Trust No Program
Buster


Joined: 06 Aug 2007
Posts: 2185
Notes about 1.68 release:

Added support to analyze URLs from command line

To run BSA from the command line and analyze a URL or a file with URLs, you must supply the amount of time for analysis and the URL or file with URLs, like this:

BSA.EXE -s 30 -url http://bsa.isoftware.nl

BSA.EXE -m 2 -url c:\example\urls.txt


Added support for FakeNet

"FakeNet is a Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst."

If you do not want to use your real internet connection while you analyze malware but you still want to get network information anyway, then FakeNet is a good solution.

You can get it from here: http://sourceforge.net/projects/fakenet/

FakeNet is a portable application so just decompress ZIP archive to a folder.

After decompressing the archive, edit FakeNet.cfg. Change the line containing the string "OutputOptions DumpOutput:No Fileprefix:output" for "OutputOptions DumpOutput:Yes Fileprefix:output".

Editing FakeNet.cfg is very important!

If you do not edit the file, BSA will freeze because it will be waiting for the output log file.


Updated ssdeep tool to version 2.8

I noticed there was a new version of ssdeep, so I included it in the package.


Updated BSA.DAT

I included new entries to "[Custom_LogAPI_Entries]" section.


Updated LOG_API

I included a new watched API and fixed a bug in LOG_API 64-bit version.

Note: I got a report from a Wilders Security forum user commenting that Keyscrambler may cause trouble for the LOG_API 64-bit version. The DLL will crash if Keyscrambler is running. No crashes when Keyscrambler is not running.
Buster


Joined: 06 Aug 2007
Posts: 2185
Next Buster Sandbox Analyzer release will contain the last feature in my TO-DO list: generate statistics.

It will be like this:

Buster


Joined: 06 Aug 2007
Posts: 2185
Released Buster Sandbox Analyzer 1.69.

Changes:

+ Added a feature to generate statistics
+ Updated “Report Manager” feature
+ Updated LOG_API
+ Fixed several bugs
Buster


Joined: 06 Aug 2007
Posts: 2185
Notes about 1.69 release:

Added a feature to generate statistics

In "SQL > Report Manager > Tools" there is a new option under "Statistics".

You can generate Top 10 PE Packers Identified by PEid and Exeinfo. You can also generate Top 10 Threats Identified by each antivirus product used by VirusTotal.

If anyone has any idea about more statistics I may include, just let me know.


Updated “Report Manager” feature

Since I coded the "Report Manager" feature, VirusTotal dropped 5 scanning engines (Authentium, eTrust Vet, McAfee-Artemis, Prevx and Sunbelt) and introduced 5 new ones (Commtouch, SUPERAntiSpyware, TotalDefense, TrendMicro-HouseCall and VIPRE).

I updated "Report Manager" to support new engines.

Note: This change produces an incompatibility between SQLite DBs generated with BSA 1.68 and previous versions, and BSA 1.69.


Updated LOG_API

I changed an API that was causing crashes in sandboxed programs.


Fixed several bugs

The "FakeNet Mode" feature had a problem in Windows 7: BSA was waiting for FakeNet's initialization forever.
Buster


Joined: 06 Aug 2007
Posts: 2185
Released Buster Sandbox Analyzer 1.70.

Changes:

+ Added new malware behaviours
+ Improved “Additional Information” feature
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Added German language translation (thanks to AV-Comparatives)
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated HexDive
+ Updated SIGNSRCH.SIG
Buster


Joined: 06 Aug 2007
Posts: 2185
Notes about 1.70 release:

Added new malware behaviours

The chances to catch malware behavior through the use of BSA.DAT definitions have been increased.

When the "Dump Executable Processes" and "Extract Strings From Dumps" options are enabled, BSA will look for matches of the "[File_Strings]" section in the files containing strings extracted from the dumped binaries.

This static analysis improvement is very important because it allows catching behaviors that otherwise could not be caught. Why? Because certain functions of malware will not be executed during an automatic analysis. The reasons are many, so it's out of the question to discuss them. Let's take just one example to explain the importance of this new feature:

It's unlikely the computer we use to analyze malware has a modem. That means if a malware has dial-up login/password stealing capabilities, the function that retrieves the information (e.g. using the LsaRetrievePrivateData function) will not be executed, because when the malware looks for information (e.g. using RasEnumEntries) it will not find anything to steal, so the stealing function will not be executed.

So how to catch the stealing function? By looking for strings like "LsaRetrievePrivateData" or "L$_RasDefaultCredentials" in analyzed and dumped binaries.

The same principle can be applied to code. How to catch certain anti-debugging or anti-VMware code? For this situation I included Luigi Auriemma's Signsrch tool.

From version 1.70 BSA will include specific information in reports extracted from Signsrch logs. Signsrch utility will be run over analyzed and dumped binaries.

I hope you understand now the importance of dumps in malware analysis.


Improved “Additional Information” feature

64-bit applications information has been included.


Updated BSA.DAT - Updated LOG_API - Updated HexDive - Updated SIGNSRCH.SIG

In BSA.DAT I have included new definitions for the registry and file string sections.

I have included the logging of a new API in LOG_API.

I updated Hexacorn's HexDive to version 0.2.

I modified Signsrch's signature file, removing a few entries and adding new ones related to anti-debugging and virtual machine detection.
Scrapie


Joined: 18 May 2011
Posts: 49
Hi there

I get an Access violation error at address 65720000 with this version under Windows 7 Prof.


Scrapie
Buster


Joined: 06 Aug 2007
Posts: 2185
Scrapie wrote:
Hi there

I get an Access violation error at address 65720000 with this version under Windows 7 Prof.


Scrapie


Redownload the package and try again, please. Let me know if it works or not.
Scrapie


Joined: 18 May 2011
Posts: 49
No, still not working.
I can pinpoint it down to the option "Extract APIs from Dumps". If it is enabled I get the error. If it is disabled, it works just fine.

Windows 7 Prof 32-bit


Cheers,
Scrapie
Buster


Joined: 06 Aug 2007
Posts: 2185
Scrapie wrote:
No, still not working.
I can pinpoint it down to the option "Extract APIs from Dumps". If it is enabled I get the error. If it is disabled, it works just fine.


Did you check if the problem happens with all files or only 1?
BarbaraComins


Joined: 28 Jun 2012
Posts: 1
Location: Chelsea
It is really helpful and I would like to thank you for the contribution and support.

Usedcars
Scrapie


Joined: 18 May 2011
Posts: 49
Doesn't matter if I use 1 sample or 100. Every time I enable that option I get the error. If I take it out, BSA runs fine for the whole day and does a great job.
I'm using the standard 32-bit API-DLL if that helps...


Scrapie
Scrapie


Joined: 18 May 2011
Posts: 49
Oh and another thing I came across yesterday:

When upgrading, I have to back up my old BSA.DAT and copy all my entries (short example below) into your new BSA.DAT, because this file gets updated by you and I don't want to miss the changes you make to it.
Two versions of BSA.DAT would be good: one that comes officially from you (for example BSA.DAT) and then another version (for example User_BSA.DAT) where users can add their entries, which will survive an update without stuffing around and copying a whole lot of entries from the old to the new DAT.


Cheers,
Scrapie



Code:
[Custom_LogAPI_Entries]
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
NetShareEnum(127.0.0.1)<->Enables Local File Sharing
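One way the two-file scheme proposed above could work, as an added example written for this page (it is not BSA's code, and BSA does not ship such a merge): the official BSA.DAT is parsed section by section, the user's entries from a separate User_BSA.DAT are appended to the matching sections, and exact duplicates are dropped so an entry that later lands in the official file is not listed twice. The "[Section]" plus "key<->value" layout is taken from the snippet in the post above; both file bodies below are constructed, and the file name User_BSA.DAT is the poster's suggestion, not an existing BSA file.

```python
# Constructed stand-in for the BSA.DAT shipped with a new release.
OFFICIAL_DAT = """\
; constructed sample, not the real BSA.DAT
[Custom_LogAPI_Entries]
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
CreateMutex(((Constructed)))<->Trace of a constructed sample family
[File_Strings]
LsaRetrievePrivateData<->Reads LSA secrets
"""

# Constructed stand-in for a user's own definitions, kept across upgrades.
USER_DAT = """\
; constructed sample User_BSA.DAT (file name is the poster's proposal)
[Custom_LogAPI_Entries]
NetShareEnum(127.0.0.1)<->Enables Local File Sharing
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
[User_Strings]
L$_RasDefaultCredentials<->References the RAS default credentials secret
"""


def parse_dat(text):
    """Map '[Section]' name -> list of entry lines, preserving file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def merge_dat(official_text, user_text):
    """Official entries first, then user entries that are not already present.

    Sections only the user has are created after the official ones. No
    key-level override is attempted: the page does not document how BSA
    treats two entries with the same key, so both are kept if they differ.
    """
    merged = parse_dat(official_text)
    for name, entries in parse_dat(user_text).items():
        target = merged.setdefault(name, [])
        for entry in entries:
            if entry not in target:
                target.append(entry)
    return merged


def render_dat(sections):
    """Serialize back to the '[Section]' / entry-line layout."""
    lines = []
    for name, entries in sections.items():
        lines.append(f"[{name}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_dat(merge_dat(OFFICIAL_DAT, USER_DAT)))
```

Run against the real files this would be a three-line wrapper that reads BSA.DAT and User_BSA.DAT and writes the merged result; the point is that local detection entries survive each release without hand-copying.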
Buster


Joined: 06 Aug 2007
Posts: 2185
With "Extract APIs from Dumps" feature enabled, BSA 1.70 crashes and BSA 1.69 works fine, is it right?

If you run "HAPI.EXE FILE" from the console, does HAPI generate output? Is HAPI working fine on your computer?

I have tried to reproduce the bug in my Windows 7 Prof 32-bit OS and I have been unable to. In fact I don't understand why it happens, because the code related to the "Extract APIs from Dumps" feature didn't change from version 1.69 to 1.70.
Scrapie


Joined: 18 May 2011
Posts: 49
Buster wrote:
With "Extract APIs from Dumps" feature enabled, BSA 1.70 crashes and BSA 1.69 works fine, is it right?

I upgraded from 1.68Beta to 1.70 so not sure about 1.69, sorry.

Buster wrote:
If you run "HAPI.EXE FILE" from the console, does HAPI generate output? Is HAPI working fine on your computer?

HAPI.EXE seems to run just fine via cmd - but where would I find the output? Can't find an output file...

Buster wrote:
I have tried to reproduce the bug in my Windows 7 Prof 32-bit OS and I have been unable to. In fact I don't understand why it happens, because the code related to the "Extract APIs from Dumps" feature didn't change from version 1.69 to 1.70.


Same as top - came from 1.68beta to 1.70.
Check your email


Scrapie
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.