_API entry: Looks for available Network Resources
Defined string contained: Possible File-Binder
Detected process privilege elevation
Enumerated running processes
Got computer name
Got system default language ID
Got user name information
Got volume information
Opened a service named: WinHttpAutoProxySvc
Query DNS: watson.microsoft.com
Slept over 2 minutes
Started a service

Risk evaluation result: High
[/code]

Is it possible to skip / abort the analysis if that happens, to avoid confusion?[/quote]

The solution suggested is to disable error reporting. In Windows XP: Control Panel > System > Advanced > Startup and Recovery > Error Reporting > Disable error reporting

Buster (Sat Jul 07, 2012 9:19 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81920#81920

[quote="bgavin"]I encourage you to change the file version for every action. HP is notorious for using the same name and version, with multiple levels of "little fixes" installed.[/quote]

Sure, no problem.

Scrapie (Sat Jul 07, 2012 8:34 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81919#81919

[quote="Buster"]I tested the BSA_USER.DAT feature and it works fine, but try it yourself and let me know, please.[/quote]

Works fine for me :)

Would it be possible to always have the up-to-date MD5 hash behind the download link here in the first posting? That way we can check that the downloaded file is original in case your server gets busted and the archive manipulated.

If a file crashes (damaged download / corrupted, ...)
a report is generated for the Windows file werfault.exe, which is not really helpful, and the rating is kind of over the top for it:

[code]
Report generated with Buster Sandbox Analyzer 1.71 at 20:16:32 on 07/07/2012

Detailed report of suspicious malware actions:

Code injection in process: c:\windows\system32\werfault.exe
Created a mutex named: Global\24114ac1-c80c-22e1-a24e-114063df01f5
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
Created a mutex named: Local\Shell.CMruPidlList
Created a mutex named: Local\WERReportingForProcess2952
Created an event named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Created process: C:\Windows\system32\WerFault.exe,C:\Windows\system32\WerFault.exe -u -p 2952 -s 60,C:\Windows\system32
Defined Log_API entry: Looks for available Network Resources
Defined string contained: Possible File-Binder
Detected process privilege elevation
Enumerated running processes
Got computer name
Got system default language ID
Got user name information
Got volume information
Opened a service named: WinHttpAutoProxySvc
Query DNS: watson.microsoft.com
Slept over 2 minutes
Started a service

Risk evaluation result: High
[/code]

Is it possible to skip / abort the analysis if that happens, to avoid confusion?

Cheers, Scrapie

bgavin (Fri Jul 06, 2012 9:00 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81909#81909

I encourage you to change the file version for every action. HP is notorious for using the same name and version, with multiple levels of "little fixes" installed.

Buster (Fri Jul 06, 2012 8:00 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81908#81908

The BSA 1.71 package has been re-uploaded. It contains an updated version of HexDive (3.0) and updated language files. I also fixed a bug.

Buster (Fri Jul 06, 2012 7:07 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81896#81896

[quote="Scrapie"]Oh, and thanks for the new version :)[/quote]

I tested the BSA_USER.DAT feature and it works fine, but try it yourself and let me know, please.

Scrapie (Fri Jul 06, 2012 6:50 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81895#81895

[quote="Buster"]Could you show an example of Event Log information related to a malware infection?[/quote]

No, sorry. Will try to find a sample for Adobe or Internet Explorer and will let you know.

Oh, and thanks for the new version :)

Cheers, Scrapie

Buster (Thu Jul 05, 2012 10:04 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81886#81886

[quote="bgavin"]I downloaded BSA v1.71 from the site after it was released today, July 5. McAfee 8.7P4 finds the "bsa.sys" file infected with Generic BackDoor!1jd Trojan.[/quote]

There are some AVs having a false positive in that file.
Some time ago there were like 24 AVs detecting the file. I just checked in VirusTotal: https://www.virustotal.com/file/fc3dec19ba7387874099565192fd3ec28aeb396fc33f18275ac9c3d306237a1e/analysis/1341525750/ and now they are 12/42. McAfee has 2 entries there.

Could you contact McAfee and ask them to review the false positive?

bgavin (Thu Jul 05, 2012 9:10 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81884#81884

I downloaded BSA v1.71 from the site after it was released today, July 5. McAfee 8.7P4 finds the "bsa.sys" file infected with Generic BackDoor!1jd Trojan.

Buster (Thu Jul 05, 2012 9:23 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81870#81870

Notes about 1.71 release:

Added BSA_USER.DAT feature
BSA_USER.DAT has the same internal structure as BSA.DAT and it's used to keep your own definitions. When BSA.DAT gets updated you will not have to merge your definitions again, as you can keep them separated.

Improved "Dump Executable Processes" feature
Only the files that do not exist in the real system will be dumped. This way we will avoid dumping iexplore.exe, explorer.exe, etc.

Buster (Thu Jul 05, 2012 9:10 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81869#81869

Released Buster Sandbox Analyzer 1.71.

Changes:
+ Added new malware behaviours
+ Added BSA_USER.DAT feature
+ Improved "Dump Executable Processes" feature
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated Exeinfo
+ Fixed several bugs

Buster (Wed Jul 04, 2012 9:33 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81823#81823

Could you show an example of Event Log information related to a malware infection?
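The werfault.exe report Scrapie posted above is the trace of a sample that crashed into Windows Error Reporting rather than of malware behaviour: WerFault.exe is launched with the crashed process id, the Local\WERReportingForProcess mutex is created and watson.microsoft.com is resolved. Buster's suggestion is to disable error reporting in Windows; an analyst who cannot do that can instead recognise the pattern in the report and mark the rating as unreliable. The following is an added example written for this thread, not BSA's own code: the indicator strings are taken from the report above, the embedded sample report is a shortened copy of it, and the rule that two WER artefacts together mean "the sample crashed" is a choice of this example, not something BSA does.

```python
import re

# Constructed sample: a shortened copy of the werfault.exe report posted in
# this thread (non-WER lines trimmed), used here as offline input.
SAMPLE_REPORT = """\
Report generated with Buster Sandbox Analyzer 1.71 at 20:16:32 on 07/07/2012

Detailed report of suspicious malware actions:

Code injection in process: c:\\windows\\system32\\werfault.exe
Created a mutex named: Global\\24114ac1-c80c-22e1-a24e-114063df01f5
Created a mutex named: Local\\Shell.CMruPidlList
Created a mutex named: Local\\WERReportingForProcess2952
Created process: C:\\Windows\\system32\\WerFault.exe,C:\\Windows\\system32\\WerFault.exe -u -p 2952 -s 60,C:\\Windows\\system32
Defined Log_API entry: Looks for available Network Resources
Detected process privilege elevation
Enumerated running processes
Opened a service named: WinHttpAutoProxySvc
Query DNS: watson.microsoft.com
Slept over 2 minutes
Started a service

Risk evaluation result: High
"""

# Windows Error Reporting artefacts that any crashing process leaves behind,
# regardless of whether the sample is malicious.
WER_PROCESS_RE = re.compile(r"werfault\.exe.*?-p\s+(\d+)", re.IGNORECASE)
WER_MUTEX_RE = re.compile(r"Local\\WERReportingForProcess(\d+)", re.IGNORECASE)
WER_DNS_RE = re.compile(r"Query DNS:\s*watson\.microsoft\.com", re.IGNORECASE)
WER_INJECT_RE = re.compile(r"Code injection in process:.*werfault\.exe", re.IGNORECASE)
RATING_RE = re.compile(r"Risk evaluation result:\s*(\w+)")


def wer_indicators(report_text):
    """Return (crashed_pid, [report lines that are WER artefacts])."""
    pid = None
    hits = []
    for line in report_text.splitlines():
        for rx in (WER_PROCESS_RE, WER_MUTEX_RE):
            m = rx.search(line)
            if m:
                pid = pid or int(m.group(1))   # PID of the process WerFault reports on
                hits.append(line)
                break
        else:
            if WER_DNS_RE.search(line) or WER_INJECT_RE.search(line):
                hits.append(line)
    return pid, hits


def triage_report(report_text):
    """Flag a report whose activity comes from a crash into WerFault.

    Assumption of this example: the report describes a crash when WerFault.exe
    was launched (or its per-process mutex exists) and at least one further WER
    artefact is present. The original rating is kept but marked unreliable, and
    the actions that are not WER noise are returned for a manual look.
    """
    pid, hits = wer_indicators(report_text)
    rating_m = RATING_RE.search(report_text)
    rating = rating_m.group(1) if rating_m else None
    crashed = pid is not None and len(hits) >= 2
    remaining = [
        ln for ln in report_text.splitlines()
        if ln.strip() and ln not in hits
        and not ln.startswith(("Report generated", "Detailed report", "Risk evaluation"))
    ]
    return {
        "sample_crashed": crashed,
        "crashed_pid": pid,
        "wer_lines": hits,
        "rating": rating,
        "rating_reliable": not crashed,
        "remaining_actions": remaining,
    }


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print("crashed:", result["sample_crashed"], "pid:", result["crashed_pid"])
    print("rating:", result["rating"], "reliable:", result["rating_reliable"])
    for ln in result["remaining_actions"]:
        print("  ", ln)
```

Run against the sample report this marks the "High" rating as unreliable and leaves eight non-WER actions (mutexes, privilege elevation, process enumeration, the WinHttpAutoProxySvc service) for the analyst to judge on their own; a report without WerFault artefacts passes through with its rating intact.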
Scrapie (Wed Jul 04, 2012 8:54 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81822#81822

Hi there :)

Been playing with the new EMET lately and quite like it. I reckon it would be a good tool to integrate into BSA.

The latest version of EMET comes with an additional new reporting capability. There are Information, Warning and Error messages. Error messages are used for logging cases where EMET stopped an application with one of its mitigations, which means an active attack has been blocked. These warnings are written to the Windows Event Log.

For PDF files, BSA could configure EMET before a sample gets started in the sandbox via a simple cmd:

[code]
C:\Program Files\EMET>EMET_Conf.exe --set "*\yourPDFviewer.exe"
[/code]

The new version supports wildcards, so there is no need to specify the whole path. As soon as EMET sees a PDF file get started, it injects its DLL into the viewer and protects / watches it.

After the analysis is finished, BSA has to check the Windows Event Log for a Warning entry made by EMET, extract the content and integrate it into its report. A crash (= Warning message) is a good sign for a 0-day exploit.

Extracting information from the Windows Event Log is not that hard, only ~40 lines in VBA for example.

What do you guys think?
Cheers, Scrapie

PS: Links about EMET
http://www.rationallyparanoid.com/articles/microsoft-emet-3.html
http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

Scrapie (Sat Jun 30, 2012 10:51 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81719#81719

Check your email for examples :)

Buster (Sat Jun 30, 2012 10:46 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81718#81718

[quote="Scrapie"]That's cool :) I thought I could only exclude whole API calls (OpenService) but this feature seems pretty powerful.[/quote]

I always try to give features flexibility, so users can customize the tool as they want.

[quote="Scrapie"]Hey, I'm playing a fair bit around with the URL feature at the moment. Sometimes it acts a bit strange. For example if the URL is [code]http://example.com/frtghc56hv/w.php=f345[/code] and I enter it that way in URLs.txt it doesn't work. But if I change it to [code]example.com/frtghc56hv/w.php=f345[/code] then it works.[/quote]

Could you give a real URL that I can use to make tests, please?

[quote="Scrapie"]Sometimes I have to add or take "www" off, etc.[/quote]

That depends on the server. Example: If you visit "http://www.bsa.isoftware.nl/" it will fail. If you visit "http://bsa.isoftware.nl/" it will work.
[quote="Scrapie"]Would it be possible to build in a routine that tries for a given URL [code]example.com/frtghc56hv/w.php=f345[/code] the following variations:

[code]
http://example.com/frtghc56hv/w.php=f345
http://www.example.com/frtghc56hv/w.php=f345
www.example.com/frtghc56hv/w.php=f345
[/code]

Or for a given URL [code]http://www.example.com/frtghc56hv/w.php=f345[/code] it tries

[code]
http://example.com/frtghc56hv/w.php=f345
example.com/frtghc56hv/w.php=f345
www.example.com/frtghc56hv/w.php=f345
[/code][/quote]

I can fix the problem related to URLs containing or not the "http://" prefix, but adding/removing "www." seems a bit weird. How come you don't know the valid URL is "bsa.isoftware.nl" and not "www.bsa.isoftware.nl"?

Scrapie (Sat Jun 30, 2012 10:04 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81717#81717

That's cool :) I thought I could only exclude whole API calls (OpenService) but this feature seems pretty powerful.

Hey, I'm playing a fair bit around with the URL feature at the moment. Sometimes it acts a bit strange. For example if the URL is [code]http://example.com/frtghc56hv/w.php=f345[/code] and I enter it that way in URLs.txt it doesn't work. But if I change it to [code]example.com/frtghc56hv/w.php=f345[/code] then it works. Sometimes I have to add or take "www" off, etc.
Would it be possible to build in a routine that tries for a given URL [code]example.com/frtghc56hv/w.php=f345[/code] the following variations:

[code]
http://example.com/frtghc56hv/w.php=f345
http://www.example.com/frtghc56hv/w.php=f345
www.example.com/frtghc56hv/w.php=f345
[/code]

Or for a given URL [code]http://www.example.com/frtghc56hv/w.php=f345[/code] it tries

[code]
http://example.com/frtghc56hv/w.php=f345
example.com/frtghc56hv/w.php=f345
www.example.com/frtghc56hv/w.php=f345
[/code]

Cheers, Scrapie

Buster (Sat Jun 30, 2012 9:14 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81715#81715

[quote="Scrapie"]Hi there. Is it possible to exclude OpenService(CSC) & OpenService(CscService) only, without excluding the whole OpenService API itself? These services are used from Windows Vista onwards and are kind of a cache for file changes. They get triggered all the time and therefore end up in the malware analysis - but under Windows Vista and Windows 7 it is nothing bad. Sure, these services could be disabled but that could have an effect on the network spreading routine of some samples...[/quote]

Yes, it's very simple: Editor > Exclusion Lists > Edit API Exclude List

Then you add in one line "OpenService(CSC)" and in another line "OpenService(CscService)".

Example of my APIExclude.TXT:

[code]
OpenService(AudioSrv)
OpenService(LanmanServer)
OpenService(RASMAN)
[/code]

Scrapie (Sat Jun 30, 2012 8:55 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81714#81714

Hi there. Is it possible to exclude OpenService(CSC) & OpenService(CscService) only, without excluding the whole OpenService API itself? These services are used from Windows Vista onwards and are kind of a cache for file changes.
They get triggered all the time and therefore end up in the malware analysis - but under Windows Vista and Windows 7 it is nothing bad. Sure, these services could be disabled but that could have an effect on the network spreading routine of some samples...

Cheers, Scrapie

Scrapie (Sat Jun 30, 2012 3:55 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81695#81695

Nice one - good on you! Thanks for your hard work, Scrapie

Buster (Fri Jun 29, 2012 10:48 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81676#81676

Buster Sandbox Analyzer adds support for FakeNet

Source: http://practicalmalwareanalysis.com/2012/06/28/buster-sandbox-analyzer-adds-support-for-fakenet/

Good news, Buster Sandbox Analyzer (BSA) has just added support for FakeNet. For those of you not familiar, BSA is a tool that can be used to automatically analyze the behavior of processes and the changes made to the system and then evaluate if they are malicious. This fully automates all of the basic dynamic analysis you typically perform. Full details and a download of BSA can be found here. BSA works with Sandboxie.

Sandboxie is a program that runs programs in an isolated environment to prevent them from making permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandbox aspect makes it useful for malware analysis. For example, you can use it to capture filesystem and registry accesses of the program you are sandboxing. Buster Sandbox Analyzer (BSA) interfaces with Sandboxie to provide automated analysis and reporting.

Once you have Sandboxie and BSA set up on your malware analysis environment you can start playing around with malware, but sometimes the malware might not run enough without a valid network connection, or the malware might start with a beacon to google.com to check for connectivity.
That is where FakeNet helps BSA, as it redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst. Generally, you shouldn't use your real internet connection (remember good OPSEC from Chapter 14?) while you analyze malware, but you still want to get network information anyway, so FakeNet is a simple solution.

To run BSA with FakeNet take the following steps:

1. Download and decompress FakeNet to a folder.
2. Edit FakeNet.cfg and change "OutputOptions DumpOutput:No Fileprefix:output" to "OutputOptions DumpOutput:Yes Fileprefix:output".
3. Run Sandboxie and BSA.
4. In BSA select the following:
   Options->Analysis Mode->Automatic
   Options->Automatic Analysis Options->FakeNet Mode
   Options->Common Analysis Options->Packet Sniffer->Save Capture to File
5. Select "Start Analysis".
6. Browse to the FakeNet installation folder when prompted.
7. Select the time in minutes you want BSA to allow the malware to run.
8. Browse to the folder containing your malware when prompted.

[img]http://tankandsiko.files.wordpress.com/2012/06/post1.png[/img]

This causes BSA to use FakeNet while performing its analysis. You may notice that BSA generates a lot more output using FakeNet than without an Internet connection. With FakeNet, there is an added file "Connections.txt" in its results and this contains the FakeNet output showing all of the connections that occurred during analysis. There will also be a PCAP generated which contains all of the packets from FakeNet.

I performed analysis using BSA on a piece of malware named "WebServer2.exe" and without FakeNet nothing really happened. I didn't even see registry changes or file changes. Once I enabled FakeNet and reran BSA, the malware ended up doing a lot more since FakeNet gave a response to the beacon.
The malware also ended up performing several GET and POST requests that weren't seen without FakeNet enabled in BSA.

Scrapie (Fri Jun 29, 2012 7:03 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81669#81669

[quote="Buster"]BSA 1.70 has been re-released fixing the bug found by Scrapie.[/quote]

Works perfect now - thanks for the update!

Cheers, Scrapie

Buster (Fri Jun 29, 2012 12:53 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81666#81666

[quote="Scrapie"]Oh and another thing I came across yesterday: When upgrading, I have to back up my old BSA.DAT and copy all my entries (short example below) into your new BSA.DAT because this file gets updated by you and I don't want to miss the changes you do to it.[/quote]

Yes, a big part of BSA's power is in BSA.DAT. Keeping that file updated is very important.

[quote="Scrapie"]Two versions of BSA.DAT would be good, one that comes officially (example BSA.DAT) from you and then another version (example User_BSA.DAT), where users can add their entries which will survive an update without stuffing around and copying a whole lot of entries from the old to the new DAT.[/quote]

Excellent idea! :wink: I just included this feature and it will be present in the next version.

Buster (Thu Jun 28, 2012 11:53 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81641#81641

BSA 1.70 has been re-released fixing the bug found by Scrapie.

Scrapie (Thu Jun 28, 2012 9:44 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81637#81637

[quote="Buster"]With the "Extract APIs from Dumps" feature enabled, BSA 1.70 crashes and BSA 1.69 works fine, is it right?[/quote]

I upgraded from 1.68 Beta to 1.70 so not sure about 1.69, sorry.

[quote="Buster"]If you run from console "HAPI.EXE FILE", does HAPI generate output? Is HAPI working fine on your computer?[/quote]

HAPI.EXE seems to run just fine via cmd - but where would I find the output? Can't find an output file...

[quote="Buster"]I have tried to reproduce the bug in my Windows 7 Prof 32-bit OS and I have been unable. In fact I don't understand why it happens because the code related to the "Extract APIs from Dumps" feature didn't change from version 1.69 to 1.70. :?[/quote]

Same as top - came from 1.68 beta to 1.70. Check your email :)

Scrapie

Buster (Thu Jun 28, 2012 7:58 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81620#81620

With the "Extract APIs from Dumps" feature enabled, BSA 1.70 crashes and BSA 1.69 works fine, is it right?

If you run from console "HAPI.EXE FILE", does HAPI generate output? Is HAPI working fine on your computer?

I have tried to reproduce the bug in my Windows 7 Prof 32-bit OS and I have been unable. In fact I don't understand why it happens because the code related to the "Extract APIs from Dumps" feature didn't change from version 1.69 to 1.70. :?

Scrapie (Thu Jun 28, 2012 7:21 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81619#81619

Oh and another thing I came across yesterday: When upgrading, I have to back up my old BSA.DAT and copy all my entries (short example below) into your new BSA.DAT because this file gets updated by you and I don't want to miss the changes you do to it.

Two versions of BSA.DAT would be good, one that comes officially (example BSA.DAT) from you and then another version (example User_BSA.DAT), where users can add their entries which will survive an update without stuffing around and copying a whole lot of entries from the old to the new DAT.
Cheers, Scrapie

[code]
[Custom_LogAPI_Entries]
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
NetShareEnum(127.0.0.1)<->Enables Local File Sharing
[/code]

Scrapie (Thu Jun 28, 2012 7:03 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81618#81618

Doesn't matter if I use 1 sample or 100. Every time I enable that option I get the error. If I take it out, BSA runs fine for the whole day and does a great job. I'm using the standard 32-bit API DLL if that helps...

Scrapie

BarbaraComins (Thu Jun 28, 2012 5:06 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81615#81615

It is really helpful and I would like to thank you for the contribution and support.

Buster (Wed Jun 27, 2012 9:47 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81603#81603

[quote="Scrapie"]No, still not working. I can pinpoint it down to the option "Extract APIs from Dumps". If it is enabled I get the error. If it is disabled, it works just fine.[/quote]

Did you check if the problem happens with all files or only 1?

Scrapie (Wed Jun 27, 2012 8:14 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81599#81599

No, still not working. I can pinpoint it down to the option "Extract APIs from Dumps". If it is enabled I get the error. If it is disabled, it works just fine.

Windows 7 Prof 32-bit

Cheers, Scrapie

Buster (Tue Jun 26, 2012 11:38 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81586#81586

[quote="Scrapie"]Hi there :) I get an Access violation error at address 65720000 with this version under Windows 7 Prof. Scrapie[/quote]

Redownload the package and try again, please. Let me know if it works or not.
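Scrapie's [Custom_LogAPI_Entries] snippet above shows the shape of a BSA.DAT definition (a watched call on the left, a behaviour description on the right, separated by "<->"), the 1.71 notes above describe BSA_USER.DAT as a second file with the same structure that survives updates, and the 1.70 notes further down describe matching a "[File_Strings]" section against strings extracted from dumps. The following is an added example written for this thread, not BSA's own code, showing how such files can be parsed, merged and applied. The two definition files, the API log lines and the dump strings are constructed stand-ins; the description texts are mine; and because the thread does not say how BSA compares an entry with a logged call, this example assumes a case-insensitive substring match for both sections.

```python
from collections import OrderedDict

# Constructed stand-in for the shipped definitions (not the real BSA.DAT).
OFFICIAL_DAT = """\
; shipped definitions
[Custom_LogAPI_Entries]
GetModuleHandle(sbiedll.dll)<->Checks for Sandboxie
NetShareEnum(127.0.0.1)<->Enables Local File Sharing

[File_Strings]
LsaRetrievePrivateData<->Retrieves stored credentials (possible dial-up password theft)
L$_RasDefaultCredentials<->References RAS default credentials
"""

# Constructed stand-in for BSA_USER.DAT: the user's own entries, kept apart so
# an update of the shipped file does not wipe them.
USER_DAT = """\
; user definitions
[Custom_LogAPI_Entries]
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
NetShareEnum(127.0.0.1)<->Enables Local File Sharing

[File_Strings]
IsDebuggerPresent<->Anti-debugging check
"""


def parse_dat(text):
    """Parse a DAT file into {section: OrderedDict(pattern -> description)}."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, OrderedDict())
            continue
        if current is None or "<->" not in line:
            raise ValueError("malformed definition line: %r" % raw)
        pattern, description = line.split("<->", 1)
        sections[current][pattern.strip()] = description.strip()
    return sections


def merge_definitions(official, user):
    """Overlay user definitions on the official set; the user file wins on clashes."""
    merged = OrderedDict((name, OrderedDict(entries)) for name, entries in official.items())
    for name, entries in user.items():
        merged.setdefault(name, OrderedDict()).update(entries)
    return merged


def match_lines(definitions, section, lines):
    """Return [(matched line, description)] for every definition that hits a line.

    Assumption of this example: an entry matches when its left-hand side occurs
    in the line, compared case-insensitively.
    """
    hits = []
    for line in lines:
        for pattern, description in definitions.get(section, {}).items():
            if pattern.lower() in line.lower():
                hits.append((line, description))
    return hits


# Constructed API log lines and dump strings standing in for LOG_API output and
# an "Extract Strings From Dumps" result.
API_LOG = [
    "GetModuleHandle(kernel32.dll)",
    "GetModuleHandle(sbiedll.dll)",
    "NetShareEnum(127.0.0.1)",
    "FreeLibrary(0x10000000)",
]
DUMP_STRINGS = ["KERNEL32.dll", "LsaRetrievePrivateData", "IsDebuggerPresent", "GetTickCount"]


def analyze(official_text=OFFICIAL_DAT, user_text=USER_DAT, api_log=API_LOG, dump_strings=DUMP_STRINGS):
    defs = merge_definitions(parse_dat(official_text), parse_dat(user_text))
    return {
        "definition_count": sum(len(entries) for entries in defs.values()),
        "api": match_lines(defs, "Custom_LogAPI_Entries", api_log),
        "strings": match_lines(defs, "File_Strings", dump_strings),
    }


if __name__ == "__main__":
    for kind, value in analyze().items():
        print(kind, value)
```

The duplicate NetShareEnum entry in the user file collapses into the official one rather than reporting twice, the harmless GetModuleHandle(kernel32.dll) and FreeLibrary calls produce no hit, and the LsaRetrievePrivateData string is caught from the dump even though, as Buster explains in the 1.70 notes, the code that uses it may never run in the sandbox.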
Scrapie (Tue Jun 26, 2012 9:55 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81583#81583

Hi there :)

I get an Access violation error at address 65720000 with this version under Windows 7 Prof.

Scrapie

Buster (Sat Jun 23, 2012 4:33 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81500#81500

Notes about 1.70 release:

Added new malware behaviours
The chances to catch malware behavior through the use of BSA.DAT definitions have been increased. When the "Dump Executable Processes" and "Extract Strings From Dumps" options are enabled, BSA will look for coincidences from the "[File_Strings]" section in the files containing strings from dumped binaries.

This static analysis improvement is very important because it will allow catching behaviors that otherwise would not be possible to catch. Why? Because certain functions of malware will not be executed during an automatic analysis. The reasons are many, so it's out of the question to discuss them.

Let's take just an example to explain the importance of this new feature: It's unlikely the computer we use to analyze malware has a modem. That means if a malware has dial-up login/password stealing capabilities, the function that retrieves the information (using the LsaRetrievePrivateData function, i.e.) will not be executed, because when the malware looks for information (using RasEnumEntries, i.e.) it will not find anything to steal, so the stealing function will not be executed. So how to catch the stealing function? Looking for strings like "LsaRetrievePrivateData" or "L$_RasDefaultCredentials" in analyzed and dumped binaries.

The same principle can be applied to code. How to catch certain anti-debugging or anti-VMware code? For this situation I included Luigi Auriemma's Signsrch tool. From version 1.70 BSA will include specific information in reports extracted from Signsrch logs.
The Signsrch utility will be run over analyzed and dumped binaries.

I hope you understand now the importance of dumps in malware analysis.

Improved "Additional Information" feature
64-bit application information has been included.

Updated BSA.DAT - Updated LOG_API - Updated HexDive - Updated SIGNSRCH.SIG
In BSA.DAT I have included new definitions for the registry and file string sections. I have included the logging of a new API in LOG_API. I updated Hexacorn's HexDive to version 0.2. I modified Signsrch's signature file, removing a few entries and adding new ones related to anti-debugging and virtual machine detection.

Buster (Sat Jun 23, 2012 3:01 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81495#81495

Released Buster Sandbox Analyzer 1.70.

Changes:
+ Added new malware behaviours
+ Improved "Additional Information" feature
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Added German language translation (thanks to AV-Comparatives)
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated HexDive
+ Updated SIGNSRCH.SIG

Buster (Mon Jun 18, 2012 7:38 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81335#81335

Notes about 1.69 release:

Added a feature to generate statistics
In "SQL > Report Manager > Tools" there is a new option under "Statistics". You can generate Top 10 PE Packers Identified by PEiD and Exeinfo. You can also generate Top 10 Threats Identified by each antivirus product used by VirusTotal. If anyone has any idea about more statistics I may include, just let me know.

Updated "Report Manager" feature
Since I coded the "Report Manager" feature, VirusTotal dropped 5 scanning engines (Authentium, eTrust Vet, McAfee-Artemis, Prevx and Sunbelt) and introduced 5 new ones (Commtouch, SUPERAntiSpyware, TotalDefense, TrendMicro-HouseCall and VIPRE). I updated "Report Manager" to support the new engines.
Note: This change produces an incompatibility between SQLite DBs generated with BSA 1.68 and previous versions, and BSA 1.69.

Updated LOG_API
I changed an API that was causing crashes in sandboxed programs.

Fixed several bugs
The "FakeNet Mode" feature had a problem in Windows 7: BSA was waiting for FakeNet's initialization forever.

Buster (Sun Jun 17, 2012 8:56 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81316#81316

Released Buster Sandbox Analyzer 1.69.

Changes:
+ Added a feature to generate statistics
+ Updated "Report Manager" feature
+ Updated LOG_API
+ Fixed several bugs

Buster (Sun Jun 17, 2012 5:01 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81311#81311

The next Buster Sandbox Analyzer release will contain the last feature in my TO-DO list: generate statistics.

It will be like this:

[img]http://img440.imageshack.us/img440/4253/pruebawk.jpg[/img]

Buster (Fri Jun 15, 2012 7:31 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81261#81261

Notes about 1.68 release:

Added support to analyze URLs from command line
To run BSA from the command line and analyze a URL or a file with URLs, you must supply the amount of time for analysis and the URL or file with URLs, like this:

[code]
BSA.EXE -s 30 -url http://bsa.isoftware.nl
BSA.EXE -m 2 -url c:\example\urls.txt
[/code]

Added support for FakeNet
"FakeNet is a Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst."
If you do not want to use your real internet connection while you analyze malware but you still want to get network information anyway, then FakeNet is a good solution.

You can get it from here: http://sourceforge.net/projects/fakenet/

FakeNet is a portable application, so just decompress the ZIP archive to a folder. After decompressing the archive, edit FakeNet.cfg. Change the line containing the string "OutputOptions DumpOutput:No Fileprefix:output" to "OutputOptions DumpOutput:Yes Fileprefix:output".

Editing FakeNet.cfg is very important! If you do not edit the file, BSA will freeze because it will be waiting for the output logfile.

Updated ssdeep tool to version 2.8
I noticed there was a new version of ssdeep, so I included it in the package.

Updated BSA.DAT
I included new entries in the "[Custom_LogAPI_Entries]" section.

Updated LOG_API
I included a new watched API and fixed a bug in the LOG_API 64-bit version.

Note: I got a report from a Wilders Security forum user commenting that KeyScrambler may cause trouble for the LOG_API 64-bit version. The DLL will crash if KeyScrambler is running. No crashes when KeyScrambler is not running.

Buster (Fri Jun 15, 2012 4:34 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=81255#81255

Released Buster Sandbox Analyzer 1.68.

Changes:
+ Added support to analyze URLs from command line
+ Added support for FakeNet
+ Updated ssdeep tool to version 2.8
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs

Scrapie (Tue Jun 12, 2012 8:42 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81129#81129

Very good !!!

Sent you an email about the latest beta.
Looking forward to testing BSA with FakeNet :)

Scrapie

Buster (Tue Jun 12, 2012 1:49 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81123#81123

[quote="Scrapie"]What would be a smart way to end FakeNet (send CTRL+C to cmd) after every program in the sandbox is terminated but before BSA is doing its VirusTotal check in Auto Mode? Because if FakeNet is still running at this stage, BSA won't be able to go out and check ...[/quote]

Sending CTRL+C to FakeNet's cmd window was not a simple task at all. When I had a working method I noticed that it only works when the window is visible, but not when it's hidden. As I plan running FakeNet in a hidden window, I had to start again looking for other methods to do the task.

After several hours googling I finally found a working method to do it!

FakeNet's integration with BSA is very advanced. I just miss processing the logs created with FakeNet. As soon as I have something working I will send you a beta for testing.

Buster (Sun Jun 10, 2012 8:18 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81078#81078

[quote="Scrapie"]What would be a smart way to end FakeNet (send CTRL+C to cmd) after every program in the sandbox is terminated but before BSA is doing its VirusTotal check in Auto Mode? Because if FakeNet is still running at this stage, BSA won't be able to go out and check ...[/quote]

Hmmmm... this gives me an idea! :shock: :D

I will do some research and if I get something out of this, I will come back here to comment.

Buster (Sun Jun 10, 2012 8:05 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=81077#81077

Added support to analyze URLs from command line.
Command line format:

    BSA -s or -m time -url URL or file

Example:

    BSA -s 120 -url http://www.sandboxie.com
    BSA -m 2 -url c:\test\urls.txt

Buster (Sun Jun 10, 2012 7:22 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=81075#81075):

There was a typo in the code that caused opened URLs not to be shown in the HTML and XML reports. This bug will be fixed in the next version.

Scrapie (Sun Jun 10, 2012 6:30 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=81074#81074):

Quoting Buster:
> Using FakeNet (http://practicalmalwareanalysis.com/fakenet/) with Buster Sandbox Analyzer.
> A kind of solution would be using FakeNet. With this program you would avoid any information leaving your machine, but you would be able to see DNS requests, HTTP information, mails being sent, etc. Give it a try!

What would be a smart way to end FakeNet (send CTRL+C to cmd) after every program in the sandbox is terminated but before BSA is doing its VirusTotal check in Auto-Mode? Because if FakeNet is still running at this stage, BSA won't be able to go out and check...

Cheers,
Scrapie

Buster (Sun Jun 10, 2012 12:22 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=81066#81066):

Quoting Scrapie:
> With the reports: Fair enough. It's not a big deal to write a little tool that goes through the various txt's and generates an HTML which uses an external CSS. I'm thinking of writing something like a little Report-Builder for BSA that gives users more flexibility handling the various reports. Would such a program be useful?

I am satisfied with the actual HTML format, and so far nobody but you has talked about doing something like that. If you are interested, do it for yourself and when it's finished, offer it publicly. That will not harm.
:wink:

Quoting Scrapie:
> While going through the HTML and the txt one thing came to my attention. If a program opens a URL, this is not shown in the HTML report under "Network services". Not sure if that is okay or a bug. Example of Report.txt:
>
>     [ Network services ]
>     * Looks for an Internet connection.
>     * Connects to "service.xxxxxxxxxx.com" on port 80.
>     * Connects to "75.xxx.xxx.69" on port 80.
>     * Connects to "108.xxx.xxx.204" on port 80.
>     * Opens next URLs: http://w*w.xxxxxxx.com/auto?p=df&v=2.10.413&l=1031
>
> In Report.html the last point (Opens next URLs:) is missing.

I will take a look. Thanks for the feedback!

Quoting Scrapie:
> A totally different question now - the logged APIs: that feature is great, but to keep the amount of information low, is there a list of suspicious / harmful calls? I'm thinking of only logging these calls rather than logging the whole lot. Sorry, I'm not really into API calls so I don't know if that is a stupid idea or not...

You usually get many "GetModuleHandle" calls in the API log, and around 97-99% of the time they are harmless calls, but in the other 1-3% you may get a "GetModuleHandle(sbiedll.dll)", which is a clear indication of suspicious activity. You could filter the "FreeLibrary" API, for example, as it's not used for any malicious behavior. "ExitProcess" could be discarded too. You will have to dig into this issue and exclude stuff based on your experience.

Scrapie (Sat Jun 09, 2012 11:17 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=81064#81064):

Hi Buster, thanks for your fast reply :)
Thanks also for adding the URLs to your request list!

With the reports: Fair enough. It's not a big deal to write a little tool that goes through the various txt's and generates an HTML which uses an external CSS. I'm thinking of writing something like a little Report-Builder for BSA that gives users more flexibility handling the various reports.
Would such a program be useful?

While going through the HTML and the txt one thing came to my attention. If a program opens a URL, this is not shown in the HTML report under "Network services". Not sure if that is okay or a bug. Example of Report.txt:

    [ Network services ]
    * Looks for an Internet connection.
    * Connects to "service.xxxxxxxxxx.com" on port 80.
    * Connects to "75.xxx.xxx.69" on port 80.
    * Connects to "108.xxx.xxx.204" on port 80.
    * Opens next URLs: http://w*w.xxxxxxx.com/auto?p=df&v=2.10.413&l=1031

In Report.html the last point (Opens next URLs:) is missing.

A totally different question now - the logged APIs: that feature is great, but to keep the amount of information low, is there a list of suspicious / harmful calls? I'm thinking of only logging these calls rather than logging the whole lot. Sorry, I'm not really into API calls so I don't know if that is a stupid idea or not...

Thanks,
Scrapie

Buster (Sat Jun 09, 2012 1:10 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=81047#81047):

Quoting Scrapie:
> Hi Buster :) Haven't been here for a while but tested your latest version and it is running very well here - thank you for your hard work!!!

Thanks! :)

Quoting Scrapie:
> Hey, would it be possible to get the URL-Analyzer integrated into the command line option? I'm thinking of something like:
>
>     BSA.EXE -s 30 -f C:\TEST -list C:\BSA\URLs.txt
>
> Would be good to check out a list of URLs in Automatic Mode...

I will add this to my feature request list.

Quoting Scrapie:
> Can you please explain what BSA is doing if the URL is a webpage (w*w.1.com/a.html) that might contain a link to a file, and if the URL is directly to a file (w*w.1.com/a.exe)?

If the URL is an .HTML file, BSA launches IE and loads the URL.
If there is not any exploit that loads a link to a file that the URL might contain, then nothing happens. BSA is not a link crawler, so if things do not get executed automatically, IE will just load the URL normally. If the URL is directly a file and the file is executable (.exe), in that case BSA downloads the file and executes it locally for analysis.

Quoting Scrapie:
> And another question: is there a way to define a custom CSS for the HTML report rather than having the CSS defined in the HTML directly? That way content (report) and design (CSS) are separate and easy to adjust in the future, and the report could be integrated into an existing (honeypot) website.

I suggest you create your custom HTML reports from the data contained in REPORT.TXT.

Quoting Scrapie:
> Is there an option planned to let the user specify what information he wants in the HTML reports? Like: the program options for MD5 & SHA1 are ticked, but the user wants only MD5 to come up in the HTML report, plus file info and PE imports.

No, I will not do something like that. If you want personalized HTML reports I suggest again that you create them from the data contained in REPORT.TXT. You must understand I can not implement custom reports for HTML, JSON, XML, PDF or any other formats I may add, when it's much simpler that if someone wants customized reports, he builds them.

Scrapie (Sat Jun 09, 2012 12:05 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=81045#81045):

Hi Buster :)

Haven't been here for a while but tested your latest version and it is running very well here - thank you for your hard work!!!

Hey, would it be possible to get the URL-Analyzer integrated into the command line option? I'm thinking of something like:

    BSA.EXE -s 30 -f C:\TEST -list C:\BSA\URLs.txt

Would be good to check out a list of URLs in Automatic Mode...
Can you please explain what BSA is doing if the URL is a webpage (w*w.1.com/a.html) that might contain a link to a file, and if the URL is directly to a file (w*w.1.com/a.exe)?

And another question: is there a way to define a custom CSS for the HTML report rather than having the CSS defined in the HTML directly? That way content (report) and design (CSS) are separate and easy to adjust in the future, and the report could be integrated into an existing (honeypot) website.

Is there an option planned to let the user specify what information he wants in the HTML reports? Like: the program options for MD5 & SHA1 are ticked, but the user wants only MD5 to come up in the HTML report, plus file info and PE imports.

Thanks,
Scrapie

Buster (Sat Jun 09, 2012 3:07 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=81039#81039):

I did a little testing of LOG_API for 64-bit applications: I tested it with the 64-bit versions of Notepad and Task Manager and it worked fine. I compiled an application in 64-bit and the program crashed. I noticed the problem was the injected DLL.

In summary: at the moment, don't use the LOG_API 64-bit version.

Buster (Fri Jun 08, 2012 7:56 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=81031#81031):

Comments about the version 1.67 release:

Improved "[File_Strings]" section at BSA.DAT

Now it is possible to assign a description (it is optional, not mandatory) to the strings.
So if we define this:

    [File_Strings]
    www.bankofamerica.com<->Traces of a banking trojan

in REPORT.TXT we would get something like this:

    * Contains string Traces of a banking trojan ("www.bankofamerica.com")

And in ANALYSIS.TXT we would get something like this:

    Defined string contained: Traces of a banking trojan ("www.bankofamerica.com")

As you can see, the information is clearer in both the report and the analysis files.

Added "[Custom_LogAPI_Entries]" section to BSA.DAT

Similar to the previous feature, I created a new entry in BSA.DAT to define strings that may appear in the LOG_API.TXT file. In the section we can define a string to look for and a description for it. Like this:

    [Custom_LogAPI_Entries]
    CreateEvent(Global\killllllllllll)<->Traces of a trojan password

Matches will appear in ANALYSIS.TXT only, as this:

    Defined Log_API entry: Traces of a trojan password

Added support for wildcards in RegistryExclude.TXT

This gives more flexibility to discard registry keys.

Added support for Hexacorn's HexDive tool

You can find a description of the tool here: http://www.hexacorn.com/blog/

Added LOG_API support for 64-bit applications

BSA had been lacking a LOG_API version compatible with 64-bit applications. From this version it is available.

I made some tests and the Sandboxie hiding capabilities in 64-bit OSs are not good. I do not know why, but while the 32-bit version of LOG_API is able to hide SbieDll.dll, the 64-bit one can not. Keep that in mind if you analyze malware in a 64-bit environment.

I forgot to mention it in the changes, but as usual I fixed several bugs:
+ "Fixed" a problem with Exeinfo crashing on certain files.
+ Fixed a bug related to API logging in manual mode.
+ Fixed a problem when generating additional information on certain files.
...
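The API-log pruning Buster describes earlier in the thread (discard "FreeLibrary" and "ExitProcess", exclude a process such as c:\windows\surun.exe or a string such as SHIMLIB_LOG_MUTEX via the API exclude file, and treat "GetModuleHandle(sbiedll.dll)" as suspicious) together with the "string<->description" syntax of the [Custom_LogAPI_Entries] section from the 1.67 notes, as an added Python example that is not part of BSA. The LOG_API.TXT sample, the BSA.DAT fragment, the exclude file and the SbieDll description are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of LOG_API.TXT in the line format the thread shows:
# "Executing: <path>" headers, then "Api(args) [<path of calling process>]".
SAMPLE_LOG_API = r"""Executing: c:\windows\surun.exe
LoadLibrary(surunext.dll) [c:\windows\surun.exe]
GetModuleHandle(kernel32.dll) [c:\windows\surun.exe]
Executing: c:\test\sample.exe
GetModuleHandle(kernel32.dll) [c:\test\sample.exe]
GetModuleHandle(sbiedll.dll) [c:\test\sample.exe]
CreateMutex(SHIMLIB_LOG_MUTEX) [c:\test\sample.exe]
CreateEvent(Global\killllllllllll) [c:\test\sample.exe]
FreeLibrary(C:\windows\system32\lz32.dll) [c:\test\sample.exe]
ExitProcess() [c:\test\sample.exe]
"""

# Constructed BSA.DAT fragment using the "string<->description" syntax
# from the 1.67 notes; the SbieDll entry is our own, not shipped with BSA.
SAMPLE_BSA_DAT = r"""[File_Strings]
www.bankofamerica.com<->Traces of a banking trojan

[Custom_LogAPI_Entries]
CreateEvent(Global\killllllllllll)<->Traces of a trojan password
GetModuleHandle(sbiedll.dll)<->Looks for Sandboxie's SbieDll.dll
"""

# Constructed API exclude file holding the two entries the thread recommends.
SAMPLE_API_EXCLUDE = r"""c:\windows\surun.exe
SHIMLIB_LOG_MUTEX
"""

# APIs the author suggests discarding because they carry no malicious signal.
HARMLESS_APIS = {"FreeLibrary", "ExitProcess"}

CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\) \[(?P<proc>[^\]]+)\]$")


def parse_bsa_dat_section(text: str, section: str) -> Dict[str, str]:
    """Return {pattern: description} for one [Section] of a BSA.DAT-style file."""
    entries: Dict[str, str] = {}
    active = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            active = line[1:-1] == section
        elif active and "<->" in line:
            pattern, desc = line.split("<->", 1)
            entries[pattern.strip()] = desc.strip()
    return entries


def parse_log_api(text: str) -> List[dict]:
    """Parse LOG_API.TXT call lines; 'Executing:' headers carry no call and are skipped."""
    records: List[dict] = []
    for raw in text.splitlines():
        m = CALL_RE.match(raw.strip())
        if m:
            records.append({"api": m.group("api"),
                            "call": f"{m.group('api')}({m.group('args')})",
                            "proc": m.group("proc").lower()})
    return records


def filter_records(records: List[dict], exclude_text: str) -> List[dict]:
    """Apply the API exclude file (process paths or substrings) and drop harmless APIs."""
    excludes = [e.strip().lower() for e in exclude_text.splitlines() if e.strip()]
    kept = []
    for r in records:
        if r["api"] in HARMLESS_APIS or r["proc"] in excludes:
            continue
        if any(e in r["call"].lower() for e in excludes):
            continue
        kept.append(r)
    return kept


def analysis_lines(records: List[dict], custom: Dict[str, str]) -> List[str]:
    """Emit ANALYSIS.TXT-style lines for calls matching [Custom_LogAPI_Entries]."""
    out = []
    for r in records:
        for pattern, desc in custom.items():
            if pattern.lower() in r["call"].lower():
                out.append(f"Defined Log_API entry: {desc}")
    return out


def analyze(log_text: str, dat_text: str, exclude_text: str) -> dict:
    """Run the whole pipeline and return the surviving calls plus analysis lines."""
    custom = parse_bsa_dat_section(dat_text, "Custom_LogAPI_Entries")
    kept = filter_records(parse_log_api(log_text), exclude_text)
    return {"calls": [f"{r['call']} [{r['proc']}]" for r in kept],
            "analysis": analysis_lines(kept, custom)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG_API, SAMPLE_BSA_DAT, SAMPLE_API_EXCLUDE)
    print("\n".join(result["calls"] + result["analysis"]))
```

On the sample, the whole surun.exe block, the SHIMLIB_LOG_MUTEX mutex and the two harmless APIs disappear, leaving three calls from sample.exe and two ANALYSIS.TXT-style findings.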
Buster (Fri Jun 08, 2012 4:18 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=81026#81026):

Released Buster Sandbox Analyzer 1.67.

Changes:
+ Improved "[File_Strings]" section at BSA.DAT
+ Added "[Custom_LogAPI_Entries]" section to BSA.DAT
+ Added support for wildcards in RegistryExclude.TXT
+ Added support for Hexacorn's HexDive tool
+ Added new malware behaviours
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Added LOG_API support for 64-bit applications

Buster (Sun Jun 03, 2012 1:26 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80841#80841):

Notes about release 1.66:

After a long time I have added new entries to BSA.DAT. I added new malware behaviors: DLL registration at COM, execution of a Windows Script, ...

I fixed and improved reports a bit.

I fixed and improved the "Dump Executable Processes" feature. I added the use of the MDmp tool (https://code.google.com/p/mdmp/) by Vlad-Ioan Topan. Now the feature is able to dump certain processes that before was not possible.

Buster (Sun Jun 03, 2012 12:21 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80833#80833):

Released Buster Sandbox Analyzer 1.66

Changes:
+ Added new malware behaviours
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Improved "Dump Executable Processes" feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs

Buster (Wed May 30, 2012 3:20 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80717#80717):

Using FakeNet (http://practicalmalwareanalysis.com/fakenet/) with Buster Sandbox Analyzer.

> FakeNet is a Windows network simulation tool designed for malware analysis.
> It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst. The tool supports DNS, HTTP, and SSL protocols and provides a python extension interface for implementing new or custom protocols. It also has the capability to listen for traffic to any port as well as create packet captures on the localhost.

I guess some people using Sandboxie + Buster Sandbox Analyzer to analyze malware disable the internet connection in Sandboxie to avoid trouble. The problem is you will miss network related information.

A kind of solution would be using FakeNet. With this program you would avoid any information leaving your machine, but you would be able to see DNS requests, HTTP information, mails being sent, etc.

Give it a try!

Buster (Wed May 30, 2012 3:15 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80715#80715):

Notes about BSA 1.65:

I added PE exports to the "Additional Information" feature.

I fixed a problem that appeared with the release of Sandboxie 3.70: windows were not being shown.

Buster (Wed May 30, 2012 3:13 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80714#80714):

Released Buster Sandbox Analyzer 1.65.

Changes:
+ Improved "Additional Information" feature
+ Fixed several bugs

Buster (Tue May 29, 2012 8:32 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80666#80666):

I uploaded an updated BSA package of version 1.64. It includes updated Brazilian and Russian language files and a bugfix related to the endianness that tzuk commented on.
Buster (Tue May 29, 2012 6:00 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=80630#80630):

Quoting crykid:
> I got a problem. I just started using Buster and I can't get Buster to work with any sandbox other than DefaultBox. I entered these entries under the entries that belong to the sandbox which I want to run:
>
>     InjectDll=C:\BSA\LOG_API.DLL
>     OpenWinClass=TFormBSA
>     NotifyDirectDiskAccess=y
>
> This works with DefaultBox but not with the other sandbox that I have. And I have a question, does Buster edit Sandboxie's ini file without the user's knowledge?

No, BSA does not edit SANDBOXIE.INI without the user's knowledge.

Copy & paste your SANDBOXIE.INI to know what the problem is, please.

crykid (Tue May 29, 2012 1:36 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=80624#80624):

I got a problem. I just started using Buster and I can't get Buster to work with any sandbox other than DefaultBox. I entered these entries under the entries that belong to the sandbox which I want to run:

    InjectDll=C:\BSA\LOG_API.DLL
    OpenWinClass=TFormBSA
    NotifyDirectDiskAccess=y

This works with DefaultBox but not with the other sandbox that I have. And I have a question, does Buster edit Sandboxie's ini file without the user's knowledge?

Buster (Mon May 28, 2012 6:18 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80612#80612):

A few comments about the new release...

I have added a few new malware behaviours, mainly related to the detection of anti-malware software like Process Explorer, Process Monitor, etc.

I improved the "Hide Driver" manager. Now it is possible to change the name of the service (one less piece of static info that malware could check) and how the driver can be started. Until now the driver was being loaded on demand.
From this version it is possible to configure it as autostart, so it will not be necessary to start the driver manually or configure BSA to start it automatically.

For this new release I have tested over 50,000 malware samples. Some of these samples were giving trouble to BSA. The new version is able to process them.

Buster (Mon May 28, 2012 5:59 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80605#80605):

Released Buster Sandbox Analyzer 1.64.

Changes:
+ Added new malware behaviours
+ Improved "Hide Driver" manager
+ Improved anti anti-Sandboxie capabilities
+ Included new malware behaviours at "Risk Evaluation Ratings"
+ Updated LOG_API
+ Fixed several bugs

Buster (Sun May 27, 2012 2:44 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80560#80560):

I would say that SHIMLIB_LOG_MUTEX is a mutex related to some Windows process. In my personal BSA config I have it excluded in the API exclude file. If you exclude it (I suggest you do it), from Notepad you finally would have these malware behaviours:

    Detected process privilege elevation
    Got computer name

That would be more exact.

kabaczek124 (Sun May 27, 2012 2:31 pm, http://www.sandboxie.com/phpbb/viewtopic.php?p=80559#80559):

Problem solved :) thanks

Now I have only the "assorted suspicious action" flag:

    Detailed report of suspicious malware actions:
    Created a mutex named: SHIMLIB_LOG_MUTEX
    Detected process privilege elevation
    Got computer name

but... I can live with that ;)

P.S. What is SHIMLIB_LOG_MUTEX?
Buster (Sun May 27, 2012 10:42 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=80541#80541):

Solution: In the API exclude file include the next line:

    c:\windows\surun.exe

kabaczek124 (Sun May 27, 2012 10:02 am, http://www.sandboxie.com/phpbb/viewtopic.php?p=80536#80536):

log api
report [ General information ] * File name: c:\windows\surun.exe [ Changes to filesystem ] * No changes [ Changes to registry ] * Modifies value "NukeOnDelete=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket old value empty * Modifies value "UseGlobalSettings=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket old value empty * Modifies value "Common Start Menu=C:\Documents and Settings\All Users\Start Menu" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders old value empty * Modifies value "Common Documents=C:\Documents and Settings\All Users\Documents" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders old value empty * Modifies value "Common Desktop=C:\Documents and Settings\All Users\Desktop" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders old value empty * Creates value "SymbolicLinkValue=5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F0072006F0062006F0063007A0065005F0041004200550053005400450052005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300" in key HKEY_CURRENT_USER\software\classes binary data=\REGISTRY\USER\Sandbox_kabaczek_ABUSTER\user\current_classes * Modifies value "lfWeight=90010000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "lfCharSet=EE000000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "lfOutPrecision=01000000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "lfClipPrecision=02000000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "lfQuality=02000000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "lfPitchAndFamily=21000000" in key 
HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iPointSize=64000000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "lfFaceName=Lucida Console" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "szHeader=&f" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "szTrailer=Page &p" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iMarginTop=C4090000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iMarginBottom=C4090000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iMarginLeft=D0070000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iMarginRight=D0070000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iWindowPosX=7D010000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iWindowPosY=B4000000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iWindowPosDX=E2020000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "iWindowPosDY=94010000" in key HKEY_CURRENT_USER\software\Microsoft\Notepad old value empty * Modifies value "BaseClass=Drive" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc22f56c-a5c4-11e1-83fa-001060d01fd6} old value empty * Modifies value "BaseClass=Drive" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebc790e8-a5c7-11e1-ad08-806d6172696f} old value empty * Modifies value "BaseClass=Drive" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebc790ea-a5c7-11e1-ad08-806d6172696f} old value empty * Modifies value "BaseClass=Drive" in key 
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebc790eb-a5c7-11e1-ad08-806d6172696f} old value empty
* Modifies value "Desktop=C:\Documents and Settings\kabaczek\Desktop" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders old value empty
* Modifies value "Start Menu=C:\Documents and Settings\kabaczek\Start Menu" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders old value empty
* Modifies value "Personal=C:\Documents and Settings\kabaczek\My Documents" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders old value empty
* Creates value "LastFailedCmd=C:\windows\system32\notepad.exe" in key HKEY_CURRENT_USER\software\SuRun

[ Network services ]
* No changes

[ Process/window/string information ]
* Keylogger functionality.
* Enables process privileges.
* Gets computer name.
* Opens a service named "SuRunSVC".
* Creates a mutex "SHIMLIB_LOG_MUTEX".

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=80515#80515 (Sat May 26, 2012 9:18 pm)

Post here the LOG_API.TXT generated by BSA when analyzing Windows Calculator on LUA.

kabaczek124: http://www.sandboxie.com/phpbb/viewtopic.php?p=80514#80514 (Sat May 26, 2012 7:17 pm)

OK, if I run any safe program, e.g. Windows Calculator, in Sandboxie (and check this with BSA) I get red flags when working on a Limited User Account (under SuRun) (I already disabled ctfmon). I wonder how to bypass this, because it could be difficult to know if the program I test has a false-positive keylogger flag or is REAL malware with a keylogger.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=80507#80507 (Sat May 26, 2012 6:35 pm)

kabaczek124: sorry but I do not understand what you mean. You will have to elaborate a bit more.
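The report above prints registry data as raw bytes (for example NukeOnDelete=01000000, and the long hex string in SymbolicLinkValue), and further down the thread tzuk asks whether the displayed endianness of such values should be fixed. As an added example that is not part of BSA or of any post here, the following Python script decodes lines of that shape: a REG_DWORD is stored little-endian, so the bytes 01 00 00 00 are the value 1, and the SymbolicLinkValue bytes are UTF-16LE text. The sample lines are constructed after the ones in this thread, and the type guessing is a heuristic, because a diff line does not carry the registry value type (a real tool would read the type from the hive).

```python
"""Decode raw registry values as printed in a REGDIFF/Report-style listing.

Added example, not BSA's own code. Type detection is heuristic: the text line
does not say whether a value is REG_DWORD, REG_SZ or REG_BINARY.
"""
import re
from typing import List, Optional, Tuple, Union

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample, modelled on the REGDIFF lines posted in this thread.
SAMPLE_REGDIFF = r"""
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 01000000
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings = 01000000
user\current\software\Microsoft\Notepad\iMarginTop = C4090000
user\current\software\Microsoft\Notepad\lfFaceName = Lucida Console
user\current\software\classes\SymbolicLinkValue = 5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F0072006F0062006F0063007A0065005F0041004200550053005400450052005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300
machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop = C:\Documents and Settings\All Users\Desktop
"""


def decode_dword_le(hex_bytes: str) -> int:
    """Registry DWORDs are stored little-endian: the raw bytes 01 00 00 00 are
    the value 0x00000001, which is why a diff of raw data shows 01000000 for 1."""
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")


def decode_utf16le(hex_bytes: str) -> Optional[str]:
    """Return the text if the bytes are printable UTF-16LE, else None."""
    try:
        text = bytes.fromhex(hex_bytes).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def decode_value(raw: str) -> Tuple[str, Union[int, str]]:
    """Guess the type of one raw value: 8 hex digits -> DWORD; longer hex that
    reads as printable UTF-16LE -> string data; other hex -> binary; else literal."""
    if HEX_RE.match(raw):
        if len(raw) == 8:
            return "REG_DWORD", decode_dword_le(raw)
        if len(raw) % 4 == 0:
            text = decode_utf16le(raw)
            if text is not None:
                return "REG_SZ(utf-16le)", text
        return "REG_BINARY", raw
    return "REG_SZ", raw


def parse_regdiff(text: str) -> List[Tuple[str, str, str, Union[int, str]]]:
    """Split each 'key\\name = value' line into (key, name, guessed type, value)."""
    rows: List[Tuple[str, str, str, Union[int, str]]] = []
    for line in text.splitlines():
        if " = " not in line:
            continue
        path, raw = line.split(" = ", 1)
        key, _, name = path.rpartition("\\")
        kind, value = decode_value(raw.strip())
        rows.append((key, name, kind, value))
    return rows


if __name__ == "__main__":
    for key, name, kind, value in parse_regdiff(SAMPLE_REGDIFF):
        print(f"{kind:18} {name} = {value!r}")
```

Running it shows NukeOnDelete and UseGlobalSettings as the DWORD 1 (the value tzuk expected), iMarginTop as 2500, and SymbolicLinkValue as the \REGISTRY\USER\... path the report prints next to the hex.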
kabaczek124: http://www.sandboxie.com/phpbb/viewtopic.php?p=80504#80504 (Sat May 26, 2012 4:12 pm)

Working in LUA (SuRun), with Sandboxie blacklisted in SuRun, I got 3 red flags:
Detected keylogger functionality
Detected process privilege elevation
Got computer name
Opened a service named: SuRunSVC
How to work around this?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=80181#80181 (Tue May 15, 2012 6:35 pm)

> Quoting tzuk:
> > Quoting kabaczek124:
> > machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 01000000
> > machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings = 01000000
> These two are written by Sandboxie, but the value should be 00000001 and not as displayed. Buster perhaps you need to fix the endianness of the values displayed?

The endianness is present in REGDIFF.TXT, which is raw data. In Report.TXT it appears correctly.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=80180#80180 (Tue May 15, 2012 6:17 pm)

> Quoting kabaczek124:
> machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 01000000
> machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings = 01000000

These two are written by Sandboxie, but the value should be 00000001 and not as displayed. Buster perhaps you need to fix the endianness of the values displayed?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=80176#80176 (Tue May 15, 2012 5:09 pm)

> Quoting kabaczek124:
> your program (BSA) is a great addition to the great program (Sandboxie)!

Thanks! :)

> Quoting kabaczek124:
> But.... I experience strange behavior.
> If process ctfmon.exe is running in normal Windows (XP SP3), each tested program has red flags "keylogger activity" and "assorted suspicious actions"; if ctfmon.exe is off: no red flags. Is it a bug or normal behavior?

ctfmon is like a supervisor, so it messes with active windows. My suggestion: disable ctfmon. I have it disabled myself. An alternative way to avoid the mess would be adding the entries you listed to the exclusion lists.

kabaczek124: http://www.sandboxie.com/phpbb/viewtopic.php?p=80174#80174 (Tue May 15, 2012 4:17 pm)

Your program (BSA) is a great addition to the great program (Sandboxie)! But.... I experience strange behavior. If process ctfmon.exe is running in normal Windows (XP SP3), each tested program has red flags "keylogger activity" and "assorted suspicious actions".

Details:

Detailed report of suspicious malware actions:
Created a mutex named: CTF.Asm.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.Compart.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.Layouts.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.LBES.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1604221776-1177238915-1003MUTEX.DefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.TMD.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: MSCTF.Shared.MUTEX.MDO
Detected keylogger functionality

RegDiff:
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 01000000
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings = 01000000
machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents = C:\Documents and Settings\All Users\Documents
machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Common Desktop = C:\Documents and Settings\All Users\Desktop
user\current\software\classes\SymbolicLinkValue = 5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F0061007200690067006F006C0064005F0041004200550053005400450052005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43fb83f2-adef-11df-b38d-0040d09cf3f6}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d46da0a-ad3e-11df-9b43-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d46da0b-ad3e-11df-9b43-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d46da0c-ad3e-11df-9b43-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal = C:\Documents and Settings\XXX\My Documents
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = C:\Documents and Settings\XXX\Desktop

If ctfmon.exe is off: no red flags. Is it a bug or normal behavior?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=80135#80135 (Sun May 13, 2012 7:13 pm)

A few comments about the new release...

First I must thank tzuk for introducing in Sandboxie the necessary feature to get multiple malware analyses working perfectly in Buster Sandbox Analyzer. From version 1.63, BSA will be able to assign events logged by Sandboxie to the proper BSA instance.

In the time between the version 1.62 and 1.63 releases I have tested almost 30,000 malware samples. This intensive testing helped me to fix a few more bugs and introduce new features like this:
- If a sandboxed process changes display resolution, BSA will restore previous settings.
I have also improved already existing features, like the feature to automate setups or the feature to include additional information about the processed file. I also improved the processing speed of certain files: files that crash will be closed immediately instead of waiting for the malware analysis time to finish.

I introduced two new malware behaviours: connection to FTP server and connection to SMTP server (send an e-mail).

Right now I am collaborating with several persons in order to improve features and malware behaviours. My TO-DO list is almost empty: I just miss adding a few statistics using the information stored in the SQL database.

As usual feedback, bug reports, suggestions, questions, ... whatever will be welcome.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=80134#80134 (Sun May 13, 2012 6:57 pm)

Released Buster Sandbox Analyzer 1.63.

Changes:
+ Added “Aggressive Window Closer” feature
+ Added a feature to restore display settings if changed during analysis
+ Added new malware behaviours
+ Improved “Additional Information” feature
+ Improved multiple malware analyses feature
+ Improved “Automate Setups” feature
+ Improved the processing speed of certain files
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79975#79975 (Sun May 06, 2012 11:25 pm)

A few comments about the new release...

Version 1.62 fixes a bug that becomes important when a large set of malware samples is analyzed.

+ Added a feature to patch LOG_API automatically
With this feature you just need to select the LOG_API file to modify and BSA will do the rest of the work automatically.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79974#79974 (Sun May 06, 2012 11:19 pm)

Released Buster Sandbox Analyzer 1.62.
Changes:
+ Added a feature to patch LOG_API automatically
+ Updated LOG_API
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79946#79946 (Fri May 04, 2012 11:12 pm)

Released Buster Sandbox Analyzer 1.61.

Changes:
+ Added a feature at “Risk Evaluation Ratings” to show hints related to malware behaviours
+ Modified the layout to show separately the file being processed from the number of files left to be processed
+ Added new malware behaviours
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Updated LOG_API
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79926#79926 (Fri May 04, 2012 9:33 am)

Re-released BSA 1.60 to fix some bugs.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79910#79910 (Thu May 03, 2012 10:43 pm)

A few comments about the new release...

+ Added a feature to analyze URLs
I consider the new feature that allows analyzing URLs interesting. A single URL can be analyzed by providing the link, or many URLs can be processed by loading them from a file: one URL per line. If the URL points to an executable file (EXE), the file will be downloaded and then executed in order to be analyzed; otherwise Internet Explorer will be used to launch the page. It is recommended to configure IE with low security settings so malware will be noticed more easily.

+ Added an option at “SQL > Report Manager” feature to import records from an external database
As Buster Sandbox Analyzer can perform several analyses at the same time, the information will be written to several SQL databases. If you want to have the information together, you can use this feature to import records from different databases.
+ Added a feature to avoid screensaver activation while an analysis is being performed
I noticed a weird behaviour when the screensaver gets activated while an analysis is being performed. To avoid this problem Buster Sandbox Analyzer will disable the screensaver while analyzing.

I also noticed that Sandboxie does not allow a sandboxed program to change the status of the screensaver. If the screensaver is disabled, it is not possible to enable it from Sandboxie. Instead the time out can be changed, and some malware will change it. To prevent this situation, Buster Sandbox Analyzer saves the status and the time out of the screensaver before starting the analysis, and when finished, these values are restored.

+ Fixed several bugs
I have tested Buster Sandbox Analyzer with several thousand malware samples. As a product of this intensive testing I have fixed some bugs that could be produced in certain situations. Buster Sandbox Analyzer has been enhanced and now it will run more smoothly with malware that produces a lot of output in LOG_API.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79909#79909 (Thu May 03, 2012 10:15 pm)

Released Buster Sandbox Analyzer 1.60.

Changes:
+ Added a feature to analyze URLs
+ Added an option at “SQL > Report Manager” feature to import records from an external database
+ Added support for JSON reports
+ Added a feature to avoid screensaver activation while an analysis is being performed
+ Updated LOG_API
+ Fixed several bugs

D1G1T@L: http://www.sandboxie.com/phpbb/viewtopic.php?p=79875#79875 (Thu May 03, 2012 1:36 am)

> Quoting Buster:
> Russ McRee from ISSA Journal wrote a nice article about Buster Sandbox Analyzer. You can review the article here: http://holisticinfosec.org/toolsmith/pdf/may2012.pdf

Congratulations on the coverage Buster! You deserve it.
That was a stellar review :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79849#79849 (Wed May 02, 2012 3:01 pm)

Russ McRee from ISSA Journal wrote a nice article about Buster Sandbox Analyzer. You can review the article here: http://holisticinfosec.org/toolsmith/pdf/may2012.pdf

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79516#79516 (Sat Apr 21, 2012 6:49 pm)

Version 1.59 contains important bugfixes.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79515#79515 (Sat Apr 21, 2012 6:48 pm)

Released Buster Sandbox Analyzer 1.59.

Changes:
+ Updated LOG_API
+ Updated PEiD's USERDB.TXT
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79483#79483 (Thu Apr 19, 2012 7:13 pm)

Released Buster Sandbox Analyzer 1.58.

Changes:
+ Added new malware behaviours
+ Added a feature to analyze a file automatically from the shell menu
+ Added a feature to generate additional information from analyzed executable files
+ Added the option of deleting the analyzed file at the “Manage Processed file” feature
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Included Signsrch tool by Luigi Auriemma
+ Updated LOG_API
+ Updated Exeinfo to version 0.0.3.0
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79385#79385 (Mon Apr 16, 2012 10:50 am)

Released Buster Sandbox Analyzer 1.57.

Changes:
+ Added a feature to extract used APIs from dumped files
+ Added a feature to extract strings from dumped files
+ Added new malware behaviour
+ Fixed a bug

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79184#79184 (Wed Apr 11, 2012 10:53 am)

Released Buster Sandbox Analyzer 1.56.
Changes:
+ Added the ability to run multiple analyses at the same time
+ Added new malware behaviours
+ Updated LOG_API
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Added Russian language translation (thanks to gjf)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79051#79051 (Thu Apr 05, 2012 6:28 pm)

I have changed a few things and I have got a version of BSA able to run multiple instances, so several malware samples can be analyzed at the same time. If anyone is interested in testing it, contact me by private message.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79043#79043 (Thu Apr 05, 2012 10:51 am)

A few comments about the last added features...

+ Added a new entry section to BSA.DAT: [File_Strings]
+ Added a feature to search for defined strings inside analyzed file
In the "[File_Strings]" section of BSA.DAT you can include strings that you want BSA to look for. BSA will search for the strings first in ANSI format and, if not found, in UNICODE format. BSA will search for the strings in the analyzed file and, if the feature is enabled (Options > Automatic Analysis Options > Dump Executable Processes), also inside dumped binary files. This feature can be useful to notice banking malware, e.g. by including URL strings related to banks.

+ Improved “Dump Executable Processes” feature
I have limited the dumping of processes to just one copy per executable. Previously if, let's say, REG.EXE was executed 3 times, the process would be dumped 3 times.
+ Added Adobe Malware Classifier information
Adobe released a tool in Python related to malware detection: http://sourceforge.net/projects/malclassifier.adobe/?_test=b

"Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users' systems are vulnerable. Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.” The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs. The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown binary."

BSA includes a code port of this tool and uses the four classifiers. If all classifiers consider the file clean, the file will be reported by BSA as clean. If all classifiers consider the file malicious, BSA will report the file as malicious. If the classifiers give different results, the file will be considered unknown. This malware classification is orientative and cannot be considered conclusive.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79042#79042 (Thu Apr 05, 2012 10:37 am)

Released Buster Sandbox Analyzer 1.55.

Changes:
+ Added Adobe Malware Classifier information
+ Included new malware behaviour at “Risk Evaluation Ratings”

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=79000#79000 (Tue Apr 03, 2012 10:56 am)

Released Buster Sandbox Analyzer 1.54.
Changes:
+ Added a new entry section to BSA.DAT: [File_Strings]
+ Added a feature to search for defined strings inside analyzed file
+ Improved “Dump Executable Processes” feature
+ Included new malware behaviour
+ Updated LOG_API
+ Added Portuguese (Brazil) language translation (thanks to Paulo Guzman)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=78829#78829 (Thu Mar 29, 2012 4:25 pm)

> Quoting MichaelS:
> Thank you for delivering free of charge and constantly improving this excellent Sandboxie companion.

You are welcome!

MichaelS: http://www.sandboxie.com/phpbb/viewtopic.php?p=78824#78824 (Thu Mar 29, 2012 2:00 pm)

Thank you for delivering free of charge and constantly improving this excellent Sandboxie companion.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=78821#78821 (Thu Mar 29, 2012 11:36 am)

Some comments about the new release (1.53):

I have added a new section to BSA.DAT. It is named "[Process_Code_Injection]". BSA was already reporting the injection of code into other processes, but I considered that it would be interesting to identify them uniquely so the user can give a different risk weight to each process being injected. So you can give a "low" or "medium" risk weight to code injections in general and select a "high" risk weight for injections into processes like "svchost.exe", "firefox.exe", "explorer.exe", "iexplorer.exe", etc. Code injection into these processes is likely part of a malware process, so it's interesting to be able to detect them specifically and assign them a high risk.

I have also changed the layout of "Risk Evaluation Ratings". Now the malicious actions are distributed in different tabs. I think it's easier to navigate them now.

Inside "Risk Evaluation Ratings" I have added a new feature.
This feature allows the user to select which malware behaviours must appear in the analysis reports. This feature increases the flexibility of Buster Sandbox Analyzer. Let's say you do not want "Detected keylogger functionality" to appear in the analysis report. You just must uncheck the checkbox near the behaviour and it will not appear. The weight applied to a malware behaviour and the checkbox are not related. Even if you configure BSA not to show a malware behaviour in the analysis report, the weight given to the malware behaviour will be applied anyway.

And finally I would like to comment about the feature that allows dumping executable processes. When this feature is enabled (Options > Automatic Analysis Options > Dump Executable Processes), Buster Sandbox Analyzer will make a dump of the file we are processing (if it is executable) and also a dump of all the executable processes launched by the file we are processing. I will make use of this new feature in the next BSA release to improve the tool.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=78820#78820 (Thu Mar 29, 2012 11:12 am)

Released Buster Sandbox Analyzer 1.53.

Changes:
+ Added a new entry section to BSA.DAT: [Process_Code_Injection]
+ Added a new feature to dump executable processes in automatic mode
+ Added a feature that allows the user to select which behaviours must appear in the analysis report
+ Updated “Risk Evaluation Ratings”
+ Included new malware behaviour
+ Updated LOG_API

MichaelS: http://www.sandboxie.com/phpbb/viewtopic.php?p=78760#78760 (Tue Mar 27, 2012 6:48 am)

> Quoting Buster:
> Do you want the 32 or the 64 version of the DLL?

I'm running Windows 7 Ult SP1 x64 and testing both 32-bit and 64-bit applications, so whichever you believe is suitable.
> Quoting Buster:
> Place BSA in the position you prefer and then enable: Options > Program Options > Remember Window Position

Yup, that and Save Settings on Exit does it. Thank you.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=78759#78759 (Tue Mar 27, 2012 6:27 am)

> Quoting MichaelS:
> Yes, it would be excellent to have an alternative for files and registry entries that a sandboxed application reads. Thank you!

No problem, I will make a custom version for you. Do you want the 32 or the 64 version of the DLL?

> Quoting MichaelS:
> Unrelated: just thought I should mention, if a user has a 2 screens setup, with the primary screen to the right side, BSA positions itself offscreen (only half of the BSA GUI is visible on the main screen). That's not an issue nor an annoyance for me as I can use a window manager to automatically position BSA centered on my main screen at startup, but I don't know about others.

Place BSA in the position you prefer and then enable: Options > Program Options > Remember Window Position

MichaelS: http://www.sandboxie.com/phpbb/viewtopic.php?p=78757#78757 (Tue Mar 27, 2012 6:17 am)

Yes, it would be excellent to have an alternative for files and registry entries that a sandboxed application reads. Thank you!

Unrelated: just thought I should mention, if a user has a 2 screens setup, with the primary screen to the right side, BSA positions itself offscreen (only half of the BSA GUI is visible on the main screen). That's not an issue nor an annoyance for me as I can use a window manager to automatically position BSA centered on my main screen at startup, but I don't know about others.
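The release comments above describe two BSA.DAT-driven features: the [File_Strings] search, which looks for each configured string first in ANSI and only then in UNICODE form (in the analyzed file and in dumped processes), and the [Process_Code_Injection] section, which lets a code injection into a named target such as svchost.exe carry a higher risk weight than injections in general, with the note that unchecking a behaviour in the report does not remove its weight from the risk score. The following Python script is an added example that models both; it is not BSA's own code. Only the two section names come from the thread: the entry syntax inside them, the numeric scale behind "low"/"medium"/"high", the default behaviour weights, the behaviour list and the sample binary are all assumptions constructed for the example.

```python
"""Added example (not BSA's code): a tiny BSA.DAT-style string search and risk evaluator."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed config fragment. Section names are from the thread; the syntax
# inside them (one entry per line, "target=weight", "*" as fallback) is assumed.
SAMPLE_CONFIG = """
[File_Strings]
paypal.com
bankofexample.test/login

[Process_Code_Injection]
svchost.exe=high
explorer.exe=high
firefox.exe=high
*=medium
"""

# Assumed numeric scale behind the low/medium/high labels.
RISK_WEIGHTS = {"low": 1, "medium": 3, "high": 6}

# Assumed default weights for a few behaviours named in the thread.
BEHAVIOUR_WEIGHTS = {
    "Detected keylogger functionality": "high",
    "Detected process privilege elevation": "medium",
    "Got computer name": "low",
    "Code injection": "low",  # generic weight; [Process_Code_Injection] overrides per target
}


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Minimal INI-like reader: {section name: [non-empty, non-comment lines]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_strings(data: bytes, needles: List[str]) -> List[Tuple[str, str, int]]:
    """Search each needle as ANSI (single-byte, latin-1 here) first and, only if
    that is absent, as UTF-16LE, which is what Windows calls UNICODE."""
    hits: List[Tuple[str, str, int]] = []
    for needle in needles:
        off = data.find(needle.encode("latin-1"))
        if off != -1:
            hits.append((needle, "ANSI", off))
            continue
        off = data.find(needle.encode("utf-16-le"))
        if off != -1:
            hits.append((needle, "UNICODE", off))
    return hits


def injection_weight(target: str, rules: List[str]) -> str:
    """Weight label for a code injection into `target`; '*' is the fallback rule,
    and the generic 'Code injection' weight applies if there is no fallback."""
    table = {k.lower(): v for k, v in (r.split("=", 1) for r in rules if "=" in r)}
    return table.get(target.lower(), table.get("*", BEHAVIOUR_WEIGHTS["Code injection"]))


def evaluate(behaviours: List[Tuple[str, Optional[str]]],
             config: Dict[str, List[str]],
             hidden: Optional[Set[str]] = None) -> Tuple[int, List[str]]:
    """Score every observed behaviour but list only those not hidden: the report
    checkbox and the weight are independent, as the thread explains."""
    hidden = hidden or set()
    score, report = 0, []
    for name, detail in behaviours:
        if name == "Code injection" and detail:
            label = injection_weight(detail, config.get("Process_Code_Injection", []))
            text = f"{name} into {detail}"
        else:
            label = BEHAVIOUR_WEIGHTS.get(name, "low")
            text = name
        score += RISK_WEIGHTS.get(label, RISK_WEIGHTS["low"])  # unknown label counts as low
        if name not in hidden:
            report.append(f"[{label}] {text}")
    return score, report


# Constructed sample binary: a fake header, one ANSI string, one UTF-16LE string.
SAMPLE_BINARY = (b"MZ\x90\x00" + b"\x00" * 12 + b"https://paypal.com/\x00"
                 + "bankofexample.test/login".encode("utf-16-le") + b"\x00\x00")

# Constructed list of behaviours, as (behaviour name, optional detail).
SAMPLE_BEHAVIOURS = [
    ("Detected keylogger functionality", None),
    ("Got computer name", None),
    ("Code injection", "svchost.exe"),
    ("Code injection", "notepad.exe"),
]

if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    for hit in find_strings(SAMPLE_BINARY, cfg["File_Strings"]):
        print("string %r found as %s at offset %d" % hit)
    total, lines = evaluate(SAMPLE_BEHAVIOURS, cfg)
    print("risk score:", total)
    print("\n".join(lines))
```

With the constructed input the first string is found as ANSI and the second only as UNICODE; the svchost.exe injection scores "high" while the notepad.exe one falls back to the "*" rule, and hiding the keylogger line from the report leaves the total score unchanged.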
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=78755#78755 (Tue Mar 27, 2012 6:00 am)

> Quoting MichaelS:
> Hello, is it possible to include accessed resources (i.e. read files/registry entries) in the reports or would that crowd the report too much?

As you say, that would crowd the report too much, so when I designed the tool I decided I would not include that stuff. Anyway you could use the verbose version of LOG_API.DLL and get read registry entries from LOG_API.TXT. And if you want I could make a special LOG_API version that also logs read files for you. With such a LOG_API.DLL version it would be easy to make a program that parses LOG_API.TXT and produces a file logging read files/registry entries.

MichaelS: http://www.sandboxie.com/phpbb/viewtopic.php?p=78754#78754 (Tue Mar 27, 2012 5:13 am)

Hello, is it possible to include accessed resources (i.e. read files/registry entries) in the reports or would that crowd the report too much?

Max100: http://www.sandboxie.com/phpbb/viewtopic.php?p=78693#78693 (Sun Mar 25, 2012 3:58 pm)

> Quoting Buster:
> HideDriver has been removed from the package. I have included a custom driver to hide Sandboxie's processes. This driver can be installed and started by Buster Sandbox Analyzer on demand or automatically. In order to get the driver working, Buster Sandbox Analyzer must have admin rights. The driver (BSA.SYS) can be renamed for security purposes to any name. At least one antivirus vendor detects the driver as malicious. I would be grateful if you submit the driver to those vendors detecting the driver so they remove the false positive. If anyone has any questions about this or any of the new features (File Renamer) just post a message.
Here is the complete list of antivirus products that report this file as malware: https://www.virustotal.com/file/fc3dec19ba7387874099565192fd3ec28aeb396fc33f18275ac9c3d306237a1e/analysis/

Currently I have submitted detailed false positive reports to: AntiVir, AVG, Microsoft, Comodo, Fortiguard, VirusBuster.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=78685#78685 (Sun Mar 25, 2012 1:28 pm)

Released Buster Sandbox Analyzer 1.52.

Changes:
+ Added support for HTML reports
+ Added a feature to remove sandbox folder contents automatically in manual mode
+ Included new malware behaviour
+ Updated LOG_API
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=77996#77996 (Tue Mar 06, 2012 7:24 pm)

HideDriver has been removed from the package. I have included a custom driver to hide Sandboxie's processes. This driver can be installed and started by Buster Sandbox Analyzer on demand or automatically. In order to get the driver working, Buster Sandbox Analyzer must have admin rights. The driver (BSA.SYS) can be renamed for security purposes to any name.

At least one antivirus vendor detects the driver as malicious. I would be grateful if you submit the driver to those vendors detecting the driver so they remove the false positive.

If anyone has any questions about this or any of the new features (File Renamer) just post a message.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=77995#77995 (Tue Mar 06, 2012 7:17 pm)

Released Buster Sandbox Analyzer 1.51.
Changes:
+ Added a custom driver to hide Sandboxie's processes
+ Removed Hide Driver from package
+ Included new malware behaviour
+ Added File Renamer feature to utilities section
+ Updated LOG_API

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=77104#77104 (Sat Feb 11, 2012 2:15 pm)

If anyone translates BSA to another language it would be cool if they send it to me so I can include it in the package.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=77082#77082 (Fri Feb 10, 2012 4:15 pm)

Released Buster Sandbox Analyzer 1.50.

Changes:
+ Added multi-language support
+ Updated LOG_API
+ Fixed several bugs

Buster: Re: I / O error 32 http://www.sandboxie.com/phpbb/viewtopic.php?p=76256#76256 (Wed Jan 18, 2012 7:16 pm)

> Quoting M_R:
> Buster: Kobayashi: I miss the Buster Sandbox Analyzer reports. ;-)
> Yes, you are right! After a big infection of my computer I changed some settings of it. I do not run in an admin account anymore as before, with User Account Control turned off, but instead I run in a standard user account and turned User Account Control on again. Then I started to get I/O error 32. I have not yet solved this problem.

The problem was that the "DefaultBox" folder was created from an account with admin rights. When BSA runs from a standard user account it will not have the rights to access the folder contents, so it will not run fine. The solution is deleting the "DefaultBox" folder from the account having admin rights and switching to the standard user account, so when Sandboxie creates the folder, BSA will have the rights to access the contents.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=76223#76223 (Mon Jan 16, 2012 9:13 pm)

Released Buster Sandbox Analyzer 1.49.
Changes:
+ Added support for XML reports
+ Added support for TLS hooks detection
+ Improved PDF Statistics
+ Updated LOG_API verbose versions to include FindFirst/NextFile support
+ Updated support for new VirusTotal web service
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=76189#76189 (Sun Jan 15, 2012 2:25 pm)

I sent you a mail. :wink:

M_R: I / O error 32 http://www.sandboxie.com/phpbb/viewtopic.php?p=76188#76188 (Sun Jan 15, 2012 2:19 pm)

Buster: Kobayashi: I miss the Buster Sandbox Analyzer reports. ;-)

Yes, you are right! After a big infection of my computer I changed some settings of it. I do not run in an admin account anymore as before, with User Account Control turned off, but instead I run in a standard user account and turned User Account Control on again. Then I started to get I/O error 32. I have not yet solved this problem.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=76122#76122 (Thu Jan 12, 2012 8:25 pm)

Buster Sandbox Analyzer: Installation and configuration.
[url]http://www.youtube.com/watch?v=MXASXoq5akc[/url]

D1G1T@L: http://www.sandboxie.com/phpbb/viewtopic.php?p=76097#76097 (Thu Jan 12, 2012 12:36 am)

That's a nice addition for new users. Good idea :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=76093#76093 (Wed Jan 11, 2012 8:28 pm)

I just created a new section on BSA's web site (http://bsa.isoftware.nl) named "Video Tutorials". I have added a video tutorial about the installation and configuration of Sandboxie, WinPcap and Buster Sandbox Analyzer. Comments will be welcome as usual.
Buster (Thu Jan 05, 2012 6:52 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75949#75949
> Quoting aspx:
> Thank You My Friends Now I Can Use :D

No problem. :wink: After you test the tool, it would be nice if you post your thoughts about it.

aspx (Thu Jan 05, 2012 6:44 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75948#75948
Thank You My Friends Now I Can Use :D

Buster (Wed Jan 04, 2012 7:21 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75916#75916
> Quoting aspx:
> hello bro, I have Windows 7. I get this problem :cry: I cannot open the program
> [image: http://www.myup.ir/images/72743564716333753449.png]

Read the README.TXT included in the package, please.

D1G1T@L (Wed Jan 04, 2012 4:40 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75915#75915
aspx, you get WinPcap from this link: http://www.winpcap.org/ and then BSA can use it.

aspx (Wed Jan 04, 2012 1:21 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75914#75914
hello bro, I have Windows 7. I get this problem :cry: I cannot open the program
[image: http://www.myup.ir/images/72743564716333753449.png]

Buster (Sun Jan 01, 2012 9:19 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75846#75846
> Quoting JoeCool:
> Works like a charm (and it's faster too). Thank you very much. And happy new year.

Thanks to you for the bug report, the feedback and your help solving the issue! Happy new year to you too!
JoeCool (Sun Jan 01, 2012 9:09 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75845#75845
> Quoting Buster:
> BSA 1.49 beta 5: http://hotfile.com/dl/139402844/1bea04e/BSA149B5.RAR.html
> I changed the deleting method also for manual analysis mode. Try it and let me know if now everything works fine, please.

Works like a charm (and it's faster too). Thank you very much. And happy new year.

Buster (Sun Jan 01, 2012 8:26 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75841#75841
BSA 1.49 beta 5: http://hotfile.com/dl/139402844/1bea04e/BSA149B5.RAR.html
I changed the deleting method also for manual analysis mode. Try it and let me know if now everything works fine, please.

Buster (Sun Jan 01, 2012 8:06 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75840#75840
> Quoting JoeCool:
> Maybe you changed the wrong part of the code. I was talking about the dialog box that pops up when BSA finds that there are files in the sandbox, with the delete and continue buttons. I have just tried it: deleting via the menu Utilities -> Sandbox -> Folder -> Delete contents spawns the CMD process. Everything OK here. (The only difference between your command line and Sandboxie's is the trailing backslash, so BSA will leave the folder.) When I click "Delete Sandbox folder contents and continue" then BSA uses a different delete method.

I changed the deleting process related to automatic analysis mode and now I realize that you mean deleting in manual analysis mode. No problem, I will change the deleting method there too. As soon as I have it done I will upload a new beta version.
JoeCool (Sun Jan 01, 2012 7:58 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75836#75836
I am always running BSA as Admin via the compatibility switch in the properties dialog. I am using Win7 SP1 x64.
Maybe you changed the wrong part of the code. I was talking about the dialog box that pops up when BSA finds that there are files in the sandbox, with the delete and continue buttons. As my HIPS was set to alert me when BSA spawns a process, I can safely say that it did not. I have just tried it: deleting via the menu Utilities -> Sandbox -> Folder -> Delete contents spawns the CMD process. Everything OK here. (The only difference between your command line and Sandboxie's is the trailing backslash, so BSA will leave the folder.) When I click "Delete Sandbox folder contents and continue" then BSA uses a different delete method. Thanks.

Buster (Sun Jan 01, 2012 6:34 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75829#75829
> Quoting JoeCool:
> This version did not change anything. The sandbox folder is still moved to the recycle bin without access permissions on the user and drive folders. Also no process is spawned when I click on delete.

The deleting process is invoked with the SW_HIDE parameter, so you don´t see it. This version calls:
%SystemRoot%\System32\cmd.exe /c RMDIR /s /q "%SANDBOX%"
The same command used by Sandboxie to delete Sandbox folder contents. Maybe the difference is in the privileges each program has. Try to run BSA with admin rights to see if it makes any difference. btw... What´s your OS/version?
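The deletion command Buster quotes above, wrapped in the containment check a practitioner would want in front of any recursive quiet delete: the target must sit exactly two levels below the Sandboxie root (root\user\box), must not contain ".." or cmd.exe metacharacters, and the root comparison is case-insensitive. This is an added example, not BSA's or Sandboxie's own code; the root C:\Sandbox and the user name Alice are constructed, DefaultBox is the box name used in the thread, and the path checks run on any host because they use PureWindowsPath, while the delete itself only runs on Windows.

```python
"""Added example, not BSA's or Sandboxie's own code.

The post above says BSA wipes a box by running
    %SystemRoot%\\System32\\cmd.exe /c RMDIR /s /q "%SANDBOX%"
hidden (SW_HIDE).  A recursive, quiet delete is only as safe as the path it is
given, so this module builds that command behind a containment check.
"""
import os
import subprocess
from pathlib import PureWindowsPath

# Constructed default root; use whatever root Sandboxie.ini configures.
DEFAULT_SANDBOX_ROOT = r"C:\Sandbox"

# cmd.exe re-parses everything after /c, so argv quoting alone is not a
# defence; a box path carrying any of these characters is refused outright.
CMD_METACHARS = '&|<>^"%!'


def validate_sandbox_dir(target, root=DEFAULT_SANDBOX_ROOT):
    """Return the normalised box directory (trailing backslash dropped) or
    raise ValueError.  Only <root>\\<user>\\<box>, exactly two levels below
    the root, is accepted: the root itself or a user directory is never a
    valid wipe target, '..' is refused because PureWindowsPath does not
    collapse it, and the root comparison is case-insensitive like NTFS."""
    t = PureWindowsPath(target)
    r = PureWindowsPath(root)
    if not (t.is_absolute() and r.is_absolute()):
        raise ValueError("root and target must be absolute drive paths")
    if ".." in t.parts:
        raise ValueError("'..' not allowed in sandbox path: %s" % target)
    if any(ch in CMD_METACHARS for ch in str(t)):
        raise ValueError("cmd metacharacter in sandbox path: %s" % target)
    if t == r or r not in t.parents:   # PureWindowsPath compares case-insensitively
        raise ValueError("%s is not inside the sandbox root %s" % (target, root))
    if len(t.parts) != len(r.parts) + 2:
        raise ValueError("expected <root>\\<user>\\<box>, got %s" % target)
    return str(t)


def is_valid_sandbox_dir(target, root=DEFAULT_SANDBOX_ROOT):
    """Boolean form of validate_sandbox_dir, for tests and UI pre-checks."""
    try:
        validate_sandbox_dir(target, root)
        return True
    except ValueError:
        return False


def build_wipe_command(target, root=DEFAULT_SANDBOX_ROOT):
    """argv for the command quoted in the thread.  cmd.exe is located via
    %SystemRoot%; C:\\Windows is the fallback when the variable is unset
    (for instance when this module is exercised on a non-Windows host)."""
    box = validate_sandbox_dir(target, root)
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    cmd = str(PureWindowsPath(system_root, "System32", "cmd.exe"))
    return [cmd, "/c", "RMDIR", "/s", "/q", box]


def wipe_sandbox(target, root=DEFAULT_SANDBOX_ROOT):
    """Run the wipe without a console window (the post's SW_HIDE behaviour).
    Returns cmd.exe's exit status on Windows, None on any other OS."""
    argv = build_wipe_command(target, root)
    if os.name != "nt":
        return None
    flags = getattr(subprocess, "CREATE_NO_WINDOW", 0)
    return subprocess.run(argv, creationflags=flags, check=False).returncode


if __name__ == "__main__":
    # Constructed path: root C:\Sandbox, user Alice, box DefaultBox.
    print(" ".join(build_wipe_command(r"C:\Sandbox\Alice\DefaultBox")))
```

The trailing backslash JoeCool mentions is simply dropped by PureWindowsPath, so the command is always built with the bare box directory; whether cmd keeps or removes the directory itself is left to RMDIR, exactly as in the command the thread quotes.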
JoeCool (Sun Jan 01, 2012 6:22 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75828#75828
> Quoting Buster:
> Please download BSA 1.49 beta 4 from here: http://hotfile.com/dl/139376972/5d15a81/BSA149B4.RAR.html
> Test it and let me know if this version fixes the issue you found, please.

This version did not change anything. The sandbox folder is still moved to the recycle bin without access permissions on the user and drive folders. Also no process is spawned when I click on delete.

Buster (Sun Jan 01, 2012 5:03 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75823#75823
> Quoting JoeCool:
> I think that would be a good solution. I have never had problems when Sandboxie deletes the Sandbox. Thank you for the quick reply. Did you encounter similar problems or is there something special about my setup? I thought it was kind of strange that all access security entries were just missing.

Please download BSA 1.49 beta 4 from here: http://hotfile.com/dl/139376972/5d15a81/BSA149B4.RAR.html
Test it and let me know if this version fixes the issue you found, please. This is the first time that someone reports this problem. I never heard of it before.

JoeCool (Sun Jan 01, 2012 4:14 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75816#75816
I think that would be a good solution. I have never had problems when Sandboxie deletes the Sandbox. Thank you for the quick reply. Did you encounter similar problems or is there something special about my setup? I thought it was kind of strange that all access security entries were just missing.
Buster (Sun Jan 01, 2012 3:31 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75815#75815
> Quoting JoeCool:
> Please see a bug report about files with missing access permissions in the Recycle Bin here: http://www.sandboxie.com/phpbb/viewtopic.php?p=75812
> Please tell me if there are questions and in which thread you would like to continue the discussion about this.

We can discuss the issue here in this thread.

> Quoting JoeCool:
> Also great work on BSA, I love it. What method to clear the Sandbox does BSA use?

I mainly use the DeleteFile API. I can try replacing the functions I use now to delete Sandbox folder contents with the command used by default by Sandboxie. Do you think that will be fine?

JoeCool (Sun Jan 01, 2012 3:15 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75814#75814
Please see a bug report about files with missing access permissions in the Recycle Bin here: http://www.sandboxie.com/phpbb/viewtopic.php?p=75812
Please tell me if there are questions and in which thread you would like to continue the discussion about this. Also great work on BSA, I love it. What method to clear the Sandbox does BSA use?

Buster (Sat Dec 10, 2011 11:32 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=75258#75258
Released Buster Sandbox Analyzer 1.48.
Changes:
+ Added PDF statistics feature
+ Added support for a new malware behaviour: get computer name
+ Updated LOG_API
+ Fixed several bugs

Buster (Sat Dec 03, 2011 2:00 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74978#74978
Released Buster Sandbox Analyzer 1.47.
Changes:
+ Added a feature to run BSA in automatic mode, monitoring a folder for new files to analyze.
+ Added a feature to avoid processing files from a whitelist.
+ Improved analysis cancel event.
+ Fixed several bugs

Buster (Thu Nov 24, 2011 11:58 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74787#74787
Imagine you made a report and VirusTotal was down. Now you have inside the SQL database an entry with missing information. No problem...
Utilities > SQL Database Manager Tools > Update Database from Report
The entry will be removed from the database and replaced with the information from the report you provide.

Buster (Thu Nov 24, 2011 11:41 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74786#74786
There are a lot of things to comment about version 1.46.

Added a feature to include information from reports into a SQL database
With this feature it´s possible to store in a SQL (sqlite 3) database the information from report files and, optionally, from analysis reports. All the information from reports (REPORT.TXT) and optionally from analysis (ANALYSIS.TXT) will be added to the database. It´s mandatory to enable the reporting of SHA256 in order to get this feature working.

Added a custom manager for BSA´s SQL Database
I included a feature to manage the created database in an easy but powerful way. It has a SQL expression generator with the tables in the database, the fields in each table, and five options (is, is not, is null, is not null and contains). For people that know SQL, I also included a custom SQL command feature. With this feature you can use your own sentences in SQL. I added a feature to remove entries from the database, a predefined query to the database and a function to update a record from a report file. Right-clicking in the table you will get some additional features.

Added a feature to load and save settings from file on demand
With this feature it´s possible to have several different BSA configurations stored on disk and easily switch between them.
Added a feature to set a number of retries if the connection to VirusTotal fails
You can configure it to make no retries if VirusTotal does not respond, or choose from 1 to 5 retries.

Added a feature to launch Explorer.exe automatically in automatic mode
Recently I processed a malware that didn´t show the behaviour I expected. First I thought it was due to a bug in Sandboxie. The bug existed and tzuk fixed it, but in the end it was not related to the issue. Ronen analyzed the piece of malware and discovered that the malware was injecting code into explorer.exe. Because the process was not being sandboxed, the malware could not inject the code. When explorer.exe is sandboxed, the malware will behave as it should. As some trojans may inject code into explorer.exe I decided to include this feature. When enabled, BSA will sandbox explorer.exe before the analysis begins.

Added a feature to skip already processed files in automatic mode
When enabled, BSA will check in the SQL database whether the file was analyzed previously.

Fixed several bugs
As usual, several bugs fixed and other new ones introduced. :lol:

Buster (Thu Nov 24, 2011 11:02 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74785#74785
Released Buster Sandbox Analyzer 1.46.
Changes:
+ Added a feature to include information from reports into a SQL database
+ Added a custom manager for BSA´s SQL Database
+ Added a feature to load and save settings from file on demand
+ Added a feature to set a number of retries if connection to VirusTotal fails
+ Added a feature to launch automatically Explorer.exe in automatic mode
+ Added a feature to skip already processed files in automatic mode
+ Fixed several bugs

Buster (Thu Nov 17, 2011 4:24 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74585#74585
Released Buster Sandbox Analyzer 1.45.
Changes:
+ Added a feature to produce reports in PDF format
+ Added support for new malware behaviours: get volume information, alternate data stream creation
+ Updated LOG_API

Buster (Fri Nov 11, 2011 8:45 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74446#74446
> Quoting nemo700:
> Seems to be working fine now. Fantastic! Thanks for fixing it, and for writing such a useful little program in the first place :D

Thanks for the bugfix confirmation and the kind words!

nemo700 (Fri Nov 11, 2011 8:02 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74445#74445
> I uploaded again the BSA 1.44 package including the fix. Try it and let me know if everything works fine, please.

Seems to be working fine now. Fantastic! Thanks for fixing it, and for writing such a useful little program in the first place :D

Buster (Fri Nov 11, 2011 2:43 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74438#74438
> Quoting nemo700:
> There seems to be a bug in BSA 1.44; after I've installed it, I can no longer run Windows Explorer within Sandboxie - if I go Sandbox > DefaultBox > Run Sandboxed > Run Windows Explorer, it immediately crashes with "Windows Explorer has encountered an error and needs to close..." (faulting module ntdll.dll). If I remove BSA's config lines from Sandboxie.ini everything works OK again. No problems using an older version of BSA, either (1.38). I didn't manage to catch any of the versions that came out in between 1.38 and 1.44 to test them... All this is happening with Sandboxie 3.60 on 2 separate Windows XP SP3 machines.

There was a bug in LOG_API (all versions). One more time tzuk saved my ass and helped me to fix the bug. I uploaded again the BSA 1.44 package including the fix. Try it and let me know if everything works fine, please.
Buster (Wed Nov 09, 2011 2:13 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74394#74394
I can reproduce the problem. Thanks for the bug report! As soon as I have news, I will post them here.

nemo700 (Wed Nov 09, 2011 12:11 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=74389#74389
There seems to be a bug in BSA 1.44; after I've installed it, I can no longer run Windows Explorer within Sandboxie - if I go Sandbox > DefaultBox > Run Sandboxed > Run Windows Explorer, it immediately crashes with "Windows Explorer has encountered an error and needs to close..." (faulting module ntdll.dll). If I remove BSA's config lines from Sandboxie.ini everything works OK again. No problems using an older version of BSA, either (1.38). I didn't manage to catch any of the versions that came out in between 1.38 and 1.44 to test them... All this is happening with Sandboxie 3.60 on 2 separate Windows XP SP3 machines. Sorry if this isn't the right place to report this, but I couldn't see anywhere on the BSA site to do so...

Buster (Sun Nov 06, 2011 9:44 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=74332#74332
Released Buster Sandbox Analyzer 1.44.
Changes:
+ Changed the feature to not show UDP packets. Now the feature will ignore UDP packets from PCAP captures and reports
+ Added a feature to minimize BSA when the feature to do video capture is enabled
+ Added a feature to compress to ZIP sandbox folder contents when "Keep Sandbox Files" is enabled
+ Added information related to date of submission in VirusTotal reports
+ Added several improvements
+ Updated LOG_API

Buster (Wed Oct 26, 2011 6:17 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=73921#73921
I would like to share with you what I consider the best Sandboxie settings to run BSA.
In Sandboxie.ini, apart from adding these lines:
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
You should include these ones:
ProcessLimit1=20
ProcessLimit2=30
These are used to avoid a malware running many processes (system bombing) and hanging the system. These should be included in the "DefaultBox" settings section or in any other sandbox you are using to run BSA.
In the UserSettings section you should include:
SbieCtrl_HideMessage=*
This line is used to hide all messages coming from Sandboxie. It´s used to avoid an analysis getting interrupted.

Buster (Sun Oct 16, 2011 9:15 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=73581#73581
> Quoting Max100:
> 1) Can it be added directly under the [GlobalSettings] section?

In this thread (http://sandboxie.com/phpbb/viewtopic.php?t=11421&start=15) I asked the same to tzuk and his reply was: "The setting should go in a sandbox section, might also work in the GlobalSettings section. But not UserSettings." So I guess the same applies to other settings too.

> Quoting Max100:
> 2) Is InjectDll still valid for Sandboxie 64 bit? Because here I see the existence of the InjectDll64 parameter: http://www.sandboxie.com/index.php?InjectDll64

Yes, it´s valid. It will have effect over 32 bit applications.

Max100 (Sat Oct 15, 2011 9:48 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=73575#73575
> Quoting Buster:
> Buster Sandbox Analyzer users using Sandboxie version 3.60 must add the next line to Sandboxie.ini:
> NotifyDirectDiskAccess=y
> So in total 3 lines must be added to Sandboxie.ini:
> InjectDll=c:\bsa\log_api.dll
> OpenWinClass=TFormBSA
> NotifyDirectDiskAccess=y

1) Can it be added directly under the [GlobalSettings] section?
2) Is InjectDll still valid for Sandboxie 64 bit?
Because here I see the existence of the InjectDll64 parameter: http://www.sandboxie.com/index.php?InjectDll64

Buster (Fri Oct 14, 2011 9:54 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=73523#73523
Buster Sandbox Analyzer users using Sandboxie version 3.60 must add the next line to Sandboxie.ini:
NotifyDirectDiskAccess=y
So in total 3 lines must be added to Sandboxie.ini:
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y

Buster (Thu Sep 22, 2011 7:00 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72713#72713
Another great contribution, thanks!

Antoni (Thu Sep 22, 2011 6:31 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72712#72712
I created my second video on using BSA, this time on how to hide the Sandboxie processes: http://www.youtube.com/watch?v=IRZStSpzm48
-regards

D1G1T@L (Thu Sep 22, 2011 3:29 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72685#72685
Thanks Antoni :)

Antoni (Wed Sep 21, 2011 9:14 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72678#72678
> Quoting D1G1T@L:
> Kudos for the vid, it's easy to follow and understand. Can you please tell me the name of the video recorder that you used? It definitely looks more full featured than others I have come across.

Yep, it's Camtasia Studio 7, not free but you can check out the trial if you want: http://www.techsmith.com/camtasia/
It contains pretty much all you need to make tutorial vids...
-regards

D1G1T@L (Wed Sep 21, 2011 8:31 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72673#72673
Kudos for the vid, it's easy to follow and understand.
Can you please tell me the name of the video recorder that you used? It definitely looks more full featured than others I have come across.

Buster (Wed Sep 21, 2011 2:14 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72650#72650
> Quoting Antoni:
> Here is a YT video I created on the basic install and use of BSA with Sandboxie: http://www.youtube.com/watch?v=wXFpo78712M
> -regards

Thank you very much!

Antoni (Wed Sep 21, 2011 2:09 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72649#72649
Here is a YT video I created on the basic install and use of BSA with Sandboxie: http://www.youtube.com/watch?v=wXFpo78712M
-regards

Antoni (Wed Sep 21, 2011 9:01 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72642#72642
> Quoting D1G1T@L:
> Antoni, why did you remove the tutorial video? It would have been useful for Buster's website to help out beginners. www.youtube.com/watch?v=g8hrGszOow8

Yeah, as Buster said there were two errors in it: one where the lines I put in the config file were missing, and two because I never made it clear to reload the config file into Sandboxie after the change. I'd rather do it right or not at all... I'm in the process of remaking it again so something should be up again soon!
-regards

sarabose, Buster Sandbox Analyzer (Wed Sep 21, 2011 5:55 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72636#72636
Thanks a ton for the Buster Sandbox Analyzer! Awesome tool to have... a very important one for web masters!

Buster (Wed Sep 21, 2011 5:36 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72635#72635
Yes, he removed it. It had a mistake with the injection of LOG_API.DLL and he preferred to make it again.
D1G1T@L (Wed Sep 21, 2011 12:32 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72631#72631
Antoni, why did you remove the tutorial video? It would have been useful for Buster's website to help out beginners. www.youtube.com/watch?v=g8hrGszOow8

Buster (Sun Sep 18, 2011 4:50 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72577#72577
Released Buster Sandbox Analyzer 1.43.
Changes:
+ Replaced Buster Sandbox Analyzer with a custom logo. (thanks Antoni)
+ Maintenance release: minor changes.
I have added almost all the features I had in the TO-DO list and fixed all known bugs. I just miss adding some statistics, but such a feature is not a priority; that´s why this version should be the last one for a while.

Buster (Mon Sep 05, 2011 1:45 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72203#72203
> Quoting D1G1T@L:
> Bravo Buster! This is impressive indeed. Makes the commercial analyzers look like they were made by rookies :D

It could not have been possible without tzuk´s collaboration. I´m especially proud of the output reports. They are simple but at the same time complete, and they are easy to understand.

Buster (Mon Sep 05, 2011 1:35 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72202#72202
I just re-released the BSA 1.42 package. I changed something related to the video screen capturing feature.

D1G1T@L (Mon Sep 05, 2011 1:19 pm) http://www.sandboxie.com/phpbb/viewtopic.php?p=72201#72201
Bravo Buster! This is impressive indeed.
Makes the commercial analyzers look like they were made by rookies :D

Buster (Mon Sep 05, 2011 12:54 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72190#72190
As you can see, Buster Sandbox Analyzer is the only malware analyzer that reports that there was an attempt to end the Windows session (reboot) and an attempt to write directly to disk.

Buster (Mon Sep 05, 2011 12:47 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72189#72189
Norman Sandbox Analyzer
[code:1:db48987293]
TEST.EX_ : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
 * Filename: C:\analyzer\scan\TEST.EX_.
 * Sandbox name: NO_MALWARE
 * Signature name: NO_VIRUS.
 * Compressed: NO.
 * TLS hooks: NO.
 * Executable type: Application.
 * Executable file structure: OK.
 * Filetype: PE_I386.

[ General information ]
 * File length: 10240 bytes.
 * MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66.
 * SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc.

[ Changes to filesystem ]
 * Creates file C:\WINDOWS\TEMP\systm.txt.
 * Creates file C:\WINDOWS\TEMP\sys3.exe.
 * Deletes file C:\sample.exe.

[ Process/window information ]
 * Creates process "sys3.exe".
 * Checks if privilege "SeShutdownPrivilege" is available.
 * Enables privilege SeShutdownPrivilege.

[ Signature Scanning ]
 * C:\sample.exe (10240 bytes) : no signature detection.
 * C:\WINDOWS\TEMP\systm.txt (13 bytes) : no signature detection.
 * C:\WINDOWS\TEMP\sys3.exe (10240 bytes) : no signature detection.
[/code:1:db48987293]

Buster (Mon Sep 05, 2011 12:44 am) http://www.sandboxie.com/phpbb/viewtopic.php?p=72188#72188
Anubis
[code:1:cba326a8fc]
(Anubis ASCII-art logo omitted)
                    Analysis Report

[#############################################################################]
Analysis Report for TEST.EX_
MD5: afb7773a0af4f0ebcd22d19cdabb7f66
[#############################################################################]

Summary:
 - Write to foreign memory areas: This executable tampers with the execution of another process.
 - AV Hit: This executable is detected by an antivirus software.
 - Execution did not terminate correctly: The executable crashed.
 - Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
 - Spawns Processes: The executable produces processes during the execution.

[=============================================================================]
Table of Contents
[=============================================================================]
 - General information
 - TEST.EX_.exe
   a) Registry Activities
   b) File Activities
   c) Process Activities
 - sys3.exe
   a) Registry Activities
   b) File Activities

[#############################################################################]
1. General Information
[#############################################################################]

[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 112 s
Report created: 09/04/11, 23:57:30 UTC
Termination reason: All tracked processes have exited
Program version: 1.75.3394

[#############################################################################]
2. TEST.EX_.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: TEST.EX_.exe
MD5: afb7773a0af4f0ebcd22d19cdabb7f66
SHA-1: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
File Size: 10240 Bytes
Command Line: "C:\TEST.EX_.exe"
Process-status at analysis end: dead
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\CRTDLL.dll ], Base Address: [0x73D90000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]

[=============================================================================]
Ikarus Virus Scanner
[=============================================================================]
Trojan-Ransom.Win32.Mbro (Sig-Id: 1651254)

[=============================================================================]
2.a) TEST.EX_.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time

[=============================================================================]
2.b) TEST.EX_.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PHYSICALDRIVE0 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
File Name: [ PHYSICALDRIVE0 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ] File Name: [ C:\TEST.EX_.exe ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\CRTDLL.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) TEST.EX_.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ], Command Line: [ ] Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe ], Command Line: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ] [#############################################################################] 3. 
sys3.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by TEST.EX_.exe
Filename: sys3.exe
MD5: afb7773a0af4f0ebcd22d19cdabb7f66
SHA-1: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
File Size: 10240 Bytes
Command Line: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe
Process-status at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\CRTDLL.dll ], Base Address: [0x73D90000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
[=============================================================================]
Ikarus Virus Scanner
[=============================================================================]
Trojan-Ransom.Win32.Mbro (Sig-Id: 1651254)
[=============================================================================]
3.a) sys3.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability ], Value Name: [ ShutdownReasonUI ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
[=============================================================================]
3.b) sys3.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\TEST.EX_.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 3 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\CRTDLL.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
[#############################################################################]
International Secure Systems Lab http://www.iseclab.org
Vienna University of Technology http://www.tuwien.ac.at
Eurecom France http://www.eurecom.fr
UC Santa Barbara http://www.cs.ucsb.edu
Contact:
anubis@iseclab.org[/code:1:cba326a8fc]

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=72187#72187 Mon Sep 05, 2011 12:39 am
Xandora
[code:1:b45c306fdf]File Details
MD5 afb7773a0af4f0ebcd22d19cdabb7f66
SHA-1 f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
First Received 2011-09-05 08:36:00
Last Received 2011-09-05 08:36:00
Size (bytes) 10240
Weightage 71
virustotal.com 19 vendors detected

Static File Header
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++
TimeStamp: 4DDA3D47 Mon May 23 18:56:07 2011
Subsystem: 2 (Windows GUI)
Image Base: 2AA00000 Size: 00005000
Code Base: 00001000 Size: 00000C00
Data Base: 00002000 Size: 00001800
Entry Point: 00001600 (file offset 00000A00)
++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++
1: .text RVA: 00001000 Offset: 00000400 Size: 00000C00 Flags: C0040020 (CRW)
2: .data RVA: 00002000 Offset: 00001000 Size: 00001400 Flags: C0000040 (DRW)
3: .rsrc RVA: 00004000 Offset: 00002400 Size: 00000400 Flags: 40000040 (DR)

virustotal.com Output
19 vendors from virtustotal.com detected as malware
HEUR:Trojan.Win32.Generic
a variant of Win32/MBRlock.D
Heuristic.gen
Win32:MBRlock-B

Suspicious Registry Change
The following Registry Keys were changed
software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
software_Microsoft_Windows_NT_CurrentVersion_AeDebug[/code:1:b45c306fdf]

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=72186#72186 Mon Sep 05, 2011 12:34 am
ThreatExpert
[code:1:ff87c6ea41]
Submission details:
Submission received: 4 September 2011, 19:19:29
Processing time: 14 min 12 sec
Submitted sample:
File MD5: 0xAFB7773A0AF4F0EBCD22D19CDABB7F66
File SHA-1: 0xF7C0A34CEBAD3B18C12EEFBF8B55A02EAFED4ADC
Filesize: 10.240 bytes

Technical Details:
File System Modifications
The following files were created in the system:
# Filename(s) File Size File Hash
1 %Temp%\sys3.exe [file and pathname of the sample #1] 10.240 bytes MD5: 0xAFB7773A0AF4F0EBCD22D19CDABB7F66 SHA-1: 0xF7C0A34CEBAD3B18C12EEFBF8B55A02EAFED4ADC
2 %Temp%\systm.txt 32 bytes MD5: 0x46525D5665EB34AD79F2B75FF27A8659 SHA-1: 0x83C7AA2AF8CCD12F45D116ADDF7295EB3217FB0A
Note: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).[/code:1:ff87c6ea41]

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=72185#72185 Mon Sep 05, 2011 12:22 am
Comodo Instant Malware Analysis
[code:1:d2a6bf45e5]• File Info
Name Value
Size 10240
MD5 afb7773a0af4f0ebcd22d19cdabb7f66
SHA1 f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
SHA256 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
Process Exited
• Keys Created
• Keys Changed
• Keys Deleted
• Values Created
• Values Changed
• Values Deleted
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\User\Local Settings\Temp\sys3.exe 10240 2009.01.09 10:54:20.453 2009.01.09 10:54:22.890 2009.01.09 10:54:22.890 0x20
C:\Documents and Settings\User\Local Settings\Temp\systm.txt 18 2009.01.09 10:54:22.875 2009.01.09 10:54:22.843 2009.01.09 10:54:22.843 0x20
• Files Changed
• Files Deleted
Name Size Last Write Time Creation Time Last Access Time Attr
C:\TEST\sample.exe 10240 2009.01.09 10:54:20.453 2009.01.09 10:53:58.578 2009.01.09 10:53:58.578 0x20
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x348 svchost.exe 0x784 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
• Modules Loaded
• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0xd8 C:\TEST\sample.exe 0x2aa0158f CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\DOCUME~1\User\LOCALS~1\Temp\\sys3.exe", bFailIfExists: 0x1)|0x1
• DNS Queries
• HTTP Queries
• Verdict
Auto Analysis Verdict Suspicious++
• Description
Suspicious Actions Detected
Copies self to other locations
Deletes self[/code:1:d2a6bf45e5]

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=72184#72184 Mon Sep 05, 2011 12:14 am
Buster Sandbox Analyzer version 1.42 includes an important addition related to malware behaviour. Thanks to tzuk, from this version BSA will be able to report files that make direct disk write attempts, like formatting a disk, writing to the MBR, etc. This feature was possible thanks to tzuk's collaboration. Thanks tzuk! :wink:

Here we can see the analysis of an MBR infector done with several malware analyzers:

Buster Sandbox Analyzer 1.42

Report.TXT
[code:1:1c55b8a422]Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011

[ General information ]
* File name: c:\m\test\test.exe
* File length: 10240 bytes
* File signature (PEiD): Borland Delphi 3.0 (???)
* Digital signature: Unsigned
* MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
* SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
* SHA256 hash: 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
* VirusTotal detections:
AntiVir: TR/Crypt.XPACK.Gen
Avast: Win32:MBRlock-B
Avast5: Win32:MBRlock-B
AVG: unknown virus Win32/DH.AA53594850
BitDefender: Gen:Variant.Kazy.31729
ByteHero: Virus.Win32.Heur.l
DrWeb: Trojan.MBRlock.12
Emsisoft: Trojan-Ransom.Win32.Mbro!IK
F-Secure: Gen:Variant.Kazy.31729
GData: Gen:Variant.Kazy.31729
Ikarus: Trojan-Ransom.Win32.Mbro
Jiangmin: Trojan/MBro.h
Kaspersky: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/Ransom.DV
NOD32: a variant of Win32/MBRlock.D
nProtect: Gen:Variant.Kazy.31729
Panda: Suspicious file
Rising: Suspicious
TheHacker: Trojan/MBRlock.d
TrendMicro: PAK_Generic.001
TrendMicro-HouseCall: PAK_Generic.001
VBA32: Trojan.Ransom.5705
VIPRE: Trojan.Win32.Generic!BT
VirusBuster: Trojan.MBRLocker.Gen

[ Changes to filesystem ]
* Deletes file C:\M\TEST\TEST.EXE
* Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
File length: 10240 bytes
File signature (PEiD): Borland Delphi 3.0 (???)
Digital signature: Unsigned
MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
SHA256 hash: 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
VirusTotal detections:
AntiVir: TR/Crypt.XPACK.Gen
Avast: Win32:MBRlock-B
Avast5: Win32:MBRlock-B
AVG: unknown virus Win32/DH.AA53594850
BitDefender: Gen:Variant.Kazy.31729
ByteHero: Virus.Win32.Heur.l
DrWeb: Trojan.MBRlock.12
Emsisoft: Trojan-Ransom.Win32.Mbro!IK
F-Secure: Gen:Variant.Kazy.31729
GData: Gen:Variant.Kazy.31729
Ikarus: Trojan-Ransom.Win32.Mbro
Jiangmin: Trojan/MBro.h
Kaspersky: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/Ransom.DV
NOD32: a variant of Win32/MBRlock.D
nProtect: Gen:Variant.Kazy.31729
Panda: Suspicious file
Rising: Suspicious
TheHacker: Trojan/MBRlock.d
TrendMicro: PAK_Generic.001
TrendMicro-HouseCall: PAK_Generic.001
VBA32: Trojan.Ransom.5705
VIPRE: Trojan.Win32.Generic!BT
VirusBuster: Trojan.MBRLocker.Gen
* Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
File length: 18 bytes
MD5 hash: 56f96e284ebf1b3fbc78c70eae09d2ca
SHA1 hash: 940b172e63ad2c8e65eb8a48b459e11cc3196211
SHA256 hash: f6248d82a67be08f8fab93862504eabad0b3a8db57775ed0674459e2fcde961e

[ Changes to registry ]
* No changes

[ Process/window information ]
* Enables process privileges.
* Creates process "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)".
* Writes directly to disk.
* Ends Windows session.[/code:1:1c55b8a422]

Analysis.TXT
[code:1:1c55b8a422]Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011

Detailed report of suspicious malware actions:

Created file in defined folder: C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
Created process: C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)
Defined file type created: C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
Detected direct disk write attempt
Detected process privilege elevation
Ends Windows session
File deleted itself

Risk evaluation result: High[/code:1:1c55b8a422]

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=72182#72182 Sun Sep 04, 2011 11:41 pm
Released Buster Sandbox Analyzer 1.42.

Changes:
+ Added a feature to capture screen in video (VLC installation required)
+ Added a feature to report direct disk writing attempts (Sandboxie 3.59.01 or newer version required)
+ Fixed a bug

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=72047#72047 Thu Sep 01, 2011 9:20 am
Quoting Bellzemos:
> That program's not cracked, that's right. And I think I understand your explanation. Thank you!

Here you can read the explanation from tzuk: http://sandboxie.com/phpbb/viewtopic.php?p=72021#72021
"the Internet access restriction occurs when the program tries to generally initialize Internet functionality, which means before the program asks for any specific Internet operation, and before it gives any specific IP address."

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=71705#71705 Wed Aug 24, 2011 3:34 pm
Released Buster Sandbox Analyzer 1.41.
Changes:
+ Usability improvement: hashes (MD5, SHA1, SHA256) shown in reports can be selected individually
+ In automatic mode, when "Keep Sandbox files" is enabled, empty folders and files will be removed
+ Added an option to include information for modified files in reports
+ Fixed several bugs

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=71618#71618 Tue Aug 23, 2011 1:17 am
That program's not cracked, that's right. And I think I understand your explanation. Thank you!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=71617#71617 Tue Aug 23, 2011 12:56 am
We recently were discussing a similar situation in this thread: http://sandboxie.com/phpbb/viewtopic.php?t=10856

I don't think there is any need to repeat the same things, and no, I'm not talking about cracking. This thing I told should be enough:

"If there is a connection, WinPCap's driver will catch it, so BSA will too. If there are no connections to view, then it means WinPCap didn't catch anything... ergo there were no connections. Maybe the application wanted to access a resource related to internet and Sandboxie denied it, even if later the application would not connect anywhere."
http://sandboxie.com/phpbb/viewtopic.php?p=70419#70419

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=71616#71616 Tue Aug 23, 2011 12:45 am
When I finish the BSA test, Viewer\View Connections is greyed out. But when I run the program in a sandbox with denied internet access it says that this program wants to connect to the internet.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=71615#71615 Mon Aug 22, 2011 10:44 pm
Ok, then elaborate your comment... You say it connects to the internet but you can not find out where.
Copy&paste the connection log so we know what you are talking about.

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=71614#71614 Mon Aug 22, 2011 10:41 pm
DOSBox is a 32-bit application.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=71592#71592 Mon Aug 22, 2011 4:16 pm
Sandboxie does not support 16-bit programs, so BSA does not either. If that application is 16-bit... bingo! You got the explanation. If that's the case and you want to check where it's connecting, check with Wireshark.

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=71591#71591 Mon Aug 22, 2011 3:43 pm
Hi! I think BSA is unable to detect where some program connects. If you are willing to try it, you can download that program there (it's a slow connection): [url]http://ykhwong.x-y.net/[/url]
It is a DOSBox SVN build. Original DOSBox doesn't connect to the internet but this one does. And I can't find out where to. Thanx.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=71569#71569 Mon Aug 22, 2011 8:25 am
In reports, additional information like file length, file hash, file entropy, etc., is shown for created files. For modified files no information is added. Should I change this behaviour and treat newly created and modified files the same, or keep it as it is now? I was thinking that at least VirusTotal information should be shown for modified files.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=71434#71434 Wed Aug 17, 2011 1:33 pm
Released Buster Sandbox Analyzer 1.40.

Changes:
+ Usability improvement in File Hash, File Scanner, File Signature and automatic analysis features: last used folder will be remembered
+ Usability improvement in File Hash, File Scanner and File Signature features: added drag and drop support
+ Added Exeinfo support to File Signature feature
+ Improved File Hash feature: all hashes can be checked at VirusTotal at once, VirusTotal reports can be saved to disk

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70968#70968 Wed Aug 10, 2011 4:46 pm
Released Buster Sandbox Analyzer 1.39.

Changes:
+ Fixed several bugs.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70967#70967 Wed Aug 10, 2011 4:19 pm
Quoting bole5:
> The program I tried (copytrans suite/ilibs) is freely downloadable on...

The program is protected with Themida and it does not like the things LOG_API does. There is nothing I can do to fix that, sorry.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70765#70765 Thu Aug 04, 2011 12:48 pm
I will try to find out what the bug is. Thanks for the report.

bole5: http://www.sandboxie.com/phpbb/viewtopic.php?p=70763#70763 Thu Aug 04, 2011 11:57 am
Great addition to Sandboxie for paranoid people like me ;)

I am trying to analyze a program that protects itself from debuggers by running CheckRemoteDebuggerPresent(). When I run this program in Sandboxie, everything works ok, but if I inject LOG_API.DLL in the config, the program crashes. Here is what I see in the API call log:
...
LoadLibrary(shell32.dll) [c:\program files\copytrans suite\ilibs\ilibs.exe]
LoadLibrary(imagehlp.dll) [c:\program files\copytrans suite\ilibs\ilibs.exe]
CheckRemoteDebuggerPresent() [c:\program files\copytrans suite\ilibs\ilibs.exe]
CreateProcess(C:\Windows\system32\WerFault.exe,C:\Windows\system32\WerFault.exe -u -p 2560 -s 356,C:\Windows\system32) [c:\program files\copytrans suite\ilibs\ilibs.exe]

The program I tried (copytrans suite/ilibs) is freely downloadable on http://www.copytrans.net/download.php

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70509#70509 Thu Jul 28, 2011 7:56 pm
I noticed a bug in version 1.38 and updated the BSA package with the fix. If anyone notices an "invalid integer value" error message, redownload the package.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70507#70507 Thu Jul 28, 2011 5:11 pm
Released Buster Sandbox Analyzer 1.38.

Changes:
+ Added risk evaluation module
+ Added several improvements
+ Fixed several bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70085#70085 Sun Jul 17, 2011 11:14 am
I forgot to comment on a new feature in version 1.37.
* Added "Version Information" feature. This feature will include a header in reports with the version and date of creation of reports.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=70068#70068 Sat Jul 16, 2011 10:59 pm
Released Buster Sandbox Analyzer 1.37.

Changes:
* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs

Part of the improved hiding feature is the possibility of naming LOG_API.DLL with the file name you prefer.

Evaluation risk was removed from the malware analysis report because it was too misleading. Probably I will reintroduce the feature in the near future but in another format.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69689#69689 Wed Jul 06, 2011 2:23 pm
I did some modifications to LOG_API and I would like to share the new version so anyone can test it before I release a new official package.

All versions of LOG_API (32/64, and verbose/non-verbose) can be downloaded from: http://hotfile.com/dl/123256140/6dd6210/LOG_API.RAR.html

Changes:
* It should hide Sandboxie and LOG_API itself a bit better.
* It is possible to name LOG_API with the file name you prefer.

If somebody finds any problem just let me know, please.

jaysonpryde: http://www.sandboxie.com/phpbb/viewtopic.php?p=69547#69547 Sat Jul 02, 2011 7:24 am
Apologies for not reading the manual. I'll do the necessary changes. Again, thank you.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69536#69536 Fri Jul 01, 2011 4:58 pm
Rename LOG_API.DLL to another name, then rename LOG_API_VERBOSE.DLL to LOG_API.DLL. If you are using a 64-bit system, do the same but replacing LOG_API_VERBOSE.DLL with LOG_API64_VERBOSE.DLL.

Buster: Re: [Buster-LOG_API]: API Calls related to Registry modifica http://www.sandboxie.com/phpbb/viewtopic.php?p=69534#69534 Fri Jul 01, 2011 9:26 am
Quoting jaysonpryde:
> I recently observed using the new BSA (1.36), API calls related to registry modification (e.g. an added registry entry) are not recorded in LOG_API.txt. Said modifications were captured in RegDiff.txt but not in LOG_API. As far as I know, on the previous version(s) of Buster, API calls related to registry modification were recorded in LOG_API.txt.

From the manual: http://bsa.isoftware.nl/frame5.htm
[code:1:45dea9d1cc]Note: BSA includes two versions of LOG_API.DLL.
The difference between them is that one will not show file/registry operations so BSA will run faster.[/code:1:45dea9d1cc] The note is in red colour, which means it is an important thing. :wink: jaysonpryde: [Buster-LOG_API]: API Calls related to Registry modification http://www.sandboxie.com/phpbb/viewtopic.php?p=69527#69527 Fri Jul 01, 2011 6:39 am http://www.sandboxie.com/phpbb/viewtopic.php?p=69527#69527 Hi again, I recently observed using the new BSA (1.36), API calls related registry modification (e.g added registry entry) is not recorded in LOG_API.txt. Said modifications were captured in RegDiff.txt but not in LOG_API. As far as I know, on the previous version(s) of Buster, API calls related to registry modification is recorded in LOG_API.txt Here's an example: RegDiff.txt: machine\software\microsoft\Windows\CurrentVersion\Run\ExampleAutoRunJaysonPryde = jaysonpryde.exe machine\software\microsoft\Windows\CurrentVersion\Run\sample = JaysonPryde.exe LOG_API.TXT Executing: c:\users\administrator\desktop\addregistryentry.exe LoadLibrary(mscoree.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(lz32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(lz32.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(KERNEL32.DLL) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(advapi32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(shlwapi.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(comctl32.dll) [c:\users\administrator\desktop\addregistryentry.exe] OpenProcessToken(C:\Users\Administrator\Desktop\AddRegistryEntry.exe) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(LPK) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(KERNEL32) 
[c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(msvcrt.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(MSCoree.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(PGORT80.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(mscorwks.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(msvcr80.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(mscorwks.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(advapi32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(ntdll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(advapi32) [c:\users\administrator\desktop\addregistryentry.exe] OpenProcess(c:\users\administrator\desktop\addregistryentry.exe) [c:\users\administrator\desktop\addregistryentry.exe] CreateEvent(Global\CorDBIPCSetupSyncEvent_3860) [c:\users\administrator\desktop\addregistryentry.exe] CreateRemoteThread(c:\users\administrator\desktop\addregistryentry.exe) [c:\users\administrator\desktop\addregistryentry.exe] IsDebuggerPresent() [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(shell32.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(EXPLORER.EXE) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(rpcrt4.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\3aac7b97549d4ccf0c7dca3d1777f9b4\mscorlib.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(mscorlib.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(mscorjit.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe] 
LoadLibrary(uxtheme.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(user32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(kernel32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(mscorjit.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\system\34942db56010e4225825bfae8a27559f\system.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(system.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\07e39e61fd6133a92333a2c98f2ffeb7\system.drawing.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(system.drawing.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\b0be4ac8da47fbf783dabd1505e6c55e\system.windows.forms.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(system.windows.forms.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\uxtheme.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(user32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(gdi32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\gdiplus.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(gdiplus.dll) [c:\users\administrator\desktop\addregistryentry.exe] CreateDC(Display,\\.\DISPLAY1,(null)) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(gdi32.dll) [c:\users\administrator\desktop\addregistryentry.exe] BitBlt() [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(imm32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(comctl32) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\system32\ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(USER32) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\comctl32.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetKeyState() [c:\users\administrator\desktop\addregistryentry.exe] GetKeyboardState() [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe] GetModuleHandle(rsaenh.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(rsaenh.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(crypt32.dll) [c:\users\administrator\desktop\addregistryentry.exe] LoadLibrary(ole32) [c:\users\administrator\desktop\addregistryentry.exe]
Thank you :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69468#69468 Mon Jun 27, 2011 7:21 am
I used Shannon entropy and the alphabet consists of 256 elements. You can take a look at the algorithm codification here: http://ezbitz.com/2009/05/08/calculate-a-file-shannon-entropy-in-c/

jaysonpryde: http://www.sandboxie.com/phpbb/viewtopic.php?p=69466#69466 Mon Jun 27, 2011 1:11 am
[quote:fb11c30574] High entropy = probably the file is packed/crypted Low entropy = probably the file is not packed/crypted [/quote:fb11c30574]
Follow-up question on this. I have 2 scenarios: 1 packed, the other unpacked. For the packed sample scenario, I limited it to the basic concept of packing or compression. For example, the unpacked version has 12 counts of 0xab and the packed version was cut down to 2 counts. Also, for simplicity, the scenario below consists of 2 byte elements only. My question is, considering my understanding and computations are correct, and referencing what you said about entropy values, why is the entropy of the packed sample lower than the unpacked sample?
Sample Case:
[i:fb11c30574]Unpacked:[/i:fb11c30574]
byte[1] = 12
byte[2] = 10
entropy[1] = -(12/22)*(log(12/22)/log 2) = 0.477
entropy[2] = -(10/22)*(log(10/22)/log 2) = 0.517
[b:fb11c30574]entropy = 0.994[/b:fb11c30574]
[i:fb11c30574]Packed:[/i:fb11c30574]
byte[1] = 2
byte[2] = 4
entropy[1] = -(2/6)*(log(2/6)/log 2) = 0.528
entropy[2] = -(4/6)*(log(4/6)/log 2) = 0.390
[b:fb11c30574]entropy = 0.918[/b:fb11c30574]
Thanks a lot

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69435#69435 Sun Jun 26, 2011 9:18 am
Thanks for the bug report! It will be fixed in the next release; meanwhile you can use 1.37 beta 1 which fixes the bug: http://hotfile.com/dl/122239769/b4b1fd5/BSA137B1.RAR.html

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69429#69429 Sat Jun 25, 2011 10:51 pm
Hi, analysed ~100 samples yesterday with the new version and it runs fine. Thanks for your hard work! One small bug I came across: sometimes the VirusTotal results still contain HTML code.
Example is: http://www.virustotal.com/file-scan/report.html?id=f41f8a595c6cb843c15293e21111fec22f9f152f90c9cc63d7c9582009ce2319-1216129837 and the corresponding part in BSA looks like that:
[code:1:704de215ad]Creates file C:\oh\uh\aaaahhh\splash.exe
File length: 16384 bytes
File signature (PEiD): Microsoft Visual Basic 5.0 / 6.0
File signature (Exeinfo): MS Visual Basic 5.0-6.0 EXE
File entropy: 2.91282 (36.4103%)
ssdeep signature: 96:KlOXsF/VTh3nLUdOiL2j85DyPGh0gr7QDX8OEa2:Kco/VTh3nLGw85DyS0grsDGa,"splash.exe"
MD5 hash: 3e2ff294df5e3ca8f595a2bdcb5d060c
SHA1 hash: 894d1a951a592daf18d1a89361fc5e89b7025c60
SHA256 hash: f41f8a595c6cb843c15293e21111fec22f9f152f90c9cc63d7c9582009ce2319
VirusTotal detections:
Authentium: Possibly a new variant of W32/VB-EMU:VB-Dropper-ba<br/>sed!Maximus
Avast: Win32:Trojan-gen. {VB}
F-Prot: Possibly a new variant of W32/VB-EMU:VB-Dropper-ba<br/>sed!Maximus
F-Prot4: W32/VB-EMU:VB-Dropper-based!Maximus
Norman: W32/ColdFusion.CK
UNA: Backdoor.Coldfusion.12.56D7[/code:1:704de215ad]
You see the <br/> in the Authentium & F-Prot results. Not sure if it is related to the new version or not + it is not a big thing :) Thanks again for your hard work, Scrapie
PS: Love the file path of this one *ggg*

jaysonpryde: Re: [Buster Analyzer]: RegDiff.txt not generated http://www.sandboxie.com/phpbb/viewtopic.php?p=69404#69404 Sat Jun 25, 2011 11:34 am
I'm sorry for confirming late... I've overlooked your request to confirm it. My apologies. Yes, the bug I reported was already fixed on the 1.36 build, with RegDiff.txt already generated. Thanks a lot. :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69401#69401 Sat Jun 25, 2011 8:06 am
In your first post in the forum you reported a problem related to RegDiff.TXT not being generated. I told you the bug should be fixed in version 1.35 and asked you to confirm if that was right. You never replied. Could you confirm the problem is solved, please?
About your question...
High entropy = probably the file is packed/crypted
Low entropy = probably the file is not packed/crypted
You should read this paper to know more about entropy and malware: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.9861&rep=rep1&type=pdf

jaysonpryde: File Entropy http://www.sandboxie.com/phpbb/viewtopic.php?p=69400#69400 Sat Jun 25, 2011 7:55 am
Thank you very much for the prompt response. On another topic, I'll just ask how you interpret the file entropy measure that BSA is outputting? For example, entropy = 7.9941 (99.9302%)... What does this mean? 99.9302% what? All I know is that file entropy is the randomness/distribution of bytes. Again, thank you very much!

Buster: Re: Buster Analyzer 1.36 Download link http://www.sandboxie.com/phpbb/viewtopic.php?p=69399#69399 Sat Jun 25, 2011 6:56 am
[quote="jaysonpryde"]where can I download the 1.36?[/quote]
Official versions are released on BSA's home site: http://bsa.isoftware.nl Direct download: http://bsa.isoftware.nl/bsa.rar

jaysonpryde: Buster Analyzer 1.36 Download link http://www.sandboxie.com/phpbb/viewtopic.php?p=69397#69397 Sat Jun 25, 2011 6:12 am
Hi guys, where can I download the 1.36? http://hotfile.com/dl/121800026/3d87a55/BSA136B5.RAR.html is no longer existing. Thank you

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69387#69387 Fri Jun 24, 2011 4:12 pm
Released Buster Sandbox Analyzer 1.36.
Changes:
+ Added support for ssdeep
+ Improved the support for DLL files
+ Report information can be selected individually
+ Updated BSA.DAT
+ Fixed several bugs

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69382#69382 Fri Jun 24, 2011 6:59 am
Checked & working fine on my computer :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69368#69368 Thu Jun 23, 2011 4:06 pm
BSA 1.36 beta 5: http://hotfile.com/dl/121800026/3d87a55/BSA136B5.RAR.html
Changes since version 1.35:
+ Added support for ssdeep
+ Improved DLL support
+ Report information can be selected individually (for main file/for dropped files), both or none.
+ Fixed several bugs
Test it and let me know if it works fine, please.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69360#69360 Thu Jun 23, 2011 7:50 am
Later today I will send BSA 1.36 beta 5. It should fix the "ghost bug" and fix the last bug reported by Loks. I will change the place of some features.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69359#69359 Thu Jun 23, 2011 7:07 am
[quote="Scrapie"]What is the "*" in front of the ssdeep line?[/quote]
A copy&paste collateral effect. :wink:

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=69358#69358 Thu Jun 23, 2011 6:14 am
Just checked 1.36 B3. The ssdeep feature works fine. I just noticed an unrelated bug. Even though I have turned off all reports on file related information [ Options -> Common analysis options -> Reports ], the Report.txt still generates file hash and file signature. Can you fix this please ?
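The entropy thread above (jaysonpryde's "File Entropy" question about BSA's "7.9941 (99.9302%)" figure, Buster's reply that BSA uses Shannon entropy over a 256-element alphabet, and jaysonpryde's two-symbol worked case), as an added Python example; this is not BSA's code and not code from either poster. It reproduces the 0.994 and 0.918 values of the two-symbol case and scales bits to a percentage the way the three BSA report excerpts on this page work out (2.91282 bits is shown as 36.4103%, 1.91583 as 23.9479%, 6.46089 as 80.7612%, each exactly bits/8; that this is BSA's rule is inferred from those excerpts). The maximum entropy for an alphabet of k symbols is log2(k), so a two-symbol case can never exceed 1 bit, and the 0-to-8 scale together with the packed/unpacked heuristic applies to the 256-symbol alphabet of real bytes. The windowed variant, the 7.0-bit threshold and the sample bytes are constructed for the example.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per symbol over the byte values present in data.

    H = -sum(p_i * log2(p_i)) with p_i = count_i / len(data). For ordinary bytes
    the alphabet has 256 symbols, so the maximum is 8 bits; for k symbols it is
    log2(k). Empty input is defined as 0.0.
    """
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_from_counts(counts):
    """Same formula applied to a histogram, for checking worked cases by hand."""
    n = sum(counts)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_percent(data):
    """Entropy as a percentage of the 8-bit maximum.

    Assumption, inferred from the report excerpts on this page (2.91282 bits is
    shown as 36.4103%, 1.91583 as 23.9479%, 6.46089 as 80.7612%): BSA prints
    bits / 8 * 100.
    """
    return shannon_entropy(data) / 8.0 * 100.0


def window_entropy(data, size=256):
    """Entropy of consecutive fixed-size windows as (offset, bits) pairs.

    Packed or encrypted regions show up as long runs near 8 bits, while PE
    headers, import tables and plain strings sit far lower.
    """
    return [(off, shannon_entropy(data[off:off + size]))
            for off in range(0, len(data), size)]


def high_entropy_regions(data, size=256, threshold=7.0):
    """Offsets of windows at or above the threshold (7.0 bits is a common rule of thumb)."""
    return [off for off, bits in window_entropy(data, size) if bits >= threshold]


def demo():
    """Constructed input, not a file from the page: 1 KiB of zero bytes followed
    by 1 KiB containing every byte value four times (the 8-bit maximum)."""
    plain = b"\x00" * 1024
    dense = bytes(range(256)) * 4
    return {
        "plain_bits": shannon_entropy(plain),
        "dense_bits": shannon_entropy(dense),
        "dense_percent": entropy_percent(dense),
        "hot_windows": high_entropy_regions(plain + dense, size=1024),
    }
```

demo() reports 0.0 bits for the flat region and 8.0 bits (100%) for the region containing every byte value equally often, and lists only the latter's offset as a high-entropy window; on a real packed executable the same windowed function marks the packed sections while the headers and import tables stay low.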
Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69357#69357 Thu Jun 23, 2011 5:50 am
Works fine for me:
[code:1:b1963c7260][ Changes to filesystem ]
* Creates file C:\456\123\Projekt1.exe
File length: 20480 bytes
File signature (PEiD): Microsoft Visual Basic 5.0 / 6.0
File signature (Exeinfo): MS Visual Basic 5.0-6.0 EXE
File type: EXE
File entropy: 1.91583 (23.9479%)
* ssdeep signature: 96:/lxHke/gZB4997ICzWLg/gml/RzhYlEDcY94wWVKquQ2:/THd997IA/gUpdYaZ94RJuQ,"Projekt1.exe"
MD5 hash: 7d266dcb9e4b83489f2b8560e9805133
SHA1 hash: f232e019668824fb4e06fbb7412dfcafec7631c2
SHA256 hash: 4954d727d22d6066ac1a809c74ebce504cac303f778eed08eb0540d8a5263be4
VirusTotal detections: No detections found[/code:1:b1963c7260]
Good work & thanks for including ssdeep! Scrapie
PS: What is the "*" in front of the ssdeep line?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69332#69332 Wed Jun 22, 2011 10:59 am
BSA 1.36 beta 3: http://hotfile.com/dl/121664809/bd3e722/BSA136B3.RAR.html
Changes:
+ I added a feature to include ssdeep information (only Win32 PE files) on reports, for both main and dropped files.
+ I fixed two bugs.
Please let me know if everything works fine.

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69306#69306 Tue Jun 21, 2011 10:39 am
That is correct. The first line is just for us humans so we understand the ssdeep signature format :) And thanks for adding it !!! Cheers, Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69305#69305 Tue Jun 21, 2011 9:54 am
Ok, I will add an option to include ssdeep's output in reports. I see the output consists of 2 lines, and the first one seems to be always the same, so I guess I can remove the first line and just keep the second, right?
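The ssdeep posts around this point (Scrapie's request to add `ssdeep -b` output to the hash section and his explanation of matching variants by fuzzy-hash score, Buster's question about dropping the first of the two output lines) as an added Python example, not code from ssdeep, BSA or any poster. It implements a reduced context-triggered piecewise hash in the style of spamsum/ssdeep (a 7-byte rolling hash decides where chunks end, each chunk becomes one base64 character, a second signature is computed at twice the block size), a comparison that scores 0..100 the way ssdeep does in outline (signatures are only comparable at a shared block size, need a common 7-character run, and are scored by weighted edit distance), and a parser for `ssdeep -b` output that skips the `ssdeep,1.1--blocksize:hash:hash,filename` header line. The simplifications (block size never shrunk, no signature-length cap, no stripping of repeated characters, FNV start value chosen here) mean the signatures will not match real ssdeep output; the sample bytes, the seeds and the 21-byte patch in demo() are constructed.

```python
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7          # rolling-hash window in bytes, as in spamsum/ssdeep
MIN_BLOCK = 3       # smallest block size ssdeep starts from
SIG_LEN = 64        # target signature length used to choose the block size
COMMON = 7          # ssdeep scores 0 unless the signatures share a 7-char run
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193   # 32-bit FNV-1 step; start value chosen here

def _rolling(data):
    """Rolling hash of the last WINDOW bytes, yielded after each input byte."""
    h1 = h2 = h3 = 0
    win = [0] * WINDOW
    for n, c in enumerate(data):
        h2 = (h2 - h1 + WINDOW * c) & 0xFFFFFFFF
        h1 = (h1 + c - win[n % WINDOW]) & 0xFFFFFFFF
        win[n % WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF
        yield (h1 + h2 + h3) & 0xFFFFFFFF

def _signature(data, block_size):
    """One base64 character per chunk; a chunk ends where the rolling hash hits the trigger."""
    sig, h = [], FNV_INIT
    for c, roll in zip(data, _rolling(data)):
        h = ((h * FNV_PRIME) ^ c) & 0xFFFFFFFF      # FNV-1 over the current chunk
        if roll % block_size == block_size - 1:      # context-triggered boundary
            sig.append(B64[h & 63])
            h = FNV_INIT
    if h != FNV_INIT:                                # trailing partial chunk
        sig.append(B64[h & 63])
    return "".join(sig)

def fuzzy_hash(data):
    """'blocksize:sig1:sig2' like ssdeep; sig2 uses twice the block size.
    Simplification: the block size only grows with file length and is never shrunk."""
    bs = MIN_BLOCK
    while bs * SIG_LEN < len(data):
        bs *= 2
    return "%d:%s:%s" % (bs, _signature(data, bs), _signature(data, bs * 2))

def _edit_distance(a, b):
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def _score(s1, s2):
    """0..100 similarity of two signatures computed at the same block size."""
    if len(s1) < COMMON or len(s2) < COMMON:
        return 0
    if not any(s1[i:i + COMMON] in s2 for i in range(len(s1) - COMMON + 1)):
        return 0
    return max(0, 100 - (100 * _edit_distance(s1, s2)) // (len(s1) + len(s2)))

def compare(sig_a, sig_b):
    """Match score 0..100; signatures are only comparable at a shared block size."""
    bs_a, a1, a2 = sig_a.split(":")
    bs_b, b1, b2 = sig_b.split(":")
    bs_a, bs_b = int(bs_a), int(bs_b)
    if bs_a == bs_b:
        return max(_score(a1, b1), _score(a2, b2))
    if bs_a == 2 * bs_b:
        return _score(a1, b2)
    if bs_b == 2 * bs_a:
        return _score(a2, b1)
    return 0

def parse_ssdeep_output(text):
    """Map filename -> signature from `ssdeep -b` output, skipping the header line
    'ssdeep,1.1--blocksize:hash:hash,filename' that Buster drops from the report."""
    sigs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("ssdeep,"):
            continue
        sig, _, name = line.rpartition(",")
        sigs[name.strip().strip('"')] = sig
    return sigs

def _sample(seed, n):
    """Constructed pseudo-random bytes standing in for a binary; no real samples involved."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def demo():
    """A 21-byte patch (think of a re-pointed C2 URL) leaves the variant scoring
    against the original; an unrelated file of the same size scores 0."""
    original = _sample(1, 4096)
    variant = original[:1500] + b"http://10.0.0.5/gate/" + original[1521:]
    unrelated = _sample(2, 4096)
    base = fuzzy_hash(original)
    return compare(base, fuzzy_hash(variant)), compare(base, fuzzy_hash(unrelated))
```

The point of demo() is the one Scrapie makes: the patched variant has a completely different MD5/SHA1/SHA256 but keeps most of its chunk characters, so it still scores against the original, while an unrelated file of the same size shares no 7-character run and scores 0. To build the "family tree" he describes, feed the signatures from parse_ssdeep_output() pairwise into compare() and cluster on the scores.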
Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69302#69302 Tue Jun 21, 2011 9:38 am
Hi, ssdeep gives you a fuzzy hash of a file. This helps to find out if the file uses the same code (recycling) as other samples collected in your honeypot. It can be useful to categorize samples. For example, you have a collection of ssdeep signatures (you don't need the files, just the hashes) from Binders, and the new file matches up 80% with one of them and 70% with another, so you can be pretty sure it is a Binder as well - and not a rootkit. Or the new sample uses the same code as one of your filesharing worms because it matches up 75%. So it might be just a new variant, or someone re-used the spreading code in his own project. But you know it is a worm using the same module for filesharing - and not a file virus. I used ssdeep on a host that updated his Droppers (2.000 @ the same time and every single one slightly different) every 24h to avoid detection. So every 24h I timed wget to DL the latest sample batch and ran them against the old hashes. The detection was always >95% - which is pretty good. VirusTotal at the same time gave me 0 detections. Another example was comparing new releases of VB-Crypters. A lot of them were using the few open-source samples you can DL. Slight modifications and tada: "This is my new Crypter!" No credits, just changed the GUI and shifted the Stub code a bit around. Undetected by most AVs, but ssdeep showed the original source that has been used, and then you can have a closer look at both. In the end you end up with a kind of family tree with the open-source ones at the bottom and the rips branching out. More examples and links about ssdeep and malware analysis:
[url=http://blog.infosanity.co.uk/2009/12/15/fuzzy-hashing-memory-carving-and-malware-identification/]Link[/url]
[url=http://blog.sei.cmu.edu/post.cfm/fuzzy-hashing-techniques-in-applied-malware-analysis]Link[/url]
[url=https://www.chioka.in/lang/en/2009/12/11/grouping-malware/]Link[/url]
Cheers, Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69295#69295 Tue Jun 21, 2011 7:29 am
[quote="Scrapie"]Would it be possible to include ssdeep into the hash section? [code:1:ec223c4af9]ssdeep.exe -b file.exe>sig.txt[/code:1:ec223c4af9][/quote]
What's ssdeep used for and why is it valuable information to include in the report?

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69292#69292 Tue Jun 21, 2011 5:46 am
Hi, would it be possible to include ssdeep into the hash section?
[code:1:9ab77a9ec7]ssdeep.exe -b file.exe>sig.txt[/code:1:9ab77a9ec7]
- File.exe is the file you want to generate the signature from.
- The "> " puts the output in file "sig.txt".
Cheers, Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69291#69291 Tue Jun 21, 2011 5:39 am
I am trying to isolate the buggy code so I just sent another beta. Let me know if it works fine or not.

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=69289#69289 Tue Jun 21, 2011 3:50 am
It occurred in automatic mode. I even tried a clean install, and it still wouldn't work for me. The beta you gave me works fine.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69260#69260 Mon Jun 20, 2011 7:55 am
[quote="Loks"]Doesn't work for me either...[/quote]
I was unable to reproduce the problem. Does it occur in manual analysis mode, in automatic from GUI, in automatic from command line or in all modes? I was comparing the changes from version 1.34 to 1.35 and I don't see anything that could cause this behaviour. :?

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69259#69259 Mon Jun 20, 2011 7:44 am
Hi, started from scratch with the new version of Sandboxie and atm it works here again:
[code:1:ea1144dd25][ Changes to filesystem ]
* Creates file C:\Program Files\Defraggler\Defraggler.exe
File length: 2221368 bytes
File signature (PEiD): Microsoft Visual C++ ?.? [Overlay] *
File signature (Exeinfo): Microsoft Visual C++ ver. 8.0 / Visual Studio 2005 - no MSCab
File type: EXE
File entropy: 6.46089 (80.7612%)
Digital signature: Signed
MD5 hash: ac9b05fb6f49abaaf5fbd57810e54a2a
SHA1 hash: 788eb21f8ec7621b5fe9064e8532b260281c2387
SHA256 hash: 1ee3ddc2ab5c00dcc077fbce344961f43e14c7d7bcf843862aa10d580f3a176c
VirusTotal detections: No detections found[/code:1:ea1144dd25]
Don't know what caused the problem in the first place but yeah - works again after I uninstalled everything... Scrapie

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=69257#69257 Mon Jun 20, 2011 6:45 am
[quote="Scrapie"]Hi, here the new version doesn't include hashes, file infos, entropy, ... in the Report.txt anymore. Just me or someone else having the same problem? Cheers, Scrapie[/quote]
Doesn't work for me either...

Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=69197#69197 Sat Jun 18, 2011 4:32 am
Hi, here the new version doesn't include hashes, file infos, entropy, ... in the Report.txt anymore. Just me or someone else having the same problem? Cheers, Scrapie

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69183#69183 Fri Jun 17, 2011 4:58 pm
Why did I decide to reintroduce HideDriver in the package? I noticed that the feature to hide Sandboxie's processes from LOG_API was not perfect, so I decided to remove the feature from LOG_API. At the same time HideDriver does not work on 64-bit systems, so I decided to keep a special version of LOG_API for those systems. So from BSA 1.35 things are like this: On 32-bit systems, hiding Sandboxie will be done by combining the use of HideDriver and LOG_API.DLL. On 64-bit systems, hiding Sandboxie will be done exclusively by LOG_API.DLL. I want to remark that, as I comment in the manual, from version 1.35 LOG_API.DLL should not be renamed. It must keep that filename because LOG_API will hide itself.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69180#69180 Fri Jun 17, 2011 4:52 pm
Released Buster Sandbox Analyzer version 1.35.
Changes:
+ Added HideDriver again
+ Added LOG_API version for 64 bit systems
+ Fixed several bugs

Buster: Re: [Buster Analyzer]: RegDiff.txt not generated http://www.sandboxie.com/phpbb/viewtopic.php?p=69179#69179 Fri Jun 17, 2011 4:51 pm
[quote="jaysonpryde"]Anyway, I have a question related to the combined usage of Sandboxie and Buster Analyzer for file analysis. I've already come up with an automated system that utilizes the combination of the two. My question is, on the automated system, RegDiff.txt is not generated by Buster. But when I tried running Buster and Sandboxie manually on the same file (i.e. Run BSA, Start Analysis, Run Program in Sandboxie, Stop BSA Analysis and then Analyze), RegDiff.txt is generated.[/quote]
This bug should be fixed in BSA 1.35. Please, confirm.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69168#69168 Fri Jun 17, 2011 1:03 pm
Thanks for sharing the script with us, Loks!

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=69164#69164 Fri Jun 17, 2011 12:51 pm
Here's the script I use to process samples downloaded by my honeypot using BSA. Hopefully someone will find it useful. You will need to install VMWare with VMTools installed, because I use vmrun for most of it. Tried using virtualbox, but it keeps crashing on me.
[code:1:36b2371e1b]
#!/bin/bash
# This script will forward all samples downloaded by my honeypot for processing to BSA
# BSA runs on top of SandboxIE inside a VMWare
# BSA will process them, and churn out a report
# The script will then rename the report and compress them in a zip file
# Questions/Comments -> P.M me
# I'm sure this script can be made better. But I don't have the time to do it

# ==============================
# Setting up directory locations
# ==============================
# Home folder where the analysis setup resides
MANE="/media/data/BSA"
# Folder where the samples downloaded from honeypots get collected
DOWNLOADS="/media/data/BSA/01.downloads"
# Folder where the samples move to for processing
PROCESS="/media/data/BSA/02.process"
# Folder where BSA's reports will finally be moved to
REPORTS="/media/data/BSA/03.reports"
# Only PE files are sent to processing. Non PE files will be moved here
REJECTS="/media/data/BSA/04.rejects"
# Only PE exe files are sent to processing. Other PE files - dll,sys files move here
OTHERS="/media/data/BSA/05.others"
# Location of this script
TOOLS="/media/data/BSA/tools"
# Temporary folder
TRANSIT="${TOOLS}/temp"
# Path to VMware vmx file
VMX="/media/data/vmware/bsa/BSA.vmx"
# Credentials to the Windows XP Image
VM_CREDENTIALS="-T ws -gu Administrator -gp password "
# Total analysis time per sample for BSA
ANALYSIS_TIME=120
# Location of BSA reports in the virtual machine
BSA_REPORTS="C:\\BSA\\REPORTS\\"

# =============
# Start of code
# =============
# The files downloaded from my honeypot go to "/media/data/BSA/01.downloads" as and when they get downloaded
# I move the files from "/media/data/BSA/01.downloads" to "/media/data/BSA/02.process" and then start BSA for analysis
# So we first need to make sure that:
# 01.The downloads folder where samples get downloaded to is not empty - which means we have samples for analysis
# 02.The process folder is empty - which means no samples are currently being analyzed by BSA
# This bash file can be run as a cron job every 1 hour, so all files are processed automatically.
if [ $(find ${PROCESS} -type d -empty | wc -l) -eq 1 ] && [ $(find ${DOWNLOADS} -type d -empty | wc -l) -eq 0 ] ; then
    echo -e "Moving files from \"Downloads\" to \"Process\" directory in 10 Seconds"
    sleep 10

    # ==============
    # Moving samples
    # ==============
    # Moving the samples from downloads directory to process directory
    mv ${DOWNLOADS}/* ${PROCESS}

    # ==============
    # Renaming Files
    # ==============
    # Files downloaded by honeypots tend to have weird file names at times which Windows can't handle. So I'm renaming the files to their MD5
    echo -e "Renaming files to their MD5"
    find ${PROCESS} -iname "*" -type f -exec md5sum {} \; | sed -r "s/(^.*)(\s+)(.*)/mv \"\3\" \1/" | sed "s/\" /\" \"\/media\/data\/BSA\/02.process\//" | sed "s/\s$/\"/" > ${TRANSIT}/mv.sh
    # Move the files
    bash ${TRANSIT}/mv.sh

    # =====================
    # Moving unwanted files
    # =====================
    # Although BSA can process non pe files, I really don't care about them. So I'm moving the unwanted file types to the rejects folder
    echo -e "Moving non PE files & PE dll and sys files to \"Rejects\" & \"Other\" folders"
    file ${PROCESS}/* | egrep -iv "for MS Windows" | sed "s/^/mv \"/" | sed "s/: .*//" | sed "s/$/\" \/media\/data\/BSA\/04.rejects/" > ${TRANSIT}/rejects.sh
    file ${PROCESS}/* | egrep -i "(DLL)|(driver)" | sed "s/^/mv \"/" | sed "s/: .*//" | sed "s/$/\" \/media\/data\/BSA\/05.others/" > ${TRANSIT}/others.sh
    bash ${TRANSIT}/rejects.sh
    bash ${TRANSIT}/others.sh

    # ============
    # Start VMWare
    # ============
    # The vmware has WindowsXP installed, with "Autologin" turned on using tweakui, downloaded from Microsoft's website
    # I've disabled error reporting completely on the machine. It interferes with the analysis at times
    # I've used vmrun for most of the operations as you can see.
    # I have taken a snapshot of the VMWare after installing BSA/SandboxIE, along with other tools
    # I have taken a snapshot after you "suspend" the VMWare image. It is recommended not to "Shutdown" the image and then take a snapshot
    # The snapshot is named BSA, which is used in the vmrun commands later
    # I have shared "02.process" directory as Z:\incoming and "03.reports" directory as Z:\outgoing directory inside vmware with read/write access
    echo -e "Reverting virtual machine and invoking \"Buster Sandbox Analyzer\""
    vmrun -T ws revertToSnapshot ${VMX} BSA
    vmrun -T ws start ${VMX}

    # =========
    # Start BSA
    # =========
    # Starting BSA.exe inside VMWare interactively. So each sample will be analyzed for 120 seconds as declared earlier
    # Notice that the shared folder "02.process" a.k.a Z:\incoming is where BSA will take samples for analysis from
    echo -e "Each sample will be analyzed for $ANALYSIS_TIME seconds"
    vmrun ${VM_CREDENTIALS} runProgramInGuest ${VMX} -interactive c:\\bsa\\bsa.exe -s $ANALYSIS_TIME -f Z:\\incoming

    # ==================
    # Moving the reports
    # ==================
    # I've enabled "Manage Processed File" -> "Move To Reports Folder" in BSA options
    # So, once the analysis on all samples is complete, the original dropper is "moved" from 02.process a.k.a z:\incoming folder to the 03.reports a.k.a z:\outgoing folder.
    echo -e "Analysis completed. Moving files now"
    sleep 10
    vmrun ${VM_CREDENTIALS} CopyFileFromGuestToHost ${VMX} "${BSA_REPORTS}" "${REPORTS}"

    # ================================
    # Renaming and compressing reports
    # ================================
    # BSA creates reports inside folders with the time stamp
    # We will rename and remove the time stamp & compress the reports folder into a .zip file
    echo -e "Renaming reports"
    find ${REPORTS} -maxdepth 1 -mindepth 1 -type d | sed -r "s/(^.*)(\s)(20.*)/mv \"\1\2\3\" \1/" > ${TRANSIT}/report.sh
    bash ${TRANSIT}/report.sh
    echo -e "Compressing reports"
    cd ${REPORTS}
    find . -maxdepth 1 -mindepth 1 -type d -exec zip -rmq {}.zip {} \;

    # =================
    # Suspending VMWare
    # =================
    # We will suspend VMWare once the analysis is complete
    vmrun -T ws suspend ${VMX}
else
    echo -e "Either \"Downloads\" directory has no files to process or \"Process\" directory contains files...Quitting"
fi
[/code:1:36b2371e1b]

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=69029#69029 Mon Jun 13, 2011 10:40 pm
Welcome to the forum! I will check what happens with RegDiff.TXT and will let you know as soon as I find out what's going on. Thanks for the report!
jaysonpryde: [Buster Analyzer]: RegDiff.txt not generated http://www.sandboxie.com/phpbb/viewtopic.php?p=69027#69027 Mon Jun 13, 2011 10:27 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=69027#69027 Good day! Newbie on this forum :) Anyways, I have a question related to the combined usage of Sandboxie and Buster Analyzer for file analysis. I’ve already come up with an automated system that utilizes the combination of two. My question is, on the automated system, RegDiff.txt is not generated by Buster. But when I tried running Buster and Sandboxie manually on the same file (i.e. Run BSA, Start Analysis, Run Program in Sandboxie, Stop BSA Analysis and then Analyze), RegDiff.txt is generated. I’ve already set the following in Sandboxie.ini but still, RegDiff was not generated in the automated system. Other text files (Analysis.txt, Report.txt, FileDiff.txt and Log_API.txt) were generated: InjectDll = c:\bsa\LOG_API.DLL OpenWinClass=TFormBSA Do you have any ideas on this matter? Do I have to modify something on BSA's configuration? Any help is greatly appreciated Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=68690#68690 Wed Jun 01, 2011 8:46 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=68690#68690 ]]>Quoting Samurai Jack: ]]>It hides processes on 64-bit Windows 7 too? ]]> Yes, it does. (32-bit processes) You can make a simple test: sandbox Task Manager and check if Sandboxie processes appear listed. Samurai Jack: http://www.sandboxie.com/phpbb/viewtopic.php?p=68689#68689 Wed Jun 01, 2011 8:22 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=68689#68689 ]]>Quoting Buster: ]]>Within BSA 1.34 I released a new LOG_API.DLL. This new version makes unnecessary the use of HideDriver to hide Sandboxie´s processes. I made my own tests and I think the results are satisfactory. Did anyone make any tests to verify the new DLL works properly? ]]>It hides processes on 64-bit Windows 7 too? 
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=68668#68668 Tue May 31, 2011 4:55 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=68668#68668 Within BSA 1.34 I released a new LOG_API.DLL. This new version makes unnecessary the use of HideDriver to hide Sandboxie´s processes. I made my own tests and I think the results are satisfactory. Did anyone make any tests to verify the new DLL works properly? M_R: http://www.sandboxie.com/phpbb/viewtopic.php?p=68506#68506 Fri May 27, 2011 7:31 am http://www.sandboxie.com/phpbb/viewtopic.php?p=68506#68506 Thanks a lot for your answer. I will try it out and write the result here. But its a pity that I will miss the downloaded files this way. If I understand you well, this means that the use of Sandboxie is dangerous in general without using "a proper malware replication environment" like Inetsim. For example, you can run an unknown file in Sanboxie, that turns out to be a nasty piece of malware, and so infect your network by an 0 day exploit or getting in trouble another way as you mentioned. A lot of people use Sandboxie for running executables that they do not trust and can be malware. Scrapie: http://www.sandboxie.com/phpbb/viewtopic.php?p=68505#68505 Fri May 27, 2011 6:39 am http://www.sandboxie.com/phpbb/viewtopic.php?p=68505#68505 Hi Use FakeDNS from iDefense and put all requests through to a VM-Machine with a sniffer on. That way you can see what the malware is trying to do but without leaving your controlled environment. Sure, you won't get any files downloaded from the net through malware that way. But you can see to which adresses they try to connect + the URLs so you can check that out manually. You can even set up your own HTTP & IRC-Server to serve some files / requests from malware - but that is a bit tricky and uses more VM-machines... Another way would be tunneling all traffic from that machine through a proxy or Tor-Network. Easy to do and quite effective. 
But it is absolutely NOT A GOOD IDEA !!! because you will get the Tor-Nodes in the same trouble you are in right now. So please don't use this method. Cheers, Scrapie

Buster (Fri May 27, 2011 5:47 am): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68502#68502
Quoting Astrowe:
> yes, that might be it. thanks, gonna check and let you know afterwards

Don't forget to comment about this, please.

Loks (Fri May 27, 2011 12:56 am): Re: Malware is sending spam, http://www.sandboxie.com/phpbb/viewtopic.php?p=68495#68495
Quoting M_R:
> This is not about a bug, but about a problem I have with running malware in the sandbox.

This isn't a problem either. It's a question of you not having a proper malware replication environment.

Quoting M_R:
> The malware in the sandbox had made contact with a Gbot Command and Control Server. Another reason might be sending spam. Possible solutions: Windows firewall is not much of a help, for it's just blocking incoming connections. To block all connections with another firewall is not what I want.

There are firewalls out there which can block connections based on rules you define, and in Linux they come for free. iptables etc. You can even install snort and write custom signatures based on the packet headers to block, say, all IRC connections.

Quoting M_R:
> Blocking on an individual basis is possible and for running one piece of malware it's no problem to check if you want the malware to pass the firewall or not. But in the automatic mode and running a lot of malware it's no option. I am not sure if blocking port 25 will prevent sending spam. And maybe blocking the IP from the Gbot Command and Control Center. Any ideas?
You should be using Inetsim or something similar which will simulate the internet services rather than running everything on a real machine. What you are doing right now is extremely dangerous. The malware you run can be contributing to a DOS on the CIA or downloading child porn or scanning your entire subnet and sending a new exploit and malware for all you know, and you can get into real trouble rather than just getting your IP blocked by your ISP. Only if you want to analyze your malware closely after initial analysis with inetsim should you allow that malware to connect to the Internet, and that too with you controlling what it does and having a hawk eye over it.

M_R (Thu May 26, 2011 4:14 pm): Malware is sending spam, http://www.sandboxie.com/phpbb/viewtopic.php?p=68454#68454
This is not about a bug, but about a problem I have with running malware in the sandbox. A few days ago my IP was blacklisted by Spamhaus and Barracuda. Then you can not send mail anymore until it's removed from the blacklist. That takes a few days.

Image: http://i1104.photobucket.com/albums/h336/Kobayashi1947/lunapic_130640333876780_1.png

The malware in the sandbox had made contact with a Gbot Command and Control Server. Another reason might be sending spam. Possible solutions: Windows firewall is not much of a help, for it's just blocking incoming connections. To block all connections with another firewall is not what I want. Blocking on an individual basis is possible and for running one piece of malware it's no problem to check if you want the malware to pass the firewall or not. But in the automatic mode and running a lot of malware it's no option. I am not sure if blocking port 25 will prevent sending spam. And maybe blocking the IP from the Gbot Command and Control Center. Any ideas?
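The FakeDNS-style containment Scrapie recommends above (every lookup from the analysis VM steered to a capture VM running a sniffer, so the sample never reaches the real Internet but its connection attempts are still visible), as an added example that is not part of the thread and is not FakeDNS, InetSim or BSA code. The sinkhole address 192.0.2.10, the 60-second TTL and all helper names are assumptions of this example.

```python
# Minimal DNS sinkhole in the spirit of the FakeDNS approach recommended
# above: every A query is answered with one fixed address (the capture VM
# running a sniffer), so a sample's connection attempts stay inside the
# lab and still show up in the capture. Added example for this thread,
# not FakeDNS, InetSim or BSA code. Packet layout follows RFC 1035; the
# sinkhole address 192.0.2.10 is a constructed TEST-NET-1 placeholder.
import socket
import struct
from typing import Optional, Tuple

SINKHOLE_IP = "192.0.2.10"  # constructed placeholder: the capture VM
QTYPE_A, QCLASS_IN = 1, 1
MAX_POINTER_HOPS = 16       # guards against compression-pointer loops


def parse_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a label sequence; return (name, offset just past it at the
    original position). Compression pointers (RFC 1035 4.1.4) are followed
    for the name but do not advance the returned offset past the pointer."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS or offset + 1 >= len(packet):
                raise ValueError("bad or looping compression pointer")
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_query(packet: bytes) -> Tuple[int, str, int, int, bytes]:
    """Return (txid, qname, qtype, qclass, raw question) of a one-question
    query; anything else raises ValueError."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = parse_name(packet, 12)
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, packet[12:off + 4]


def build_sinkhole_response(query: bytes, sinkhole_ip: str = SINKHOLE_IP) -> bytes:
    """Answer an A/IN query with sinkhole_ip (TTL 60); other types get an
    empty NOERROR reply so the sample moves on instead of retrying."""
    txid, _name, qtype, qclass, question = parse_query(query)
    rd_bit = struct.unpack("!H", query[2:4])[0] & 0x0100   # echo RD
    flags = 0x8000 | rd_bit | 0x0080                      # QR=1, RA=1, RCODE=0
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        answer = (b"\xc0\x0c"                               # pointer to qname at 12
                  + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
                  + socket.inet_aton(sinkhole_ip))
        ancount = 1
    return struct.pack("!6H", txid, flags, 1, ancount, 0, 0) + question + answer


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a query packet; used here to exercise the responder offline."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, QCLASS_IN)


def answered_address(response: bytes) -> Optional[str]:
    """Read the first A record out of a response built above, or None."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = parse_name(response, 12)
    _, off = parse_name(response, off + 4)               # skip qtype/qclass, owner name
    rdlen = struct.unpack("!HHIH", response[off:off + 10])[3]
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlen])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Point the analysis VM's resolver at this host: every lookup is
    logged and steered to the sinkhole address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                reply = build_sinkhole_response(data)
            except ValueError as exc:
                print(f"{peer[0]}: dropped malformed packet ({exc})")
                continue
            print(f"{peer[0]} asked for {parse_query(data)[1]} -> {SINKHOLE_IP}")
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The printed log is the list of names the sample asked for, which is the "to which addresses they try to connect" information Scrapie mentions; the packet capture on the sinkhole host then shows what it tried to do once connected.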
Buster (Wed May 25, 2011 6:57 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=68438#68438
Released Buster Sandbox Analyzer 1.34. Changes:
+ Added a feature to copy/move processed files in automatic mode
+ Added a feature to export RegHive to .REG format
+ Updated LOG_API
+ Removed HideDriver
+ Fixed a bug

Astrowe (Wed May 25, 2011 6:35 pm): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68437#68437
Quoting Buster:
> I found a bug when in the command line the time is supplied in minutes. It will be fixed in version 1.34 which I will release today or tomorrow. Maybe that's the reason of the problem you found.

yes, that might be it. thanks, gonna check and let you know afterwards

Buster (Wed May 25, 2011 6:02 pm): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68433#68433
Quoting Astrowe:
> i know what you mean.. well i checked it out and it does exactly what i expected it to do :) but the countdown usually somehow manages to get stuck at 49s or so.. don't really know why. then it looks like it doesn't do anything but bsa.exe has high cpu load like 80%+ EDIT: i unchecked virustotal analysis and some other common analysis settings and it works just fine.. EDIT#2: sometimes the analysis ends before the time's up --that'd be okay if the sample has closed by itself but it actually doesn't or at least i think so, 'cause when i run the file in Sandboxie, it runs all the time and creates way more events than the bsa report shows afterwards. and it happens only when automatic analysis via command line runs. manual analysis works just fine. actually i did not try to run automatic analysis from the gui so i'm gonna try this and get back at you. strange thing is that when i run the analysis from command line with the very file again, it works okay.
I found a bug when in the command line the time is supplied in minutes. It will be fixed in version 1.34 which I will release today or tomorrow. Maybe that's the reason of the problem you found.

Astrowe (Wed May 25, 2011 5:56 pm): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68431#68431
Quoting Buster:
> I never forget any feature request. I really appreciate to receive them. The problem is I don't have much free time and I must give priority to things. Now the feature is there, so try it and let me know what you think about it. :)

i know what you mean.. well i checked it out and it does exactly what i expected it to do :) but the countdown usually somehow manages to get stuck at 49s or so.. don't really know why. then it looks like it doesn't do anything but bsa.exe has high cpu load like 80%+ EDIT: i unchecked virustotal analysis and some other common analysis settings and it works just fine.. EDIT#2: sometimes the analysis ends before the time's up --that'd be okay if the sample has closed by itself but it actually doesn't or at least i think so, 'cause when i run the file in Sandboxie, it runs all the time and creates way more events than the bsa report shows afterwards. and it happens only when automatic analysis via command line runs. manual analysis works just fine. actually i did not try to run automatic analysis from the gui so i'm gonna try this and get back at you. strange thing is that when i run the analysis from command line with the very file again, it works okay.

Buster (Wed May 25, 2011 7:26 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68416#68416
Even if two buttons look identical, let's say they contain the "Finish" label, they can be different and they must be treated differently. I don't know how to detect a significant change in the GUI / Desktop of a program.
If you find a method let me know and I will try it. Rootkits usually use a driver to get stealth capabilities and Sandboxie will not allow that, so they can not hide when they run sandboxed. "You mentioned a few things in the manual but it is still very easy to detect if a sandbox is running." Well, not so easy. You can try to code a program and check if it's able to notice if it's being run sandboxed or not.

Scrapie (Wed May 25, 2011 6:45 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68414#68414
Hi Buster, thanks for your answer :) My understanding of the "Automated Setups" feature was that when a button got the caption "Ok", "Finish", "Install", ... BSA will click it - not depending on any setup-software used or the window caption. That's why I was a bit unsure about the 7zip-setup which clearly has a "Finish" button. But looks like I got that wrong... Screenshot every second + changed PID, hmmm. That's why I only got one screen from a Scareware-AV the other day during installation. Would it be possible to get a new screenshot every time there is a significant change in the GUI / Desktop? An installation would be fully documented with screenshots that way. You are right, entropy isn't a significant information to recognize malware. It only means that certain EXE-files could be protected via a packer or a crypter. Which leaves us with two (main) possibilities: a.) It is malware trying to change its file signature, minimize file size and / or raise the bar for analysing. b.) It is legal software trying to avoid reverse engineering and / or bring down file size. I was just curious if you draw on the entropy of PEiD - which isn't documented and closed-source, that's all :) Any experience using a rootkit (which is in the end nothing else than a more advanced HideDriver) to hide any traces (file, reg, folder, proc) of Sandboxie and BSA from software running in the sandbox?
You mentioned a few things in the manual but it is still very easy to detect if a sandbox is running. Yeah, I know, fighting fire with fire, but kind of interesting. Will play around a bit in that direction. Cheers, Scrapie

Buster (Tue May 24, 2011 1:25 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=68400#68400
Quoting Scrapie:
> New command line works great for me. Had a few runs on samples and no problems so far. Well done & Thank you!

Thank you for testing and for the feedback! :wink:

Quoting Scrapie:
> Might pay to check the option "Automatic Analysis Options > Automate Setups" again. Tested it with the beta version of the 7zip-installer (h++p://sourceforge.net/projects/sevenzip/files/7-Zip/9.21/7z921.exe) and BSA didn't click the last "Finish"-button during installation. Maybe this feature is broken or there is something special about this setup, dunno...

Every setup in the world is not supported, of course. In my opinion the actual feature works well, but it can be improved. I will take a look at the setup you mention.

Quoting Scrapie:
> The screenshot feature - is it possible to get more information on that one? Like how often is it taking a shot / what triggers a shot? Any custom options to set like quality or filetype?

The screenshot routine is launched every second. It checks sandboxed processes and if the PID is new then it takes a screenshot. As long as the PID is the same, no more screenshots will be taken. I think the quality and the filetype are ok but I'm open to hear comments and suggestions.

Quoting Scrapie:
> Another question: File entropy - that information comes from PEiD?

No, I coded my own routine based on Shannon's entropy algorithm. The algorithm is applied to the whole file, not to individual sections.
I added that feature because it was a request, but I don't think the entropy is a significant piece of information to consider when you are evaluating if a sample is malware or not. Regards.

Buster (Tue May 24, 2011 1:17 pm): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68399#68399
Quoting Astrowe:
> i was wondering if you forgot about me.. but thank you, really.. gonna try this out right now

I never forget any feature request. I really appreciate to receive them. The problem is I don't have much free time and I must give priority to things. Now the feature is there, so try it and let me know what you think about it. :)

Astrowe (Tue May 24, 2011 1:07 pm): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68398#68398
Quoting Buster:
> Finally I added this feature request. Sorry for the delay. You will be able to run BSA in real automatic mode doing:
> bsa.exe -m 1 -f c:\folder
> or
> bsa.exe -s 45 -f c:\folder
> Where:
> -m = minutes (1 min - 60 max)
> -s = seconds (1 min - 3600 max)

i was wondering if you forgot about me.. but thank you, really.. gonna try this out right now

Scrapie (Tue May 24, 2011 9:37 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68390#68390
Hi :)
New command line works great for me. Had a few runs on samples and no problems so far. Well done & Thank you! Might pay to check the option "Automatic Analysis Options > Automate Setups" again. Tested it with the beta version of the 7zip-installer (h++p://sourceforge.net/projects/sevenzip/files/7-Zip/9.21/7z921.exe) and BSA didn't click the last "Finish"-button during installation. Maybe this feature is broken or there is something special about this setup, dunno... The screenshot feature - is it possible to get more information on that one?
Like how often is it taking a shot / what triggers a shot? Any custom options to set like quality or filetype? Another question: File entropy - that information comes from PEiD? Cheers, Scrapie

Buster (Mon May 23, 2011 1:36 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=68355#68355
Re-released BSA 1.33 package to fix a severe problem in LOG_API.

Buster (Sat May 21, 2011 12:30 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=68300#68300
Released Buster Sandbox Analyzer 1.33. Changes:
+ Added a feature to run BSA from command line in automatic mode
+ Added Exeinfo support
+ Added extra information of dropped files
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed a bug

Buster (Sat May 21, 2011 9:26 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68298#68298
Quoting Scrapie:
> You're a star! Will test it next week and report back :9 Had a look @ TrID yet? What you think?

I have known TrID for years and I never really liked it. In fact I coded my own extension renamer because I was not satisfied with the available tools to find file formats. My code was oriented to catch malware file formats, so it fit perfectly to implement it into BSA. I think I will be able to release the new version today. Stay tuned. :wink:

Scrapie (Sat May 21, 2011 4:29 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68295#68295
You're a star! Will test it next week and report back :9 Had a look @ TrID yet? What you think? Cheers, Scrapie

Buster (Fri May 20, 2011 10:09 pm): Re: Automatic Analysis, http://www.sandboxie.com/phpbb/viewtopic.php?p=68289#68289
Quoting Astrowe:
> Hey guys, i like the automatic analysis option, but.. is there any way i could make it like really automatic?
> :D i mean like some command line arguments or something like that. I want this: run bsa.exe that automatically analyses all files in a somehow defined folder and for a pre-defined time, with no user action needed. something like bsa.exe -auto -t 100 -f c:\test does anybody have any idea how to do this? or am i just stupid and not aware that there already is something like that.. thanks in advance!

Finally I added this feature request. Sorry for the delay. You will be able to run BSA in real automatic mode doing:
bsa.exe -m 1 -f c:\folder
or
bsa.exe -s 45 -f c:\folder
Where:
-m = minutes (1 min - 60 max)
-s = seconds (1 min - 3600 max)

Buster (Fri May 20, 2011 9:28 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=68287#68287
I added support for Exeinfo. In fact another person suggested the same just today in another forum. I also added support to run BSA from command line. As soon as I make some more tests and update manuals I will make the new version available.

Scrapie (Wed May 18, 2011 7:05 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68177#68177
Hi Buster :)
I was looking for new ways to check out malware and found your addition to Sandboxie. I used tools like RegShot, FileMon, RegMon, TotalUninstall, Autoruns, Strings, TrID, PEiD, ssdeep and SmartSniff in the past. But it means a lot of manual work. Your tool does (most) of it automatically - which brings me to your 2nd question: It would be good to have BSA started by - let's say a honeypot - that just captured a sample. The honeypot would start BSA in auto. mode with a little batch or via shell with the timeout-time and the path to the folder where the sample is saved. Pretty much like Astrowe suggested it in an earlier posting in this thread. BSA would then start its automatic analysis as it does atm after entering these two variables by hand if you are in auto. mode.
In the evening you come home, check your honeypot and BSA reports and see what was on the net today :) Have you looked into TrID yet? It is a great tool for finding out what filetype unknown files are. I mean PEiD is okay for PE-Files but that's it. TrID will jump in after that and find out what type of file it is. Marco is a nice guy and he is still putting in new signatures from users every 4 weeks or so. DB contains 4301 filetypes atm. There is even a DLL you can use in your own programs. Quite easy and I used it in VB6 to check unknown files. Semi-automatic updates and building the DB are done here via one small batchfile. If you need any help with that send me a PM and I will send you my VB6-Source and the update-batch. Another thing for you could be "Exeinfo PE". A PEiD-clone which I found a bit better in some situations. You can call the little exe via shell or cmd line with "exeinfope.exe *.exe /s" and you will get a logfile with the results. Enough for today :) Cheers m8, Scrapie

Buster (Tue May 17, 2011 9:08 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68151#68151
Quoting Scrapie:
> Just came across your great tool and really loving it :) Very, very good work m8!

Thanks for the kind words. :) One question: where did you hear about the tool?

Quoting Scrapie:
> Any news about the command line to pass on TIME and FOLDER to BSA?

In automatic or manual mode? Running from command line should run the "Malware analyzer" feature or not? Please give more details about what you would expect BSA to do running from command line.

Scrapie (Tue May 17, 2011 8:50 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=68150#68150
Hi
Just came across your great tool and really loving it :) Very, very good work m8! Any news about the command line to pass on TIME and FOLDER to BSA?
Cheers, Scrapie

Buster (Mon May 09, 2011 5:23 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67818#67818
With the inclusion of VirusTotal av detections, Buster Sandbox Analyzer becomes a very powerful malware analysis and detection tool. BSA combines the traditional pattern and heuristic detection (provided by VirusTotal's av engines) with the malware behaviour analysis technology. From this combination we get a strong anti-malware tool.

Buster (Mon May 09, 2011 5:02 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67817#67817
Released Buster Sandbox Analyzer 1.32. Changes:
+ Added a feature to include av identifications from VirusTotal on reports
+ Improved "Automated Setup" feature

Buster (Fri May 06, 2011 7:54 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67759#67759
Quoting SnDPhoenix:
> Oh, you're probably right! I think I had tested this on an x86 Windows 7 in the past before moving to x64 permanently but now I can't remember if that's the case or not. :P In any case, that sucks though. Any plans to produce an x64 build in the future? :) EDIT: Actually, I just realized something. On x64 Windows, don't drivers have to be signed in order to run on the OS, or something like that? Maybe I'm thinking of something else? :P If that's the case though, then that probably explains why the driver won't run on x64 Windows 7. :?

I didn't code HideDriver. http://www.codeproject.com/KB/system/hide-driver.aspx "All versions are x86; x64 windows version is not supported because of PatchGuard."

SnDPhoenix (Fri May 06, 2011 7:49 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67758#67758
Quoting Buster:
> AFAIK HideDriver doesn't work on 64bits.

Oh, you're probably right!
I think I had tested this on an x86 Windows 7 in the past before moving to x64 permanently but now I can't remember if that's the case or not. :P In any case, that sucks though. Any plans to produce an x64 build in the future? :) EDIT: Actually, I just realized something. On x64 Windows, don't drivers have to be signed in order to run on the OS, or something like that? Maybe I'm thinking of something else? :P If that's the case though, then that probably explains why the driver won't run on x64 Windows 7. :?

Buster (Fri May 06, 2011 1:20 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67757#67757
AFAIK HideDriver doesn't work on 64bits.

SnDPhoenix (Fri May 06, 2011 9:47 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=67755#67755
Hey, just wondering, is anyone else having a problem with the HideDriver component? I swear I've had it working before, but for some reason I just tried using it (I need it for a program I want to run sandboxed, but it detects Sandboxie) and now I can't get it working for some reason. I already knew how to set it up, but since it wasn't working I read up on your site just to see if I had forgotten something, but I had already done everything correctly. :P Anyways, some technical info. I'm running BSA v1.31 on Windows 7 SP1 x64 all up to date, with the latest Sandboxie Beta installed and I have the Experimental Protection enabled. When I load up the HideDriverGUI, I select the path to the driver, leave the driver name field alone and click Install. It installs correctly. However when I click Run, I get this message:

Image: http://i.imgur.com/PovzZ.png (http://imgur.com/PovzZ)

Any idea guys? Am I alone in this issue? :lol: The rest of the BSA suite otherwise works perfectly!
:D

Buster (Thu May 05, 2011 8:02 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67744#67744
Beta 4: https://www.yousendit.com/download/MEtTb3BEQzc3N0JjR0E9PQ I fixed a bug and also added the chance of retrieving malware information of dropped (win32) files.

D1G1T@L (Mon May 02, 2011 8:27 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67634#67634
All working well here. Ultimately the choice is yours of course if you want to add that extra bit, would be nice. Keep it up :)

Buster (Mon May 02, 2011 4:54 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67618#67618
But first try that version and let me know if it works fine or not. :wink:

D1G1T@L (Mon May 02, 2011 3:08 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67614#67614
Quoting Buster:
> Question: Should I keep the feature as it's now or should I include an option to include av detections for every executable created?

Hi Buster, IMHO including AV detection for newly created exe.s would be quite useful for pinpointing where malicious code is appended and/or if some exe.s have suspicious behaviors which are not displayed by others.

Buster (Mon May 02, 2011 2:19 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67612#67612
Buster Sandbox Analyzer 1.32 beta 2: http://bsa.isoftware.nl/bsa132b2.rar (only BSA.EXE included) I have added a new feature: Options > Common Analysis Options > Reports > Include VirusTotal Malware Information. When enabled, BSA will include in the report the antivirus detections (if any) for the processed file available at www.virustotal.com Could anyone try it and let me know if it works fine or not, please?
Question: Should I keep the feature as it's now or should I include an option to include av detections for every executable created?

Buster (Mon May 02, 2011 2:11 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67611#67611
jeremyofmany: You're welcome. Glad you like it.

jeremyofmany (Mon May 02, 2011 2:04 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67610#67610
Thank you for Buster Sandbox Analyzer. I downloaded an EXE which happened to contain trojans/viruses. I ran it within Sandboxie and was able to get an easily readable log of everything it did. I have been looking for something like this for years - especially something that logs it in such readable form. Cheers!

shark (Thu Apr 28, 2011 7:32 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67439#67439
thanks for the excellent review

Buster (Mon Apr 25, 2011 2:38 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67288#67288
Released Buster Sandbox Analyzer 1.31. Changes:
+ Improved malware behaviour detections.
+ Updated LOG_API library (normal and verbose).
+ Added a feature to delete sandbox folder contents.
+ Fixed some bugs.

Buster (Mon Apr 25, 2011 8:18 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=67270#67270
Many improvements in software (BSA, Sandboxie, ...) come from the interaction between software developers and the users of software. Without that interaction, the software would evolve less or more slowly. Thanks to the feedback from users (their suggestions, feature requests, etc) the software becomes better. That's why I really appreciate feedback.
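Returning to the file-entropy exchange between Scrapie and Buster further up (May 24): Buster says BSA applies Shannon's entropy to the whole file rather than per section, and both agree the value only hints at packing or compression, not at malware. The following is an added example, not BSA's routine, that computes the whole-file figure and goes one step beyond the thread with a sliding-window variant that shows where the high-entropy region sits. The 7.0 threshold, the helper names and the constructed samples are assumptions of this example.

```python
# Shannon entropy over a whole file, as the thread describes BSA's feature,
# plus a windowed variant the thread does not describe. Added example for
# this thread, not BSA's own routine; sample inputs are constructed here.
import math
import random
from collections import Counter
from typing import Dict, List

PACKED_HINT_THRESHOLD = 7.0   # assumption: common rule of thumb, not BSA's value


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for a
    perfectly uniform one. Empty input is defined as 0.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def file_entropy(path: str) -> float:
    """Whole-file entropy, the way Buster says BSA applies it."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read())


def windowed_entropy(data: bytes, window: int = 1024) -> List[float]:
    """Entropy of consecutive non-overlapping windows; shows where the
    high-entropy region sits, which the single whole-file figure cannot."""
    if window <= 0:
        raise ValueError("window must be positive")
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def entropy_hint(data: bytes) -> str:
    """Plain-language reading of the whole-file value. As Scrapie and Buster
    note, high entropy only suggests packed, compressed or encrypted content;
    it does not by itself say anything about malicious intent."""
    e = shannon_entropy(data)
    if e >= PACKED_HINT_THRESHOLD:
        return "high entropy: likely packed, compressed or encrypted content"
    if e < 2.0:
        return "very low entropy: mostly repetitive or padded content"
    return "moderate entropy: typical of plain code or text"


def constructed_samples() -> Dict[str, bytes]:
    """Constructed inputs standing in for real files (seeded, so repeatable)."""
    rng = random.Random(2011)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    text = (b"Buster Sandbox Analyzer log line: process created\n" * 80)[:4096]
    return {
        "padding": b"\x00" * 4096,                 # 0.0 bits/byte
        "text": text,                              # a few bits/byte
        "noise": noise,                            # close to 8.0 bits/byte
        "stub_plus_payload": text[:2048] + noise[:2048],
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for name, blob in samples.items():
        print(f"{name:18s} {shannon_entropy(blob):.3f}  {entropy_hint(blob)}")
    print("windowed:", [round(e, 2) for e in windowed_entropy(samples["stub_plus_payload"])])
```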
Loks (Mon Apr 25, 2011 7:19 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=67265#67265
I came to know of BSA only after reading that book. The current version of BSA has come a long way in terms of features from what was mentioned in that book.

Buster (Sun Apr 24, 2011 10:52 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67247#67247
Quoting tzuk:
> Good stuff. Thanks for the link Buster. :) I copied your post to Positive Reviews, hope you don't mind.

Sure, no problem. Glad you liked it.

tzuk (Sun Apr 24, 2011 6:35 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67237#67237
Good stuff. Thanks for the link Buster. :) I copied your post to Positive Reviews, hope you don't mind.

soccerfan (Sun Apr 24, 2011 1:28 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=67228#67228
Quoting Buster:
> A review of Buster Sandbox Analyzer was included in the book "Malware Analyst's Cookbook" by.... http://es.scribd.com/doc/52508880/85/RECIPE-8-9-AUToMATED-ANALYSIS-WITH-SANDBoXIE-AND-BUSTER

Congratulations. A well written synopsis of both Sandboxie and BSA! I enjoyed reading it :)

Buster (Sun Apr 24, 2011 11:27 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=67227#67227
A review of Buster Sandbox Analyzer was included in the book "Malware Analyst's Cookbook" by Michael Hale Ligh, Steven Adair, Blake Hartstein and Matthew Richard. http://es.scribd.com/doc/52508880/85/RECIPE-8-9-AUToMATED-ANALYSIS-WITH-SANDBoXIE-AND-BUSTER

Buster (Wed Apr 20, 2011 9:13 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=67043#67043
Released Buster Sandbox Analyzer 1.30.
Changes:
+ Added a feature to automate setups when running in automatic mode
+ Added a feature to run a custom command after an automatic analysis finishes
+ BSA will report the creation of hidden folders
+ Fixed a cosmetic bug

Astrowe (Thu Apr 14, 2011 11:31 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=66834#66834
Quoting Buster:
> BSA users: I would like to ask you a favour. Could you register at http://www.mywot.com and give a good report to "bsa.isoftware.nl", please? It has been marked as suspicious due to misleading reports. Thanks in advance!

well that's probably the least we could do considering how much effort you already put into BSA 8) done (http://www.mywot.com/en/scorecard/bsa.isoftware.nl/comment-20171778#comment-20171778)

doktornotor (Wed Apr 13, 2011 9:32 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=66779#66779
Quoting Buster:
> BSA users: I would like to ask you a favour. Could you register at http://www.mywot.com and give a good report to "bsa.isoftware.nl", please? It has been marked as suspicious due to misleading reports. Thanks in advance!

Well, I at least managed to get the false positive removed from BitDefender TrafficLight. :roll:

dynarx (Wed Apr 13, 2011 3:43 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=66773#66773
Just added my 2c worth of green to your rating, Buster. Never give up, never surrender. :) Cheers! D

Mike (Tue Apr 12, 2011 8:16 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=66765#66765
Rated, commented, and voted earlier. At the time, it seemed no one else had voted on the comments yet, so I just want to point out that possibility.
Buster (Tue Apr 12, 2011 4:50 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=66762#66762
Thank you! Ruhe: Meanwhile at WOT the alert was yellow/orange; at McAfee's SiteAdvisor it's even worse, it's red.

Guest10 (Tue Apr 12, 2011 4:38 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=66761#66761
Quoting Buster:
> Could you register at http://www.mywot.com and give a good report to "bsa.isoftware.nl", please?

Done.

Ruhe (Tue Apr 12, 2011 2:05 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=66759#66759
This example shows that WOT is absurd.

Buster (Tue Apr 12, 2011 1:51 pm): http://www.sandboxie.com/phpbb/viewtopic.php?p=66758#66758
BSA users: I would like to ask you a favour. Could you register at http://www.mywot.com and give a good report to "bsa.isoftware.nl", please? It has been marked as suspicious due to misleading reports. Thanks in advance!

Buster (Sat Apr 09, 2011 11:16 am): http://www.sandboxie.com/phpbb/viewtopic.php?p=66568#66568
In version 1.29 I introduced an interesting feature when processing in automatic mode. BSA will keep a list of files pending processing. If the user wants to stop the analysis he can do it by clicking "Options > Restart". The list will contain the files that were not processed. If the feature is enabled (Options > Automatic Analysis Options > Resume Process When Available), next time BSA runs in automatic mode it will continue processing the files from the list. If you don't want to resume an analysis, you can disable the feature or delete PROCESS.LST. I also introduced another feature for the automatic mode. Sometimes certain message windows are not closed when sandboxed processes finish.
Even if the automatic analysis continues to work fine, such windows will not be closed, being an annoying thing. An example of such window messages that don´t get closed is something like this: [img:b2bc796cf0]http://www.dbforums.com/attachments/microsoft-sql-server/8311d1208072574-distrib-exe-application-error-application-failed-initialize-properly-0xx0000142-apperr-snapshot03april08.jpg[/img:b2bc796cf0] With the new introduced feature is possible to close such windows. You must edit "WindowMessages.TXT" and add a string that appears in the title of the window. When the string is found, BSA will close that window. In the image example the string to search for would be " - Application Error". Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=66567#66567 Sat Apr 09, 2011 11:04 am http://www.sandboxie.com/phpbb/viewtopic.php?p=66567#66567 Released Buster Sandox Analyzer 1.29. Changes: + Added a feature to resume automatic mode analysis + Added a feature to close certain window messages when running in automatic mode Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=66251#66251 Fri Apr 01, 2011 2:04 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=66251#66251 Re-released version 1.28 to fix a bug. Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=66073#66073 Mon Mar 28, 2011 8:55 am http://www.sandboxie.com/phpbb/viewtopic.php?p=66073#66073 Released Buster Sandbox Analyzer 1.28. 
Changes: + Included two versions of LOG_API.DLL: One of them will not show file/registry operations so BSA will run faster + Invalid Win32 PE files will be reported + Added a feature to include Digital Signature information for dropped files + Added a feature to rename automatically processed files to their proper extension + Added a feature to do not process unknown file types + Added a feature that allows to adjust the time limit in minutes or seconds + Added a feature to take screenshots of sandboxed windows when running in automatic mode + When a non PE file is processed the file being processed will appear at report and the application that launched it too Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=66068#66068 Mon Mar 28, 2011 5:44 am http://www.sandboxie.com/phpbb/viewtopic.php?p=66068#66068 Hi Buster, Commenting out the line doesn't seem to solve the problem. The analysis is still slow Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=66008#66008 Sat Mar 26, 2011 8:09 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=66008#66008 ]]>Quoting Loks: ]]>However, BSA has become very slow. I took notepad.exe from windows folder and set analysis time as 30 seconds. It took ~3 minutes to complete processing it. ]]> Edit Sandboxie.ini and comment the line saying: InjectDll=C:\whatever\LOG_API.DLL To comment it you can add a ";" at the beginning, like this: ;InjectDll=C:\whatever\LOG_API.DLL Save and reload Sandboxie´s configuration. Then process notepad.exe again and let me know if speed is good again, please. Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=66004#66004 Sat Mar 26, 2011 5:54 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=66004#66004 Hi buster, yes i used the new log-api.dll Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65994#65994 Sat Mar 26, 2011 12:44 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65994#65994 ]]>Quoting Loks: ]]>However, BSA has become very slow. 
I took notepad.exe from windows folder and set analysis time as 30 seconds. It took ~3 minutes to complete processing it. ]]> Did you use the LOG_API.DLL I included in BSA 1.28 beta 10 RAR file? Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65993#65993 Sat Mar 26, 2011 12:05 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65993#65993 Hi Buster, The name of the file in the report is correctly reported now. However, BSA has become very slow. I took notepad.exe from windows folder and set analysis time as 30 seconds. It took ~3 minutes to complete processing it. I couldn't test the automated setup either. I tried installing microsoft powertoys, but it took a long time and finally crashed with the same I/O error I got the previous time. Installer uploaded here: [url]http://www.megaupload.com/?d=CLJJQFW0[/url] Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65932#65932 Thu Mar 24, 2011 9:11 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65932#65932 ]]>Quoting Loks: ]]> Some bugs I came across: Executing samples based on file type: I removed the extension of a text file and tried running it. Under normal circumstances, notepad would run it. But this time, BSA is not able to identify the file as a text file, and uses rundll32.exe to run it. When a file crashes and Windows error reporting opens up a dialog box like the one shown below, BSA hangs and doesn't continue. [u:9a1905b44f]http://oi51.tinypic.com/208uw3k.jpg[/u:9a1905b44f] In the report.txt under "General Information" the file name for non PE is the parent process which opened the file. Example: When I execute "sample.dll"...instead of reporting the file name as sample.dll, the report says "rundll32.exe" as the file name, which was the process which ran sample.dll. Can this be fixed? Also, I would like to request for a couple of more features if possible: 1. Can we have the report.txt in an xml format? 2. 
Currently, when analysis crashes on a file, we can't pause/skip the file and continue analysis on the next files. We have to restart the whole thing. Can there be a feature to handle this ? ]]> BSA 1.28 beta 10: https://www.yousendit.com/download/eURCK2VtcWY3bUN4dnc9PQ New: + Added a feature to skip unknown file types + When a non PE file is processed the real file will appear in the report, not the application that launched it + Added a feature to automate setups + I had to compile a LOG_API.DLL that doesn´t show registry operations. They slow down BSA a lot. The feature to automate setups must be tested a lot. Some files may hang BSA. Important: I will not support every setup, only the most generic ones. I will not support when setup asks if installation folder must be created. Test it and let me know, please. Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65869#65869 Wed Mar 23, 2011 4:00 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65869#65869 Hi Buster, Thanks for the quick reply. I realized that there's a workaround for the error dialog box. I just disabled the error reporting feature in Windows and that seemed to solve the problem - at least for now :) Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65854#65854 Wed Mar 23, 2011 2:47 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65854#65854 ]]>Quoting Loks: ]]> Some bugs I came across: Executing samples based on file type: I removed the extension of a text file and tried running it. Under normal circumstances, notepad would run it. But this time, BSA is not able to identify the file as a text file, and uses rundll32.exe to run it. ]]> I think the best solution is to skip the files BSA is unable to identify. ]]>Quoting Loks: ]]>When a file crashes and Windows error reporting opens up a dialog box like the one shown below, BSA hangs and doesn't continue. [u:28932fb2fc]http://oi51.tinypic.com/208uw3k.jpg[/u:28932fb2fc] ]]> That´s a problem I knew it would show up soon or later. 
Send me a file I can use to reproduce the problem and I will try to fix it. I already talked with tzuk about this. In theory in you terminate processes, that error dialog should be closed, but it doesn´t occur that way. ]]>Quoting Loks: ]]>In the report.txt under "General Information" the file name for non PE is the parent process which opened the file. Example: When I execute "sample.dll"...instead of reporting the file name as sample.dll, the report says "rundll32.exe" as the file name, which was the process which ran sample.dll. Can this be fixed? ]]> I will try to fix that. ]]>Quoting Loks: ]]> Also, I would like to request for a couple of more features if possible: 1. Can we have the report.txt in an xml format? 2. Currently, when analysis crashes on a file, we can't pause/skip the file and continue analysis on the next files. We have to restart the whole thing. Can there be a feature to handle this ? ]]> I will consider them. Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65842#65842 Wed Mar 23, 2011 12:09 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65842#65842 Hi Buster, The screen shot feature works well. Some bugs I came across: Executing samples based on file type: I removed the extension of a text file and tried running it. Under normal circumstances, notepad would run it. But this time, BSA is not able to identify the file as a text file, and uses rundll32.exe to run it. When a file crashes and Windows error reporting opens up a dialog box like the one shown below, BSA hangs and doesn't continue. [u:3a11ad73c9]http://oi51.tinypic.com/208uw3k.jpg[/u:3a11ad73c9] In the report.txt under "General Information" the file name for non PE is the parent process which opened the file. Example: When I execute "sample.dll"...instead of reporting the file name as sample.dll, the report says "rundll32.exe" as the file name, which was the process which ran sample.dll. Can this be fixed? 
Also, I would like to request for a couple of more features if possible: 1. Can we have the report.txt in an xml format? 2. Currently, when analysis crashes on a file, we can't pause/skip the file and continue analysis on the next files. We have to restart the whole thing. Can there be a feature to handle this ? Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65757#65757 Mon Mar 21, 2011 4:31 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65757#65757 ]]>Quoting Astrowe: ]]>That's perfect! Really useful feature and works nice. Thanks ]]> Thank you for testing. Astrowe: http://www.sandboxie.com/phpbb/viewtopic.php?p=65754#65754 Mon Mar 21, 2011 3:21 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65754#65754 ]]>Quoting Buster: ]]>BSA 1.28 beta 6 https://www.yousendit.com/download/eUREbUpYT2J0TWxFQlE9PQ Added the feature to take screenshots when running in automatic mode. ]]> That's perfect! Really useful feature and works nice. Thanks Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65672#65672 Sun Mar 20, 2011 3:31 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65672#65672 BSA 1.28 beta 6 https://www.yousendit.com/download/eUREbUpYT2J0TWxFQlE9PQ Added the feature to take screenshots when running in automatic mode. Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65644#65644 Sat Mar 19, 2011 7:54 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65644#65644 BSA 1.28 beta 5: https://www.yousendit.com/download/eURDTG13YTJlM1N4dnc9PQ I fixed the problem with .TXT, .VBS, .BAT, etc files. I also added a feature to let the user adjust the time limit in minutes or seconds. Try it and let me know how it works, please. Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65599#65599 Fri Mar 18, 2011 7:22 am http://www.sandboxie.com/phpbb/viewtopic.php?p=65599#65599 It's really strange. I'm not able to reproduce the issue anymore either. Maybe it was a one off thing. 
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65598#65598 (Fri Mar 18, 2011 6:52 am)
I cannot reproduce the behaviour. Probably this is related to file associations. Check your Windows configuration and review which programs are associated with ".SYS" files. Probably you will find that BSA got associated with them. If that's the case then just remove the association.

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65593#65593 (Fri Mar 18, 2011 4:27 am)
Uploaded here: http://rapidshare.com/files/453109300/sys.zip
Password - "clean" without quotes
Let me know if you are able to replicate the problem.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65582#65582 (Thu Mar 17, 2011 6:15 pm)
Quoting Loks:
> I just took a random clean .sys file from the Windows XP system32 directory. If you still need the file I ran, I can upload it when I get back to work tomorrow.
Yes, please, upload it.

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65572#65572 (Thu Mar 17, 2011 4:15 pm)
Hi Buster,
I just took a random clean .sys file from the Windows XP system32 directory. If you still need the file I ran, I can upload it when I get back to work tomorrow.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65570#65570 (Thu Mar 17, 2011 3:09 pm)
Could you upload a .sys file somewhere so I can check if I can reproduce the behaviour, please?

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65560#65560 (Thu Mar 17, 2011 11:58 am)
Hi Buster,
Here are the results:
* When an invalid Win32 file is processed Sandboxie shows a message. This works successfully. I took notepad.exe and removed the last section and dropped it in the queue. The report shows the file is not a valid PE file :)
* Digital signature information can be selected for the main file only or for all dropped files. This works successfully. The report shows whether dropped/downloaded files are digitally signed or not. This slows down analysis time a bit, but it is good that you have given a check box for checking the digital signature of dropped files :D
* Running in automatic mode BSA will change, when required, the extension of the processed file to the proper one. I could not completely test this. BSA kept throwing errors when I had different file types in the queue folder. http://imageupload.org/?d=4D81F62A1 To reproduce the issue just take any text file, VB script file or .BAT file and try running it in BSA. I get that error. This can't be a permissions issue, because I'm running BSA in an admin account. I also deleted the contents of the sandbox before I ran the analysis. Also, BSA v1.27 runs the files successfully. I did notice that you rename the files to the correct extension, and rename them back to the original extension once the analysis is complete. Nice :D. But I need to run more tests before I can confirm that this works successfully.
One more question for you. Why does BSA run another copy of itself sandboxed when there is a .sys file in the queue? Screenshot here: http://imageupload.org/?d=4D81F9AF1

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65546#65546 (Thu Mar 17, 2011 6:51 am)
This time I will release beta versions so anyone can test the newly introduced features and verify if they work fine and if I introduced bugs.
BSA 1.28 beta 4: https://www.yousendit.com/download/eURBYlJWT001bmcwTVE9PQ
This beta version includes:
* When an invalid Win32 file is processed Sandboxie shows a message. In automatic mode this behaviour was stopping BSA. Now the window will be closed and an "Invalid Win32 file" entry will be added to the report. So now BSA will not be stopped for that reason, but even more interesting is the fact that with this feature non-working Win32 samples can be located easily.
* Digital signature information can be selected for the main file only or for all dropped files. Only executable files, of course, because BAT, PDF, ... don't have signatures.
* Running in automatic mode BSA will change, when required, the extension of the processed file to the proper one.

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65534#65534 (Thu Mar 17, 2011 1:33 am)
Wow. That was quick. I will look at the logs about the UDP packets and the reg open keys once I get to work. I have a couple more feature requests, but will ask you for just one before you release the next version. Execution timeout for each file is given in minutes. Can we have it in seconds please? If I have 30 seconds for each file, it will double the number of samples I analyze. Thanks

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65522#65522 (Wed Mar 16, 2011 11:28 pm)
Quoting Loks:
> Here's one more suggestion for BSA. Take screenshots of windows created inside the sandbox -> Useful especially for fake AV analysis
I implemented this feature in another program I coded so I think I will be able to include it in BSA too.

Buster: Re: Buster Sandbox Analyzer http://www.sandboxie.com/phpbb/viewtopic.php?p=65521#65521 (Wed Mar 16, 2011 11:27 pm)
Quoting Loks:
> I'm currently evaluating different automated malware analysis systems before I choose one and implement it in my network. I came across your tool yesterday and I ran it against a mirage of threats - pdf/vbs/autorun/fakeav/worms/backdoors/packed/nonpacked samples and so on. I sent the same files to online malware analysis systems like Anubis and ThreatExpert to see how BSA/Sandboxie compared. I'm still in the process of comparing and analyzing the results but I can tell you that I'm very impressed with your simple and extremely effective approach. I will let you know the results soon.
> At the top of my head, here are a couple of suggestions for improvement, if I may call it that:
> 1. Execute files based on file type and not on file extension: AFAIK Sandboxie fails to execute an exe file if I rename it to .ex. Maybe BSA can quickly check the folder with the samples for file type and rename them before sending them to Sandboxie for proper execution. This is because, when vendors exchange samples or clients submit samples, they are always renamed in order to prevent accidental execution.
> 2. Digital signature is currently checked only for the main exe, not for the dropped files. Although not critical, this is useful in cases when malware drops clean copies of files to aid its execution.
> 3. Button clicker: Not sure how viable this is, but most fake AV malware and potentially unwanted applications have an "I agree" or "Next" button pop up during execution and analysis is not complete unless the user clicks on those buttons. Maybe you can have a button clicker which automatically clicks on certain predefined buttons inside a sandbox. This is extremely useful in automated analysis.
> 4. Sandbox manager for auto analysis: I know you can create multiple sandboxes in Sandboxie. But I wish I could run multiple instances of BSA which can manage those different sandboxes and assign the samples to different sandboxes to improve analysis time drastically.
> Again, this is just a wish list & I'm very grateful for the features you have already provided. Thanks
First, thank you for all the interesting suggestions!
1. Execute files based on file type and not on file extension
Done. The feature will be present in BSA 1.28.
2. Digital signature is currently checked only for the main exe. Not for the dropped files.
Done. There will be an option in BSA 1.28 to select the digital signature checking for created Win32 files.
3. Button clicker
I implemented such a feature in another program I coded so probably there will not be any problem adding the code to BSA.
4. Sandbox manager for auto analysis
That's out of my coding skills, sorry.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65512#65512 (Wed Mar 16, 2011 7:54 pm)
Quoting Loks:
> #2 Important registry modifications made by the malware are logged by LOG_API.txt, but are not displayed in report.txt. I tried modifying the registry exclusion list to see if that helped, but it didn't.
> Example:
> Registry run entry created is logged but not displayed:
> RegCreateKeyEx(HKCU\Software\Microsoft\Windows\CurrentVersion\Run\,(null)) [c:\documents and settings\loks\xierooj.exe]
> Registry restrictions made are logged but not displayed:
> RegOpenKeyEx(HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun) [c:\documents and settings\loks\desktop\queue\changeup.exe]
> Changes to Image File Execution Options are logged but not displayed:
> RegOpenKeyEx(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\changeup.exe\RpcThreadPoolThrottle) [c:\documents and settings\loks\desktop\queue\changeup.exe]
Again, there is no bug. "RegOpenKeyEx" just opens the specified registry key. It's like reading a file from disk. There is nothing to report there. "RegCreateKeyEx" is different. The point is that even if a registry function is used, that doesn't mean it worked successfully. It may fail. Or maybe a change is produced, but before the processes finish the malware changes the key again and it gets the same value it had, and as BSA compares registry values and only reports changes, the modification will not appear in reports. In this case I would say something failed. If you use the "RegHive Explorer" feature from BSA to review the reghive you attached and surf the registry keys, you will see that the key modification reported by LOG_API is not present in the reghive archive.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65511#65511 (Wed Mar 16, 2011 7:26 pm)
Quoting Loks:
> #1 At times, it doesn't capture the PCAP file even though it reports the network activity correctly.
This is not a bug. I will explain what happens: UDP packets do not have a known program origin, so they cannot be filtered. This means that a packet may be generated by a program running outside the sandbox. The packet will be captured but it doesn't belong to any program running in the sandbox. What to do to avoid this?
1) Don't run any program unsandboxed while you run BSA. This will help to mitigate the problem.
2) Ignore UDP packets completely.
Sadly that's the best thing I can suggest.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65500#65500 (Wed Mar 16, 2011 2:04 pm)
Thanks for the reports. I will take a look as soon as I have some free time.

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65497#65497 (Wed Mar 16, 2011 11:50 am)
Hi Buster,
I ran into a couple of hurdles with BSA. I have tried different combinations of options in BSA, but they seem persistent.
#1 At times, it doesn't capture the PCAP file even though it reports the network activity correctly.
#2 Important registry modifications made by the malware are logged by LOG_API.txt, but are not displayed in report.txt. I tried modifying the registry exclusion list to see if that helped, but it didn't.
Example:
Registry run entry created is logged but not displayed:
RegCreateKeyEx(HKCU\Software\Microsoft\Windows\CurrentVersion\Run\,(null)) [c:\documents and settings\loks\xierooj.exe]
Registry restrictions made are logged but not displayed:
RegOpenKeyEx(HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun) [c:\documents and settings\loks\desktop\queue\changeup.exe]
Changes to Image File Execution Options are logged but not displayed:
RegOpenKeyEx(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\changeup.exe\RpcThreadPoolThrottle) [c:\documents and settings\loks\desktop\queue\changeup.exe]
Thanks

Astrowe: http://www.sandboxie.com/phpbb/viewtopic.php?p=65495#65495 (Wed Mar 16, 2011 11:04 am)
Quoting Loks:
> Here's one more suggestion for BSA. Take screenshots of windows created inside the sandbox -> Useful especially for fake AV analysis
+1 on that

Loks: http://www.sandboxie.com/phpbb/viewtopic.php?p=65492#65492 (Wed Mar 16, 2011 10:45 am)
Here's one more suggestion for BSA. Take screenshots of windows created inside the sandbox -> Useful especially for fake AV analysis

Loks: Buster Sandbox Analyzer http://www.sandboxie.com/phpbb/viewtopic.php?p=65486#65486 (Wed Mar 16, 2011 7:38 am)
I'm currently evaluating different automated malware analysis systems before I choose one and implement it in my network. I came across your tool yesterday and I ran it against a mirage of threats - pdf/vbs/autorun/fakeav/worms/backdoors/packed/nonpacked samples and so on. I sent the same files to online malware analysis systems like Anubis and ThreatExpert to see how BSA/Sandboxie compared. I'm still in the process of comparing and analyzing the results but I can tell you that I'm very impressed with your simple and extremely effective approach. I will let you know the results soon.
At the top of my head, here are a couple of suggestions for improvement, if I may call it that:
1. Execute files based on file type and not on file extension: AFAIK Sandboxie fails to execute an exe file if I rename it to .ex. Maybe BSA can quickly check the folder with the samples for file type and rename them before sending them to Sandboxie for proper execution. This is because, when vendors exchange samples or clients submit samples, they are always renamed in order to prevent accidental execution.
2. Digital signature is currently checked only for the main exe, not for the dropped files. Although not critical, this is useful in cases when malware drops clean copies of files to aid its execution.
3. Button clicker: Not sure how viable this is, but most fake AV malware and potentially unwanted applications have an "I agree" or "Next" button pop up during execution and analysis is not complete unless the user clicks on those buttons. Maybe you can have a button clicker which automatically clicks on certain predefined buttons inside a sandbox. This is extremely useful in automated analysis.
4. Sandbox manager for auto analysis: I know you can create multiple sandboxes in Sandboxie. But I wish I could run multiple instances of BSA which can manage those different sandboxes and assign the samples to different sandboxes to improve analysis time drastically.
Again, this is just a wish list & I'm very grateful for the features you have already provided. Thanks

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65482#65482 (Wed Mar 16, 2011 7:12 am)
I see you just registered in this forum to comment on the bug. I have some questions if you don't mind:
How long have you been using BSA?
Do you miss any feature?
Do you have any suggestions to improve BSA?
Thanks!
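Buster's point above about LOG_API.txt (a RegOpenKeyEx is only a read, a RegCreateKeyEx can change state, and a change that is reverted before the processes end never shows in a before/after registry comparison), as an added example that is neither BSA's code nor any poster's. The line shape comes from the lines Loks posted; the read-only/modifying function tables, the watched-key list, the two extra sample lines and the snapshot model are assumptions constructed for this example.

```python
"""Triage of LOG_API.txt-style registry lines (example only, not BSA's logic).

Line shape as posted by Loks:  Func(args) [process path]
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<func>\w+)\((?P<args>.*)\)\s+\[(?P<proc>[^\]]+)\]\s*$")

# Opening/querying a key is a read, "like reading a file from disk": nothing to report.
READ_ONLY = {"RegOpenKeyEx", "RegQueryValueEx", "RegEnumKeyEx", "RegEnumValue"}
# Only these can leave a difference between the before/after registry snapshots.
MODIFYING = {"RegCreateKeyEx", "RegSetValueEx", "RegDeleteKey", "RegDeleteValue"}

# Key fragments worth flagging even on a read. Assumed list for this example; the three
# entries are the keys that appear in the posted log lines. Matched case-insensitively.
WATCH_KEYS = (
    "\\currentversion\\run",
    "\\image file execution options\\",
    "\\policies\\explorer\\restrictrun",
)


@dataclass
class RegEvent:
    func: str
    key: str        # normalised: lower-case, no trailing backslash
    process: str
    modifies: bool
    watched: bool


def parse_line(line: str):
    """Parse one log line into a RegEvent; non-registry or malformed lines give None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("func").startswith("Reg"):
        return None
    func = m.group("func")
    # The key path is the first argument; RegCreateKeyEx lines also carry ",(null)".
    key = m.group("args").split(",", 1)[0].strip().rstrip("\\").lower()
    watched = any(w.rstrip("\\") in key for w in WATCH_KEYS)
    return RegEvent(func, key, m.group("proc"), func in MODIFYING, watched)


def triage(lines):
    """Split a log into (changes worth reporting, reads of watched keys)."""
    changes, watched_reads = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.modifies:
            changes.append(ev)
        elif ev.watched:
            watched_reads.append(ev)
    return changes, watched_reads


def replay(changes, before):
    """Crude model of a snapshot comparison: apply key creates/deletes to a 'before'
    set of key paths and return the 'after' set. Values are ignored in this model."""
    after = set(before)
    for ev in changes:
        if ev.func == "RegCreateKeyEx":
            after.add(ev.key)
        elif ev.func == "RegDeleteKey":
            after.discard(ev.key)
    return after


def snapshot_diff(before, after):
    """What a snapshot-based report can show: only the net differences."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed sample log: the first three lines are the ones Loks posted; the last two
# are made up to show a read of an unwatched key and a non-registry call.
SAMPLE_LOG = [
    r"RegCreateKeyEx(HKCU\Software\Microsoft\Windows\CurrentVersion\Run\,(null)) [c:\documents and settings\loks\xierooj.exe]",
    r"RegOpenKeyEx(HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun) [c:\documents and settings\loks\desktop\queue\changeup.exe]",
    r"RegOpenKeyEx(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\changeup.exe\RpcThreadPoolThrottle) [c:\documents and settings\loks\desktop\queue\changeup.exe]",
    r"RegOpenKeyEx(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon) [c:\windows\explorer.exe]",
    r"CreateFileW(c:\docume~1\loks\locals~1\temp\a.tmp) [c:\documents and settings\loks\xierooj.exe]",
]

# Constructed: a Run key created and then deleted before the process ends. The API log
# records both calls, but a before/after snapshot shows no change at all.
REVERT_LOG = [
    SAMPLE_LOG[0],
    r"RegDeleteKey(HKCU\Software\Microsoft\Windows\CurrentVersion\Run) [c:\documents and settings\loks\xierooj.exe]",
]


if __name__ == "__main__":
    changes, reads = triage(SAMPLE_LOG)
    for ev in changes:
        print("CHANGE", ev.func, ev.key, "<-", ev.process)
    for ev in reads:
        print("READ  ", ev.func, ev.key, "<-", ev.process)
    before = {"hkcu\\software\\microsoft\\windows\\currentversion"}
    after = replay(triage(REVERT_LOG)[0], before)
    print("snapshot diff after revert:", snapshot_diff(before, after))
```

Run on SAMPLE_LOG it reports the single RegCreateKeyEx as a change and lists the two RegOpenKeyEx lines only because they touch watched keys; on REVERT_LOG the API log shows two modifying calls while the snapshot diff is empty, which is exactly why a key seen in LOG_API.txt can be absent from report.txt.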
Loks: Buster Sandbox Analyzer http://www.sandboxie.com/phpbb/viewtopic.php?p=65481#65481 Wed Mar 16, 2011 7:06 am http://www.sandboxie.com/phpbb/viewtopic.php?p=65481#65481 Excellent. The issue is now resolved. Thanks Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65480#65480 Wed Mar 16, 2011 6:59 am http://www.sandboxie.com/phpbb/viewtopic.php?p=65480#65480 Thanks for the details Loks. It was easy to reproduce the problem and it should be fixed already. Download again the RAR and try it. Loks: Buster Sandbox Analyzer http://www.sandboxie.com/phpbb/viewtopic.php?p=65479#65479 Wed Mar 16, 2011 6:57 am http://www.sandboxie.com/phpbb/viewtopic.php?p=65479#65479 deleted. Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65478#65478 Wed Mar 16, 2011 6:21 am http://www.sandboxie.com/phpbb/viewtopic.php?p=65478#65478 I re-released BSA 1.27 fixing the problem. Download the RAR again and test it, please. Be sure you download the new RAR because the browser may download the old RAR from cache. Loks: Buster Sandbox Analyzer http://www.sandboxie.com/phpbb/viewtopic.php?p=65476#65476 Wed Mar 16, 2011 6:00 am http://www.sandboxie.com/phpbb/viewtopic.php?p=65476#65476 Hi Buster, first of all, congratulations on this extremely useful tool. [quote="Buster"]Released Buster Sandbox Analyzer version 1.27. + Added a feature to include file entropy information of Win32 files. While analyzing a sample today with this feature turned on, I noticed that BSA displays a "File Access Denied" error message and eventually needs to be killed. Here's the image of the error message: [url]http://img703.imageshack.us/i/errorwa.jpg/[/url] Any help would be appreciated. Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65442#65442 Tue Mar 15, 2011 7:58 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65442#65442 Released Buster Sandbox Analyzer version 1.27. + Added a feature to include file entropy information of Win32 files. 
+ Added a feature to include file type information on new created files. + Added an option to remember last position on screen. Astrowe: http://www.sandboxie.com/phpbb/viewtopic.php?p=65436#65436 Tue Mar 15, 2011 5:51 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65436#65436 ]]>Quoting Buster: ]]>As soon as I release version 1.27 I will check what I can do about that. ]]> thank you, really Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65435#65435 Tue Mar 15, 2011 5:45 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65435#65435 As soon as I release version 1.27 I will check what I can do about that. Astrowe: Automatic Analysis http://www.sandboxie.com/phpbb/viewtopic.php?p=65432#65432 Tue Mar 15, 2011 3:59 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65432#65432 Hey guys, i like the automatic analysis option, but.. is there any way i could make it like really automatic? :D i mean like some command line arguments or something like that. I want this: run bsa.exe that automatically analyses all files in somehow defined folder and for pre-defined time, with no user action needed. something like bsa.exe -auto -t 100 -f c:\test does anybody have any idea how to do this? or am i just stupid and not aware that there already is something like that.. thanks in advance! Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65213#65213 Tue Mar 08, 2011 1:42 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65213#65213 ]]>Quoting DrCoolZic: ]]>Yes it works :) Sorry this was a stupid question :oops: ]]> No, it´s not stupid. In the manual is mentioned this: "Note: The user has a choice of where to locate BSA's working directory and the user should be aware of the restrictions Vista and 7 impose on \Program Files. If BSA is to be run from \Program Files, then it must be given admin privileges or set the required access rights." BSA may need admin privileges even when it´s running out of \Program files, so I must change the manual. 
]]>Quoting DrCoolZic: ]]>Few more questions: Is BSA suppose to work correctly on a Windows X64 version? ]]> Yes, it´s. I usually test BSA on a Windows 7 x64 to check everything works fine. If you find any problem let me know and I will take a look at it. ]]>Quoting DrCoolZic: ]]>When specifying the InjectDll path in sandboxie.ini do I need to put quotes if path contain spaces? For example InjectDll=U:\Static Program\bsa\log_api.dll ]]> No, it´s not necessary, but I must say that´s related to the way Sandboxie works, not to BSA. ]]>Quoting DrCoolZic: ]]>One last quick request. When BSA is open on a system with dual screen the BSA Windows is always open across (in the middle) of the two screen which is a little bit annoying. Is there a way so that the program would remember the last position used? ]]> Sure, no problem! I will introduce an option to remember last position used. ]]>Quoting DrCoolZic: ]]>Many thanks - great program ! ]]> Thanks for using it! :wink: DrCoolZic: http://www.sandboxie.com/phpbb/viewtopic.php?p=65212#65212 Tue Mar 08, 2011 1:11 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65212#65212 Yes it works :) Sorry this was a stupid question :oops: Few more questions: Is BSA suppose to work correctly on a Windows X64 version? When specifying the InjectDll path in sandboxie.ini do I need to put quotes if path contain spaces? For example InjectDll=U:\Static Program\bsa\log_api.dll One last quick request. When BSA is open on a system with dual screen the BSA Windows is always open across (in the middle) of the two screen which is a little bit annoying. Is there a way so that the program would remember the last position used? Many thanks - great program ! 
Buster: Re: Sandboxie not found on Windows 7 X64 http://www.sandboxie.com/phpbb/viewtopic.php?p=65210#65210 Tue Mar 08, 2011 12:43 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65210#65210
Quoting DrCoolZic: "I have installed Sandboxie 3.52 (fully registered) and I have downloaded the latest version of BSA on Windows 7 Ultimate x64. When I try to start BSA I get a pop-up window: Error - Sandboxie not found."
Try running BSA with admin rights.

DrCoolZic: Sandboxie not found on Windows 7 X64 http://www.sandboxie.com/phpbb/viewtopic.php?p=65209#65209 Tue Mar 08, 2011 12:35 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65209#65209
I have installed Sandboxie 3.52 (fully registered) and I have downloaded the latest version of BSA on Windows 7 Ultimate x64. When I try to start BSA I get a pop-up window: Error - Sandboxie not found. I have searched through this thread and found some information on this problem but nothing works to fix it.
- In Sandboxie: Configure Windows Shell Integration, I have the "Add right click action ..." option checked.
- In regedit, HKCR\*\shell\sandbox\command contains a default entry with the value "C:\Program Files\Sandboxie\Start.exe" /box:__ask__ "%1" %*
Is this a problem with the x64 version of Windows? BSA works without problem on my Windows XP. Thanks

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=65101#65101 Sun Mar 06, 2011 4:40 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=65101#65101
Released BSA 1.26:
+ Added a new entry to BSA.DAT
+ BSA will remember the last used Sandbox folder
+ Improved the method to detect Sandboxie's presence
+ Fixed some bugs

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=64273#64273 Tue Feb 15, 2011 7:21 am http://www.sandboxie.com/phpbb/viewtopic.php?p=64273#64273
Quoting TheMaster: "When I try to open BSA.exe it tells me "Sandboxie not found!"."
User Alan Baxter wrote: "I ran into one glitch while running BSA.
When I clicked the Start Analysis button, "Sandboxie not found!" was displayed in the BSA status bar and the analysis did not start. It turns out that the Sandboxie Windows Shell Integration > "Run Sandboxed" Actions > Add right-click action "Run Sandboxed" to files and folders option needs to be checked for BSA to detect Sandboxie." Sorry, my fault for not including a note in the manual commenting on this issue.
Quoting TheMaster: "HideDriverGUI.exe doesn't work either. When I run it and click Install it tells me "Installed" but when I press "Run" it tells me "Can't start service: This driver has been blocked from reading" (it's in Swedish, but whatever)"
Hide Driver only works on 32-bit OS. Probably you are using 64-bit, right? If you have any other question or doubt just let me know, and thanks for trying my program.

TheMaster: http://www.sandboxie.com/phpbb/viewtopic.php?p=64264#64264 Mon Feb 14, 2011 11:28 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=64264#64264
When I try to open BSA.exe it tells me "Sandboxie not found!". I put all the files in C:\bsa and I run BSA.exe as administrator. HideDriverGUI.exe doesn't work either. When I run it and click Install it tells me "Installed" but when I press "Run" it tells me "Can't start service: This driver has been blocked from reading" (it's in Swedish, but whatever). I have WinPcap installed. My Sandboxie.ini looks like this: http://pastebay.com/114616 Have I done something wrong?

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=63116#63116 Wed Jan 19, 2011 1:07 am http://www.sandboxie.com/phpbb/viewtopic.php?p=63116#63116
No, I'm sorry if that came out as an insult to your work or whatever, I didn't mean anything like that. I am very paranoid about computer viruses; I always check everything on the VirusTotal site and if there are more than two or three notifications about malware I don't use that file. I know it's stupid since there are a lot of F/Ps nowadays, but that's how I am.
I think I will try your tool, it seems like a really great supplement to the already outstanding Sandboxie. Thanks for understanding.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=63108#63108 Tue Jan 18, 2011 6:12 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=63108#63108
Quoting Bellzemos: "Well, call me whatever you want, but I admit that I'm a little scared to install the BSA. :oops:"
Then don't install it.

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=63102#63102 Tue Jan 18, 2011 4:05 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=63102#63102
Well, call me whatever you want, but I admit that I'm a little scared to install the BSA. :oops:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=63053#63053 Mon Jan 17, 2011 6:24 am http://www.sandboxie.com/phpbb/viewtopic.php?p=63053#63053
Quoting Bellzemos: "Maybe that was answered already... Is BSA safe to use on any (32 or 64 bit) system? Does it modify the system in any way (apart from creating some files in its own directory)? Can it be used sandboxed (in a sandbox)? Thank you."
BSA is safe to use. It doesn't make any changes to the system. It can not be used sandboxed.
Quoting Bellzemos: "Edit: http://www.virustotal.com/file-scan/report.html?id=0761325d9d33fc3044dc9984cb4cd5c474591a42b811f0c30e989670b6dbd825-1295234233 Wow! :D Why don't you notify the AV companies about your program, so that they'd exclude it from their viral databases?"
I have notified the false positive to several companies but they are too many.

Bellzemos: http://www.sandboxie.com/phpbb/viewtopic.php?p=63047#63047 Mon Jan 17, 2011 3:04 am http://www.sandboxie.com/phpbb/viewtopic.php?p=63047#63047
Maybe that was answered already... Is BSA safe to use on any (32 or 64 bit) system? Does it modify the system in any way (apart from creating some files in its own directory)? Can it be used sandboxed (in a sandbox)? Thank you.
Edit: http://www.virustotal.com/file-scan/report.html?id=0761325d9d33fc3044dc9984cb4cd5c474591a42b811f0c30e989670b6dbd825-1295234233 Wow! :D Why don't you notify the AV companies about your program, so that they'd exclude it from their viral databases?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=63029#63029 Sun Jan 16, 2011 3:06 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=63029#63029
Released BSA 1.25.
+ Added a utility to load DLL files.
+ Added some checks to avoid problems with the use of the tool.
+ Fixed a bug.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=62965#62965 Fri Jan 14, 2011 2:47 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62965#62965
Soon I will release BSA 1.25. This version will mainly be to keep it fully compatible with the last official release of Sandboxie (3.52). I will also implement some checks to avoid typical new user mistakes. :wink:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=62964#62964 Fri Jan 14, 2011 2:46 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62964#62964
I also got confirmation for a fix here: http://forums.clearclouddns.com/messageview.aspx?catid=241&threadid=6972&enterthread=y

Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=62947#62947 Fri Jan 14, 2011 10:51 am http://www.sandboxie.com/phpbb/viewtopic.php?p=62947#62947
Got this in my mailbox:
"Hi: Thanks for the report. That site will be unblocked in a forthcoming update. Eric Howes, GFI Software"

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=62906#62906 Thu Jan 13, 2011 2:12 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62906#62906
I also added an entry in the forum and they are checking it.
Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=62898#62898 Thu Jan 13, 2011 7:52 am http://www.sandboxie.com/phpbb/viewtopic.php?p=62898#62898
http://www.clearclouddns.com/Blocked-Site/?domain=bsa.isoftware.nl submitted :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=62881#62881 Wed Jan 12, 2011 10:30 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62881#62881
Thanks for letting me know about it!

Ruhe: http://www.sandboxie.com/phpbb/viewtopic.php?p=62876#62876 Wed Jan 12, 2011 9:49 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62876#62876
Hi Buster, FYI: I'm using ClearCloud (see my signature). Your BSA site is blocked by it; people using ClearCloud can't visit your site. Screenshot: http://dl.dropbox.com/u/1040549/bsa_screenshot.png

Buster: Re: RE: Nothing shows http://www.sandboxie.com/phpbb/viewtopic.php?p=62157#62157 Mon Dec 27, 2010 8:54 am http://www.sandboxie.com/phpbb/viewtopic.php?p=62157#62157
Quoting New BSA User: "It just dawned on me what happened. By the instructions in the PDF, I copied and pasted the configuration data from the PDF instructions, but the name of the file that I extracted was "Buster.Sandbox.Analyzer.123" and not "BSA", which the instruction PDF path pointed to, so when I renamed the folder in the root drive to "BSA", the problem was corrected. You may want to modify the PDF to reflect this, or rename the rar file to "BSA" to keep the path correct without renaming the folder. Thanks for all the assistance with this."
BSA's official web site is: http://bsa.isoftware.nl/ and the direct download of the official version is: http://bsa.isoftware.nl/bsa.rar Version 1.23 is not the last one. Version 1.24 is. Glad to hear the problem was solved! :wink:

New BSA User: RE: Nothing shows http://www.sandboxie.com/phpbb/viewtopic.php?p=62147#62147 Mon Dec 27, 2010 12:07 am http://www.sandboxie.com/phpbb/viewtopic.php?p=62147#62147
It just dawned on me what happened.
By the instructions in the PDF, I copied and pasted the configuration data from the PDF instructions, but the name of the file that I extracted was "Buster.Sandbox.Analyzer.123" and not "BSA", which the instruction PDF path pointed to, so when I renamed the folder in the root drive to "BSA", the problem was corrected. You may want to modify the PDF to reflect this, or rename the rar file to "BSA" to keep the path correct without renaming the folder. Thanks for all the assistance with this.

New BSA User: RE: Nothing shows http://www.sandboxie.com/phpbb/viewtopic.php?p=62144#62144 Sun Dec 26, 2010 11:41 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62144#62144
LOG_API.DLL is in the default folder, the BSA folder in the root of the drive (C). BSA is running in manual mode, and with the attempts I made, I made sure to run the file in the BSA sandbox. I right clicked the Sandboxie icon in the system tray, and chose "BSA>Run Any Program" to launch by

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=62141#62141 Sun Dec 26, 2010 11:05 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62141#62141
You didn't reply to question number 1: In what folder is LOG_API.DLL stored? Other questions: Are you running BSA in automatic or manual mode? Are you sure you are sandboxing the programs in the "BSA" sandbox and not in the "DefaultBox"?

New BSA User: RE: Nothing showing http://www.sandboxie.com/phpbb/viewtopic.php?p=62139#62139 Sun Dec 26, 2010 9:07 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62139#62139
Just for additional information, the system that it is installed on is Win 7 Pro, x64, i5 processor, 6 GB RAM.
New BSA User: RE: Nothing showing http://www.sandboxie.com/phpbb/viewtopic.php?p=62138#62138 Sun Dec 26, 2010 8:49 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62138#62138
The configuration is as follows:

[GlobalSettings]
Template=WindowsLive
Template=7zipShellEx
Template=Avast_Antivirus
Template=Office_Outlook_Avast_Mail_Scanner
Template=OfficeLicensing
Template=OrbitDownloader

[DefaultBox]
ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
DropAdminRights=y
Enabled=y

[UserSettings_113C0282]
SbieCtrl_UserName=dennis
SbieCtrl_NextUpdateCheck=865293353584
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_ShowWelcome=n
SbieCtrl_BoxExpandedView_DefaultBox=y
SbieCtrl_HideWindowNotify=n
SbieCtrl_WindowLeft=200
SbieCtrl_WindowTop=150
SbieCtrl_WindowWidth=660
SbieCtrl_WindowHeight=450
SbieCtrl_ActiveView=40021
SbieCtrl_BoxExpandedView_BSA=y
SbieCtrl_ColWidthProcName=250
SbieCtrl_ColWidthProcId=70
SbieCtrl_ColWidthProcTitle=310
SbieCtrl_AutoApplySettings=n

[BSA]
Enabled=y
ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
DropAdminRights=y
BoxNameTitle=n
BorderColor=#0000FF
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

Buster: Re: RE: Nothing showing http://www.sandboxie.com/phpbb/viewtopic.php?p=62136#62136 Sun Dec 26, 2010 7:48 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62136#62136
Quoting New BSA User: "I created one beside the default, named "BSA", and that is the one that I configured for, and the one that I defined in "sandbox folder to check"; everything else I left with defaults"
1) In what folder is LOG_API.DLL stored?
2) Copy and paste SANDBOXIE.INI

New BSA User: RE: Nothing showing http://www.sandboxie.com/phpbb/viewtopic.php?p=62135#62135 Sun Dec 26, 2010 7:25 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62135#62135
I created one beside the default, named "BSA", and that is the one that I configured for, and the one that I defined in "sandbox folder to check"; everything else I left with defaults.

Buster: Re: Nothing showing http://www.sandboxie.com/phpbb/viewtopic.php?p=62133#62133 Sun Dec 26, 2010 7:10 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62133#62133
Quoting New BSA User: "After extracting BSA to the root folder (C) and adding everything to the Sandboxie configuration, when I run BSA, nothing shows on the "API Call Log" while running the sandboxed application"
How many sandboxes do you have configured in Sandboxie?

New BSA User: Nothing showing http://www.sandboxie.com/phpbb/viewtopic.php?p=62132#62132 Sun Dec 26, 2010 6:36 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=62132#62132
After extracting BSA to the root folder (C) and adding everything to the Sandboxie configuration, when I run BSA, nothing shows on the "API Call Log" while running the sandboxed application.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=61610#61610 Sun Dec 12, 2010 5:31 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=61610#61610
Quoting Binky: "If I install software in a sandbox with all internet access blocked, can I get a log from Sandboxie of the IP addresses attempted?"
I checked: if you block all internet access with Sandboxie you can not get a log of the IP addresses attempted. Remember that you can make your own tests. You just need to test using harmless stuff like an FTP client or a web browser. Also remember that you will lose useful functionality if you block internet access.
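The "Nothing showing" exchange above comes down to three things Buster asks about: where LOG_API.DLL really is, whether the box used for testing is the one with the InjectDll line, and whether the path in the ini matches the folder the archive was extracted to. The checker below is an added example, not BSA's own code: it parses a Sandboxie.ini while keeping repeated keys (Sandboxie allows several Template= and RecoverFolder= lines, which configparser would reject), then inspects the box meant for BSA for an InjectDll pointing at log_api.dll, for that file actually existing on disk, and for the OpenWinClass=TFormBSA line present in the configuration posted above. The sample ini is constructed for the example and `path_exists` is injectable so it runs offline.

```python
"""Check a Sandboxie.ini box for the BSA setup mistakes from the thread.

Added example, not BSA's own code. Requirements checked are the ones visible
in the thread: InjectDll=<folder>\log_api.dll in the analysis box, that path
present on disk, OpenWinClass=TFormBSA, and the box being enabled.
"""
import ntpath
import os
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Ini = Dict[str, List[Tuple[str, str]]]

# Constructed for this example; mirrors the shape of the config posted above.
SAMPLE_INI = r"""
[GlobalSettings]
Template=WindowsLive
Template=Avast_Antivirus

[DefaultBox]
ConfigLevel=7
Enabled=y
Template=BlockPorts
RecoverFolder=%Personal%
DropAdminRights=y

[BSA]
Enabled=y
ConfigLevel=7
Template=BlockPorts
RecoverFolder=%Personal%
DropAdminRights=y
BoxNameTitle=n
BorderColor=#0000FF
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA
"""


def parse_sandboxie_ini(text: str) -> Ini:
    """Section -> ordered list of (key, value); repeated keys are all kept."""
    sections: Ini = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current]          # create even if the section stays empty
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def check_bsa_box(ini: Ini, box: str,
                  path_exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return a list of human-readable problems; empty means the box looks right."""
    # Sandboxie box names are case-insensitive, so match that way.
    section = next((s for s in ini if s.lower() == box.lower()), None)
    if section is None:
        return [f"box '{box}' is not defined in Sandboxie.ini"]
    entries = ini[section]
    problems: List[str] = []

    # ntpath.basename understands backslash paths even when run on non-Windows.
    inject = [v for k, v in entries if k.lower() == "injectdll"]
    log_api = [p for p in inject if ntpath.basename(p).lower() == "log_api.dll"]
    if not log_api:
        problems.append(f"[{section}] has no InjectDll=...\\log_api.dll line, "
                        "so the API Call Log will stay empty for this box")
    for p in log_api:
        if not path_exists(p):
            problems.append(f"[{section}] InjectDll path does not exist: {p} "
                            "(check the folder name, e.g. 'BSA' vs the extracted archive name)")

    if not any(k.lower() == "openwinclass" and v == "TFormBSA" for k, v in entries):
        problems.append(f"[{section}] is missing OpenWinClass=TFormBSA")

    enabled = [v for k, v in entries if k.lower() == "enabled"]
    if enabled and enabled[-1].lower() != "y":
        problems.append(f"[{section}] is not enabled (Enabled={enabled[-1]})")
    return problems


if __name__ == "__main__":
    import sys
    ini_path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(ini_path, encoding="utf-8", errors="replace").read() if ini_path else SAMPLE_INI
    box_name = sys.argv[2] if len(sys.argv) > 2 else "BSA"
    for problem in check_bsa_box(parse_sandboxie_ini(text), box_name) or ["OK"]:
        print(problem)
```

Run it against the live file with `python check_bsa_ini.py C:\Windows\Sandboxie.ini BSA`; running it with no arguments checks the embedded sample. It deliberately reports the DefaultBox as unconfigured, which is the other failure mode Buster asks about: BSA only sees processes started in the box that carries the InjectDll line.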
Binky: http://www.sandboxie.com/phpbb/viewtopic.php?p=61609#61609 Sun Dec 12, 2010 5:23 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=61609#61609
Thanks for the answers Buster.
Quoting Buster: "I'm not sure. I will have to check before giving a reply."
The only way I know how to block and log internet accesses is with a firewall. So I will use Comodo Firewall until someone offers an alternative. If I install software under Sandboxie+BSA, and it looks clean, I don't see a convenient way to recover all sandboxed files and registry keys to the same folder. The best work-around I have come up with is to delete the sandbox and then re-install the software. Does anybody have a more convenient work-around?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=61470#61470 Thu Dec 09, 2010 2:24 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=61470#61470
Quoting Binky: "I am not sure if I understand your answer. In the PCAP folder of bsa.rar, I find 6 DLLs, 3 EXEs and a Fingerprints folder. Are you saying that 2 of the DLLs are for copying to Windows\System32 to prevent BSA errors for PCs without WinPcap installed?"
Yes, by copying those 2 DLLs to Windows\System32 you prevent BSA from giving an error and not working. If you install WinPcap then it's not necessary to copy the DLLs because WinPcap's installation will do it.
Quoting Binky: "And are you saying that the other contents of the PCAP folder of bsa.rar are unique to BSA and are for using BSA to access WinPcap functionality (when WinPcap is installed)?"
Yes, that's correct.
Quoting Binky: "When I install software, I prefer to block all internet access by the installer. This helps prevent spying and identity theft. I like to perform a reverse-DNS lookup of the IP addresses for attempted accesses to see the associated domain, which helps me understand the legitimacy of the software.
Today, I use Comodo Firewall to produce a pop-up when any unapproved application accesses the internet. I always choose "block" when I am installing software, and I can see the IP addresses in the Firewall log. If I install software in a sandbox with all internet access blocked, can I get a log from Sandboxie of the IP addresses attempted?"
I'm not sure. I will have to check before giving a reply.
Quoting Binky: "Do I understand correctly that if I block internet access with either Comodo Firewall or Sandboxie, BSA+WinPcap will not log IP addresses attempted? If my understanding is correct, it is clear that I (with my preference to block internet access) should not install WinPcap."
If BSA+WinPcap will not work when internet access is blocked for sandboxed applications, then obviously it is nonsense to install WinPcap. :wink:

Binky: http://www.sandboxie.com/phpbb/viewtopic.php?p=61457#61457 Wed Dec 08, 2010 9:49 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=61457#61457
Thanks Buster for the quick helpful reply.
Quoting Buster: "3. WinPcap is not included in BSA.RAR. There are 2 files related to WinPcap but they are not operative."
I am not sure if I understand your answer. In the PCAP folder of bsa.rar, I find 6 DLLs, 3 EXEs and a Fingerprints folder. Are you saying that 2 of the DLLs are for copying to Windows\System32 to prevent BSA errors for PCs without WinPcap installed? And are you saying that the other contents of the PCAP folder of bsa.rar are unique to BSA and are for using BSA to access WinPcap functionality (when WinPcap is installed)? When I install software, I prefer to block all internet access by the installer. This helps prevent spying and identity theft. I like to perform a reverse-DNS lookup of the IP addresses for attempted accesses to see the associated domain, which helps me understand the legitimacy of the software. Today, I use Comodo Firewall to produce a pop-up when any unapproved application accesses the internet.
I always choose "block" when I am installing software, and I can see the IP addresses in the Firewall log. If I install software in a sandbox with all internet access blocked, can I get a log from Sandboxie of the IP addresses attempted? Do I understand correctly that if I block internet access with either Comodo Firewall or Sandboxie, BSA+WinPcap will not log IP addresses attempted? If my understanding is correct, it is clear that I (with my preference to block internet access) should not install WinPcap.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=61452#61452 Wed Dec 08, 2010 7:37 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=61452#61452
Quoting Binky: "I am interested in trying BSA. I read all the pages on the BSA website and all the pages of this forum. I have a few questions: 1. In Appendix A, why is SandboxieCrypto.exe excluded from the list of processes to hide? 2. If Sandboxie blocks internet access for all programs in the sandbox, will BSA still show attempted internet accesses in its report? 3. Is it better to install the latest WinPcap from http://www.winpcap.org/ or the WinPcap version included in bsa.rar? 4. If I copy PACKET.DLL and WPCAP.DLL from the PCAP folder to Windows\System32, will BSA log internet access? Or does WinPcap have to be installed? Thanks"
1. Because I forgot to include it. :roll:
2. No, BSA will be unable to show internet access attempts.
3. WinPcap is not included in BSA.RAR. There are 2 files related to WinPcap but they are not operative. You must download WinPcap from winpcap.org and install it in order to get full packet capturing and internet reporting functions from BSA.
4. No, BSA will not log internet access. BSA just will not show the error message when those files are not present in Windows\System32. WinPcap has to be installed.
I hope I solved your questions. If you need further help on any question just ask me.
:)

Binky: http://www.sandboxie.com/phpbb/viewtopic.php?p=61449#61449 Wed Dec 08, 2010 4:30 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=61449#61449
I am interested in trying BSA. I read all the pages on the BSA website and all the pages of this forum. I have a few questions:
1. In Appendix A, why is SandboxieCrypto.exe excluded from the list of processes to hide?
2. If Sandboxie blocks internet access for all programs in the sandbox, will BSA still show attempted internet accesses in its report?
3. Is it better to install the latest WinPcap from http://www.winpcap.org/ or the WinPcap version included in bsa.rar?
4. If I copy PACKET.DLL and WPCAP.DLL from the PCAP folder to Windows\System32, will BSA log internet access? Or does WinPcap have to be installed?
Thanks

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=60983#60983 Mon Nov 22, 2010 11:22 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60983#60983
M_R, I'm not really sure how to help you identify which of the 2000 malware samples is causing this. But if you do manage to identify the one that can break out of the sandbox, I hope you will let me have a look at it.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60944#60944 Sun Nov 21, 2010 2:46 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60944#60944
Maybe you could use the Capture BAT (https://www.honeynet.org/node/315) driver to watch system changes and find which file caused the changes.

M_R: http://www.sandboxie.com/phpbb/viewtopic.php?p=60942#60942 Sun Nov 21, 2010 2:19 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60942#60942
Thanks for your answer. Before I continue I will surely do that. In the last week I have run more than 2000 samples of malware in Sandboxie in the automatic analysis mode of BSA. But more than once I get indications that some malware gets out of the sandbox. A few times after testing a few hundred samples I could not reboot my system in a normal way. I had to use the power off button.
With the last samples test (about 600 samples) Explorer did not start anymore and after reboot something was modified in my Kaspersky AV. (The AV is not running in the background, it's just in my program folder.) I want to be sure that the malware really does modify the system. Is there a way to identify the specific malware that could have done this?

nick s: Re: Automatic Analysis Mode http://www.sandboxie.com/phpbb/viewtopic.php?p=60915#60915 Sat Nov 20, 2010 8:04 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60915#60915
Quoting M_R: "But this makes me more vulnerable to infections."
At this point in time, not from sandboxed malware. At most, sandboxed malware will see the sandbox and terminate or do something innocuous. Outside the sandbox, of course, you lose UAC's warning system when running as admin. In an admin environment, I would do a clean disk image (including the MBR) before and restore it after working with malware.

M_R: Automatic Analysis Mode http://www.sandboxie.com/phpbb/viewtopic.php?p=60895#60895 Fri Nov 19, 2010 1:11 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60895#60895
Hi, I am using BSA in automatic analysis mode on Windows Vista. A lot of malware wants administrator rights. Normally I use Vista on a Standard Account with UAC enabled. The result is a lot of popups asking for administrator rights. To avoid all those popups I now run BSA in an administrator account with UAC disabled. But this makes me more vulnerable to infections. Is there a way out of this dilemma? Thanks for the nice program!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60798#60798 Tue Nov 16, 2010 6:21 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60798#60798
Released BSA 1.24. No major changes this time; just a few minor additions and a bugfix.
* Added help inside BSA through a .CHM file.
* BSA will not modify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SbieSvc value.
* Fixed a bug when processing in automatic mode.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60235#60235 Mon Nov 01, 2010 6:36 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60235#60235
Quoting Soupnutzy: "I did submit the idtotext.dll and developer scan log to Mbam for analysis and they have fixed the issue. Updated the scanner and retested, all is good. :) Thanks Buster"
Thanks to you for getting the false positive removed.

Soupnutzy: http://www.sandboxie.com/phpbb/viewtopic.php?p=60234#60234 Mon Nov 01, 2010 6:00 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60234#60234
Quoting Buster: "If someone is suspicious about any file contained in the package I suggest he contacts an antivirus company and requests a detailed analysis to confirm the false positive."
I did submit the idtotext.dll and developer scan log to Mbam for analysis and they have fixed the issue. Updated the scanner and retested, all is good. :) Thanks Buster

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60191#60191 Sun Oct 31, 2010 7:28 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60191#60191
Quoting Soupnutzy: "I have ignored it until I see discussion about it. Thank you Buster."
Another file from the BSA package has been detected as malware in the past. Probably it's still being detected. I'm talking about LOG_API.DLL. If someone is suspicious about any file contained in the package I suggest he contacts an antivirus company and requests a detailed analysis to confirm the false positive.

Soupnutzy: http://www.sandboxie.com/phpbb/viewtopic.php?p=60181#60181 Sat Oct 30, 2010 10:06 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60181#60181
I have ignored it until I see discussion about it. Thank you Buster.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60159#60159 Sat Oct 30, 2010 12:05 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60159#60159
Quoting Soupnutzy: "Mbam found idtotext.dll in the Plugins folder of BSA to be infected with trojan.dropper.pgen. md5 from VT: acee2f51bb004e61da3f792e02d5e42a"
False positive.

Soupnutzy: http://www.sandboxie.com/phpbb/viewtopic.php?p=60156#60156 Sat Oct 30, 2010 10:41 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60156#60156
Mbam found idtotext.dll in the Plugins folder of BSA to be infected with trojan.dropper.pgen. md5 from VT: acee2f51bb004e61da3f792e02d5e42a

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60034#60034 Mon Oct 25, 2010 4:35 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60034#60034
Quoting Alan Baxter: "I installed WinPCap but did not actually configure or use the packet sniffer. I'll try that out sometime."
With the packet sniffer you can see which applications connected to the internet, to what IP and from/to what ports. You can even review the packets. It's pretty interesting stuff from a malware forensics point of view.

Alan Baxter: http://www.sandboxie.com/phpbb/viewtopic.php?p=60033#60033 Mon Oct 25, 2010 4:01 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=60033#60033
Quoting Buster: "Did you install WinPCap and configure the packet sniffer to get the analysis of network activity?"
I installed WinPCap but did not actually configure or use the packet sniffer. I'll try that out sometime.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=60023#60023 Mon Oct 25, 2010 5:32 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60023#60023
Thanks for the great review, Alan Baxter! Did you install WinPCap and configure the packet sniffer to get the analysis of network activity?
Quoting Alan Baxter: "I ran into one glitch while running BSA. When I clicked the Start Analysis button, "Sandboxie not found!" was displayed in the BSA status bar and the analysis did not start.
It turns out that the Sandboxie Windows Shell Integration > "Run Sandboxed" Actions > Add right-click action "Run Sandboxed" to files and folders option needs to be checked for BSA to detect Sandboxie. The testing went smoothly after I checked that option."
That's something that has been commented on here in the forum but the BSA 1.23 documentation misses that information. If I ever release a 1.24 version I'll include that.

Alan Baxter: Review of Buster Sandbox Analyzer 1.23 http://www.sandboxie.com/phpbb/viewtopic.php?p=60022#60022 Mon Oct 25, 2010 4:38 am http://www.sandboxie.com/phpbb/viewtopic.php?p=60022#60022
Review of Buster Sandbox Analyzer 1.23
Summary: I used Buster Sandbox Analyzer (BSA) to inspect the behavior of some suspected malware. BSA has good documentation and it can be used effectively with its default settings. BSA helped me to positively identify the behavior of a new potentially malicious web download as malware.
Details: A malicious website pretended that it had found several infections on my computer and tried to download a program. The executable was named packupdate107_2118.exe. I gave permission for the executable to be downloaded and prepared to analyze it with BSA on Windows XP SP3 with Sandboxie 3.50. I first tried running the executable in a sandbox without BSA. When my firewall notified me that the executable wanted permission to access the Internet, I realized I might need to give it Internet access in order to fully inspect its behavior. I didn't want the executable to be able to read any private information off my computer while it was phoning home. To be on the safe side, I blocked the following drives and folders in a special sandbox with the Resource Access > File Access > Blocked Access setting:
- Each of the drives except the system drive
- D:\Documents and Settings\
- D:\RECYCLER\
I didn't see anything else on the system drive that needed to be read protected. I ran into one glitch while running BSA.
When I clicked the Start Analysis button, "Sandboxie not found!" was displayed in the BSA status bar and the analysis did not start. It turns out that the Sandboxie Windows Shell Integration > "Run Sandboxed" Actions > Add right-click action "Run Sandboxed" to files and folders option needs to be checked for BSA to detect Sandboxie. The testing went smoothly after I checked that option. The BSA documentation for setting up and running a test is complete and accurate. I modified Sandboxie.ini as instructed, configured the test sandbox not to automatically delete its contents, deleted any existing sandbox, and started the test. I used the default BSA options. All I did was:
- Find and select the sandbox test folder using the tips in the documentation
- Click the Start Analysis button
- Run packupdate107_2118.exe in the sandbox.
- I gave it permission to access the Internet and watched its progress popup while it downloaded over 3MB of files and executed a helper application.
- packupdate107_2118.exe then ran into an unexpected error and terminated. Maybe it didn't like being in a sandbox and/or not having permission to read the folders I had protected.
- I clicked the Stop Analysis button
- I clicked the Malware Analyzer button when it was highlighted shortly thereafter.
The Malware Behaviour Analyzer Module window popped up. Its Malicious Actions Pane contained a summary of possible problematic behavior. The details pane identified the risk of the tested executable as High and included details such as:
- Deletion of the startup entries for a long list of security products I may have been using.
- Addition of several bogus entries to the hosts file which redirected several financial sites to a different IP.
There were many other details whose implications are beyond my ability to understand well, but the financial site phishing and attacks on security software were enough to convince me that this malware was bad news.
I used the BSA Save Report option to save the detailed logs of its analysis. My anti-virus software didn't have the malware in its database yet, so I uploaded a copy to their site. It was in the AV's database within 24 hours after I reported it. BSA worked well for me. I'll use it again if I run across any more suspicious downloads.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59919#59919 Thu Oct 21, 2010 8:24 pm

Quoting Mike:
> I dunno, that sounds a lot like a Google redirect virus:
> http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en
> http://www.pcmag.com/article2/0,2817,2370676,00.asp

Buster has also suggested an infection. I do not doubt either of your conclusions, but struggle to understand the reinfection vector. I wipe and reinstall from manufacturer media, only surfing through Sandboxie, and still become infected. The only explanations I have for this behavior are MITM, firmware infection, and targeted network intrusions. Of the three, MITM and targeted network intrusions are the most likely. Unfortunately I can't check the router for infection. :(

Running various TDL cleaners, they are terminated quickly after running or, in the case of tdss remover, BSOD. Virus and anti-malware scans are negative. I have sent the minidump of the BSOD to Esage Labs but they have not responded yet and there is not a new version since 10/11/10.

@Buster I have turned off the restore point, WOW 2+ GB. I dislike Vista's non-obvious disable method of system restore. Deleting temp files after a shutdown and restart revealed 5 MB of temp files. FF/Sandboxie was empty. No more 24kb presence. Now I just WAS (wait and see), hoping for TDL warriors to make another charge while I look into reboot-to-restore softwares.
Mike:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59899#59899 Thu Oct 21, 2010 3:00 pm

Quoting Soupnutzy:
> 302 redirects still happen but now only on certain searches of Google. Various scans are negative.

I dunno, that sounds a lot like a Google redirect virus:
http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en
http://www.pcmag.com/article2/0,2817,2370676,00.asp

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59881#59881 Thu Oct 21, 2010 5:22 am

Quoting Soupnutzy:
> Without cleaning the Windows temp files, 24kb exists inside defaultbox after deletion of Defaultbox. Could suggest restoration from another location (Windows temp), still thinking though.

Disable System Restore and check.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59877#59877 Thu Oct 21, 2010 1:17 am

Hi Buster, I wanted to update you and get your thoughts on the 302 redirect issue I was having. While using Sandboxie I started getting 302 redirects after using BSA. I still don't know what is causing them but have discovered some functions they have.
- 302 redirects appear after surfing.
- 302 redirects appear when clicking on a Google result. (FF addons and configuration prevent automatic redirections.)
- Delete sandbox does not remove 302 redirects completely, they begin to sporadically appear.
- After using Delete Defaultbox and using ATF Cleaner to empty temp files (all Windows temp files) the 302 redirects stop completely until reinfection.
- Without cleaning the Windows temp files, 24kb exists inside defaultbox after deletion of Defaultbox. Could suggest restoration from another location (Windows temp), still thinking though.
Can MITM create this situation by going around SBIE as opposed to through it? Thanks, Soupnutzy

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59638#59638 Fri Oct 15, 2010 5:53 am

For some reason I don't know, LOG_API.DLL makes certain applications crash, like the ones you mention.

Oneder:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59637#59637 Fri Oct 15, 2010 4:02 am

XP VM. Buster, can you check that calculator or notepad comes up if run sandboxed where BSA is set to monitor? If I delete the line "InjectDll=c:\bsa\log_api.dll" then calculator runs ok sandboxed, but doesn't come up with that line present. Tried SB version 3.46 and latest beta. On a Win 7 VM calculator runs sandboxed with that line present. Could it be my setup?

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59545#59545 Tue Oct 12, 2010 9:59 pm

Quoting iycgtptyarvg:
> Quoting Buster:
> > Quoting iycgtptyarvg:
> > > That option is not turned on. In fact, all the data is still in the directories. I have it point to "C:\Sandbox". Is that correct?
> >
> > No, it's not. From the manual: To start working with BSA you must specify which sandbox folder you will work with. The sandbox folder must be defined at "Sandbox folder to check". If you are not sure of the folder you must specify, follow the next steps:
> > 1.- Sandbox NOTEPAD.EXE (any other application will be fine also).
> > 2.- Right click Sandboxie's tray icon.
> > 3.- Select "DefaultBox" or whatever sandbox you want to use.
> > 4.- Click "Explorer Contents". A Windows Explorer window will be opened.
> > 5.- Copy the path from Windows Explorer and paste it in "Sandbox folder to check".
>
> I did exactly that... it opened Windows Explorer at the 'C:\Sandbox' directory. What should I have it point at then?!?
It should be something like: C:\Sandbox\Something\DefaultBox
You know it's the correct folder because the Reghive and Reghive.log files are there.

iycgtptyarvg:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59544#59544 Tue Oct 12, 2010 9:22 pm

Quoting Buster:
> Quoting iycgtptyarvg:
> > That option is not turned on. In fact, all the data is still in the directories. I have it point to "C:\Sandbox". Is that correct?
>
> No, it's not. From the manual: To start working with BSA you must specify which sandbox folder you will work with. The sandbox folder must be defined at "Sandbox folder to check". If you are not sure of the folder you must specify, follow the next steps:
> 1.- Sandbox NOTEPAD.EXE (any other application will be fine also).
> 2.- Right click Sandboxie's tray icon.
> 3.- Select "DefaultBox" or whatever sandbox you want to use.
> 4.- Click "Explorer Contents". A Windows Explorer window will be opened.
> 5.- Copy the path from Windows Explorer and paste it in "Sandbox folder to check".

I did exactly that... it opened Windows Explorer at the 'C:\Sandbox' directory. What should I have it point at then?!?

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59522#59522 Tue Oct 12, 2010 3:42 pm

Quoting iycgtptyarvg:
> That option is not turned on. In fact, all the data is still in the directories. I have it point to "C:\Sandbox". Is that correct?

No, it's not. From the manual: To start working with BSA you must specify which sandbox folder you will work with. The sandbox folder must be defined at "Sandbox folder to check". If you are not sure of the folder you must specify, follow the next steps:
1.- Sandbox NOTEPAD.EXE (any other application will be fine also).
2.- Right click Sandboxie's tray icon.
3.- Select "DefaultBox" or whatever sandbox you want to use.
4.- Click "Explorer Contents". A Windows Explorer window will be opened.
5.- Copy the path from Windows Explorer and paste it in "Sandbox folder to check".

iycgtptyarvg:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59521#59521 Tue Oct 12, 2010 3:37 pm

Quoting Oneder:
> Quoting iycgtptyarvg:
> > I always get 'Reghive not found! Please click on restart!' when I press 'Stop analysis'. What am I doing wrong?
>
> From the pdf usage file within the BSA folder. Note: Automatically delete contents of sandbox must be disabled. And all processes must be terminated within the sandbox before hitting "Stop analysis".

That option is not turned on. In fact, all the data is still in the directories. I have it point to "C:\Sandbox". Is that correct?

Oneder:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59501#59501 Tue Oct 12, 2010 11:33 am

Quoting iycgtptyarvg:
> I always get 'Reghive not found! Please click on restart!' when I press 'Stop analysis'. What am I doing wrong?

From the pdf usage file within the BSA folder. Note: Automatically delete contents of sandbox must be disabled. And all processes must be terminated within the sandbox before hitting "Stop analysis".

iycgtptyarvg:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59500#59500 Tue Oct 12, 2010 11:17 am

I always get 'Reghive not found! Please click on restart!' when I press 'Stop analysis'. What am I doing wrong?

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59282#59282 Fri Oct 08, 2010 1:58 pm

Quoting Soupnutzy:
> Thank you for the help Buster, I appreciate it.

Glad to help you.
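The three setup failures this thread keeps coming back to (the empty "Run Sandboxed" shell key behind "Sandboxie not found!", a "Sandbox folder to check" that points at the container root instead of the box and therefore has no RegHive, and a box that auto-deletes its contents or lacks the InjectDll line) can all be checked before clicking Start Analysis. The PowerShell script below is an added example, not BSA's or Sandboxie's own code; the default paths, the box name, the Sandboxie.ini location and the AutoDelete setting name are assumptions to adjust for your own setup.

```powershell
# Added example (not BSA's or Sandboxie's own code): pre-flight check for the
# three setup problems discussed in this thread, run before "Start Analysis".
param(
    # Assumed values: take the real ones from Sandboxie's "Explore Contents"
    # window and from your Sandboxie.ini.
    [string]$SandboxFolder = 'C:\Sandbox\username\DefaultBox',
    [string]$SandboxieIni  = "$env:SystemRoot\Sandboxie.ini",
    [string]$BoxName       = 'DefaultBox',
    [string]$LogApiDll     = 'c:\bsa\log_api.dll'
)

$problems = @()

# Check 1, "Sandboxie not found!": BSA 1.23 locates Sandboxie through the
# "Run Sandboxed" shell verb. The key exists but is empty when the right-click
# action is unchecked in Sandboxie's Windows Shell Integration settings.
$verbKey = 'Registry::HKEY_CLASSES_ROOT\*\shell\sandbox\command'
$verbCmd = $null
if (Test-Path -LiteralPath $verbKey) {
    # The default value of a key is exposed by Get-ItemProperty as "(default)".
    $verbCmd = (Get-ItemProperty -LiteralPath $verbKey -ErrorAction SilentlyContinue).'(default)'
}
if ([string]::IsNullOrWhiteSpace($verbCmd)) {
    $problems += 'HKCR\*\shell\sandbox\command has no default value: enable Add right-click action "Run Sandboxed" to files and folders in Sandboxie Control.'
}

# Check 2, "Reghive not found!": the folder must be the box itself (its path
# ends in the box name), not the container root, and RegHive only appears
# once something has actually been run sandboxed in that box.
if (-not (Test-Path -LiteralPath (Join-Path $SandboxFolder 'RegHive'))) {
    $problems += "No RegHive in $SandboxFolder : sandbox any program first, and make sure the path ends in the box name (e.g. ...\$BoxName), not in the container root."
}

# Check 3, the Sandboxie.ini entries the BSA manual requires for the box.
# Sandboxie.ini is UTF-16 with a BOM, which Get-Content detects on its own.
function Get-BoxSettings {
    param([string]$IniPath, [string]$Box)
    $inBox = $false
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inBox = ($Matches[1] -ieq $Box); continue }
        if ($inBox -and $t -match '^([^=]+)=(.*)$') {
            [pscustomobject]@{ Name = $Matches[1].Trim(); Value = $Matches[2].Trim() }
        }
    }
}

if (Test-Path -LiteralPath $SandboxieIni) {
    $box = @(Get-BoxSettings -IniPath $SandboxieIni -Box $BoxName)
    if ($box.Count -eq 0) {
        $problems += "No [$BoxName] section in $SandboxieIni."
    }
    # AutoDelete=y is assumed to be the ini form of "Automatically delete
    # contents of sandbox"; BSA reads the box after "Stop Analysis", so the
    # contents must survive until then.
    if ($box | Where-Object { $_.Name -ieq 'AutoDelete' -and $_.Value -ieq 'y' }) {
        $problems += "[$BoxName] has AutoDelete=y: disable automatic deletion for this box."
    }
    # Without InjectDll BSA still sees file, registry and network activity,
    # but logs no API calls (and some programs crash with LOG_API injected).
    if (-not ($box | Where-Object { $_.Name -ieq 'InjectDll' -and $_.Value -ieq $LogApiDll })) {
        $problems += "[$BoxName] has no InjectDll=$LogApiDll line: API calls will not be logged."
    }
} else {
    $problems += "Sandboxie.ini not found at $SandboxieIni."
}

if ($problems.Count -eq 0) {
    'BSA pre-flight: OK, ready for Start Analysis'
} else {
    $problems | ForEach-Object { "BSA pre-flight: $_" }
}
```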
Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59281#59281 Fri Oct 08, 2010 1:40 pm

If it is malware then it must be network related, either a router or another computer on the network that reinfects on reconnection. 302 redirects still happen but now only on certain searches of Google. Various scans are negative. O.K. BSA seems to be working well now. Thank you for the help Buster, I appreciate it.

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59211#59211 Thu Oct 07, 2010 5:19 am

Quoting Soupnutzy:
> When I run BSA to analyze FF, just start then stop, I have keylogger and backdoor detections in the analysis. I will have to try with a connection and without a connection to see if there is a difference.

You will not find any difference. That's the typical behaviour for FF.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59204#59204 Wed Oct 06, 2010 9:56 pm

Quoting Buster:
> 302 redirections were not related to BSA because it doesn't change any registry value or anything that may cause such an effect.

I figured as much.

Quoting Buster:
> Maybe you got some malware inside the sandbox folder and it was gone when you deleted the sandbox folder contents.

It didn't disappear across sandbox deletions previously. When I use Virus Total, it goes outside the sandbox to get files for upload, like the sandbox isn't there. When I run BSA to analyze FF, just start then stop, I have keylogger and backdoor detections in the analysis. I will have to try with a connection and without a connection to see if there is a difference.

Buster: Re: Sandboxie not found!
by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59130#59130 Tue Oct 05, 2010 6:25 am

Quoting Alan Baxter:
> I figured it was something like that. I'm glad to help out. It's the least I can do to show my appreciation for BSA.

Put your review here after you test it. :wink:

Alan Baxter: Re: Sandboxie not found! by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59119#59119 Tue Oct 05, 2010 3:08 am

Quoting Buster:
> Thanks for the information! I thought that key was always present when Sandboxie is installed. Next time another user reports the same problem I know the solution. :wink:

I figured it was something like that. I'm glad to help out. It's the least I can do to show my appreciation for BSA.

Buster: Re: Sandboxie not found! by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59092#59092 Mon Oct 04, 2010 4:48 pm

Quoting Alan Baxter:
> Thanks. It turns out a reinstall wasn't necessary. All I had to do was check Add right-click action "Run Sandboxed" to files and folders to get Sandboxie to add that key. I had unchecked that a long time ago to reduce context menu clutter and didn't realize that recent versions of BSA now require it to be checked.

Thanks for the information! I thought that key was always present when Sandboxie is installed. Next time another user reports the same problem I know the solution. :wink:

Alan Baxter: Re: Sandboxie not found! by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59089#59089 Mon Oct 04, 2010 4:33 pm

Quoting Buster:
> Quoting Alan Baxter:
> > The key "HKEY_CLASSES_ROOT\*\shell\sandbox\command" is present, but has no name/value pairs in it.
>
> That's the problem. That key should contain a value.
> I suggest you reinstall Sandboxie to fix the problem.

Thanks. It turns out a reinstall wasn't necessary. All I had to do was check Add right-click action "Run Sandboxed" to files and folders to get Sandboxie to add that key. I had unchecked that a long time ago to reduce context menu clutter and didn't realize that recent versions of BSA now require it to be checked.

Buster: Re: Sandboxie not found! by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59088#59088 Mon Oct 04, 2010 3:46 pm

Quoting Alan Baxter:
> The key "HKEY_CLASSES_ROOT\*\shell\sandbox\command" is present, but has no name/value pairs in it.

That's the problem. That key should contain a value. I suggest you reinstall Sandboxie to fix the problem.

Alan Baxter: Re: Sandboxie not found! by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59086#59086 Mon Oct 04, 2010 2:41 pm

Quoting Buster:
> Quoting Alan Baxter:
> > Whenever I click the Start Analysis button, "Sandboxie not found!" is displayed in the BSA status bar.
>
> Tell me the value of the following registry key: HKEY_CLASSES_ROOT\*\shell\sandbox\command

The key "HKEY_CLASSES_ROOT\*\shell\sandbox\command" is present, but has no name/value pairs in it.

Buster: Re: Sandboxie not found! by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59076#59076 Mon Oct 04, 2010 5:36 am

Quoting Alan Baxter:
> Whenever I click the Start Analysis button, "Sandboxie not found!" is displayed in the BSA status bar.

Tell me the value of the following registry key: HKEY_CLASSES_ROOT\*\shell\sandbox\command

Alan Baxter: Sandboxie not found!
by BSA 1.23
http://www.sandboxie.com/phpbb/viewtopic.php?p=59059#59059 Mon Oct 04, 2010 12:52 am

Whenever I click the Start Analysis button, "Sandboxie not found!" is displayed in the BSA status bar. The Start Analysis button stays highlighted. I'm expecting the highlight to change to the Stop Analysis button, but that doesn't happen. I'm unable to use this new version of BSA. Sandboxie is currently running. BSA 1.13 still works.
BSA 1.23
Sandboxie 3.46 and 3.48 (registered)
WinPcap 4.1.2
Windows XP SP3
SbieCtrl.exe and SbieSvc.exe both appear in Task Manager > Processes

Edit: Didn't realize there was a Sandboxie update. Problem persists with version 3.48.

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59028#59028 Sun Oct 03, 2010 6:53 am

Quoting Soupnutzy:
> 302 redirects have stopped on their own without my intervention. I don't know how they began nor how it solved itself. I have updated absolutely nothing since the FF upgrade.

302 redirections were not related to BSA because it doesn't change any registry value or anything that may cause such an effect. Maybe you got some malware inside the sandbox folder and it was gone when you deleted the sandbox folder contents.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=59023#59023 Sun Oct 03, 2010 2:32 am

Quoting Buster:
> Does the same happen when you sandbox FireFox but don't run BSA?

If I had never run BSA and sandboxed Firefox or Opera I would never see a 302 redirect. They only occurred after the use of BSA with Sandboxie. The first time I used BSA I got the multiprocess firefox issue and the 302 redirect issue in Opera. I didn't bring it to your attention because I didn't know it was related to BSA.
After updating Firefox to 3.6.10 the multiprocess issue disappeared, but I can't say it was a result of the upgrade because I hadn't given it a run just before the upgrade either, many days apart. 302 redirects have stopped on their own without my intervention. I don't know how they began nor how it solved itself. I have updated absolutely nothing since the FF upgrade.

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58924#58924 Fri Oct 01, 2010 12:36 pm

Quoting Soupnutzy:
> Quoting Buster:
> > Browser running sandboxed or unsandboxed?
>
> The browser is running sandboxed. In my Google quest I found some discussion on 302 redirects involving javascript, ajax and JSON.

Does the same happen when you sandbox FireFox but don't run BSA?

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58910#58910 Fri Oct 01, 2010 9:58 am

Quoting Buster:
> Browser running sandboxed or unsandboxed?

The browser is running sandboxed. In my Google quest I found some discussion on 302 redirects involving javascript, ajax and JSON.

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58873#58873 Thu Sep 30, 2010 12:59 pm

Quoting Soupnutzy:
> What might be an efficient medium for this to occur? email, forum, Database server website similar to VT?

I guess the most efficient would be a database server website.

Quoting Soupnutzy:
> Another issue popped up. The first time it occurred I failed to recognize it. After using BSA the browser now gives a 302 redirect from search engines on Firefox and Opera. Previous to using BSA, starting the browsers in Sandboxie produced no 302 redirect. What could be causing this?

Browser running sandboxed or unsandboxed?
Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58871#58871 Thu Sep 30, 2010 10:59 am

Quoting Buster:
> The way to compare the API log to other users' logs of the same .exe or whatever is sharing the logs.

What might be an efficient medium for this to occur? email, forum, Database server website similar to VT?

Another issue popped up. The first time it occurred I failed to recognize it. After using BSA the browser now gives a 302 redirect from search engines on Firefox and Opera. Previous to using BSA, starting the browsers in Sandboxie produced no 302 redirect. What could be causing this?

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58834#58834 Wed Sep 29, 2010 6:43 am

Quoting Soupnutzy:
> Thanks Buster for taking the time to advise me. :) Is there a way to compare the api log, or other logs, to other users' logs of the same .exe, at least for common .exe's?

Glad to hear the problem is gone. The way to compare the API log to other users' logs of the same .exe or whatever is sharing the logs.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58828#58828 Wed Sep 29, 2010 2:24 am

Quoting Buster:
> Seems to be a problem unique and related to the configuration in your system.

I've been trying to eliminate the uniqueness for some time, so have been trying to learn WinDebug. Not easy when you're not a programmer. Hunt and peck, blind alley debug for sure.

Quoting Buster:
> Does the problem persist if you upgrade/downgrade to other FireFox versions?

Upgrading Firefox to 3.6.10, or the unique problem upgraded, but it seems to have solved the problem of FF not running when Analyze is clicked. Snippet to show the running Buster Sandbox Analyzer.
:mrgreen:

    Created process: (null),"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel=1124.5754860.2126587444 "C:\Windows\system32\Macromed\Flash\NPSWF32.dll" 1124 plugin \\.\pipe\gecko-crash-server-pipe.1124,(null)
    Defined file type created: C:\Users\username\AppData\AppData\Roaming\Mozilla\Firefox\Profiles\ob1konu6.default\prefs.js
    Detected backdoor listening on port: 0
    Detected keylogger functionality
    Injected code into process: c:\program files\mozilla firefox\plugin-container.exe
    Internet connection: C:\Program Files\Mozilla Firefox\plugin-container.exe Connects to "xx.yy.xx.yyy" on port 1935 (TCP).
    Listed all entry names in a remote access phone book
    Opened a service named: AudioSrv
    Opened a service named: RasAuto
    Opened a service named: RASMAN
    Opened a service named: Sens

Thanks Buster for taking the time to advise me. :) Is there a way to compare the api log, or other logs, to other users' logs of the same .exe, at least for common .exe's?

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58817#58817 Tue Sep 28, 2010 4:54 pm

Quoting Soupnutzy:
> I can't believe I've stumped you on a problem. :o Maybe there is something I should be looking for that I am not aware of. This is my most desperate hour. Help me, Obi-Wan Kenobi; you're my only hope.

Seems to be a problem unique and related to the configuration in your system. It's very difficult if not impossible to solve it without having the computer in front of me, sorry. Does the problem persist if you upgrade/downgrade to other FireFox versions?

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58816#58816 Tue Sep 28, 2010 2:59 pm

I can't believe I've stumped you on a problem. :o Maybe there is something I should be looking for that I am not aware of. This is my most desperate hour. Help me, Obi-Wan Kenobi; you're my only hope.
Oneder:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58542#58542 Tue Sep 21, 2010 7:59 am

Hi Buster, could you give one of the below installers for a newish rogue "Antivirus 2010 Security Centre" a run via Sandboxie with Hide Driver active and see if you can get it to run fully? It seems to be VM/Sandbox aware and still won't run with Sandboxie's processes and log api hidden, but will run on a virtualized whole system. My setup may be wrong this end?
-http://www.mediafire.com/file/iy5rkiz9uxbw9uz/Antivirus_2010.rar

Buster: Re: Program change request
http://www.sandboxie.com/phpbb/viewtopic.php?p=58512#58512 Sun Sep 19, 2010 10:16 pm

Quoting Guest10:
> BSA puts the LogFile entry: 2;C:\BSA\Reports\Sandboxie.LOG in the Registry each time that "Start Analysis" is clicked. It leaves that entry in the Registry when BSA is finished with its analysis. BSA also deletes the file "C:\BSA\Reports\Sandboxie.LOG" if that file already exists. OK. But I like to leave logging turned on whenever Sandboxie runs, and don't want BSA to delete the log file that contains all previously logged results each time that BSA is used. You probably should check to see if the user has already defined a setting for "LogFile" (somewhere outside of the BSA folder), and preserve that setting before you replace it with your own setting. Then restore the previous setting for LogFile when BSA finishes. That way the user won't lose their own log file contents whenever BSA deletes the .LOG file in its "Reports" folder.

Ok.

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58511#58511 Sun Sep 19, 2010 10:14 pm

Quoting Soupnutzy:
> Sandbox folder is empty. Checking the physical location of the Sandbox folder, it contains desktop.ini and dont-use.txt. There are no instances of Firefox running as far as I can tell.
> Following your advice has not solved the issue. I have dumped a list of processes at various stages:
> - Before starting BSA and Firefox
> - After starting BSA
> - After starting BSA analyze Firefox
> - After closing both down
> I can't attach text files here. Process dump lists available at http://drop.io/bsahelp

I don't know what the problem could be. I will continue thinking about the issue to try to find where the problem is.

Guest10: Program change request
http://www.sandboxie.com/phpbb/viewtopic.php?p=58503#58503 Sun Sep 19, 2010 9:31 pm

BSA puts the LogFile entry: 2;C:\BSA\Reports\Sandboxie.LOG in the Registry each time that "Start Analysis" is clicked. It leaves that entry in the Registry when BSA is finished with its analysis. BSA also deletes the file "C:\BSA\Reports\Sandboxie.LOG" if that file already exists. OK. But I like to leave logging turned on whenever Sandboxie runs, and don't want BSA to delete the log file that contains all previously logged results each time that BSA is used. You probably should check to see if the user has already defined a setting for "LogFile" (somewhere outside of the BSA folder), and preserve that setting before you replace it with your own setting. Then restore the previous setting for LogFile when BSA finishes. That way the user won't lose their own log file contents whenever BSA deletes the .LOG file in its "Reports" folder.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58498#58498 Sun Sep 19, 2010 6:46 pm

Sandbox folder is empty. Checking the physical location of the Sandbox folder, it contains desktop.ini and dont-use.txt. There are no instances of Firefox running as far as I can tell. Following your advice has not solved the issue.
I have dumped a list of processes at various stages:
- Before starting BSA and Firefox
- After starting BSA
- After starting BSA analyze Firefox
- After closing both down
I can't attach text files here. Process dump lists available at http://drop.io/bsahelp

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58471#58471 Sat Sep 18, 2010 7:18 pm

Quoting Soupnutzy:
> Issues: I have an issue with Firefox 3.6.8. Originally I had the wrong sandbox folder location in BSA, resolved that. Now Firefox, when starting after BSA Start Analyze, claims a process is already running. The issue only occurs with Firefox and only after pressing "Start Analyze". Starting Firefox in Sandboxie without analyzing with BSA does not create the process-is-already-running issue. I switched to Opera and everything runs fine.
> Vista SP2
> Sandboxie 3.46
> Buster Sandbox Analyzer 1.23
> Firefox version is 3.6.8

Is FireFox already running unsandboxed? If yes, close FireFox. Is the sandbox folder empty? If not, remove all contents. Let me know if that solves the problem, please.

Soupnutzy:
http://www.sandboxie.com/phpbb/viewtopic.php?p=58463#58463 Sat Sep 18, 2010 2:58 pm

Reading the pdf manual included in the BSA folder I found the requirements to get BSA running. It was fairly simple and not at all difficult or overly complex.
1. Add the necessary entries to the Sandboxie configuration file.
2. Close and delete contents of any Sandbox instances.
3. Running as Admin, start BSA.exe from the bsa folder in the root of the drive, e.g. C:\bsa\BSA.exe
4. Press "Start Analyzing"
5. Start what you want to monitor in Sandboxie, e.g. opera.exe or firefox.exe
6. Perform any or all necessary functions.
7. Right click the Sandboxie tray icon, Terminate All Programs.
8. Press "Stop Analyzing"
9. New window opens, you can view processes as well as any reports generated.
10.
Press "Malware Analysis" to help determine the type of malicious activity present.

Issues: I have an issue with Firefox 3.6.8. Originally I had the wrong sandbox folder location in BSA, resolved that. Now Firefox, when starting after BSA Start Analyze, claims a process is already running. The issue only occurs with Firefox and only after pressing "Start Analyze". Starting Firefox in Sandboxie without analyzing with BSA does not create the process-is-already-running issue. I switched to Opera and everything runs fine.
Vista SP2
Sandboxie 3.46
Buster Sandbox Analyzer 1.23
Firefox version is 3.6.8

wolfmann:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57480#57480 Sat Aug 21, 2010 7:46 pm

I think a great improvement would be to let BSA edit the sandbox.ini file, maybe with a standard "Browse for file" window. A lot of less experienced users have problems editing the ini files manually. Perhaps it is also not recommended to play with and mess up that file. In this way, in my opinion, BSA will be a more "complete" program and all users, noobs or experienced, can analyze executables via BSA without manually editing ini files like "professionals". Let BSA be for all kinds of users.

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57211#57211 Fri Aug 13, 2010 10:35 pm

The sandbox folder is defined in Sandboxie (Sandboxie Control > Sandbox > Set Container Folder), not in BSA. In BSA you only specify the path to locate it.

Larusso:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57207#57207 Fri Aug 13, 2010 8:17 pm

Thx for your quick answer. Still in controversy with Win7 xD I installed the sandbox in D:\Programme\Sandbox.
(German OS.) Created a new box called "analyse". So the "Folder to check" is "D:\Programme\sandbox\analyse". Okay, now I followed your instructions again and the output was C:\Sandbox\larusso\analyse. I don't understand why it is on C: but it works now. Thx /me feels like a n00b :D

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57197#57197 Fri Aug 13, 2010 2:40 pm

Quoting Larusso:
> First of all Great Work :)

Thanks! :)

Quoting Larusso:
> I used it on WinXP before without any problems. Now I updated to Win7 Home 32 bit and always get a message "RegHive not found! Please click on restart" when I click Stop Analyse. I downloaded all (sandboxie, bsa,..) today. Any ideas?

Usually the problem related to the "Reghive not found!" message is that the "Sandbox folder to check" folder is not correctly set. Do this:
1) Sandbox anything, e.g. CALC.EXE.
2) Copy to clipboard the path you are using at "Sandbox folder to check" and paste it in a Windows Explorer window.
3) Check if the "RegHive" file is in that folder.
If it's not there then "Sandbox folder to check" is incorrect and you must edit it. Most probably you forgot to add the name of the sandbox folder to the path.

Larusso:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57196#57196 Fri Aug 13, 2010 2:24 pm

Hy Buster, First of all Great Work :) I used it on WinXP before without any problems. Now I updated to Win7 Home 32 bit and always get a message "RegHive not found! Please click on restart" when I click Stop Analyse. I downloaded all (sandboxie, bsa,..) today. Any ideas?

Buster:
http://www.sandboxie.com/phpbb/viewtopic.php?p=56907#56907 Sun Aug 08, 2010 1:52 pm

Quoting M E N:
> I have solved this problem! :) Thanks!
]]> Nothing like reading the manual or the README.TXT, right? :wink: :P M E N: http://www.sandboxie.com/phpbb/viewtopic.php?p=56889#56889 Sun Aug 08, 2010 3:59 am http://www.sandboxie.com/phpbb/viewtopic.php?p=56889#56889 I have solved this problem! :) Thanks! M E N: http://www.sandboxie.com/phpbb/viewtopic.php?p=56888#56888 Sun Aug 08, 2010 3:17 am http://www.sandboxie.com/phpbb/viewtopic.php?p=56888#56888 what is this?? [quote:cb25384b8c]http://img843.imageshack.us/img843/4200/08082010101320.png[/quote:cb25384b8c] help me please!!! Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=56450#56450 Sat Jul 31, 2010 6:37 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=56450#56450 ]]>Quoting Franck: ]]>Congratulations Buster for the nice BSA review at Raymond ! :)/ ]]> Thanks! Raymond mailed me to comment about it. It´s really a nice review. Franck: http://www.sandboxie.com/phpbb/viewtopic.php?p=56424#56424 Sat Jul 31, 2010 10:46 am http://www.sandboxie.com/phpbb/viewtopic.php?p=56424#56424 Congratulations Buster for the nice BSA review at Raymond ! :) http://www.raymond.cc/blog/archives/2010/07/30/buster-sandbox-analyzer-makes-sandboxie-stronger/ Buster: Re: NOT 64bit compatible. http://www.sandboxie.com/phpbb/viewtopic.php?p=56302#56302 Wed Jul 28, 2010 12:40 am http://www.sandboxie.com/phpbb/viewtopic.php?p=56302#56302 ]]>Quoting Moose: ]]>Configured as stated in your help manual, it doesn't show up at all. Launching BSA.exe errors out about the missing WinPcap thing. ]]> Install WinPCap. Let me know when you have done that and if errors are gone after installation. Moose: Re: NOT 64bit compatible. http://www.sandboxie.com/phpbb/viewtopic.php?p=56301#56301 Wed Jul 28, 2010 12:34 am http://www.sandboxie.com/phpbb/viewtopic.php?p=56301#56301 ]]>Quoting Buster: ]]> ]]>Quoting Moose: ]]>So, BSA does not work with 64bit versions of Sandboxie. ]]> I have tried BSA with 64bit version of Sandboxie and was working fine. What does it fail in your end? 
]]> Configured as stated in your help manual, it doesn't show up at all. Launching BSA.exe errors out about the missing WinPcap thing. You talk about "When you are ready press "Start Analysis" button." Where's the "Start Analysis" button ? How do we even know that Sandboxie picked up BSA in the 1st place ? Buster: Re: NOT 64bit compatible. http://www.sandboxie.com/phpbb/viewtopic.php?p=56298#56298 Tue Jul 27, 2010 11:08 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=56298#56298 ]]>Quoting Moose: ]]>So, BSA does not work with 64bit versions of Sandboxie. ]]> I have tried BSA with 64bit version of Sandboxie and was working fine. What does it fail in your end? Moose: NOT 64bit compatible. http://www.sandboxie.com/phpbb/viewtopic.php?p=56296#56296 Tue Jul 27, 2010 10:40 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=56296#56296 So, BSA does not work with 64bit versions of Sandboxie. Buster, Ain't it too hard of a job to explicitly add that to the top post, and to the help file on your site, I really cannot believe why you still didn't make the users aware of that. :? Buster: Re: RegistryExclude.txt http://www.sandboxie.com/phpbb/viewtopic.php?p=54356#54356 Fri Jul 02, 2010 10:38 am http://www.sandboxie.com/phpbb/viewtopic.php?p=54356#54356 ]]>Quoting rilos: ]]>Started BSA again - now it works fine. RegistryExclude.txt ist already filled with some content. ]]> Registry exclusion list, as rest of exclusions lists and other functions in BSA, is only available for edition when BSA has not been started yet. (clicked on "Start Analysis") And yes, RegistryExclude.txt is already filled with some content. I decided to do that when some users reported "problems" because they didn´t read the manual. rilos: RegistryExclude.txt http://www.sandboxie.com/phpbb/viewtopic.php?p=54355#54355 Fri Jul 02, 2010 10:23 am http://www.sandboxie.com/phpbb/viewtopic.php?p=54355#54355 Started BSA again - now it works fine. RegistryExclude.txt ist already filled with some content. 
rilos: Registry exclusion List http://www.sandboxie.com/phpbb/viewtopic.php?p=54354#54354 Fri Jul 02, 2010 10:18 am
Thanks Buster, everything seems to be alright now! But I can't edit the registry exclusion list, the edit function is greyed out? I just wanted to exclude the registry modifications done by Sandboxie itself so as not to get confused.

Buster: Re: WinPCap http://www.sandboxie.com/phpbb/viewtopic.php?p=54350#54350 Fri Jul 02, 2010 8:55 am
Quoting rilos:
> So, how do I start it manually when needed?

You don't have to do anything. BSA will start WinPCap when needed. It's transparent for you.

rilos: WinPCap http://www.sandboxie.com/phpbb/viewtopic.php?p=54349#54349 Fri Jul 02, 2010 8:44 am
Thanks Buster! WinPCap was obviously not installed! When I deleted "Packet.dll" and "WPCap.dll" in the System32 folder the installation ran properly. I decided not to start WinPCap at boot time. So, how do I start it manually when needed? Thanks!

Buster: Re: WinPCap http://www.sandboxie.com/phpbb/viewtopic.php?p=54275#54275 Tue Jun 29, 2010 1:33 pm
Quoting rilos:
> Sorry, one more question. WinPCap seems to be already installed on my system (as the installation routine says). What about the two files I copied to prevent the error message if WinPCap would not be installed? Shall I delete them? Or is the message (that WinPCap is already installed) wrong, because I copied the files to "mislead" the system? Thanks! (probably beginners' questions ...) kind regards, rilos

Check if WinPcap is in the Add/Remove programs. If it's not then you know the message is wrong. If it's there, keep the files.
rilos: WinPCap http://www.sandboxie.com/phpbb/viewtopic.php?p=54274#54274 Tue Jun 29, 2010 1:22 pm
Sorry, one more question. WinPCap seems to be already installed on my system (as the installation routine says). What about the two files I copied to prevent the error message if WinPCap would not be installed? Shall I delete them? Or is the message (that WinPCap is already installed) wrong, because I copied the files to "mislead" the system? Thanks! (probably beginners' questions ...)
kind regards, rilos

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=54273#54273 Tue Jun 29, 2010 1:19 pm
Quoting rilos:
> Do I have to copy the same sequence of text (settings) to every sandbox in the sandboxie.ini file?

Yes, that's right.

rilos: http://www.sandboxie.com/phpbb/viewtopic.php?p=54272#54272 Tue Jun 29, 2010 1:03 pm
> Stupid question: You have log_api.dll at C:\BSA folder, don't you?

yes :-)
What do you mean by "adding to every sandbox" or missing [default_box]? Do I have to copy the same sequence of text (settings) to every sandbox in the sandboxie.ini file? That means copy:

[BSA_Box]
ConfigLevel=6
AutoRecover=y
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
Enabled=y
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

again inside sandboxie.ini to

[DEFAULT_Box]
ConfigLevel=6
AutoRecover=y
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
Enabled=y
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

?
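An added example, not code from the thread or from BSA itself, that automates the check Buster describes in the replies around this post: every sandbox section needs both the InjectDll and OpenWinClass lines, and they must sit inside a [BoxName] section rather than under [GlobalSettings]. The sample ini is constructed, and treating every section other than [GlobalSettings], [UserSettings_*] and [Template_*] as a sandbox is an assumption.

```python
"""Check a Sandboxie.ini for the two BSA lines in every sandbox section.

Added example (not part of the forum thread or of BSA). Sandboxie.ini repeats
keys (Template=, RecoverFolder=), which configparser rejects by default, so a
small line parser keeps every key/value pair instead.
"""
import re
from typing import Dict, List, Tuple

# The two settings the BSA manual says to add to a sandbox (from the thread).
REQUIRED = {
    "injectdll": r"c:\bsa\log_api.dll",
    "openwinclass": "TFormBSA",
}

# Assumption: sections with these prefixes are Sandboxie settings, not boxes.
NON_BOX_PREFIXES = ("globalsettings", "usersettings_", "template_")

Section = List[Tuple[str, str]]


def parse_sandboxie_ini(text: str) -> Dict[str, Section]:
    """Return {section_name: [(key, value), ...]} preserving repeated keys.

    Lines before the first [Section] header are collected under the name "".
    """
    sections: Dict[str, Section] = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
    return sections


def is_box(name: str) -> bool:
    """True for a [BoxName] section, False for global/user/template sections."""
    return bool(name) and not name.lower().startswith(NON_BOX_PREFIXES)


def check_boxes(text: str) -> Dict[str, List[str]]:
    """Map each sandbox name to the problems found (an empty list means OK).

    Also reports a required line found outside any box section, which is the
    "2 lines at the wrong place" mistake discussed in the thread.
    """
    result: Dict[str, List[str]] = {}
    for name, pairs in parse_sandboxie_ini(text).items():
        if not is_box(name):
            misplaced = [k for k, _ in pairs if k.lower() in REQUIRED]
            if misplaced:
                result[name or "<no section>"] = [
                    f"{k} found outside a sandbox section" for k in misplaced]
            continue
        # Keys are matched case-insensitively; a repeated key keeps its last value.
        have = {k.lower(): v for k, v in pairs if k.lower() in REQUIRED}
        problems = []
        for key, wanted in REQUIRED.items():
            if key not in have:
                problems.append(f"missing {key}={wanted}")
            elif have[key].lower() != wanted.lower():
                problems.append(f"{key} is '{have[key]}', expected '{wanted}'")
        result[name] = problems
    return result


# Constructed sample: BSA_Box is configured, DefaultBox was forgotten, and a
# stray InjectDll line landed under [GlobalSettings] by mistake.
SAMPLE_INI = r"""
[GlobalSettings]
TemplateReject=SynapticsTouchPad
InjectDll=c:\bsa\log_api.dll

[BSA_Box]
ConfigLevel=6
AutoRecover=y
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
Enabled=y
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

[DefaultBox]
ConfigLevel=6
Enabled=y

[UserSettings_0DC20194]
"""


if __name__ == "__main__":
    for box, found in check_boxes(SAMPLE_INI).items():
        print(f"{box}: {'OK' if not found else '; '.join(found)}")
```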
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53773#53773 Fri Jun 18, 2010 6:57 am
Everything seems correct. Try adding the 2 lines to every sandbox you have configured at Sandboxie.ini. I guess you only miss "[DefaultBox]".
Stupid question: You have log_api.dll at C:\BSA folder, don't you?

rilos: http://www.sandboxie.com/phpbb/viewtopic.php?p=53772#53772 Fri Jun 18, 2010 6:48 am
Quoting Buster:
> You have something not configured properly somewhere because API logging works fine. Most probably the problem is that you included the 2 lines to add in Sandboxie.ini at the wrong place.

Thanks, Buster. I put the 2 lines where it's indicated in the help "installation and usage" in the same sequence:

[GlobalSettings]
TemplateReject=SynapticsTouchPad
[BSA_Box]
ConfigLevel=6
AutoRecover=y
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
Enabled=y
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA
[UserSettings_0DC20194]

Did I do anything wrong?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53763#53763 Thu Jun 17, 2010 11:24 pm
Quoting rilos:
> ... and from where do I install WinPCap? Does it slow down my computer when it runs permanently in the background? I don't want to have too many processes running on the system, without notice - it's already too much... Or does it only get started by BSA, when needed? Thanks!

The manual explains it clearly: http://bsa.isoftware.nl/framec.htm
WinPCap can be downloaded from: http://www.winpcap.org
Direct download: http://www.winpcap.org/install/bin/WinPcap_4_1_1.exe
It doesn't slow down the PC at all. You can configure it to run only on demand or every time you start the computer. That's something you configure during WinPCap installation.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53762#53762 Thu Jun 17, 2010 11:22 pm
Quoting rilos:
> I created just a special sandbox for BSA underneath the 'default' sandbox. And I specified this BSA sandbox in BSA. Thanks for the help! :wink:

You have something not configured properly somewhere because API logging works fine. Most probably the problem is that you included the 2 lines to add in Sandboxie.ini at the wrong place.

rilos: http://www.sandboxie.com/phpbb/viewtopic.php?p=53741#53741 Thu Jun 17, 2010 10:18 pm
... and from where do I install WinPCap? Does it slow down my computer when it runs permanently in the background? I don't want to have too many processes running on the system, without notice - it's already too much... Or does it only get started by BSA, when needed? Thanks!

rilos: http://www.sandboxie.com/phpbb/viewtopic.php?p=53739#53739 Thu Jun 17, 2010 10:09 pm
I created just a special sandbox for BSA underneath the 'default' sandbox. And I specified this BSA sandbox in BSA. Thanks for the help! :wink:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53725#53725 Thu Jun 17, 2010 12:29 pm
Quoting rilos:
> upgraded to 3.45.18 - now works fine! Thank you!

Glad to hear the problem is solved. :)

Quoting rilos:
> Btw: what is that PCap thing for?

Read here: http://en.wikipedia.org/wiki/Pcap

Quoting rilos:
> And what is meant by installation of PCap?

Installation of WinPCap. PCap is the name of the file format. WinPCap installation is meant for capturing network traffic.

Quoting rilos:
> Is it just that you have to copy these two files into the system32 directory?

No, copying those two files is a procedure to do only when you don't want to install WinPCap. By copying the two files you avoid the error that appears when you run BSA and WinPCap is not installed. It's recommended to install WinPCap so the capture network traffic feature is available.

Quoting rilos:
> When I start notepad in Sandboxie I don't see any results in BSA during runtime. But reports are generated fine and malware analysis runs fine too.

In what sandbox are you running notepad? Default or another one you created?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53723#53723 Thu Jun 17, 2010 12:22 pm
Quoting rilos:
> Yes, I have 3.442 installed - which is quite new! Should I install the newest version (beta)? Thanks!

Yes, it's quite new but LOG_API.DLL uses a function available on 3.45.01 and newer versions.

rilos: http://www.sandboxie.com/phpbb/viewtopic.php?p=53720#53720 Thu Jun 17, 2010 12:17 pm
upgraded to 3.45.18 - now works fine! Thank you!
Btw: what is that PCap thing for? And what is meant by installation of PCap? Is it just that you have to copy these two files into the system32 directory? What does it do?
When I start notepad in Sandboxie I don't see any results in BSA during runtime. But reports are generated fine and malware analysis runs fine too.

rilos: http://www.sandboxie.com/phpbb/viewtopic.php?p=53718#53718 Thu Jun 17, 2010 11:51 am
Yes, I have 3.442 installed - which is quite new! Should I install the newest version (beta)? Thanks!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53715#53715 Thu Jun 17, 2010 11:18 am
If he uses 3.44x that will be the problem for sure.
tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=53712#53712 Thu Jun 17, 2010 11:04 am
I'd start by asking which version of Sandboxie it is. Maybe Rilos still uses version 3.44x?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53681#53681 Wed Jun 16, 2010 3:59 pm
This problem has been reported at the Wilders forum too: http://www.wilderssecurity.com/showthread.php?t=259357&page=7
Maybe there is a conflict between LOG_API.DLL and other software. I would discard a bug in the DLL because it's working fine for other BSA users, like Franklin, who also use BSA on Vista.
tzuk: Do you have any idea about how to locate the bug? Using WinDebug maybe?

Rilos: Problems with BSA - WerFault.exe http://www.sandboxie.com/phpbb/viewtopic.php?p=53676#53676 Wed Jun 16, 2010 2:43 pm
Hi Buster, thanks for BSA. I tried it out on a Vista32 system. I expanded the Sandboxie config file by the two lines as described on your help site. When I start any application in Sandboxie it generates lots of 'WerFault.exe' processes - a list that gets bigger and bigger until I suddenly stopped the programs. What could be the reason for that? Thank you!

Buster: Re: because this application creates a service??? http://www.sandboxie.com/phpbb/viewtopic.php?p=53276#53276 Sun Jun 06, 2010 5:02 pm
Quoting Dig:
> because this application creates a service?? NPF service with System32/drivers/npf.sys

It's used by WinPCap. http://www.file.net/process/npf.sys.html

Dig: because this application creates a service??? http://www.sandboxie.com/phpbb/viewtopic.php?p=53275#53275 Sun Jun 06, 2010 4:37 pm
because this application creates a service?? NPF service with System32/drivers/npf.sys

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53271#53271 Sun Jun 06, 2010 3:23 pm
Glad to hear everything is working fine. :) I will also update the manual to point out that version 3.45.01 is required.

New bsa User: http://www.sandboxie.com/phpbb/viewtopic.php?p=53269#53269 Sun Jun 06, 2010 3:14 pm
Quoting Buster:
> Install Sandboxie 3.45.16 (http://sandboxie.com/phpbb/viewtopic.php?t=7511) and let me know if it makes a difference.

Well, upgrading Sandboxie seems to have taken care of it. Everything is working good now.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53268#53268 Sun Jun 06, 2010 3:04 pm
Install Sandboxie 3.45.16 (http://sandboxie.com/phpbb/viewtopic.php?t=7511) and let me know if it makes a difference.

New bsa User: http://www.sandboxie.com/phpbb/viewtopic.php?p=53267#53267 Sun Jun 06, 2010 3:02 pm
Quoting Buster:
> Version of Sandboxie, not BSA.

I'm showing version 3.442 on Sandboxie.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53266#53266 Sun Jun 06, 2010 2:51 pm
Version of Sandboxie, not BSA.

New bsa User: http://www.sandboxie.com/phpbb/viewtopic.php?p=53265#53265 Sun Jun 06, 2010 2:49 pm
Quoting Buster:
> What version of Sandboxie do you have installed?

It's showing the version is 1.23.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53252#53252 Sun Jun 06, 2010 7:55 am
What version of Sandboxie do you have installed?
New bsa User: Re: Crashing http://www.sandboxie.com/phpbb/viewtopic.php?p=53251#53251 Sun Jun 06, 2010 7:24 am
Quoting Buster:
> Quoting New bsa User:
> > I have just recently installed Sandboxie and downloaded BSA. I copied the entire extracted bsa folder to the root (C:) of my drive. I then created a new sandbox from the default, just for BSA, then edited the configuration to include the following, "InjectDll=c:\bsa\log_api.dll OpenWinClass=TFormBSA" minus the quotes, and by copying and pasting from the PDF file. Now, every time I try starting an application with that sandbox, I get a crash of the sandbox and my JIT debugger attaches. I end up having to kill the process tree, because it seems that the debugger crashes also and it just keeps bringing up another debugger. Can you PLEASE tell me what I'm doing wrong?
> Everything seems to be correct. To be sure that it is LOG_API.DLL which causes the crash do this: Remove the 2 lines (InjectDll=c:\bsa\log_api.dll OpenWinClass=TFormBSA) from the new sandbox configuration and try starting an application. Let me know if it works or crashes.

I took the two lines out and it loads the sandboxed application without a problem then.

Buster: Re: Crashing http://www.sandboxie.com/phpbb/viewtopic.php?p=53249#53249 Sun Jun 06, 2010 6:46 am
Quoting New bsa User:
> I have just recently installed Sandboxie and downloaded BSA. I copied the entire extracted bsa folder to the root (C:) of my drive. I then created a new sandbox from the default, just for BSA, then edited the configuration to include the following, "InjectDll=c:\bsa\log_api.dll OpenWinClass=TFormBSA" minus the quotes, and by copying and pasting from the PDF file. Now, every time I try starting an application with that sandbox, I get a crash of the sandbox and my JIT debugger attaches. I end up having to kill the process tree, because it seems that the debugger crashes also and it just keeps bringing up another debugger. Can you PLEASE tell me what I'm doing wrong?

Everything seems to be correct. To be sure that it is LOG_API.DLL which causes the crash do this: Remove the 2 lines (InjectDll=c:\bsa\log_api.dll OpenWinClass=TFormBSA) from the new sandbox configuration and try starting an application. Let me know if it works or crashes.

New bsa User: Crashing http://www.sandboxie.com/phpbb/viewtopic.php?p=53247#53247 Sun Jun 06, 2010 6:21 am
I have just recently installed Sandboxie and downloaded BSA. I copied the entire extracted bsa folder to the root (C:) of my drive. I then created a new sandbox from the default, just for BSA, then edited the configuration to include the following, "InjectDll=c:\bsa\log_api.dll OpenWinClass=TFormBSA" minus the quotes, and by copying and pasting from the PDF file. Now, every time I try starting an application with that sandbox, I get a crash of the sandbox and my JIT debugger attaches. I end up having to kill the process tree, because it seems that the debugger crashes also and it just keeps bringing up another debugger. Can you PLEASE tell me what I'm doing wrong?

Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=53145#53145 Fri Jun 04, 2010 2:35 pm
Quoting Buster:
> It's not a bug, that's the way it works. If you read the manual (BSA.PDF) you will see that BSA uses WinPCap to capture network traffic. It's recommended to install WinPCap (http://www.winpcap.org) because it's very necessary for analysis. As explained in the readme (README.TXT), if for any reason (I don't see any valid reason not to do it) you don't want to install WinPCap then you must copy WPCAP.DLL and PACKET.DLL from the PCAP folder to the Windows\System32 folder. Don't know if copying the files to the BSA folder overrides the errors too. If it works, that's ok.

When a dll is loaded, Windows first looks into the application directory, and after that it searches the %PATH% system var for the dll.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53133#53133 Fri Jun 04, 2010 1:23 pm
Quoting Max100:
> I'm trying the last bsa program release, but I'm forced to copy wpcap.dll and packet.dll from the PCAP folder to the bsa folder. Only in this way can I open the executable (BSA.EXE) without dialog errors (packet.dll / wpcap.dll not present). I have this bug with Windows XP x86 and Windows 7 x64.

It's not a bug, that's the way it works. If you read the manual (BSA.PDF) you will see that BSA uses WinPCap to capture network traffic. It's recommended to install WinPCap (http://www.winpcap.org) because it's very necessary for analysis. As explained in the readme (README.TXT), if for any reason (I don't see any valid reason not to do it) you don't want to install WinPCap then you must copy WPCAP.DLL and PACKET.DLL from the PCAP folder to the Windows\System32 folder. Don't know if copying the files to the BSA folder overrides the errors too. If it works, that's ok.

Max100: http://www.sandboxie.com/phpbb/viewtopic.php?p=53125#53125 Fri Jun 04, 2010 11:40 am
I'm trying the last bsa program release, but I'm forced to copy wpcap.dll and packet.dll from the PCAP folder to the bsa folder. Only in this way can I open the executable (BSA.EXE) without dialog errors (packet.dll / wpcap.dll not present). I have this bug with Windows XP x86 and Windows 7 x64.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=53016#53016 Wed Jun 02, 2010 2:42 pm
netai.net was a poor server, with continuous problems with downloads. Mark_ has been so nice as to give me hosting. The new address (and I hope definitive for a long long time) is http://bsa.isoftware.nl

H3*: http://www.sandboxie.com/phpbb/viewtopic.php?p=52982#52982 Tue Jun 01, 2010 8:39 pm
Ok Guest10, I used to abuse download managers but now I prefer a clean pc without this and that things; if I can't get things downloaded then let it be, I'll survive :) Nothing wrong with IE tweaked to max, only allowed downloads; if I need java or activex it takes a few seconds to activate them. Actually I used IE 6 until a few weeks ago, but more and more websites look weird with it, but no problem with IE 8 here, quick load and it does the job. Sorry Buster for hijacking your thread, so I write here now that I got BSA downloaded to make this "chat" more legitimate. :)

Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=52977#52977 Tue Jun 01, 2010 8:11 pm
Quoting H3*:
> Guest10: yes that's the one, with IE the download is very unstable and slow, then it just cuts off. Did you test downloading with IE?

No, I use Firefox and had no problem - no download manager was used. It's strange because I occasionally have to switch to IE to make some downloads work, when they don't work with Firefox. (I think it makes Mitch's day when I have to admit that :lol: )

H3*: http://www.sandboxie.com/phpbb/viewtopic.php?p=52972#52972 Tue Jun 01, 2010 7:47 pm
Guest10: yes that's the one, with IE the download is very unstable and slow, then it just cuts off. Did you test downloading with IE? Tried about 7-10 times with no bsa.rar on my desktop yet. Thanks again for the new links Buster.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52970#52970 Tue Jun 01, 2010 7:44 pm
I have experienced broken downloads too. If you don't use a download manager the download usually is not completed correctly. I miss Ruhe's host very much. :(

Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=52969#52969 Tue Jun 01, 2010 7:39 pm
Quoting H3*:
> Buster, your link cuts off the downloads every time, so now you know :)

If that means you can't get the download, I had no problem with using the second link. I just downloaded the new version again, to be sure that the link still works. http://bsa.netai.net/bsa.rar

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52968#52968 Tue Jun 01, 2010 7:38 pm
Alternative downloads for version 1.23:
http://rapidshare.com/files/394145158/Buster.Sandbox.Analyzer.1.23.rar
http://www.megaupload.com/?d=PFQJP2RB
http://hotfile.com/dl/45975923/4feff23/Buster.Sandbox.Analyzer.1.23.rar.html

H3*: http://www.sandboxie.com/phpbb/viewtopic.php?p=52966#52966 Tue Jun 01, 2010 7:28 pm
Buster, your link cuts off the downloads every time, so now you know :) thanks.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52965#52965 Tue Jun 01, 2010 7:01 pm
Quoting hotmog:
> Quoting Buster:
> > Released Buster Sandbox Analyzer 1.23 to fix a bug.
> Buster - Your old download link no longer works, and the ones given in your previous post are for v1.22 only (I tried substituting 1.23 but to no avail).

The new host is: http://bsa.netai.net
And the direct download link is: http://bsa.netai.net/bsa.rar
If anyone has trouble downloading (broken downloads) let me know and I will upload to other sites like with version 1.22.
hotmog: http://www.sandboxie.com/phpbb/viewtopic.php?p=52964#52964 Tue Jun 01, 2010 6:55 pm
Quoting Buster:
> Released Buster Sandbox Analyzer 1.23 to fix a bug.

Buster - Your old download link no longer works, and the ones given in your previous post are for v1.22 only (I tried substituting 1.23 but to no avail).

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52962#52962 Tue Jun 01, 2010 5:31 pm
Released Buster Sandbox Analyzer 1.23 to fix a bug.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52883#52883 Mon May 31, 2010 2:00 am
A bug has been reported in version 1.22 so I decided to fix the bug and upload version 1.22 again. Links to the new version are updated already but anyway here you have them again:
http://rapidshare.com/files/393478240/Buster.Sandbox.Analyzer.1.22.rar
http://www.megaupload.com/?d=TOTVC9ZH
http://hotfile.com/dl/45674283/98e6168/Buster.Sandbox.Analyzer.1.22.rar.html

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52879#52879 Sun May 30, 2010 10:39 pm
Have no mercy with that kind of posts!

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=52866#52866 Sun May 30, 2010 9:21 pm
Sorry Buster, but someone who signs their posts with a link to "make money fast" is just asking for the posts to be deleted.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52854#52854 Sun May 30, 2010 4:35 pm
Quoting joetraff:
> I have checked out the tool. And I think it's awesome.

Thanks! :D Did you have any problems configuring it? Is it easy to use with the provided instructions (PDF)? What do you like more and what less?
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52849#52849 Sun May 30, 2010 1:22 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=52849#52849 No, you´re right. In the computer where I´m logged as site admin I can see contents but from other computer where I´m not logged I also get the same message. We will have to wait until the admin has reviewed the site but meanwhile it´s available through alternative download links. H3*: http://www.sandboxie.com/phpbb/viewtopic.php?p=52848#52848 Sun May 30, 2010 1:15 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=52848#52848 I'll guess you're right, but this link: http://bsa.netai.net/ drops me to this place: http://www.000webhost.com/admin-review Checked about 1 min ago, but I need some coffee now so I test it again later on. :) oh, just saw your link to rapidshare, thanks. Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52847#52847 Sun May 30, 2010 1:12 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=52847#52847 I have noticed that downloads from netai.net are not reliable. The download may be interrupted before the file has been completely downloaded. In case of troubles with the download here you have additional download links: http://rapidshare.com/files/393478240/Buster.Sandbox.Analyzer.1.22.rar http://www.megaupload.com/?d=TOTVC9ZH http://hotfile.com/dl/45674283/98e6168/Buster.Sandbox.Analyzer.1.22.rar.html Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52846#52846 Sun May 30, 2010 12:56 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=52846#52846 I opened the account just a few hours ago so I guess it´s a normal procedure. H3*: http://www.sandboxie.com/phpbb/viewtopic.php?p=52844#52844 Sun May 30, 2010 12:30 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=52844#52844 [quote:17b09137b6]Website Under Review You see this page, because the system administrator of 000webhost.com is currently checking this website for malicious content. 
This redirect will be removed once we will finish manually checking all files on this account. As far we check over 100 websites, it can take about 2-4 hours to complete. If you are the owner of this website, you will get email confirmation once it's done. If you are a visitor - please come back later. www.000webhost.com is a free web hosting provider and all free hosting providers suffer from abusers. Around 5% of users signup here just to start hacking or phishing website or make other damage. So, in order to survive, we must monitor what our users are hosting. We are sorry for any inconveniences, but checking all content manually, it is the only way to provide you with the most secure and reliable service. If you have found any illegal website on our network.[/quote:17b09137b6] Someone reported you to delay your release? or they really going thru every owners files? :shock: Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52837#52837 Sun May 30, 2010 12:12 am http://www.sandboxie.com/phpbb/viewtopic.php?p=52837#52837 Released Buster Sandbox Analyzer 1.22. Change list: Added automatic malware analysis mode Added digital signature verification Removed "Check Ports" Updated Buster Sandbox Analyzer GUI Updated LOG_API library Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52836#52836 Sun May 30, 2010 12:06 am http://www.sandboxie.com/phpbb/viewtopic.php?p=52836#52836 Actual host is going down soon. Thanks to Ruhe for hosting the tool all this time! The new host is: http://bsa.netai.net Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52383#52383 Tue May 18, 2010 6:15 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=52383#52383 News about the automatic analysis mode: It will process any kind of file type: EXE, PDF, XLS, ... If the file type is associated to a program, then the program will be launched. e.g.: .PDF files associated to Adobe Acrobat Reader. Depends of the program if the processed file is opened automatically or not. 
If the file type is not associated to any program then we receive the message telling Windows can not open that file. It's up to the users to make the appropriate associations. The automatic analysis feature will save network traffic (when BSA is properly configured for that) to a .pcap file in the report folder. Additionally the user can configure BSA to save a copy of the sandbox folder contents. That way we can easily get a copy of dropped components.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52351#52351 Tue May 18, 2010 1:50 am
Due to popular demand I decided to include the automatic analysis in the next release. Each sample contained in a specified folder will run for a user-specified time, and during that time malware processes can run alone, without user interaction, until the time expires, or the user can interact with the sample. When the time expires Sandboxie's processes will be terminated and the reports will be generated. I have nice plans for this feature. I intend the feature to be configurable so it becomes more flexible and powerful.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52195#52195 Fri May 14, 2010 6:43 pm
I forgot to mention in the manual that version 1.21 allows the user to set a time limit for the analysis. With this feature we can configure how many minutes we want to let the sandboxed applications run. When the time limit expires Sandboxie will terminate the processes automatically.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=52113#52113 Thu May 13, 2010 4:09 pm
Released Buster Sandbox Analyzer 1.21.
Change list:
Changes in BSA.DAT: Added [Custom_Folder_Entries] section. Updated [File_Types_Modified] section to [File_Types_Created_Modified].
Updated Capture-BAT Log Analyzer feature.
Updated malware analysis in Buster Sandbox Analyzer.
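The automatic analysis mode and the per-analysis time limit described in the posts above reduce to one loop: launch each file in a folder, let it run until the limit, terminate it, record the outcome. The following is an added example of that loop and is not BSA's code. The launchers are constructed stand-ins (a Python child that sleeps, a Python child that exits at once) so the loop runs on any platform; the sandboxed start command mentioned in the comment is an assumption about how a real launcher would wrap the sample.

```python
"""Timed batch analysis of samples in a folder (added example, not BSA code).

Every file in a folder is launched, allowed to run for a fixed time limit, then
terminated, and a per-sample record is returned. The launcher is injectable so
the loop can be exercised with harmless commands; real use would start the
sample inside the sandbox.
"""
import os
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class SampleResult:
    path: str
    status: str        # "finished" (exited by itself) or "terminated" (hit the time limit)
    returncode: int
    seconds: float


def default_launcher(path: str) -> subprocess.Popen:
    """Constructed stand-in for a sample that keeps running (sleeps 30 s).

    A real launcher would hand `path` to its associated program inside the
    sandbox (assumption: something like Sandboxie's Start.exe /box:<name>);
    the stand-in ignores `path` so the loop can run anywhere.
    """
    return subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])


def quick_launcher(path: str) -> subprocess.Popen:
    """Constructed stand-in for a sample that exits on its own right away."""
    return subprocess.Popen([sys.executable, "-c", "pass"])


def run_sample(path: str, time_limit: float,
               launcher: Callable[[str], subprocess.Popen] = default_launcher) -> SampleResult:
    """Run one sample for at most `time_limit` seconds, then kill it."""
    started = time.monotonic()
    proc = launcher(path)
    try:
        rc = proc.wait(timeout=time_limit)
        status = "finished"
    except subprocess.TimeoutExpired:
        proc.kill()           # a real tool terminates every process in the sandbox here
        rc = proc.wait()
        status = "terminated"
    # reports (file/registry diff, pcap, ...) would be generated at this point
    return SampleResult(path, status, rc, time.monotonic() - started)


def run_folder(folder: str, time_limit: float,
               launcher: Callable[[str], subprocess.Popen] = default_launcher) -> List[SampleResult]:
    """Analyse every regular file in `folder`, one after another."""
    results = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            results.append(run_sample(path, time_limit, launcher))
    return results
```

Samples are run strictly one at a time so that the diffs and captures collected after each run belong to a single sample; running several in the same sandbox at once would mix their artifacts.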
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51799#51799 Thu May 06, 2010 9:14 am
Version 1.20 fixes several bugs: DNS queries not logged when the network is configured with DHCP, duplicated entries in the API logger window, one malicious behaviour missed, SetValueKey and DeleteValueKey were being missed from the API call log, ... The new version also introduces new features: Capture-BAT Log Analyzer. The LOG_API library will show the name of the application that made the API call. Local network traffic can be configured to be sniffed or not.

Buster: Released BSA 1.20 http://www.sandboxie.com/phpbb/viewtopic.php?p=51798#51798 Thu May 06, 2010 9:08 am
Released Buster Sandbox Analyzer 1.20.
Change list:
Added Capture-BAT Log Analyzer feature.
Fixed bugs in Buster Sandbox Analyzer.
Updated LOG_API library.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51721#51721 Tue May 04, 2010 5:17 pm
The next BSA release (1.20) will show in LOG_API.TXT what program made the API call. This feature can be used by malware analysts to get more exact information about the analyzed stuff. It will also contain a feature to parse Capture-BAT log files. This feature comes from the suggestions received from malware analysts some weeks ago. As you know BSA is limited by Sandboxie's limits, which are related to security questions. So to improve BSA's analysis capabilities I have introduced support for another malware analysis tool: Capture-BAT.
[quote]Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.[/quote]
https://www.honeynet.org/node/315
BSA will parse the Capture-BAT log and .pcap file (when available) and will generate a report and an analysis from them. The Capture-BAT log parser feature will use the same rules defined for BSA in BSA.DAT. Capture-BAT is a good tool but it misses logging some information that could be useful to generate more accurate results. Sadly Capture-BAT development seems to be stopped. Maybe if enough people mail the author asking to continue developing the tool he may reconsider it. Send me a PM if you are interested in helping to get Capture-BAT developed again.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51213#51213 Sat Apr 24, 2010 12:04 pm
[quote="Mark_"]if you manually import pcap_dump function from wpcap (with LoadLibrary and GetProcAddress) you can simply disable the functionality when the dll is not found :)[/quote]
The call is done from a component. I don't want to touch it. Could you give me some feedback about the new packet sniffer?

Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=51211#51211 Sat Apr 24, 2010 11:52 am
If you manually import the pcap_dump function from wpcap (with LoadLibrary and GetProcAddress) you can simply disable the functionality when the DLL is not found :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51207#51207 Sat Apr 24, 2010 10:39 am
From version 1.19, if WinPcap is not installed BSA will not run. If for any reason you don't want to install WinPcap and want to avoid this problem simply copy WPCAP.DLL and PACKET.DLL from the \BSA\PCAP folder to \Windows\System32.
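Mark_'s suggestion above (resolve pcap_dump at run time and switch the capture feature off when wpcap is missing, instead of the whole program refusing to start) is the optional-dependency pattern. The block below is an added illustration of it written with ctypes rather than the LoadLibrary/GetProcAddress calls named in the post; it is not BSA's or WinPcap's code. The library name "wpcap", the export "pcap_dump" and the candidate directories are the example's assumptions. It also prefers an absolute path from a known directory over the loader's search order, which is the usual way to avoid picking up a same-named library from an unexpected location (the copy-to-System32 workaround in the following post is exactly the kind of placement that makes search-order behaviour matter).

```python
"""Optional dependency loading (added example; not BSA's or WinPcap's code).

Resolve a library and one of its exports at run time so a feature can be
disabled cleanly when the library is absent. Library/export names are
assumptions for the example.
"""
import ctypes
import ctypes.util
import os
import sys
from typing import Optional


def load_optional_library(name: str, search_dirs=()) -> Optional[ctypes.CDLL]:
    """Return a handle to `name` or None when it cannot be loaded.

    Explicit directories are tried first with absolute paths, so a file that
    is only expected in a known location is never looked up through the
    loader's search order.
    """
    suffix = ".dll" if sys.platform.startswith("win") else ".so"
    for d in search_dirs:
        candidate = os.path.join(d, name + suffix)
        if os.path.isfile(candidate):
            try:
                return ctypes.CDLL(candidate)
            except OSError:
                return None
    resolved = ctypes.util.find_library(name)   # platform search, last resort
    if resolved is None:
        return None
    try:
        return ctypes.CDLL(resolved)
    except OSError:
        return None


def resolve_export(lib: Optional[ctypes.CDLL], symbol: str):
    """GetProcAddress equivalent: None when the library or the symbol is missing."""
    if lib is None:
        return None
    return getattr(lib, symbol, None)   # ctypes raises AttributeError for unknown exports


class PacketCapture:
    """Feature wrapper that degrades gracefully when wpcap is unavailable."""

    def __init__(self, lib_name: str = "wpcap", search_dirs=()):
        self.lib = load_optional_library(lib_name, search_dirs)
        self.pcap_dump = resolve_export(self.lib, "pcap_dump")
        self.enabled = self.pcap_dump is not None

    def status(self) -> str:
        return "capture enabled" if self.enabled else "capture disabled (wpcap not found)"
```

With this shape the rest of the program checks `PacketCapture.enabled` once and skips capture-related work, rather than failing at process start because an import could not be satisfied.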
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51132#51132 Thu Apr 22, 2010 6:10 pm
I'd like to get feedback about the new packet sniffer. Thanks!

Buster: Re: Feature request http://www.sandboxie.com/phpbb/viewtopic.php?p=51120#51120 Thu Apr 22, 2010 6:50 am
[quote="neo"]Thanks and congratulations on your great work. Now, if I could make a few feature requests for BSA... It'd be nice to be able to have:
- a pcap of network traffic
- a MD5 of the files that are created next to the name/path
- batch processing.
That would be absolutely wonderful[/quote]
A pcap of network traffic can be retrieved with version 1.19. :wink:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51114#51114 Wed Apr 21, 2010 10:11 pm
The new release (1.19) improves the internet packet sniffer very much. The old packet sniffer was not working on Windows Vista and it may fail in other OSs. The new packet sniffer uses WinPcap for capturing packets (http://www.winpcap.org), so WinPcap must be installed to get packets captured.
The old packet sniffer was capturing packets from both sandboxed and unsandboxed applications. The new packet sniffer only captures TCP traffic coming from sandboxed applications. UDP traffic is captured from both sandboxed and unsandboxed applications. I could not find a solution to avoid this.
The old packet sniffer was unable to show what application generated each packet. The new packet sniffer shows what application generated the packet.
It's also possible to save captured packets to file. This feature can be used to do forensic network analysis. Captured files are Wireshark and NetworkMiner compatible.
All these features improve BSA's analysis capabilities a lot.
Apart from that, a feature named Pcap Explorer has been introduced in the new release. Pcap Explorer is a forensic network analysis tool.
It's able to open .pcap files generated by BSA, Wireshark, or NetworkMiner. This feature shows packet information and can follow a TCP session as Wireshark does. It's also able to filter packets by user-defined parameters. HTTP-transmitted files and mail attachments can be extracted automatically to disk. It can display information like URL requests or DNS names queried. Packet contents can be searched by text strings or hexadecimal bytes. For managing big .pcap files, Pcap Explorer has a feature named "Pcap Splitter". A smaller .pcap file can be saved filtering contents by user-specified information.
Buster Sandbox Analyzer has been fine-tuned to report fewer false positives.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=51113#51113 Wed Apr 21, 2010 9:58 pm
Released Buster Sandbox Analyzer 1.19.
Change list:
Added Pcap Explorer feature
Improved the packet sniffer
Updated Buster Sandbox Analyzer
Updated LOG_API library

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=50114#50114 Sun Apr 04, 2010 6:21 pm
[quote="Kurt"]Thanks! (That was quick!...)[/quote]
No problem! Read the manual carefully and pay special attention to the notes in red.

Kurt: http://www.sandboxie.com/phpbb/viewtopic.php?p=50112#50112 Sun Apr 04, 2010 5:47 pm
Thanks! (That was quick!...)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=50106#50106 Sun Apr 04, 2010 2:53 pm
[quote="Kurt"]Sorry to blunder in like that, but is there somewhere one can download this app (BSA)?[/quote]
The official site is: http://bsa.sandboxie.info
And the tool can be downloaded from: http://bsa.sandboxie.info/bsa.rar

Kurt: http://www.sandboxie.com/phpbb/viewtopic.php?p=50105#50105 Sun Apr 04, 2010 2:47 pm
Sorry to blunder in like that, but is there somewhere one can download this app (BSA)?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=50080#50080 Sat Apr 03, 2010 11:58 pm
[quote="Guest10"]One of these days I'm going to be able to say that: I knew Buster before he became famous :lol:[/quote]
Hahahahaaha :lol: But don't be surprised if someone comes here and tells you I have been famous for years. :roll:

Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=50079#50079 Sat Apr 03, 2010 11:12 pm
One of these days I'm going to be able to say that: I knew Buster before he became famous :lol:

Buster: Re: Feature request http://www.sandboxie.com/phpbb/viewtopic.php?p=50069#50069 Sat Apr 03, 2010 7:15 pm
[quote="neo"]if I could make a few feature requests for BSA... It'd be nice to be able to have:
- a pcap of network traffic[/quote]
A pcap of network traffic is retrieved using WinPcap. What BSA will include in the next release will be a pcap analyzer.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49838#49838 Mon Mar 29, 2010 5:42 pm
I just checked and I don't think anything is messed up with the change. In the next release the modification will be there.
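The 1.19 announcement above describes what Pcap Explorer pulls out of a capture: the DNS names a sandboxed sample queried and the connections it opened. The block below is an added example of that extraction and is not Pcap Explorer's code: a minimal reader for the classic pcap format with Ethernet/IPv4 framing that lists DNS query names and the destination of every outbound TCP SYN. The capture it reads is constructed inline (two DNS queries and one SYN to TCP port 80; the names and addresses are made-up sample values), so it runs without any real traffic.

```python
"""Extract DNS queries and TCP connection targets from a pcap (added example,
not Pcap Explorer's code). Handles link type 1 (Ethernet) and IPv4 only."""
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
ETH_IPV4, IP_TCP, IP_UDP = 0x0800, 6, 17


def iter_packets(data: bytes):
    """Yield raw frame bytes from a pcap file image."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC_LE else ">"
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_dns_qname(payload: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed DNS QNAME (length-prefixed labels) at `off`."""
    labels = []
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length


def summarize(pcap: bytes) -> Dict[str, List[str]]:
    """Return {'dns': [names queried], 'tcp': ['dst:port', ...]} in capture order."""
    dns, tcp = [], []
    for frame in iter_packets(pcap):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length
        proto = frame[23]
        dst_ip = ".".join(str(b) for b in frame[30:34])
        l4 = 14 + ihl                          # start of the transport header
        if proto == IP_UDP and len(frame) >= l4 + 8:
            _, dst_port = struct.unpack_from("!HH", frame, l4)
            if dst_port == 53:
                dns_msg = frame[l4 + 8:]
                flags, qdcount = struct.unpack_from("!HH", dns_msg, 2)
                if not flags & 0x8000 and qdcount:     # QR bit clear: a query, not a response
                    name, _ = parse_dns_qname(dns_msg, 12)
                    dns.append(name)
        elif proto == IP_TCP and len(frame) >= l4 + 14:
            _, dst_port = struct.unpack_from("!HH", frame, l4)
            tcp_flags = frame[l4 + 13]
            if tcp_flags & 0x02 and not tcp_flags & 0x10:   # SYN without ACK: new outbound connection
                tcp.append(f"{dst_ip}:{dst_port}")
    return {"dns": dns, "tcp": tcp}


# --- constructed sample capture (not real traffic) ---------------------------
def _frame(proto: int, dst_ip: bytes, l4: bytes) -> bytes:
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), dst_ip)        # checksum left 0: not verified here
    return eth + ip + l4


def _dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 49152, 53, 8 + len(msg), 0) + msg


def _tcp_syn(dst_port: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 49153, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_sample_pcap() -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame(IP_UDP, bytes([10, 0, 0, 1]), _dns_query("update.example.net")),
        _frame(IP_TCP, bytes([203, 0, 113, 7]), _tcp_syn(80)),
        _frame(IP_UDP, bytes([10, 0, 0, 1]), _dns_query("telemetry.example.org")),
    ]
    out = header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Filtering on the QR bit keeps resolver answers out of the DNS list, and keying connections on SYN-without-ACK counts each outbound session once instead of once per packet; both are the details that make such a summary usable as a quick indicator list rather than a raw packet dump.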
Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=49837#49837 Mon Mar 29, 2010 4:57 pm
Buster, would it mess up anything in your program if you changed the Registry LogFile entry from
1;C:\BSA\Reports\Sandboxie.LOG
to
2;C:\BSA\Reports\Sandboxie.LOG
to tell Sandboxie to preface each message with the time and date information? After each use of BSA, I set the entry back to use log level 2.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49614#49614 Wed Mar 24, 2010 11:30 am
Released Buster Sandbox Analyzer 1.18.
Change list:
Fixed a problem with memory usage

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49525#49525 Mon Mar 22, 2010 1:57 am
Released Buster Sandbox Analyzer 1.17.
Change list:
Improved File Hash and RegHive Explorer features
Fixed bugs in Buster Sandbox Analyzer, File Hash and RegHive Explorer features
Thanks to nick s for the bug report in the File Hash feature. Thanks to majoMo for the bug reports in Buster Sandbox Analyzer and RegHive Explorer.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49440#49440 Fri Mar 19, 2010 5:04 pm
Soon I will release Buster Sandbox Analyzer 1.17. This version will improve the File Hash and RegHive Explorer features a bit. After 1.17, new releases should be much more spaced in time as all the features I had planned are included already. New versions should include just bugfixes or small improvements.
If there is interest I could release a special version only for professionals. This version would include the following additional features:
* Batch analysis
This feature would allow generating analyses of files in a folder in an automated way.
* File Extractor
This is a feature I have been working on for two years. It allows the extraction of files from setups, installations, embedded files, compressed files, etc. It supports 7z, ZIP, GZIP, BZIP2, TAR, RAR, CAB, ISO, ARJ, LZH, CHM, Z, CPIO, RPM, DEB, NSIS, ACE, EML, Inno Setup, Microsoft SZDD, Microsoft TNEF, RTF, Gentee, Setup Factory, RapSFX, Thraex's Astrum InstallWizard, SEA, Instyler, BInstall, Cexe, Quick Batch File Compiler, WScript, Smart Install Maker, Stubbie SFX Extractor, ... virtually all executable installers.
* LOG_API library source code
The source code could be modified in order to add new APIs to log or customize the output.
If anyone is interested contact me at my mail.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49367#49367 Tue Mar 16, 2010 6:00 pm
Version 1.16 includes RegHive Explorer, a feature that allows viewing the Windows registry modifications performed by sandboxed applications. It's the only feature of its kind as it's specifically designed to view Sandboxie's reghive files. Additionally RegHive Explorer allows synchronizing the reghive and the Windows registry so we can visualize modifications more easily.
Version 1.16 also includes a new version of the LOG_API library. The new DLL has been updated to be compatible with the changes in Sandboxie 3.45.01.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49366#49366 Tue Mar 16, 2010 5:56 pm
Released Buster Sandbox Analyzer 1.16.
Change list:
Added RegHive Explorer feature
Updated LOG_API library

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49238#49238 Fri Mar 12, 2010 4:14 pm
Guestone: I just updated to Sandboxie v.3.45.01 and tried the malware. I don't get any problem even injecting LOG_API.DLL. Can you confirm that too?
Max100: http://www.sandboxie.com/phpbb/viewtopic.php?p=49226#49226 Fri Mar 12, 2010 12:23 am
[quote="Buster"]What can I do if users don't read and follow the manual? :wink:[/quote]
Sorry, next time I'll read the manual carefully. I was too blinded by that (for me) unexpected behavior. :roll:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49185#49185 Thu Mar 11, 2010 3:07 pm
Max100: Sorry, I didn't reply because I have been busy coding the feature I will include in the next release.
Is it a false positive? Yes. Is it a false positive you could have avoided? Yes.
From the Buster Sandbox Analyzer manual:
[color=red]Note: Some registry and value keys are modified by Sandboxie, not by sandboxed processes. I suggest running CALC.EXE, or any other program that does not modify the registry, and adding strings from the resulting RegDiff.TXT to the exclusion list.[/color]
That note is in red because I consider it very important. What can I do if users don't read and follow the manual? :wink:

Max100: http://www.sandboxie.com/phpbb/viewtopic.php?p=49184#49184 Thu Mar 11, 2010 2:54 pm
@Buster: I don't know why you haven't replied to my previous post. It seems clearly a false positive... installing that program on my real computer, those registry keys are not removed, while your BSA reports that the keys are removed. Just a confirmation, nothing else.
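The manual note Buster quotes above (run CALC.EXE, take whatever RegDiff.TXT still reports as the sandbox's own bookkeeping, and turn those strings into an exclusion list) is a baseline subtraction. The block below is an added example of that step and is not BSA's code. RegDiff.TXT's real layout is not shown in the thread, so the line format "<ACTION> <registry path>" and the two diff listings are constructed assumptions; the CLSID with all zeros is a placeholder, not a real key.

```python
"""Baseline-driven exclusion of registry-diff noise (added example, not BSA's code).

Collect the RegDiff entries a clean run (CALC.EXE) produces anyway and use them
as an exclusion list so they stop showing up as findings for real samples.
Assumed line format: "<ACTION> <registry path>", ACTION in ADDED/MODIFIED/DELETED.
"""
from fnmatch import fnmatchcase
from typing import Iterable, List, Set, Tuple

Entry = Tuple[str, str]   # (action, key path); paths normalised to lower case


def parse_regdiff(text: str) -> List[Entry]:
    """Parse assumed RegDiff lines; registry paths compare case-insensitively."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, _, path = line.partition(" ")     # split only at the first space: paths may contain spaces
        entries.append((action.upper(), path.strip().lower()))
    return entries


def build_exclusions(baseline_text: str) -> Set[str]:
    """Exclusion patterns from a clean-run diff: exactly the noisy paths, nothing wider."""
    return {path for _, path in parse_regdiff(baseline_text)}


def filter_findings(sample_text: str, exclusions: Iterable[str]) -> List[Entry]:
    """Drop entries whose path matches an exclusion pattern (fnmatch wildcards allowed).

    Matching is by path only, like an exclusion list of strings. Keep the list
    limited to what the clean baseline produced: every extra pattern hides a
    real change to that key, whatever the sample does to it.
    """
    patterns = [p.lower() for p in exclusions]
    kept = []
    for action, path in parse_regdiff(sample_text):
        if any(fnmatchcase(path, pat) for pat in patterns):
            continue
        kept.append((action, path))
    return kept


# Constructed sample data: a CALC.EXE baseline run and a sample run.
BASELINE_REGDIFF = """
MODIFIED HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache
ADDED HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\1\\52C64B7E
"""

SAMPLE_REGDIFF = """
MODIFIED HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache
ADDED HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\1\\52C64B7E
ADDED HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
DELETED HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}
"""
```

After subtraction the two baseline entries disappear and the sample's own Run-key addition and CLSID deletion remain, which is the signal the report should carry. The baseline has to be re-taken whenever Sandboxie or the box configuration changes, since the noise it generates changes with it.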
Guestone: http://www.sandboxie.com/phpbb/viewtopic.php?p=49173#49173 Thu Mar 11, 2010 12:20 am
Buster: You can download the malware sample from here: http://www.datafilehost.com/download-0b4c7fd2.html

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49138#49138 Wed Mar 10, 2010 4:53 pm
Guestone: If you send me the malware maybe I can fix the problem. As a temporary solution you can analyze the file without injecting LOG_API. The most important information for analysis will be retrieved anyway.

Guestone: http://www.sandboxie.com/phpbb/viewtopic.php?p=49128#49128 Wed Mar 10, 2010 2:08 pm
[img]http://www.ld-host.de/uploads/images/b0e14a88cfdb97a128b6b1d63c17b72c.png[/img]
Using BSA to analyze a trojan sample running sandboxed I get an error, but after removing the two InjectDll=xxx lines from Sandboxie's configuration it works fine.
XP SP3, Sandboxie 3.44, Buster Sandbox Analyzer version 1.15

Max100: http://www.sandboxie.com/phpbb/viewtopic.php?p=49113#49113 Tue Mar 09, 2010 11:35 am
Hello! Is it possible that a trusted, reputable piece of software can delete these keys associated with Java?
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{DBC80044-A445-435B-BC74-9C25C1C588A9}
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
Complete report of the program in question: http://www.mediafire.com/file/lmyynmg0jeg/Report.TXT
I can't explain this behavior, can you?
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49102#49102 Tue Mar 09, 2010 1:23 am
New URL to reach the Buster Sandbox Analyzer web site: http://bsa.sandboxie.info

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=49101#49101 Tue Mar 09, 2010 1:22 am
Released Buster Sandbox Analyzer 1.15.
Change list:
Added Memory Explorer feature
Updated BSA.DAT
Updated LOG_API library
Updated Buster Sandbox Analyzer
Fixed a bug in Buster Sandbox Analyzer

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48910#48910 Thu Mar 04, 2010 12:05 pm
[quote="andyjazzz7"]In version 1.12 it was not possible to drag-and-drop files from Windows Explorer to File Scanner's window.[/quote]
This limitation was removed in version 1.13.

andyjazzz7: http://www.sandboxie.com/phpbb/viewtopic.php?p=48905#48905 Thu Mar 04, 2010 9:42 am
[quote="nick s"][quote="tzuk"]I extracted the BSA archive to some work folder somewhere outside C:\Program Files, where I have full access privileges even as a standard user account.[/quote]
Thanks. I finally got it working that way on Vista this morning. Not sure why I could not get it to work that way on 7 last night. I suspect the reason is that I use AppLocker on 7 and have noticed that sometimes a reboot or logoff (which I did not do) is required to remove the "lock".[/quote]
I understand that the log file is useful in the report from BSA.. In version 1.12 it was not possible to drag-and-drop files from Windows Explorer to File Scanner's window.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48790#48790 Mon Mar 01, 2010 5:05 pm
Released Buster Sandbox Analyzer 1.14.
Change list:
Added PE Explorer
Added File Disassembler

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48594#48594 Thu Feb 25, 2010 4:47 pm
Released Buster Sandbox Analyzer 1.13.
Change list:
Added Process Explorer
Fixed bugs in Buster Sandbox Analyzer and LOG_API library

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48446#48446 Sat Feb 20, 2010 9:15 pm
What are the advantages/disadvantages of running BSA with UAC-elevated Administrator privileges, and what are they for running it as normal?

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=48445#48445 Sat Feb 20, 2010 8:45 pm
[quote="tzuk"]I extracted the BSA archive to some work folder somewhere outside C:\Program Files, where I have full access privileges even as a standard user account.[/quote]
Thanks. I finally got it working that way on Vista this morning. Not sure why I could not get it to work that way on 7 last night. I suspect the reason is that I use AppLocker on 7 and have noticed that sometimes a reboot or logoff (which I did not do) is required to remove the "lock".

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48444#48444 Sat Feb 20, 2010 8:25 pm
Fixing the problem tzuk found, I was also able to solve an issue present in the File Scanner feature. In version 1.12 it was not possible to drag-and-drop files from Windows Explorer to File Scanner's window. In the next release this will be possible.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48443#48443 Sat Feb 20, 2010 8:23 pm
tzuk just confirmed that I fixed the problem he found related to running BSA with UAC-elevated Administrator privileges.
tzuk: Thank you very much for reporting the bug and providing a solution to solve it :!: :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48442#48442 Sat Feb 20, 2010 8:17 pm
[quote="Guest10"]I was a bit surprised to find that Sandboxie's log file is now set to:
1;C:\BSA\Reports\Sandboxie.LOG
That log file shows that I have started Thunderbird a number of times, outside of the sandbox. The log is probably correct. I don't see these Sandboxie messages pop up, because I have that message hidden. It's still logging messages, 10 days after my last use of BSA.[/quote]
I guess that once the entry has been set, Sandboxie will log stuff until the next time you run BSA, at which moment the log will be deleted.
[quote="Guest10"]I understand that the log file is useful in the report from BSA, but does BSA overwrite a Registry entry for "LogFile" if one already exists?[/quote]
Yes, BSA overwrites the entry to: "1;BSA_Path\Reports\Sandboxie.LOG".
[quote="Guest10"]Should BSA leave its LogFile setting in the Registry, so that Sandboxie continues logging messages even when finished using BSA?[/quote]
Is it too annoying? I could delete the entry when BSA closes if you want.
[quote="Guest10"]Does BSA empty (or over-write) this log file each time it is used, so that items that already exist in the log file are not considered as a part of the current analysis of the sandboxed program? Or should the user be deleting, or moving, all items in the "Reports" folder after each use?[/quote]
BSA automatically generates a new Sandboxie.LOG every time a new analysis is performed. If you want to save reports (Sandboxie.LOG included), from version 1.12 you can use: Utilities -> Reports -> Save Report. BSA will create a folder with the date and the hour and will store all report files (FileDiff, RegDiff, Sandboxie.Log, Connections.TXT, etc.) inside it. I hope I replied to all your questions.
If you still have any doubt just let me know. Regards.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=48427#48427 Sat Feb 20, 2010 6:51 pm
[quote="nick s"]How are you able to run BSA with normal privileges and see API calls? If I execute BSA with normal privileges, click Start, I get a "Cannot create file C:\Program Files\BSA\regdump.exe." error because a non-elevated BSA is not able to write to its directory.[/quote]
I extracted the BSA archive to some work folder somewhere outside C:\Program Files, where I have full access privileges even as a standard user account.

Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=48424#48424 Sat Feb 20, 2010 3:17 pm
I wasn't sure if I had left the Sandboxie LogFile entry in my Registry or not, so I decided to check. I had been experimenting with a setting of:
2;C:\SbieLog.txt
I hadn't seen any file by that name created, yet. I was a bit surprised to find that Sandboxie's log file is now set to:
1;C:\BSA\Reports\Sandboxie.LOG
That log file shows that I have started Thunderbird a number of times, outside of the sandbox. The log is probably correct. I don't see these Sandboxie messages pop up, because I have that message hidden. It's still logging messages, 10 days after my last use of BSA.
I understand that the log file is useful in the report from BSA, but does BSA overwrite a Registry entry for "LogFile" if one already exists? Should BSA leave its LogFile setting in the Registry, so that Sandboxie continues logging messages even when finished using BSA? Does BSA empty (or over-write) this log file each time it is used, so that items that already exist in the log file are not considered as a part of the current analysis of the sandboxed program? Or should the user be deleting, or moving, all items in the "Reports" folder after each use?
nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=48417#48417 Sat Feb 20, 2010 4:13 am
[quote="tzuk"]On the other hand if BSA.EXE is running with normal privileges, then it can see API calls from sandboxed programs that are running either with normal or admin privileges.[/quote]
Hi tzuk, how are you able to run BSA with normal privileges and see API calls? If I execute BSA with normal privileges, click Start, I get a "Cannot create file C:\Program Files\BSA\regdump.exe." error because a non-elevated BSA is not able to write to its directory. BSA never gets into "logging" mode. This is on Windows 7 32-bit.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48393#48393 Fri Feb 19, 2010 12:18 pm
[quote="tzuk"]You can make a note about this in the documentation, or you might be able to have BSA.EXE call the function ChangeWindowMessageFilter to make window communication possible: http://msdn.microsoft.com/en-us/library/ms632675%28VS.85%29.aspx[/quote]
MSDN says:
[quote]Adds or removes a message from the User Interface Privilege Isolation (UIPI) message filter.[/quote]
I have looked for an example of ChangeWindowMessageFilter and found this: http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/0ccf84fd-b78d-45b3-9b79-7366003cb19d
ChangeWindowMessageFilter(WM_DROPFILES, MSGFLT_ADD);
What message should be used in case BSA is running with UAC-elevated Administrator privileges so it can see API calls from sandboxed programs running with normal privileges? Would it be WM_COPYDATA? That's the message I use to communicate from LOG_API.DLL to BSA.EXE through WMCopyData.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=48386#48386 Fri Feb 19, 2010 11:22 am
I can also confirm now the DLL works fine.
But I noticed a peculiar thing: If BSA.EXE is running with UAC-elevated Administrator privileges, it can only "see" API calls from sandboxed programs that are also running with UAC-elevated privileges. It does not see API calls from sandboxed programs running with normal privileges.
On the other hand, if BSA.EXE is running with normal privileges, then it can see API calls from sandboxed programs that are running either with normal or admin privileges.
This is probably due to a UAC mechanism called UIPI: http://en.wikipedia.org/wiki/User_Interface_Privilege_Isolation
You can make a note about this in the documentation, or you might be able to have BSA.EXE call the function ChangeWindowMessageFilter to make window communication possible: http://msdn.microsoft.com/en-us/library/ms632675%28VS.85%29.aspx

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48363#48363 Thu Feb 18, 2010 6:11 pm
tzuk: thank you for the information! I compiled the DLL I sent you and nick s confirmed that everything is working fine now. :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48361#48361 Thu Feb 18, 2010 5:17 pm
[quote="Mark_"]as far as i know, 32 bit dll cant be injected in a 64 bit process, u would need a 64 bit dll for that...[/quote]
Sandboxie will not inject the 32-bit version of the DLL into 64-bit processes, only 32-bit ones.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=48355#48355 Thu Feb 18, 2010 10:37 am
[quote="nick s"]The bad news is that now, with the correct path, all sandboxed apps now crash with an error like this...[/quote]
I can reproduce this problem. I've sent some technical information to Buster, I hope it will help to resolve this problem.
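The UIPI exchange above (an elevated BSA.EXE only receives WM_COPYDATA from elevated senders; ChangeWindowMessageFilter as the way to open the filter) can be written down as follows. This is an added example, not BSA's code: on Windows it makes the user32 calls for real, preferring the per-window ChangeWindowMessageFilterEx (Windows 7 and later) and falling back to the process-wide ChangeWindowMessageFilter from the MSDN link; on other platforms it reports that UIPI does not apply. The constants are the documented Win32 values. The last function only encodes tzuk's observation as a truth table so the rule can be checked without a Windows desktop.

```python
"""Letting an elevated window receive WM_COPYDATA from lower-integrity senders.

Added example for the UIPI discussion in the thread; not BSA's code. The
filter is opened for exactly one message and, where the OS allows it, for one
window only: every message let through is input a less privileged process can
feed the elevated one, so the WM_COPYDATA handler must validate the payload.
"""
import ctypes
import sys

WM_COPYDATA = 0x004A       # the message LOG_API.DLL uses to hand log records to BSA.EXE
MSGFLT_ADD = 1             # ChangeWindowMessageFilter: allow the message process-wide
MSGFLT_ALLOW = 1           # ChangeWindowMessageFilterEx: allow it for one window
MSGFLT_DISALLOW = 2


def uipi_applies() -> bool:
    """UIPI exists from Windows Vista (major version 6) on; nothing to do elsewhere."""
    return sys.platform.startswith("win") and sys.getwindowsversion().major >= 6


def allow_message_from_lower_integrity(hwnd: int, msg: int = WM_COPYDATA) -> str:
    """Open the UIPI filter for `msg`, scoped as narrowly as the OS allows; returns a status."""
    if not uipi_applies():
        return "uipi not applicable"
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    try:
        per_window = user32.ChangeWindowMessageFilterEx   # Windows 7 and later
    except AttributeError:
        per_window = None
    if per_window is not None:
        per_window.argtypes = [ctypes.c_void_p, ctypes.c_uint, ctypes.c_uint, ctypes.c_void_p]
        per_window.restype = ctypes.c_bool
        if per_window(hwnd, msg, MSGFLT_ALLOW, None):
            return "allowed for window"
        return f"ChangeWindowMessageFilterEx failed: {ctypes.get_last_error()}"
    process_wide = user32.ChangeWindowMessageFilter                 # Vista fallback
    process_wide.argtypes = [ctypes.c_uint, ctypes.c_uint]
    process_wide.restype = ctypes.c_bool
    if process_wide(msg, MSGFLT_ADD):
        return "allowed process-wide"
    return f"ChangeWindowMessageFilter failed: {ctypes.get_last_error()}"


def message_passes_uipi(receiver_elevated: bool, sender_elevated: bool, filter_opened: bool) -> bool:
    """Does a window message from sender reach receiver? Encodes tzuk's observation.

    UIPI only blocks messages travelling from a lower integrity level to a
    higher one, so a non-elevated receiver hears both kinds of sender, while an
    elevated receiver hears a non-elevated sender only once the filter is open.
    """
    if not receiver_elevated:
        return True
    return sender_elevated or filter_opened
```

Running the receiver non-elevated, as tzuk found, avoids the problem without touching the filter at all and is the smaller attack surface; opening the filter is the option when the receiver genuinely needs elevation.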
Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=48342#48342 Thu Feb 18, 2010 1:29 am
As far as I know, a 32-bit DLL can't be injected into a 64-bit process; you would need a 64-bit DLL for that...

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=48329#48329 Wed Feb 17, 2010 9:55 pm
[quote="Buster"]nick s: the bottom line is that if LOG_API didn't work it is because something was not correctly configured. Could you comment how you injected the DLL? Maybe tzuk can notice the problem.[/quote]
The good news is that I had specified the wrong path to LOG_API.DLL in Sandboxie.ini. I omitted "(x86)". The bad news is that now, with the correct path, all sandboxed apps crash with an error like this...
[quote]The instruction at 0x73f34b99 referenced memory at 0x00000008. The memory could not be read. Click on OK to terminate the program.[/quote]
The "instruction at" varies every time but the "referenced memory" is always the same.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48323#48323 Wed Feb 17, 2010 8:16 pm
DarkStalker, from Wilders' forum, asked me if Buster Sandbox Analyzer works under x64. Well, I don't have an x64 system so I asked for help and nick s was so kind as to test the tool for me. nick s reported that the packet sniffer, view filediff/regdiff/etc, file hash, hex editor, etc. etc. work fine. Everything works except LOG_API.DLL.
Talking with tzuk about making a 64-bit version of the DLL, he told me LOG_API should work fine on x64 systems: the 32-bit LOG_API DLL should be injected into the 32-bit malware process just fine, with the same old InjectDll setting.
nick s: the bottom line is that if LOG_API didn't work it is because something was not correctly configured. Could you comment how you injected the DLL? Maybe tzuk can notice the problem.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48176#48176 Fri Feb 12, 2010 11:48 pm
Released Buster Sandbox Analyzer 1.12.
Change list:
Added File Scanner.
Version 1.12 includes a feature to submit files to VirusTotal to be scanned.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=48042#48042 Tue Feb 09, 2010 2:19 pm
Released Buster Sandbox Analyzer 1.11.
Change list:
Added File Hex Editor.
Version 1.11 includes a built-in hex editor.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47971#47971 Mon Feb 08, 2010 12:17 am
Could you send the package to Webroot's support team and ask them to remove the false positive, please? That's a generic detection: http://www.sophos.com/security/analyses/viruses-and-spyware/malhckpka.html

SandboxieLiker: Virus Mal/HckPk-A claimed by Webroot from uncompressing BSA http://www.sandboxie.com/phpbb/viewtopic.php?p=47966#47966 Sun Feb 07, 2010 9:53 pm
After downloading BSA now from http://bsa.qnea.de/bsa.rar with up-to-date "Webroot Anti-Virus with Spy Sweeper" running in the background, I got the following warning from Webroot at the end of uncompressing with 7-Zip: "Mal/HckPk-A is attempting to access the file system", with log note "File System Shield: found: Virus: Mal/HckPk-A, version".

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47855#47855 Sat Feb 06, 2010 9:23 am
In one of my first posts on this thread I wrote:
[quote]Additional notes: BSA reflects the changes that would be made to the system. Temporary changes are not shown, e.g. if a file is created inside the sandbox and later is deleted before processes are terminated. The same for registry entries.[/quote]
In current versions of BSA, temporary changes to files and registry can be checked by reviewing LOG_API.TXT.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47745#47745 Thu Feb 04, 2010 12:06 pm
Released Buster Sandbox Analyzer 1.10.
Change list:
Added File Hash, File Strings and some other features
The new features don't improve malware detection capabilities but may be of help to malware analysts.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47716#47716 Wed Feb 03, 2010 5:20 pm
Guest10: Thanks for the side note! I may include it in BSA's manual.

Guest10: http://www.sandboxie.com/phpbb/viewtopic.php?p=47714#47714 Wed Feb 03, 2010 5:18 pm
In another message thread, it was mentioned that Avira A/V is giving a false positive report on BSA. I thought that I would mention that Norton 2010 A/V has a component called "Sonar Protection" that doesn't like the Registry scanning/comparing that BSA does when analyzing an install. It doesn't seem to be reacting to the name of the program (I think it was called RegDump.exe) as much as it is reacting to the actual behaviour that is occurring, when checking for Registry changes that were made during the install. Since Norton stops that program, there will be no listing of Registry changes in the Report. Norton's Sonar Protection needs to be temporarily disabled when using BSA.

Cadillakin: http://www.sandboxie.com/phpbb/viewtopic.php?p=47651#47651 Tue Feb 02, 2010 6:34 pm
[quote="Buster"]Thanks, Cadillakin! If the tax software was coded by a Russian developer it may have a logical reason to query DNSs from Russia. :-?[/quote]
Yeah. Perhaps TurboTax (Intuit) was secretly sold to young Russian hackers and the Russian coding sites.
There were also some DNS queries to open-source websites in Russia. Your tool is very helpful. It allows us to see nearly everything that is occurring during installation whereas AV scanners are mostly going to catch known viral-file installations. Many of the tools the hackers are using are legitimate Windows processes that they are creating within the install for the purpose of stealing information.. The AV scanners aren't normally catching these... Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47642#47642 Tue Feb 02, 2010 2:54 pm http://www.sandboxie.com/phpbb/viewtopic.php?p=47642#47642 Thanks, Cadillakin! If the tax software was coded by a russian developer it may have a logic reason to query DNSs from Russia. :-? Cadillakin: http://www.sandboxie.com/phpbb/viewtopic.php?p=47623#47623 Tue Feb 02, 2010 1:37 am http://www.sandboxie.com/phpbb/viewtopic.php?p=47623#47623 A big thank you to Buster for this analyzer.. I was shopping on Usenet for some tax software... I found it and ran it in the sandbox.. As is my practice, I explored the installed files. Everything worked well.. No obvious signs of infection. No writing to windows.. No start/run entries... No files created in temp folders. But I still wasn't satisfied. I used Buster's program and reran the install... The program logs were literally laced with created events, dns queries to Russia.. and many hidden processes.. Needless to say, I kept it in the sandbox. What's most interesting to me is that there were many users commenting on this app in Newzbin that their scanners showed it clean... There are perhaps hundreds of users with the finest AV apps money can buy.. and they downloaded, installed and asserted it was clean. It seems some of the bad guys aren't laying obvious eggs for the scanners to discover... 
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47441#47441 Fri Jan 29, 2010 10:23 am
I forgot to mention in the manual that to avoid PEiD's window appearing while using "File Signature -> Process a Folder" you must run PEID.EXE and uncheck the "Stay on top" checkmark.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47406#47406 Thu Jan 28, 2010 2:20 pm
Released Buster Sandbox Analyzer 1.09.
Change list:
Added File Signatures feature
Updated LOG_API library
File Signatures provides information about the packer, if any, used to compress a file or the compiler used to build it.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47129#47129 Sat Jan 23, 2010 7:58 pm
Released Buster Sandbox Analyzer 1.08.
Change list:
Added a packet sniffer
Updated BSA.DAT
Updated LOG_API library

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47125#47125 Sat Jan 23, 2010 5:33 pm
> Quoting Ruhe:
> Then the easiest and best would be to exclude it by default. Either built into the source or by an already existing RegistryExclude.TXT in the .rar archive.
Yeah, I thought about adding a RegistryExclude.TXT including that entry in the BSA package. Probably that's what I'll do. Thanks for your opinion!

Ruhe: http://www.sandboxie.com/phpbb/viewtopic.php?p=47123#47123 Sat Jan 23, 2010 5:12 pm
Then the easiest and best would be to exclude it by default. Either built into the source or by an already existing RegistryExclude.TXT in the .rar archive.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=47116#47116 Sat Jan 23, 2010 4:18 pm
I have seen in other forums people asking questions related to BSA reports, specifically about this entry:
machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x
That entry is created by Sandboxie so it must be added to the registry exclusion list; if not, it will raise an alert on every malware analysis.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46932#46932 Mon Jan 18, 2010 5:08 pm
BSA 1.07 may produce a wrong Analysis.TXT. Until the next version is released this behaviour can be fixed by editing BSA.DAT, line 243, and changing "->" to "<->".

Buster: Re: Feature request http://www.sandboxie.com/phpbb/viewtopic.php?p=46846#46846 Fri Jan 15, 2010 6:39 am
> Quoting neo:
> Tzuk and Buster, thanks and congratulations on your great work. Now, if I could make a few feature requests for BSA... It'd be nice to be able to have:
> - a pcap of network traffic
In version 1.08 I will introduce a packet sniffer in order to improve the information related to internet connections, but BSA will not produce a pcap of network traffic. I don't consider this relevant. Anyway, if anyone is interested in pcap files I suggest installing the portable version of Wireshark and running it unsandboxed.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46723#46723 Tue Jan 12, 2010 6:20 pm
Last week I was looking for a program using a specified API to make some tests. I looked in a folder containing both harmless and malware files and, as chance would have it, I picked a malware. Even more surprising was to discover that the malware was Sandboxie-aware, among other applications like VMWare, Syser Debugger, etc. I injected LOG_API.DLL and the poor malware could not see it was being analyzed under Sandboxie. :twisted: Has anyone else analyzed Sandboxie-aware malware?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46719#46719 Tue Jan 12, 2010 5:08 pm
Released Buster Sandbox Analyzer version 1.07
Change list:
Added detection of new malicious activities
Updated BSA.DAT
Updated LOG_API library

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46055#46055 Sun Jan 03, 2010 1:09 am
You're welcome. :)

hotmog: http://www.sandboxie.com/phpbb/viewtopic.php?p=46053#46053 Sun Jan 03, 2010 12:08 am
Hi Buster
Yes, you're dead right! Previously I only did a CTRL/ALT/DEL to check the processes, but when I ran Process Explorer using your instructions, SbieDll.Dll is indeed still visible. Clearly, running Sandboxie in "stealth mode" by default is not going to be a feasible option for me. My wife uses this PC under her own user account; she neither knows, nor wishes to know, the ins and outs of Sandboxie. So the fact that Internet Explorer is sandboxed when she connects to the internet has to be completely transparent, hence IE being a forced program in the Defaultbox. At least I understand a lot more now than I did earlier about how to use your excellent add-on facility to Sandboxie, and can always run it completely "hidden" using my dedicated sandbox should I feel the urge. Many thanks for your sound advice. :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46048#46048 Sat Jan 02, 2010 8:42 pm
> Quoting hotmog:
> Hi Buster
> I have already created a sandbox specifically for BSA, which has the InjectDll command for LOG_API.DLL. That command has been removed from the Defaultbox, and I no longer have an issue with IE. That is why I am surprised that the Sandboxie processes still remain hidden when only the Defaultbox is opened (after rebooting & rerunning HideDriverGUI.exe). I don't understand the significance of the inject dll stage. I had a look at your link, but I'm no C++ programmer either, so I'm afraid I'm none the wiser.
The driver to hide processes takes care of the "more visible" components of Sandboxie: Sbiesvc.exe, SbieCtrl.exe, SandboxieDComLaunch.exe and SandboxieRpcSs.exe. I mean that when you hide Sandboxie components you can easily check if they are hidden just by opening the Task Manager and checking if they appear there. But have you tried to check if SbieDll.Dll is visible when you don't inject LOG_API.DLL? Do you know how to check that? I suggest two programs to check:
1) Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
2) VMMap http://technet.microsoft.com/en-us/sysinternals/dd535533.aspx
You can test this way: Don't inject LOG_API.DLL and sandbox NOTEPAD.EXE. Then open Process Explorer and select the NOTEPAD.EXE process. Go to "View" -> "Show Lower Panel". Then "View" -> "Lower Pane View" -> "DLLs". SbieDll.dll will be listed. You can close Process Explorer but keep the sandboxed instance of NOTEPAD.EXE. Run VMMap and select NOTEPAD.EXE. Again you will see SbieDll.Dll. LOG_API.DLL makes SbieDll.Dll invisible to such programs. Test and let me know if that's right.

hotmog: http://www.sandboxie.com/phpbb/viewtopic.php?p=46047#46047 Sat Jan 02, 2010 8:28 pm
Hi Buster
I have already created a sandbox specifically for BSA, which has the InjectDll command for LOG_API.DLL. That command has been removed from the Defaultbox, and I no longer have an issue with IE. That is why I am surprised that the Sandboxie processes still remain hidden when only the Defaultbox is opened (after rebooting & rerunning HideDriverGUI.exe). I don't understand the significance of the inject dll stage. I had a look at your link, but I'm no C++ programmer either, so I'm afraid I'm none the wiser.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46043#46043 Sat Jan 02, 2010 7:39 pm
This feature has been requested from the guys who coded the driver to hide processes. Unfortunately they didn't reply to it. You can learn more about the driver here: http://www.codeproject.com/KB/system/hide-driver.aspx
Maybe someone with more experience than me in C++ would be able to add the feature. I must also say that hiding Sandboxie is like a process in two steps. The driver to hide processes is the first part and injecting LOG_API.DLL would be the second. I suggest you create a sandbox specifically for BSA and add the injection of LOG_API.DLL in that sandbox and not in the Defaultbox, where it will create problems with your forced programs.

hotmog: http://www.sandboxie.com/phpbb/viewtopic.php?p=46041#46041 Sat Jan 02, 2010 6:26 pm
Thanks for that info, Nick. I've now removed those two command lines from the Defaultbox configuration settings.
> Quoting Buster:
> Note for the people interested in hiding Sandboxie: Read BSA.PDF to know how to hide Sandboxie. It's not necessary to run BSA to hide Sandboxie. It's only necessary to inject LOG_API.DLL and run the driver to hide processes.
Just tried it - I rather like that! Surprisingly, it still runs in "stealth" mode even though only the Defaultbox is opened, which doesn't now have the InjectDll command. I don't suppose there's any chance of enabling some sort of facility to retain/load the initialization parameters - i.e. driver path & process names - in a configuration file, rather than having to store them in a text file and paste them into the HideDriverGUI.exe program every time I want to run it? Also will it work with non-Sandboxie processes (I was thinking of Shadow Defender, for example)?
nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=46039#46039 Sat Jan 02, 2010 5:52 pm
> Quoting hotmog:
> Any idea what's causing this, and how it can be resolved?
During the 1.06 betas, Buster explained the issue this way: log_api.dll intercepts GetModuleHandle requests for SbieDll.dll and returns "nothing found". This is desirable when running sandboxed malware that tries to detect Sandboxie. Unfortunately, it breaks forced programs. It's best to have a dedicated sandbox for use with BSA and set another sandbox to manage your forced programs.

hotmog: http://www.sandboxie.com/phpbb/viewtopic.php?p=46031#46031 Sat Jan 02, 2010 4:22 pm
Hi Buster
I downloaded BSA today, and have followed the instructions to install and use it, including renaming LOG_API.DLL to an aleatory name as recommended. All the files are in a folder called "BSA" in the C:\ root directory. I've created a new sandbox called BSA specifically for when I want to run the analyzer, which has auto-delete turned off. However I also added the two command lines:
InjectDll=c:\bsa\log_api.dll (with log_api.dll amended to its aleatory name)
OpenWinClass=TFormBSA
to the Defaultbox settings. The Defaultbox is configured to force iexplore.exe to run within it whenever IE is opened outside the sandbox. Now, whenever I open IE, I get an SBIE2313 error "Could not execute SandboxieRpcSs.exe", and SBIE2204 "Cannot start SandboxieRpcSs service". However, if I terminate all sandboxed processes, then right-click on the Defaultbox and select Run Web Browser, IE opens normally. Once that has happened, I can click on the IE icon from the taskbar to launch another instance of IE OK, with no errors. Any idea what's causing this, and how it can be resolved?
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46004#46004 Fri Jan 01, 2010 7:19 pm
Note for the people interested in hiding Sandboxie: Read BSA.PDF to know how to hide Sandboxie. It's not necessary to run BSA to hide Sandboxie. It's only necessary to inject LOG_API.DLL and run the driver to hide processes.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=46003#46003 Fri Jan 01, 2010 7:13 pm
Buster Sandbox Analyzer 1.06 has been released.
Change list:
Added Sandboxie hidden capabilities
Improved BSA.DAT (thanks to nick s)
Fixed a bug in Buster Sandbox Analyzer
LOG_API library completely rewritten

jumanji: http://www.sandboxie.com/phpbb/viewtopic.php?p=45982#45982 Fri Jan 01, 2010 1:31 am
Great, Buster, keep up the good work.

Ruhe: http://www.sandboxie.com/phpbb/viewtopic.php?p=45404#45404 Fri Dec 18, 2009 8:13 am
As the hoster of BSA I can confirm this, as I see it in the traffic on the domain.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45344#45344 Wed Dec 16, 2009 3:48 pm
I like that BSA has its own section because that means it has some originality. :)

bs1: http://www.sandboxie.com/phpbb/viewtopic.php?p=45342#45342 Wed Dec 16, 2009 3:25 pm
Buster, it looks like you're getting some notoriety (http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm). (Scroll down to the "Tests and malware analysis tools" section.) Congrats. :D

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=45231#45231 Mon Dec 14, 2009 6:41 am
> Quoting Buster:
> Well, I found that if you modify something in HKEY_USERS\S-1-5-18 the change will appear under HKEY_USERS\.DEFAULT......
I see that when I run List Registry Links (http://blogs.sepago.de/helge/2008/05/04/free-tool-list-registry-links-reg_link/) unsandboxed...

    c:\files\listregistrylinks>ListRegistryLinks.exe hku
    "hku\S-1-5-21-25130506-776034094-9161161-1001\Software\Classes" -> "HKU\S-1-5-21-25130506-776034094-9161161-1001_Classes"
    "hku\Sandbox_Nick_DefaultBox\user\current\software\classes" -> "HKU\Sandbox_Nick_DefaultBox\user\current_classes"
    "hku\S-1-5-18" -> "HKU\.Default"
    c:\files\listregistrylinks>

It's interesting to watch the continuous symbolic registry link activity when running ListRegistryLinks sandboxed.

majoMo: http://www.sandboxie.com/phpbb/viewtopic.php?p=45218#45218 Mon Dec 14, 2009 12:32 am
Your research work is correct: HKLM and HKU contain all registry data. HKCR, HKCU and HKCC are just links.

    Root Key   Equivalent
    HKCR       HKCU\Software\Classes + HKLM\SOFTWARE\Classes
    HKCU       HKU\SID
    HKCC       HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current

:wink:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45215#45215 Sun Dec 13, 2009 9:33 pm
nick s: You asked about
HKEY_USERS
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes
Well, I found that if you modify something in HKEY_USERS\S-1-5-18 the change will appear under HKEY_USERS\.DEFAULT. That means that any entry in BSA.DAT must reference HKEY_USERS\.DEFAULT and not HKEY_USERS\S-1-5-18 because that one will never appear in RegDiff.TXT. There are a few other cases like this, e.g. HKEY_CLASSES_ROOT changes will appear under HKEY_CURRENT_USER\software\classes. The same happens with HKEY_CURRENT_CONFIG. In case of doubt it's better to make a test and check where the change is done.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45214#45214 Sun Dec 13, 2009 9:17 pm
Released Buster Sandbox Analyzer 1.05.
Change list:
Added "Assorted suspicious actions"
Fixed several bugs in Buster Sandbox Analyzer
Updated LOG_API library

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45098#45098 Fri Dec 11, 2009 7:22 am
> Quoting nick s:
> Sorry for my confusion. BSA logs all registry mods to RegDiff.TXT while Malware Analyzer (Analysis.TXT) filters its output through the registry rules set in BSA.DAT. Is that correct?
That's correct. Analysis.TXT is built with the matches from BSA.DAT at RegDiff.TXT.
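An added example, not BSA's own code, of the root-key link resolution Buster and majoMo describe above: writes through HKCR, HKCC and HKU\S-1-5-18 land under HKCU\Software\Classes, HKLM\SYSTEM\...\Hardware Profiles\Current and HKU\.DEFAULT, so a BSA.DAT rule must name the target, not the link. The "machine\" and "user\current\" prefixes are the ones RegDiff.TXT and BSA.DAT use on this page; treating HKEY_USERS as unsupported follows Buster's remark that only HKLM and HKCU are supported, and the SID-to-HKCU mapping is taken from nick s' ListRegistryLinks output (assumptions of this example).

```python
# Added example (not part of BSA). Resolves Windows registry link roots to
# the hive that actually records a change, then rewrites BSA.DAT rule keys
# into the "machine\..." / "user\current\..." form seen in RegDiff.TXT.

# Link roots and where writes through them land, per the thread
# (majoMo's table and Buster's tests). Order: longest prefix first.
LINKS = [
    ("HKEY_USERS\\S-1-5-18", "HKEY_USERS\\.DEFAULT"),
    ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER\\Software\\Classes"),
    ("HKEY_CURRENT_CONFIG",
     "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current"),
]

ABBREV = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Sandboxie prefixes as they appear in RegDiff.TXT on the page. Buster says
# HKLM and HKCU are the only roots BSA supports, so nothing else maps.
SANDBOXIE_PREFIX = {
    "HKEY_LOCAL_MACHINE": "machine",
    "HKEY_CURRENT_USER": "user\\current",
}


def expand_root(path):
    """Normalise HKLM/HKCU/... abbreviations to the long root names."""
    root, sep, rest = path.partition("\\")
    root = ABBREV.get(root.upper(), root.upper())
    return root + sep + rest


def resolve_link(path, current_sid=None):
    """Return the key under which a write through `path` is really recorded.

    With `current_sid` given, HKU\<SID>_Classes and HKU\<SID> are folded into
    HKCU\Software\Classes and HKCU (the links nick s' ListRegistryLinks run
    shows; assumption: the sandboxed user is that SID). The "_Classes" entry
    must be tested before the bare SID, the same longest-first point Buster
    makes about BSA.DAT ordering.
    """
    path = expand_root(path)
    links = list(LINKS)
    if current_sid:
        links = [
            ("HKEY_USERS\\" + current_sid + "_Classes",
             "HKEY_CURRENT_USER\\Software\\Classes"),
            ("HKEY_USERS\\" + current_sid, "HKEY_CURRENT_USER"),
        ] + links
    low = path.lower()
    for link, target in links:
        l = link.lower()
        if low == l or low.startswith(l + "\\"):
            return target + path[len(link):]
    return path


def to_regdiff(path, current_sid=None):
    """Rewrite a key into RegDiff.TXT form, or None if BSA cannot see it.

    Keys already written with Sandboxie's own prefixes pass through untouched.
    """
    if path.split("\\", 1)[0].lower() in ("machine", "user"):
        return path
    root, sep, rest = resolve_link(path, current_sid).partition("\\")
    prefix = SANDBOXIE_PREFIX.get(root)
    if prefix is None:
        return None  # e.g. HKEY_USERS\S-1-5-19: never appears in RegDiff.TXT
    return prefix + sep + rest


def fix_rule(rule_line, current_sid=None):
    """Rewrite one "key<->reason" BSA.DAT line; None if the key is unmatchable."""
    key, sep, reason = rule_line.partition("<->")
    new_key = to_regdiff(key, current_sid)
    return None if new_key is None else new_key + sep + reason


if __name__ == "__main__":
    # Constructed rules written the way a Windows admin would name the keys.
    for rule in [
        "HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command<->exe handler changed",
        "HKEY_USERS\\S-1-5-18\\Software\\Test<->default profile changed",
        "HKCC\\System\\CurrentControlSet\\Control<->hardware profile changed",
    ]:
        print(rule, "=>", fix_rule(rule))
```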
nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=45097#45097 Fri Dec 11, 2009 5:57 am
> Quoting Buster:
> > Quoting nick s:
> > Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?
> I don't understand what you mean. BSA already logs all registry modifications. :?
Sorry for my confusion. BSA logs all registry mods to RegDiff.TXT while Malware Analyzer (Analysis.TXT) filters its output through the registry rules set in BSA.DAT. Is that correct?

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=45096#45096 Fri Dec 11, 2009 5:46 am
> Quoting Buster:
> I must check this. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are supported right now but others are not. This happens because Sandboxie "translates" the names of the keys to its own format. Anyway, as the search is done to check if strings are contained, I suggest you put in BSA.DAT first the longest string:
> HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes
> then:
> HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
> and the rest literally:
> HKEY_USERS\S-1-5-18
> HKEY_USERS\S-1-5-19
> HKEY_USERS\S-1-5-20
> Does it make sense to you?
Makes sense. I will try it out.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45056#45056 Thu Dec 10, 2009 6:24 am
> Quoting nick s:
> Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?
I don't understand what you mean. BSA already logs all registry modifications. :?

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45055#45055 Thu Dec 10, 2009 6:18 am
> Quoting nick s:
> > Quoting Buster:
> > The problem with MD's rules is you miss the reason to add them.
> Do you mean the description that follows "<->"?
Yes, the description that follows "<->". Do Malware Defender's rules give an explanation about why they included those keys? If MD doesn't include it, you will have to introduce it yourself.
> Quoting nick s:
> What conversion/wildcard recommendations do you have for the following keys/subkeys?
>     HKEY_USERS
>     HKEY_USERS\.DEFAULT
>     HKEY_USERS\S-1-5-18
>     HKEY_USERS\S-1-5-19
>     HKEY_USERS\S-1-5-20
>     HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
>     HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes
> Only the contents of the "Classes" subkey is unique.
I must check this. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are supported right now but others are not. This happens because Sandboxie "translates" the names of the keys to its own format. Anyway, as the search is done to check if strings are contained, I suggest you put in BSA.DAT first the longest string:
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes
then:
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
and the rest literally:
HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
Does it make sense to you?

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=45054#45054 Thu Dec 10, 2009 5:20 am
Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=45053#45053 Thu Dec 10, 2009 4:39 am
> Quoting Buster:
> The problem with MD's rules is you miss the reason to add them.
Do you mean the description that follows "<->"? What conversion/wildcard recommendations do you have for the following keys/subkeys?

    HKEY_USERS
    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-18
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-20
    HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
    HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes

Only the contents of the "Classes" subkey is unique.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45031#45031 Wed Dec 09, 2009 8:05 pm
Glad to hear it works fine! :) Nobody asked to use wildcards more than once per line but luckily I added the feature. :wink:
In your example the search string could be optimized from:
machine\system\*Control*\Control\Session Manager\*
to:
machine\system\Control*\Control\Session Manager
or at least to:
machine\system\*Control*\Control\Session Manager
Both would be equivalent as the final "*" is ignored. This is done because I do the search to check if the string is contained, not equivalent.
Nice to hear you will share the rules! :D The problem with MD's rules is you miss the reason to add them.

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=45025#45025 Wed Dec 09, 2009 7:18 pm
> Quoting Buster:
> nick s: Try version 1.04 and let me know if the wildcard feature works as expected.
Working well so far. For example, machine\system\*Control*\Control\Session Manager\* captured the following deletions:

    machine\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\CriticalSectionTimeout = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\ExcludeFromKnownDlls = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\GlobalFlag = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\HeapDeCommitFreeBlockThreshold = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\HeapDeCommitTotalFreeThreshold = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\HeapSegmentCommit = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\HeapSegmentReserve = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\NumberOfInitialSessions = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\ObjectDirectories = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\ProcessorControl = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\ProtectionMode = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\ResourceTimeoutCount = deleted value key
    machine\SYSTEM\ControlSet001\Control\Session Manager\SetupExecute = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\BootExecute = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\CriticalSectionTimeout = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\ExcludeFromKnownDlls = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\GlobalFlag = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\HeapDeCommitFreeBlockThreshold = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\HeapDeCommitTotalFreeThreshold = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\HeapSegmentCommit = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\HeapSegmentReserve = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\NumberOfInitialSessions = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\ObjectDirectories = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\ProcessorControl = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\ProtectionMode = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\ResourceTimeoutCount = deleted value key
    machine\SYSTEM\ControlSet002\Control\Session Manager\SetupExecute = deleted value key

> Quoting Buster:
> Do you plan on sharing Malware Defender's default registry rules? It would be nice!
Of course :D. Since there are about 200 rules, it will take me a couple more days to convert and organize them.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45008#45008 Wed Dec 09, 2009 2:16 pm
nick s: Try version 1.04 and let me know if the wildcard feature works as expected. Do you plan on sharing Malware Defender's default registry rules? It would be nice!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=45007#45007 Wed Dec 09, 2009 2:14 pm
Released Buster Sandbox Analyzer 1.04.
Change list:
Added support for network shares
Added a feature to allow wildcards in BSA.DAT
Added a feature to ignore when sandbox folder is not empty
Added a feature to check for updates on start
Updated LOG_API library

nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=44951#44951 Tue Dec 08, 2009 4:48 am
> Quoting Buster:
> Ok, I will add wildcard (*) support for: [AutoStart_Registry_Created_or_Modified] and [Custom_Registry_Entries]
Thank you :D.
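An added example, not BSA's own code, of the BSA.DAT matching Buster describes above: the search string only has to be contained in a RegDiff.TXT line, "*" may appear more than once, a trailing "*" is ignored, and (per the 1.03 change) the comparison is case-insensitive; it also carries out the Malware Defender "key; value" to "key\value<->reason" conversion nick s proposes later in the thread. First-match-wins rule order, the RegistryExclude.TXT semantics and the returned (reason, line) pairs in place of the real Analysis.TXT layout are assumptions of this example; the sample RegDiff lines and rules are constructed from the ones posted in the thread.

```python
# Added example (not part of BSA): BSA.DAT-style wildcard matching over
# RegDiff.TXT lines, plus conversion of Malware Defender rules.
import re

# Constructed RegDiff.TXT sample: two of nick s' ControlSet deletions, the
# winlogon\Shell entry Buster says Sandboxie itself creates, and a start
# page change like the one in Guest1's custom rule.
SAMPLE_REGDIFF = r"""
machine\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\SetupExecute = deleted value key
machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x
user\current\software\Microsoft\Internet Explorer\Main\Start Page = http://example.invalid/
"""

# Constructed [Custom_Registry_Entries] section in "key<->reason" form.
SAMPLE_RULES = r"""
[Custom_Registry_Entries]
machine\system\*Control*\Control\Session Manager\*<->Session Manager entry changed
user\current\software\Microsoft\Internet Explorer\Main\Start Page<->change start page
"""

# Constructed RegistryExclude.TXT with the entry Buster suggests shipping.
SAMPLE_EXCLUDE = r"machine\software\microsoft\windows nt\currentversion\winlogon\Shell"


def compile_rule(pattern):
    """Translate a BSA.DAT search string into a regex.

    A trailing '*' is dropped (a contained-substring search already allows
    anything after the match), every other '*' becomes '.*', and the
    literal pieces are escaped. re.search, not fullmatch, gives Buster's
    "contained, not equivalent" behaviour.
    """
    pieces = [re.escape(piece) for piece in pattern.rstrip("*").split("*")]
    return re.compile(".*".join(pieces), re.IGNORECASE)


def parse_rules(text):
    """Return [(regex, raw_pattern, reason)] from BSA.DAT-style lines.

    Section headers such as [Custom_Registry_Entries] and blank lines are
    skipped. File order is kept: the first matching rule wins (assumption),
    which is why Buster says to list the longest string first.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "<->" not in line:
            continue
        raw, reason = line.split("<->", 1)
        rules.append((compile_rule(raw), raw, reason))
    return rules


def parse_exclusions(text):
    """RegistryExclude.TXT: one search string per line, same matching rules."""
    return [compile_rule(l.strip()) for l in text.splitlines() if l.strip()]


def analyse(regdiff_text, rules, exclusions=()):
    """Match RegDiff.TXT lines against the rules; return [(reason, line)].

    Excluded lines (Sandboxie's own noise) are dropped before any rule is
    tried. The real Analysis.TXT layout is not shown on the page, so this
    just returns the pairs.
    """
    hits = []
    for line in regdiff_text.splitlines():
        if not line.strip() or any(ex.search(line) for ex in exclusions):
            continue
        for regex, _raw, reason in rules:
            if regex.search(line):
                hits.append((reason, line))
                break
    return hits


def convert_md_rule(md_rule, reason=None):
    """Malware Defender "key; value" (or bare key) -> BSA "key\\value<->reason".

    MD rules carry no explanation, so unless one is supplied the reason
    defaults to the value name, or the last key component for bare keys.
    """
    if "; " in md_rule:
        key, value = md_rule.split("; ", 1)
        return key + "\\" + value + "<->" + (reason or value)
    default = md_rule.rstrip("\\*").rsplit("\\", 1)[-1]
    return md_rule + "<->" + (reason or default)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for reason, line in analyse(SAMPLE_REGDIFF, rules, parse_exclusions(SAMPLE_EXCLUDE)):
        print(reason + ": " + line)
    print(convert_md_rule(r"\SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath"))
```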
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44949#44949 Tue Dec 08, 2009 4:32 am http://www.sandboxie.com/phpbb/viewtopic.php?p=44949#44949 ]]>Quoting nick s: ]]>I'm working on converting Malware Defender's default registry rules for use in BSA. Wildcards would also be useful in dealing with something like multiple ControlSet* entries: \SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath \SYSTEM\ControlSet*\Control\Lsa; Authentication Packages \SYSTEM\ControlSet*\Control\Lsa; Notification Packages ]]> Ok, I will add wildcard (*) support for: [AutoStart_Registry_Created_or_Modified] and [Custom_Registry_Entries] ]]>Quoting nick s: ]]>Note that the"; " preceding a value is still part of Malware Defender's syntax. Would the following be a correct conversion? from... \SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath to... \SYSTEM\ControlSet*\Control\BootVerificationProgram\ImagePath<->ImagePath ]]> Yes, apart of the "*" which is not supported yet, the rest would be a valid conversion. nick s: http://www.sandboxie.com/phpbb/viewtopic.php?p=44948#44948 Tue Dec 08, 2009 4:05 am http://www.sandboxie.com/phpbb/viewtopic.php?p=44948#44948 I'm working on converting Malware Defender's default registry rules for use in BSA. 
Wildcards would also be useful in dealing with something like multiple ControlSet* entries: \SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath \SYSTEM\ControlSet*\Control\Lsa; Authentication Packages \SYSTEM\ControlSet*\Control\Lsa; Notification Packages \SYSTEM\ControlSet*\Control\Lsa; Security Packages \SYSTEM\ControlSet*\Control\NetworkProvider\Order; ProviderOrder \SYSTEM\ControlSet*\Control\Print\Monitors\* \SYSTEM\ControlSet*\Control\SecurityProviders; SecurityProviders \SYSTEM\ControlSet*\Control\Session Manager; BootExecute \SYSTEM\ControlSet*\Control\Session Manager; Execute \SYSTEM\ControlSet*\Control\Session Manager; PendingFileRenameOperations \SYSTEM\ControlSet*\Control\Session Manager; S0InitialCommand \SYSTEM\ControlSet*\Control\Session Manager; SetupExecute \SYSTEM\ControlSet*\Control\Session Manager\KnownDLLs\* \SYSTEM\ControlSet*\Control\Terminal Server\Wds\rdpwd; StartupPrograms \SYSTEM\ControlSet*\Services \SYSTEM\ControlSet*\Services\*; ImagePath \SYSTEM\ControlSet*\Services\*; ServiceDll \SYSTEM\ControlSet*\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\* \SYSTEM\ControlSet*\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\* Note that the"; " preceding a value is still part of Malware Defender's syntax. Would the following be a correct conversion? from... \SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath to... \SYSTEM\ControlSet*\Control\BootVerificationProgram\ImagePath<->ImagePath Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44941#44941 Tue Dec 08, 2009 2:15 am http://www.sandboxie.com/phpbb/viewtopic.php?p=44941#44941 ]]>Quoting Rona: ]]>\Software\Microsoft\Internet explorer\Main\\*page \Software\Microsoft\Windows\Currentversion\Internet settings\*zones \Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects* \SOFTWARE\Microsoft\Windows*\CurrentVersion\Image File Execution Options* If wildcards are not supported I'll gonna had large list. 
> :cry:

Let's take this as example:

\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

There is only one "Browser Helper Objects*" registry key. That key has 3 entries:

{bf00e119-21a3-4fd1-b178-3b8537e75c92}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}

I guess it's more or less the same in your computer. Are you worried because you want to catch those 3 entries and you pretend to use \Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects* to do it? Or is it something different?

Rona: http://www.sandboxie.com/phpbb/viewtopic.php?p=44940#44940 Tue Dec 08, 2009 1:53 am

\Software\Microsoft\Internet explorer\Main\\*page
\Software\Microsoft\Windows\Currentversion\Internet settings\*zones
\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects*
\SOFTWARE\Microsoft\Windows*\CurrentVersion\Image File Execution Options*

If wildcards are not supported I'm gonna have a large list. :cry:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44939#44939 Tue Dec 08, 2009 1:35 am

Quoting Rona:
> > [Custom_Registry_Entries]
> > registry key<->reason to add it
>
> Can I use wildcard to add it??

No, wildcards are not supported. What do you have in mind? Could you put an example, please?

Rona: http://www.sandboxie.com/phpbb/viewtopic.php?p=44938#44938 Tue Dec 08, 2009 1:09 am

> [Custom_Registry_Entries]
> registry key<->reason to add it

Can I use wildcard to add it??

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44903#44903 Mon Dec 07, 2009 12:28 am

Released Buster Sandbox Analyzer 1.03.
Change list:

Updated BSA.DAT with new registry AutoStart locations
Added a feature to save user settings
Added a feature to include in Report.TXT the hashes of created files
Improved Report.TXT information
Updated LOG_API library
Fixed a few bugs in Buster Sandbox Analyzer

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44845#44845 Sun Dec 06, 2009 12:43 am

Quoting Guest1:
> Find it difficult to add the registry or maybe I was wrong.

There is a bug or a lack of information, as you prefer. The strings should be lowercased. In version 1.03 I will make them case insensitive.

Guest1: http://www.sandboxie.com/phpbb/viewtopic.php?p=44843#44843 Sun Dec 06, 2009 12:22 am

Find it difficult to add the registry or maybe I was wrong. For example I added in [Custom_Registry_Entries]:

machine\software\microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools<->Disable Registry Tools
user\current\software\Microsoft\Internet Explorer\Main\Start Page<->change start page

The malware analyzer module does not alert me about this.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44827#44827 Sat Dec 05, 2009 11:40 am

neo: In version 1.02 the MD5, SHA1 and SHA256 (finally I decided to include it because I saw it's being used in other sites already) of the file you start processing is optionally included in the report. You just need to supply the filename to obtain such info in Report.TXT. I will include an option in version 1.03 to also put in the report the hashes of the created files.

Newuser: Let me know if the "custom_registry_entries" feature satisfies your request.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44806#44806 Fri Dec 04, 2009 9:43 pm

Released Buster Sandbox Analyzer 1.02.
Change list:

Added MD5, SHA1 and SHA256 hashing when file to process is specified
Added custom registry entry checking
Added a feature to check for updates
Fixed a few bugs in Buster Sandbox Analyzer
Fixed a bug in LOG_API library

Buster: Re: Feature request http://www.sandboxie.com/phpbb/viewtopic.php?p=44795#44795 Fri Dec 04, 2009 5:15 pm

Thanks for your kind words, neo.

pcap: As you may know I started developing this project recently so I'm still adding the basic stuff to make it work properly. Capturing network traffic is something I had in mind to look at in the future but that will have to wait until I add other features I consider more urgent.

MD5, SHA1 and SHA256 hashing is something that I will add in the next version. I already had it on my to-do list. What I implemented already and will also be included in the next release is a check for new updates.

Batch processing: I may include this feature in the future, not sure. As BSA is designed there is no real benefit in having batch processing. The user must start/stop Sandboxie manually, therefore the advantage of having batch processing is not the same as, e.g., it has for Norman Sandbox Analyzer where user intervention is not required.

neo: Feature request http://www.sandboxie.com/phpbb/viewtopic.php?p=44793#44793 Fri Dec 04, 2009 4:44 pm

Tzuk and Buster,

Thanks and congratulations on your great work. Now, if I could make a few feature requests for BSA... It'd be nice to be able to have:

- a pcap of network traffic
- a MD5 of the files that are created next to the name/path
- batch processing.

That would be absolutely wonderful. Thanks again.
Newuser: http://www.sandboxie.com/phpbb/viewtopic.php?p=44786#44786 Fri Dec 04, 2009 2:04 pm

> [Custom_Registry_Entries]
> registry key<->reason to add it
>
> That way if the registry is used it will be reported in the analysis as:
>
> Reason to add it: registry key

That's a good idea, looking forward to new features :D

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44780#44780 Fri Dec 04, 2009 12:48 pm

Quoting Newuser:
> Yes, it is better that we can add our own custom registry entries or files to define as high risk.

Own custom registry entries is a good idea. I will add the feature. I had an idea about this. The format for user defined registry entries will be:

[Custom_Registry_Entries]
registry key<->reason to add it

That way if the registry is used it will be reported in the analysis as:

Reason to add it: registry key

That looks good, doesn't it? People could "contribute" their own custom registry entries and the reason to add it, so other users could use them too.

About defined files, I don't see any reason for that. Could you give any or an example, please?

Newuser: http://www.sandboxie.com/phpbb/viewtopic.php?p=44779#44779 Fri Dec 04, 2009 12:37 pm

Yes, it is better that we can add our own custom registry entries or files to define as high risk.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44776#44776 Fri Dec 04, 2009 12:10 pm

Quoting Newuser:
> Can I configure what registry entries are High risk actions??

I'm not sure I understand what you want. Do you want to add your own custom registry entries or define what registry entries already defined in BSA.DAT must be considered as high risk?
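The [Custom_Registry_Entries] format defined in the post above ("registry key<->reason to add it"), the "*" wildcard and case-insensitive matching that Buster says he will add for later versions, and the Malware Defender rule conversion discussed earlier in the thread, as an added example that is not BSA's own code. It assumes a rule matches anywhere inside the key path of a RegDiff.TXT line and that a RegDiff line is either "path = value" or one of the verbs listed in the file-differences post followed by a path; both are assumptions about BSA's behaviour.

```python
import re
from typing import List, Pattern, Tuple

SEPARATOR = "<->"

# Constructed [Custom_Registry_Entries] section (values taken from the thread's examples).
CUSTOM_REGISTRY_ENTRIES = r"""
machine\software\microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools<->Disable Registry Tools
user\current\software\Microsoft\Internet Explorer\Main\Start Page<->change start page
\SYSTEM\ControlSet*\Control\BootVerificationProgram\ImagePath<->ImagePath
\SYSTEM\ControlSet*\Services\*\ServiceDll<->ServiceDll
"""

# Constructed RegDiff.TXT lines (layout assumed; hive names use Sandboxie's
# machine\ and user\current\ translation described in the thread).
REGDIFF_SAMPLE = r"""
machine\software\microsoft\windows\currentversion\policies\system\DisableRegistryTools = 01000000
user\current\software\Microsoft\Internet Explorer\Main\Start Page = http://example.invalid/
machine\system\ControlSet001\Control\BootVerificationProgram\ImagePath = c:\example\bootverify.exe
created registry key machine\system\ControlSet002\Services\examplesvc\Parameters
machine\system\ControlSet001\Services\examplesvc\Parameters\ServiceDll = c:\example\svc.dll
user\current\software\Microsoft\Windows\CurrentVersion\Applets\Regedit\FindFlags = 0E000000
"""

REGDIFF_VERBS = ("created registry key", "deleted registry key",
                 "empty value key", "deleted value key")


def convert_md_rule(rule: str) -> str:
    """Convert a Malware Defender rule ("key; Value") into BSA's "key\\Value<->Value"
    form, the conversion nick s proposed. A rule with no "; Value" part keeps the
    whole key as the reason (assumption, the thread shows only the "; Value" case)."""
    if ";" in rule:
        key, value = (part.strip() for part in rule.split(";", 1))
        return f"{key}\\{value}{SEPARATOR}{value}"
    key = rule.strip()
    return f"{key}{SEPARATOR}{key}"


def parse_custom_entries(text: str) -> List[Tuple[Pattern, str, str]]:
    """Turn each "key<->reason" line into (compiled pattern, key, reason).
    "*" matches any run of characters, backslashes included, so "ControlSet*"
    covers ControlSet001, ControlSet002, ...; everything else is literal and
    compared lower-cased, i.e. case-insensitively."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or SEPARATOR not in line:
            continue  # blank or malformed entries are ignored
        key, reason = line.split(SEPARATOR, 1)
        regex = ".*".join(re.escape(part) for part in key.lower().split("*"))
        rules.append((re.compile(regex), key, reason))
    return rules


def registry_path(regdiff_line: str) -> str:
    """Extract the key path from a RegDiff.TXT line (layout assumed, see lead-in)."""
    line = regdiff_line.strip()
    for verb in REGDIFF_VERBS:
        if line.lower().startswith(verb):
            line = line[len(verb):].strip()
            break
    return line.split(" = ", 1)[0]


def analyze_regdiff(regdiff_lines, rules) -> List[str]:
    """Report every RegDiff line hit by a rule as "reason: key", the shape the
    thread gives ("Reason to add it: registry key"); the key reported is the
    path actually seen in the diff, so wildcard hits show the concrete key."""
    hits = []
    for line in regdiff_lines:
        path = registry_path(line)
        if not path:
            continue
        for regex, _key, reason in rules:
            if regex.search(path.lower()):
                hits.append(f"{reason}: {path}")
                break  # one report per changed key
    return hits


if __name__ == "__main__":
    rules = parse_custom_entries(CUSTOM_REGISTRY_ENTRIES)
    for hit in analyze_regdiff(REGDIFF_SAMPLE.splitlines(), rules):
        print(hit)
```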
Newuser: http://www.sandboxie.com/phpbb/viewtopic.php?p=44775#44775 Fri Dec 04, 2009 10:30 am

Can I configure what registry entries are High risk actions??

ApoNie: http://www.sandboxie.com/phpbb/viewtopic.php?p=44774#44774 Fri Dec 04, 2009 10:25 am

I'm interested in joining to develop BSA, can you give the full source code, maybe I can take care of the report's result and program interface :) You can add me at Yahoo Messenger, s h a h r i r 1 9 9 9 at yahoo.com (remove space). We can discuss further there.. ;)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44614#44614 Tue Dec 01, 2009 4:16 pm

Buster Sandbox Analyzer has a web. Ugly, I know, but a web. :) You can visit it here: http://bsa.qnea.de/

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44475#44475 Sat Nov 28, 2009 4:11 pm

Released Buster Sandbox Analyzer 1.01.

Change list:

Added backdoor and keylogger detection capabilities
Added Event and Service creation detection capabilities
Added malware analyzer detection capabilities
Added the option of visualizing report files directly from the tool
Fixed a bug related to the creation of port differences

As usual the current version can be downloaded from http://bsa.qnea.de/bsa.rar

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44236#44236 Tue Nov 24, 2009 8:17 am

Tester: Thanks for the report! I can reproduce the bug. It will be fixed in the next release.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44235#44235 Tue Nov 24, 2009 7:58 am

Quoting Mark_:
> and some random comments about your dll:
> you hooked for example _lopen in kernel32, but that in turn simply calls CreateFileA (which calls CreateFileW)
> it looks like you built the dll in a debug build? (this is bad for performance)
> you load psapi.dll but you never release it (FreeLibrary)
> the dll name is hardcoded, it might be useful for anti detection purposes to rename it, any functions depending on its name could fail due to it not being found with its default name.
> you call WSAStartup once (you control this once through a bool, use DLL_PROCESS_ATTACH instead?) yet you never call WSACleanup. (why call startup in the first place, not like you have to initialize connections?)

I didn't code that DLL. It has been coded by David Zimmer when he was working for iDefense Labs (http://labs.idefense.com/). David released the DLL as part of the SysAnalyzer package: http://labs.idefense.com/software/malcode.php

I don't know how to code in C++. I have modified the source intuitively to adapt it to my needs. Seems like you know C++ and know how to fix those problems you comment on. If you don't mind we can be in touch by mail and talk about fixing the problems. Is it ok? Please, mail me at the mail address that appears in the tool.

About the anti-detection... malware coders will detect Sandboxie. I think it will not change anything if the API logger DLL has a static name.

Tester: http://www.sandboxie.com/phpbb/viewtopic.php?p=44230#44230 Tue Nov 24, 2009 2:49 am

http://www.ld-host.de/uploads/images/87aa5bdba7c27243751c1ede8ffd54ff.jpg

Problem to create file when pressing "Check Port" then clicking "Find Differences" buttons.
Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=44227#44227 Tue Nov 24, 2009 2:30 am

Quoting Buster:
> Quoting Mark_:
> > I uploaded the dll through the gui as suspected false positive, it might be an idea to also upload it on the site somewhere, with an explanation of the purpose :)
>
> Sorry but I'm not sure I understand what you mean. Could you explain again with other words?

it might be useful for speedy removal of the false positive that triggers log_dll as virus, if you mail the file to their customer support with an explanation about the file.

and some random comments about your dll:
you hooked for example _lopen in kernel32, but that in turn simply calls CreateFileA (which calls CreateFileW)
it looks like you built the dll in a debug build? (this is bad for performance)
you load psapi.dll but you never release it (FreeLibrary)
the dll name is hardcoded, it might be useful for anti detection purposes to rename it, any functions depending on its name could fail due to it not being found with its default name.
you call WSAStartup once (you control this once through a bool, use DLL_PROCESS_ATTACH instead?) yet you never call WSACleanup. (why call startup in the first place, not like you have to initialize connections?)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44225#44225 Tue Nov 24, 2009 1:39 am

Quoting Mark_:
> I uploaded the dll through the gui as suspected false positive, it might be an idea to also upload it on the site somewhere, with an explanation of the purpose :)

Sorry but I'm not sure I understand what you mean. Could you explain again with other words?
Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=44224#44224 Tue Nov 24, 2009 1:37 am

I uploaded the dll through the gui as suspected false positive, it might be an idea to also upload it on the site somewhere, with an explanation of the purpose :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44206#44206 Mon Nov 23, 2009 8:38 pm

Quoting UPieper:
> Hi Buster,
> for info: Avira flags log_api.dll as backdoor. I also did a scan at Virustotal:
> File LOG_API.DLL received on 2009.11.23 19:39:02 (UTC)
> Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
> Result: 7/41 (17.08%)
> Regards UP

LOG_API.DLL hooks several APIs, that's why some antivirus may detect it heuristically.

UPieper: http://www.sandboxie.com/phpbb/viewtopic.php?p=44197#44197 Mon Nov 23, 2009 7:52 pm

Hi Buster,
for info: Avira flags log_api.dll as backdoor. I also did a scan at Virustotal:

File LOG_API.DLL received on 2009.11.23 19:39:02 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 7/41 (17.08%)

Regards UP

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44189#44189 Mon Nov 23, 2009 6:49 pm

I have released Buster Sandbox Analyzer 1.0. You can download it from here: http://bsa.qnea.de/bsa.rar

Several new things have been introduced with respect to the last published beta release. Reading the manual is necessary in order to configure the tool properly. If someone has any doubt I'll be glad to give explanations.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44187#44187 Mon Nov 23, 2009 6:45 pm

Quoting UPieper:
> a very useful tool indeed.
> A small suggestion I have is to add two buttons in the GUI "Open FileDiff" and "Open RegDiff"...

Ok, I will consider it.

UPieper: http://www.sandboxie.com/phpbb/viewtopic.php?p=44185#44185 Mon Nov 23, 2009 4:49 pm

Hi Buster,
a very useful tool indeed. A small suggestion I have is to add two buttons in the GUI "Open FileDiff" and "Open RegDiff"...
Greetings,

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44155#44155 Mon Nov 23, 2009 7:08 am

No problem! Blind testers are welcome too! :P

UPieper: http://www.sandboxie.com/phpbb/viewtopic.php?p=44154#44154 Mon Nov 23, 2009 7:07 am

God... I must be blind! :shock:

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44153#44153 Mon Nov 23, 2009 7:04 am

URL has been posted in this thread.

UPieper: http://www.sandboxie.com/phpbb/viewtopic.php?p=44152#44152 Mon Nov 23, 2009 6:13 am

Hi Buster,
Great... but I can't find a download link in this thread? :wink:
Greetings, UP

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44143#44143 Sun Nov 22, 2009 11:09 pm

Quoting UPieper:
> That looks very interesting... If you need any beta testers, I'm ready :-)

You are welcome as tester, of course! All the help will be really appreciated. You have a beta version available. Did you try it already? Just let me know any bugs, suggestions, requests, ... you have.

tzuk has been so kind as to add the feature I requested so I expect to release the 1.0 version really soon... a couple of days, maybe less.

btw... you joined in 2007 and you only published 9 messages. Amazing!
:)

UPieper: http://www.sandboxie.com/phpbb/viewtopic.php?p=44139#44139 Sun Nov 22, 2009 9:56 pm

That looks very interesting... If you need any beta testers, I'm ready :-)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=44118#44118 Sun Nov 22, 2009 7:23 pm

I found an elegant solution to avoid having the API logger as an external module. In the current beta version the API logger is included inside Buster Sandbox Analyzer. The solution was to use Sandboxie to inject the API logger DLL into sandboxed processes.

The manual is almost finished.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43726#43726 Sat Nov 14, 2009 4:17 pm

While I wait for the inclusion of the feature I requested I have continued improving the tool. I have included an API logger in the package that can help to obtain additional valuable information from the analyzed programs.
Here you can see a report generated from a variant of the Bagle worm:

[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "AppData=D:\Documents and Settings\Test\Datos de programa" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  old value "AppData=D:\DOCUME~1\Test\Datos de programa"
* Modifies value "SavedLegacySettings=3C0000004E000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  old value "SavedLegacySettings=3C0000004D000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"

[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
* Connects to "74.125.79.114 (1e100.net)" on port 25 (TCP).
* Connects to "64.12.138.57 (aol.com)" on port 25 (TCP).
* Connects to "72.167.238.201 (secureserver.net)" on port 25 (TCP).

[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
* Creates a mutex (null).
* Creates a mutex RasPbFile.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43214#43214 Thu Nov 05, 2009 7:30 am

Quoting Mark_:
> you might wanna take a look at sqlite for storing signatures, and maybe make some simple server/client protocol where u can submit locally created rules to a central server

It's not in my plans to create an anti-malware product.

Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=43209#43209 Thu Nov 05, 2009 2:24 am

you might wanna take a look at sqlite for storing signatures, and maybe make some simple server/client protocol where u can submit locally created rules to a central server

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43187#43187 Wed Nov 04, 2009 9:48 pm

Buster Sandbox Analyzer is working fine. In the next thread you can see the results of the first "field test" I did with it: http://sandboxie.com/phpbb/viewtopic.php?t=6591

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43123#43123 Tue Nov 03, 2009 12:20 pm

I guess I should write a manual. I dislike executable setups. I prefer "portable" tools.

Ruhe: http://www.sandboxie.com/phpbb/viewtopic.php?p=43122#43122 Tue Nov 03, 2009 12:09 pm

Hi Buster,
even if the current version only consists of two files - a documentation in .txt or .pdf could be added too - do you think it could be useful to offer an executable setup? I know from experience that some (inexperienced) users prefer a setup.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43107#43107 Mon Nov 02, 2009 9:27 pm

Thanks, tzuk! When you implement the message log file feature BSA will be more accurate.

BSA is, apart from nice, very cheap.
Probably many people don't know that the most similar tool to BSA is Norman Sandbox Analyzer (http://www.norman.com/enterprise/all_products/malware_analyzer/norman_sandbox_analyzer/en-us) and it costs around 12.000 euros for a one year license. Of course Norman's product is more advanced as it has been developed for some years by anti-malware professionals. Anyway I think that with a bit of work we can make of BSA a tool worth having.

tzuk: http://www.sandboxie.com/phpbb/viewtopic.php?p=43105#43105 Mon Nov 02, 2009 9:10 pm

Buster, I tried your tool, very nice. Now I understand what you plan to do with the message log file. :)

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43086#43086 Mon Nov 02, 2009 3:46 pm

Quoting Mark_:
> also, this item is listed while it is from sandboxie itself:
> Defined registry entry added to AutoStart location: machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x

I wrote about that:

Important: Some registry and value keys are modified by Sandboxie not by sandboxed processes. I suggest running CALC.EXE (or any other program that does not modify the registry) and adding strings from the resulting RegDiff.TXT to the exclusion list.

Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=43081#43081 Mon Nov 02, 2009 3:32 pm

you should list those items imo, maybe some kinda exploit is used to hide the modifications (example: embedded null in registry keys)

also, this item is listed while it is from sandboxie itself:
Defined registry entry added to AutoStart location: machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43080#43080 Mon Nov 02, 2009 3:09 pm

BSA 1.0 beta 2 released. Download link remains the same.
Changes: Added rules for empty/deleted value keys in registry.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43067#43067 Mon Nov 02, 2009 8:31 am

Additional notes:

BSA reflects the changes that would be made to the system. Temporary changes are not shown, e.g. if a file is created inside the sandbox and later is deleted before processes are terminated. The same for registry entries.

If a registry value is changed and then changed again and finally the value is the same as the entry from the real registry, the change will be reflected anyway. I'm considering not showing that kind of entry. Should I show it even if finally it's equal to the value from the real registry or should I skip it? Any thoughts about this?

Even if the primary goal of BSA is to analyze if sandboxed processes behave like malware, tzuk gave me an interesting idea: BSA could be used to "undo" the effects of malware. And as mentioned already, BSA can be used just to see what changes to the system were done.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=43059#43059 Mon Nov 02, 2009 12:34 am

Buster Sandbox Analyzer 1.0 beta has been released. You can get it from here: http://bsa.qnea.de/bsa.rar

I edited the previous posts to reflect some changes I did since I wrote the information.

Ideas, suggestions, bug reports, ... are welcome!

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=42990#42990 Sat Oct 31, 2009 6:53 pm

I'm afraid I can not do that from outside the sandbox or at least I don't know how to code such a thing.

(no author name): http://www.sandboxie.com/phpbb/viewtopic.php?p=42970#42970 Sat Oct 31, 2009 9:59 am

Hi Buster,
Actually you would implement the features tzuk somehow considered unnecessary... I do think he's wrong, but might be me too.
With a tool like this one can actually see what's going on in his favorite sandbox :) The only question could be about host process reading attempts and a possible realtime warning like:

    ---------------------
    BSA WARNING
    ---------------------
    Sandboxie <ANALYSIS>
    Process <c:\windows\Explorer.exe>
    Details (PID=3888, size=15368KB, ran by Admin)
    is trying to write data at a restricted area\path <c:\>.
    <A>llow <D>eny <T>erminate

Keep up

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=42966#42966 Sat Oct 31, 2009 6:53 am

I plan to release 1.0 beta this weekend. I still must do some checks under Windows 7.

Mark_: http://www.sandboxie.com/phpbb/viewtopic.php?p=42960#42960 Sat Oct 31, 2009 12:13 am

a download link would be nice, for starters ^^, also, it might be useful to have a config editor, and to remove the needed empty line.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=42959#42959 Fri Oct 30, 2009 8:42 pm

I'm open to feature requests, suggestions and bug reports. Just post here and let me know.

When tzuk adds the feature I requested I will release the BSA 1.0 final version. Meanwhile I plan to betatest the actual version. People like raid may help to improve malware detection rules.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=42957#42957 Fri Oct 30, 2009 8:38 pm

BSA.DAT format:

The malware analyzer module is a bit flexible and can be customized by the user.
[File_Types_Copied_Windows]: Here the user defines what file types (extensions) that get copied into the Windows folder must raise an alert. By default .exe, .dll and .sys are watched. Other interesting file types to watch could be .VBS e.g.
Why this? Many malwares copy their components into the Windows folder.

[File_Types_Modified]: Here the user defines what file types that are modified must be watched. By default .exe and .dll files are watched.
Why this? Modifying an .exe is a typical action of viruses.

[File_Types_Copied_AutoStart]: Here we define what file types must be watched when copied to AutoStart locations. An AutoStart location is e.g. the startup folder. By default .exe and .dll files are watched.
Why this? It's typical of malwares to get their components included in autostart locations so they run when Windows loads.

[AutoStart_Files_Added_or_Modified]: Here we define what autostart files must be watched when added to disk or modified. By default the list of autostart files is:

win.ini
system.ini
wininit.ini
winstart.bat
dosstart.bat
autoexec.nt
config.nt
autoexec.bat
config.sys
autorun.inf

Why this? Another method of malwares to get running when Windows loads is adding themselves to one of those files.

[AutoStart_Registry_Created_or_Modified]: Here we define what registry autostart locations to watch. The list is a bit large so I will not put it here. Just as example: \software\microsoft\windows\currentversion\run
Why this? It's very typical of malwares to add themselves into a registry autostart location so they get loaded when Windows boots.

If you want to include new file types to watch or registry autostart locations or whatever feel free to do it. You can also remove or edit the actual values. You just need to know that after a section "[blablabla]" you must include all the values and there can not be an empty space between them. An empty line must be included between the last value and the next section.
    [File_Types_Copied_AutoStart]
    .exe
    .dll
    .sys

    [AutoStart_Files_Added_or_Modified]

That's fine.

    [File_Types_Copied_AutoStart]
    .exe
    .dll
    .sys
    [AutoStart_Files_Added_or_Modified]

    [File_Types_Copied_AutoStart]
    .exe

    .dll
    .sys

    [AutoStart_Files_Added_or_Modified]

That's wrong and the malware analyzer module will not work properly.

Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=42956#42956 Fri Oct 30, 2009 8:22 pm

File differences format:

There are 3 difference files: FileDiff.TXT, RegDiff.TXT and PortDiff.TXT

In FileDiff.TXT there are 4 symbols used as the first char of every line.

"+" represents a new file: A file that is not present in the real disk so it's created.
"-" represents a deleted file: A file that was present in the real disk and that was deleted.
"~" represents a modified file: A file that was changed.
"=" represents a copied file: Sandboxie copied a file inside the sandbox. This doesn't represent any change.

Temporary files (files that are created and later deleted) can not be represented at the moment. Probably it would be necessary to use an injected DLL to catch that kind of files.

In RegDiff.TXT you can find the next information:

"created registry key": The registry key was created.
"deleted registry key": The registry key was deleted.
"empty value key": The value of a key was removed.
"deleted value key": The value of a key was deleted.

When the content of a value changes you get something like:

user\current\software\Microsoft\Windows\CurrentVersion\Applets\Regedit\FindFlags = 0E000000

Important: Some registry and value keys are modified by Sandboxie not by sandboxed processes. I suggest running CALC.EXE (or any other program that does not modify the registry) and adding strings from the resulting RegDiff.TXT to the exclusion list.
Buster: http://www.sandboxie.com/phpbb/viewtopic.php?p=42953#42953 Fri Oct 30, 2009 8:08 pm

Exclusion list:

The exclusion list is a set of strings that the user wants to be excluded from results. All lines containing a string that appears in the exclusion list will be removed from reports. You can define exclusions for files, registry and ports.

There is an exclusion list editor included in BSA but the files can be directly edited with any text editor.

File exclusion strings are not sandbox path relative. This means you must specify the path or file as it will appear in the real disk. e.g.:

C:\pagefile.sys would be ok
C:\SandBox\ExampleUser\DefaultBox\drive\C\pagefile.sys would not be ok.

The registry exclusion list uses relative strings. Sandboxie will "translate" HKEY_CURRENT_USER to user\current\ and HKEY_LOCAL_MACHINE to machine\. To avoid mistakes you should take strings directly from RegDiff.TXT and include them in the exclusion list.

The exclusion list is case insensitive.

Buster: Buster Sandbox Analyzer http://www.sandboxie.com/phpbb/viewtopic.php?p=42951#42951 Fri Oct 30, 2009 7:17 pm

I edit the first post to include information about where to download the tool.

Official site is: http://bsa.isoftware.nl

And the tool can be downloaded from:
http://bsa.novirusthanks.org/downloads/bsa.rar
http://www.woodmann.com/virusbuster/bsa.rar

Actual version: 1.88
MD5: c5b4fba39d6c8250311d8333633893ce

--- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x ---

Hi.

As commented already I decided to change the name of my tool because the purpose of it changed. The tool will now be named Buster Sandbox Analyzer or BSA for short.

The main goal of the tool will be to analyze the behaviour of sandboxed processes and decide if the changes made to the system may be malware suspicious.
It can also be used just to check what changes (files and registry) were made to the system.

Instructions to run BSA:

Of course, in order to run BSA, Sandboxie must be installed and running properly. BSA does not require installation. Just create a folder and copy BSA.EXE and BSA.DAT inside. When you run BSA you can see this:

[img]http://img413.imageshack.us/img413/292/38465994.jpg[/img]

To start working with the tool you just need to specify which sandbox folder you will work with. You must specify the complete path to the sandbox folder, e.g. for the DefaultBox it would be something like:
C:\Sandbox\ExampleUser\DefaultBox

You will only have to specify the sandbox path once. When you close BSA the program will automatically remember the sandboxes used. This information will be stored under the \CONFIG folder with the name BSA.INI.

The sandbox folder must exist and must be empty. BSA will check that both conditions are met, and if either of them is not, BSA will warn about it.

When you are ready to start working with the tool press the "Start" button. If the sandbox folder exists and the folder is empty, BSA will be ready for the next step. After pressing "Start" two buttons get enabled. Now is the moment to sandbox whatever you want. If you are interested in getting port differences press the "Check Ports" button; if not, just skip it.

When you are done, terminate all sandboxed processes and then click "Find Differences". If Sandboxie is still in use BSA will warn about that. At this point, if you are only interested in getting the changes made to the system, you can quit BSA. You will find FileDiff.TXT, RegDiff.TXT and PortDiff.TXT (when available) in BSA's folder. You can open those files with any text editor because they are plain text.

If you are interested in the malware analysis, click the button. BSA will perform several checks on the changes made to the system looking for malware behaviour. At the moment some of the checks are not available.
When you close the malware analyser, the results of the analysis will be saved to ANALISIS.TXT.

In the next message I will explain the exclusion list, the BSA.DAT format and the file differences format.
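The two posts above describe the FileDiff.TXT / RegDiff.TXT line formats and the exclusion-list rules (case-insensitive substring match, real-disk paths for files, Sandboxie's user\current\ and machine\ root names for the registry). The following script, added here as an illustration and not part of BSA or Sandboxie, post-processes those reports the way BSA's exclusion list does: it drops "=" (copied) entries, removes excluded lines, translates HKEY_* roots into the names Sandboxie uses, maps a container path such as <box>\drive\C\... back to C:\..., and derives a baseline exclusion list from a do-nothing run as the post recommends. Everything beyond what the posts state is an assumption: the thread does not give the exact layout of a RegDiff.TXT line, so the parser assumes "<event>: <key>" for the four quoted events and "<key> = <data>" for a changed value; the HKCU/HKLM aliases and the exclusion-file comment syntax are assumed too, and all sample data is constructed.

```python
"""Post-process BSA difference reports with an exclusion list.

Added example, not BSA's own code. Assumptions not stated in the thread:
- FileDiff.TXT lines are "<symbol><path>" with symbol in + - ~ =
- RegDiff.TXT lines are "<event>: <key>" for the four quoted events,
  or "<key> = <data>" for a changed value
- exclusion lists hold one substring per line; '#' starts a comment
"""
from __future__ import annotations

FILE_SYMBOLS = {"+": "created", "-": "deleted", "~": "modified", "=": "copied"}
REG_EVENTS = ("created registry key", "deleted registry key",
              "empty value key", "deleted value key")
# Root translation as described in the post; the HKCU/HKLM aliases are assumed.
REG_ROOTS = {"HKEY_CURRENT_USER": "user\\current", "HKCU": "user\\current",
             "HKEY_LOCAL_MACHINE": "machine", "HKLM": "machine"}


def to_sandboxie_key(key: str) -> str:
    """HKEY_CURRENT_USER\\Software\\X -> user\\current\\Software\\X (unknown roots untouched)."""
    root, _, rest = key.partition("\\")
    mapped = REG_ROOTS.get(root.upper())
    if mapped is None:
        return key
    return f"{mapped}\\{rest}" if rest else mapped


def to_real_path(sandbox_root: str, path: str) -> str:
    """Strip a Sandboxie container prefix: <root>\\drive\\C\\x -> C:\\x (case-insensitive)."""
    prefix = sandbox_root.rstrip("\\").lower() + "\\drive\\"
    if not path.lower().startswith(prefix):
        return path
    drive, _, rest = path[len(prefix):].partition("\\")
    return f"{drive.upper()}:\\{rest}"


def load_exclusions(text: str) -> list[str]:
    """One substring per line, lower-cased because matching is case-insensitive."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_excluded(line: str, exclusions: list[str]) -> bool:
    low = line.lower()
    return any(ex in low for ex in exclusions)


def parse_filediff(text: str, exclusions: list[str]) -> list[tuple[str, str]]:
    """(event, path) for every change surviving the exclusions. '=' lines are
    Sandboxie copies, not changes, and are dropped; an unknown symbol is an error."""
    out = []
    for ln in text.splitlines():
        if not ln.strip():
            continue
        sym, path = ln[0], ln[1:].strip()
        if sym not in FILE_SYMBOLS:
            raise ValueError(f"unknown FileDiff symbol in line: {ln!r}")
        if sym == "=" or is_excluded(path, exclusions):
            continue
        out.append((FILE_SYMBOLS[sym], path))
    return out


def parse_regdiff(text: str, exclusions: list[str]) -> list[tuple[str, str, str]]:
    """(event, key, data); data is '' except for 'value changed' lines."""
    out = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or is_excluded(ln, exclusions):
            continue
        low = ln.lower()
        event = next((e for e in REG_EVENTS if low.startswith(e + ":")), None)
        if event:
            out.append((event, ln[len(event) + 1:].strip(), ""))
        elif " = " in ln:
            key, _, data = ln.partition(" = ")
            out.append(("value changed", key.strip(), data.strip()))
        else:
            raise ValueError(f"unrecognised RegDiff line: {ln!r}")
    return out


def baseline_exclusions(regdiff_text: str) -> list[str]:
    """Keys touched by a do-nothing run (the post suggests CALC.EXE): Sandboxie's
    own housekeeping, ready to be appended to the registry exclusion list."""
    return sorted({key for _, key, _ in parse_regdiff(regdiff_text, [])}, key=str.lower)


# Constructed sample data, not real BSA output.
SAMPLE_FILEDIFF = "\n".join([
    "+C:\\Users\\Example\\AppData\\Roaming\\dropper.exe",
    "~C:\\Windows\\System32\\drivers\\etc\\hosts",
    "=C:\\Windows\\System32\\kernel32.dll",
    "-C:\\Users\\Example\\Desktop\\sample.exe",
    "+C:\\pagefile.sys",
])
SAMPLE_REGDIFF = "\n".join([
    "created registry key: user\\current\\software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "user\\current\\software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit\\FindFlags = 0E000000",
    "deleted value key: machine\\software\\Example\\Flag",
])
SAMPLE_EXCLUSIONS = "# noise seen in a CALC.EXE run\nC:\\PAGEFILE.SYS\nApplets\\Regedit\n"


def demo():
    ex = load_exclusions(SAMPLE_EXCLUSIONS)
    return parse_filediff(SAMPLE_FILEDIFF, ex), parse_regdiff(SAMPLE_REGDIFF, ex)


if __name__ == "__main__":
    files, regs = demo()
    for ev, p in files:
        print(f"{ev:9} {p}")
    for ev, k, d in regs:
        print(f"{ev}: {k}{' = ' + d if d else ''}")
```

Note the order of operations: the pagefile entry is dropped even though the exclusion is written in upper case, the FindFlags line is dropped by a partial key ("Applets\Regedit") just as BSA's substring rule allows, and an unrecognised leading symbol raises instead of being silently skipped, so a corrupted report is noticed rather than under-reported.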
