Trust No Program
Buster Analyzer 1.36 Download link
jaysonpryde


Joined: 13 Jun 2011
Posts: 20
Hi guys,

where can I download the 1.36?

http://hotfile.com/dl/121800026/3d87a55/BSA136B5.RAR.html no longer exists.

Thank you
Re: Buster Analyzer 1.36 Download link
Buster


Joined: 06 Aug 2007
Posts: 2185
jaysonpryde wrote:
where can I download the 1.36?


Official versions are released on BSA's home site: http://bsa.isoftware.nl

Direct download: http://bsa.isoftware.nl/bsa.rar
File Entropy
jaysonpryde


Joined: 13 Jun 2011
Posts: 20
Thank you very much for the prompt response.

On another topic, I'll just ask how you interpret the file entropy measure that BSA outputs.
For example, entropy = 7.9941 (99.9302%)... What does this mean? 99.9302% of what?
All I know is that file entropy is the randomness/distribution of bytes.

Again, thank you very much!
Buster


Joined: 06 Aug 2007
Posts: 2185
In your first post in the forum you reported a problem related to RegDiff.TXT not being generated. I told you the bug should be fixed in version 1.35 and asked you to confirm if that was right. You never replied.

Could you confirm the problem is solved, please?

About your question...

High entropy = probably the file is packed/crypted

Low entropy = probably the file is not packed/crypted

You should read this paper to know more about entropy and malware:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.9861&rep=rep1&type=pdf
Re: [Buster Analyzer]: RegDiff.txt not generated
jaysonpryde


Joined: 13 Jun 2011
Posts: 20
I'm sorry for confirming late... I've overlooked your request to confirm it. My apologies.
Yes, the bug I reported was already fixed in the 1.36 build, with RegDiff.txt now being generated.

Thanks a lot. :)
Scrapie


Joined: 18 May 2011
Posts: 49
Hi

Analysed ~100 samples yesterday with the new version and it runs fine. Thanks for your hard work!

One small bug I came across:
Sometimes the VirusTotal results still contain HTML code. Example is:
http://www.virustotal.com/file-scan/report.html?id=f41f8a595c6cb843c15293e21111fec22f9f152f90c9cc63d7c9582009ce2319-1216129837
and the corresponding part in BSA looks like this:
Code:
Creates file C:\oh\uh\aaaahhh\splash.exe
     File length: 16384 bytes
     File signature (PEiD): Microsoft Visual Basic 5.0 / 6.0
     File signature (Exeinfo): MS Visual Basic 5.0-6.0   EXE
     File entropy: 2.91282 (36.4103%)
     ssdeep signature: 96:KlOXsF/VTh3nLUdOiL2j85DyPGh0gr7QDX8OEa2:Kco/VTh3nLGw85DyS0grsDGa,"splash.exe"
     MD5 hash: 3e2ff294df5e3ca8f595a2bdcb5d060c
     SHA1 hash: 894d1a951a592daf18d1a89361fc5e89b7025c60
     SHA256 hash: f41f8a595c6cb843c15293e21111fec22f9f152f90c9cc63d7c9582009ce2319
     VirusTotal detections:
      Authentium: Possibly a new variant of W32/VB-EMU:VB-Dropper-ba<br/>sed!Maximus
      Avast: Win32:Trojan-gen. {VB}
      F-Prot: Possibly a new variant of W32/VB-EMU:VB-Dropper-ba<br/>sed!Maximus
      F-Prot4: W32/VB-EMU:VB-Dropper-based!Maximus
      Norman: W32/ColdFusion.CK
      UNA: Backdoor.Coldfusion.12.56D7

You see the <br/> in the Authentium & F-Prot results. Not sure if it is related to the new version or not, and it is not a big thing :)


Thanks again for your hard work,
Scrapie


PS:
Love the Filepath of this one *ggg*
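As an added example (Python, not BSA's own code), a small sanitiser for detection names scraped from a VirusTotal report page, assuming, as the leaked `<br/>` suggests, that BSA lifts the names out of the report HTML. It strips tags, decodes entities and collapses whitespace, then parses the `Vendor: name` lines of the VirusTotal section into a dict. The sample block is constructed from the two affected lines in the report above.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]+>")   # any HTML tag: <br/>, <b>, </span>, ...
WS_RE = re.compile(r"\s+")        # runs of whitespace, incl. the \xa0 from &nbsp;


def clean_detection_name(raw: str) -> str:
    """Remove HTML left over from page scraping and normalise whitespace."""
    text = TAG_RE.sub("", raw)        # 'ba<br/>sed' -> 'based'
    text = html.unescape(text)        # '&amp;' -> '&', '&nbsp;' -> ' '
    return WS_RE.sub(" ", text).strip()


def parse_detections(block: str) -> dict:
    """Parse 'Vendor: detection name' lines into {vendor: cleaned name}.

    Splits on the first colon only, so names such as
    'W32/VB-EMU:VB-Dropper-based!Maximus' keep their own colons.
    """
    result = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        vendor, _, name = line.partition(":")
        result[vendor.strip()] = clean_detection_name(name)
    return result


# Constructed sample: the two lines from the bug report plus one clean line.
SAMPLE = """
Authentium: Possibly a new variant of W32/VB-EMU:VB-Dropper-ba<br/>sed!Maximus
F-Prot: Possibly a new variant of W32/VB-EMU:VB-Dropper-ba<br/>sed!Maximus
Norman: W32/ColdFusion.CK
"""

if __name__ == "__main__":
    for vendor, name in parse_detections(SAMPLE).items():
        print(f"{vendor}: {name}")
```

Running the sanitiser before the names are written to the report turns `VB-Dropper-ba<br/>sed!Maximus` back into `VB-Dropper-based!Maximus`; the tag regex is deliberately generic so other tags the scraper might pick up are removed too.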
Buster


Joined: 06 Aug 2007
Posts: 2185
Thanks for the bug report!

It will be fixed in the next release; meanwhile you can use 1.37 beta 1, which fixes the bug:

http://hotfile.com/dl/122239769/b4b1fd5/BSA137B1.RAR.html
jaysonpryde


Joined: 13 Jun 2011
Posts: 20
Quote:

High entropy = probably the file is packed/crypted
Low entropy = probably the file is not packed/crypted


Follow-up question on this. I have 2 scenarios: 1 packed, the other unpacked. For the packed sample scenario, I limited it to the basic concept of packing or compression. For example, the unpacked version has 12 counts of 0xab and the packed version was cut down to 2 counts.
Also, for simplicity, the scenario below consists of 2 byte elements only.

My question is, considering my understanding and computations are correct, and referencing what you said about entropy values, why is it that the entropy of the packed sample is lower than that of the unpacked sample?

Sample Case:

Unpacked:
byte[1] = 12
byte[2] = 10
entropy[1] = -(12/22)*(log(12/22)/log 2) = 0.477
entropy[2] = -(10/22)*(log(10/22)/log 2) = 0.517
entropy = 0.994

Packed:
byte[1] = 2
byte[2] = 4
entropy[1] = -(2/6)*(log(2/6)/log 2) = 0.528
entropy[2] = -(4/6)*(log(4/6)/log 2) = 0.390
entropy = 0.918

Thanks a lot
Buster


Joined: 06 Aug 2007
Posts: 2185
I used Shannon entropy and the alphabet consists of 256 elements.

You can take a look at the algorithm codification here:

http://ezbitz.com/2009/05/08/calculate-a-file-shannon-entropy-in-c/
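An added worked example in Python (not BSA's code and not the C implementation linked above) of Shannon entropy over the 256-value byte alphabet Buster describes. It makes explicit two things the thread leaves implicit: the percentage BSA prints is the entropy divided by the 8-bit maximum (2.91282 / 8 × 100 = 36.4103%, which matches the splash.exe report earlier in the thread), and the two-symbol computation in the previous post comes out lower for the "packed" case only because its counts (2, 4) are more skewed than (12, 10). Entropy measures how evenly the symbols are spread, not how many bytes there are; a real packer or crypter turns the payload into a near-uniform byte stream, which is why packed files sit close to 8 bits per byte. The sample buffers and the two count lists are constructed for the example.

```python
import math
from collections import Counter


def shannon_entropy_from_counts(counts) -> float:
    """Shannon entropy H = -sum(p * log2 p), in bits per symbol, from symbol counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    h = 0.0
    for c in counts:
        if c:                      # zero-count symbols contribute nothing
            p = c / total
            h -= p * math.log2(p)
    return h


def file_entropy(data: bytes) -> float:
    """Entropy over the 256-value byte alphabet: 0.0 (one byte value) .. 8.0 (uniform)."""
    return shannon_entropy_from_counts(Counter(data).values())


def entropy_percent(bits_per_byte: float) -> float:
    """BSA-style percentage: bits per byte relative to the 8-bit maximum."""
    return bits_per_byte / 8 * 100


# Constructed sample buffers (not real files).
UNIFORM = bytes(range(256)) * 4          # every byte value equally often -> 8.0 bits/byte
REPETITIVE = b"A" * 1024                 # a single byte value          -> 0.0 bits/byte
TEXT = b"The quick brown fox jumps over the lazy dog. " * 20   # ASCII text, ~4.3 bits/byte

# The two-symbol scenarios from the post above (alphabet of 2, counts only).
UNPACKED_COUNTS = [12, 10]   # nearly even split  -> ~0.994 bits/symbol
PACKED_COUNTS = [2, 4]       # skewed split 1:2   -> ~0.918 bits/symbol

if __name__ == "__main__":
    for name, buf in [("uniform", UNIFORM), ("repetitive", REPETITIVE), ("text", TEXT)]:
        e = file_entropy(buf)
        print(f"{name:11s} entropy: {e:.5f} ({entropy_percent(e):.4f}%)")
    print("post's unpacked:", round(shannon_entropy_from_counts(UNPACKED_COUNTS), 3))
    print("post's packed:  ", round(shannon_entropy_from_counts(PACKED_COUNTS), 3))
    print("splash.exe from the report:", f"{entropy_percent(2.91282):.4f}%")
```

Whole-file entropy is a coarse signal: a large plain executable with a small encrypted resource can still score low, and a file of random-looking data is not necessarily malicious, so the value is best read as "probably packed/crypted" in the sense Buster gives above and then confirmed with the PEiD/Exeinfo signatures in the same report.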
[Buster-LOG_API]: API Calls related to Registry modification
jaysonpryde


Joined: 13 Jun 2011
Posts: 20
Hi again,

I recently observed, using the new BSA (1.36), that API calls related to registry modification (e.g. an added registry entry) are not recorded in LOG_API.txt. Said modifications were captured in RegDiff.txt but not in LOG_API. As far as I know, in the previous version(s) of Buster, API calls related to registry modification were recorded in LOG_API.txt.

Here's an example:

RegDiff.txt:
machine\software\microsoft\Windows\CurrentVersion\Run\ExampleAutoRunJaysonPryde = jaysonpryde.exe
machine\software\microsoft\Windows\CurrentVersion\Run\sample = JaysonPryde.exe


LOG_API.TXT
Executing: c:\users\administrator\desktop\addregistryentry.exe
LoadLibrary(mscoree.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(lz32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(lz32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(KERNEL32.DLL) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(advapi32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(shlwapi.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(comctl32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
OpenProcessToken(C:\Users\Administrator\Desktop\AddRegistryEntry.exe) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(LPK) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(KERNEL32) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(msvcrt.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(MSCoree.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(PGORT80.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(mscorwks.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(msvcr80.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(mscorwks.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(advapi32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(ntdll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(advapi32) [c:\users\administrator\desktop\addregistryentry.exe]
OpenProcess(c:\users\administrator\desktop\addregistryentry.exe) [c:\users\administrator\desktop\addregistryentry.exe]
CreateEvent(Global\CorDBIPCSetupSyncEvent_3860) [c:\users\administrator\desktop\addregistryentry.exe]
CreateRemoteThread(c:\users\administrator\desktop\addregistryentry.exe) [c:\users\administrator\desktop\addregistryentry.exe]
IsDebuggerPresent() [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(shell32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(EXPLORER.EXE) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(rpcrt4.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\3aac7b97549d4ccf0c7dca3d1777f9b4\mscorlib.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(mscorlib.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(mscorjit.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(uxtheme.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(user32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(kernel32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(mscorjit.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\system\34942db56010e4225825bfae8a27559f\system.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(system.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\07e39e61fd6133a92333a2c98f2ffeb7\system.drawing.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]

LoadLibrary(system.drawing.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\b0be4ac8da47fbf783dabd1505e6c55e\system.windows.forms.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(system.windows.forms.ni.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\uxtheme.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(user32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(gdi32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\microsoft.net\framework\v2.0.50727\gdiplus.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(gdiplus.dll) [c:\users\administrator\desktop\addregistryentry.exe]
CreateDC(Display,\\.\DISPLAY1,(null)) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(gdi32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
BitBlt() [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(imm32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(comctl32) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\system32\ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(USER32) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\comctl32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetKeyState() [c:\users\administrator\desktop\addregistryentry.exe]
GetKeyboardState() [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(ole32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(rsaenh.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(rsaenh.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(crypt32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(ole32) [c:\users\administrator\desktop\addregistryentry.exe]

Thank you :)
Re: [Buster-LOG_API]: API Calls related to Registry modifica
Buster


Joined: 06 Aug 2007
Posts: 2185
jaysonpryde wrote:
I recently observed, using the new BSA (1.36), that API calls related to registry modification (e.g. an added registry entry) are not recorded in LOG_API.txt. Said modifications were captured in RegDiff.txt but not in LOG_API. As far as I know, in the previous version(s) of Buster, API calls related to registry modification were recorded in LOG_API.txt.


From manual:

http://bsa.isoftware.nl/frame5.htm

Code:
Note: BSA includes two versions of LOG_API.DLL. The difference between them is that one will not show file/registry operations so BSA will run faster.


The note is in red colour, which means it is an important thing. ;)
Buster


Joined: 06 Aug 2007
Posts: 2185
Rename LOG_API.DLL to other name, then rename LOG_API_VERBOSE.DLL to LOG_API.DLL.

If you are using a 64-bit system, do the same but replace LOG_API_VERBOSE.DLL with LOG_API64_VERBOSE.DLL.
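An added example (Python, not part of BSA) that parses the `API(arguments) [process]` line format of the LOG_API.txt excerpt posted above, tallies the hooked APIs and reports whether any registry call appears at all. The sample is a constructed excerpt of that log. The registry check assumes the verbose DLL logs those calls under their Win32 names (RegCreateKeyEx, RegSetValueEx, ...), which the thread does not state; on the posted log it returns False, which is exactly what the non-verbose LOG_API.DLL produces, so the check is a quick way to confirm which DLL was active before trusting a report's "no registry activity".

```python
import re
from collections import Counter

# One hooked call per line: NAME(args) [process path]; args may contain
# parentheses (e.g. "(null)"), so the pattern anchors on the trailing " [...]".
LINE_RE = re.compile(r"^(\w+)\((.*)\)\s+\[(.*)\]$")

# Assumption (not stated in the thread): verbose LOG_API names registry calls
# with their Win32 prefix, so any API beginning with "Reg" counts as registry I/O.
REGISTRY_PREFIXES = ("Reg",)


def parse_log_api(text: str):
    """Yield (api, args, process) for every hooked-call line.

    'Executing:' headers and blank lines are skipped; lines that do not fit the
    format are ignored rather than raising, since the log is written by a DLL
    injected into an untrusted process and may be truncated.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Executing:"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def api_histogram(text: str) -> Counter:
    """Count how often each API name was hooked."""
    return Counter(api for api, _, _ in parse_log_api(text))


def has_registry_calls(text: str) -> bool:
    """True if at least one registry API was logged; False suggests the
    non-verbose LOG_API.DLL was active (file/registry operations not shown)."""
    return any(api.startswith(REGISTRY_PREFIXES) for api, _, _ in parse_log_api(text))


# Constructed excerpt of the LOG_API.txt posted above.
SAMPLE_LOG = r"""
Executing: c:\users\administrator\desktop\addregistryentry.exe
LoadLibrary(mscoree.dll) [c:\users\administrator\desktop\addregistryentry.exe]
GetModuleHandle(lz32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
LoadLibrary(advapi32.dll) [c:\users\administrator\desktop\addregistryentry.exe]
CreateDC(Display,\\.\DISPLAY1,(null)) [c:\users\administrator\desktop\addregistryentry.exe]
IsDebuggerPresent() [c:\users\administrator\desktop\addregistryentry.exe]
CreateRemoteThread(c:\users\administrator\desktop\addregistryentry.exe) [c:\users\administrator\desktop\addregistryentry.exe]
"""

if __name__ == "__main__":
    for api, n in api_histogram(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {api}")
    print("registry calls logged:", has_registry_calls(SAMPLE_LOG))
```

The histogram also shows why the non-verbose DLL is the faster default: the posted log is dominated by LoadLibrary/GetModuleHandle noise from the .NET runtime, and a .NET sample loading advapi32.dll is not by itself evidence of registry writes; only the verbose DLL (or RegDiff.txt, as the thread notes) records the actual modification.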
jaysonpryde


Joined: 13 Jun 2011
Posts: 20
Apologies for not reading the manual.
I'll do the necessary changes.

Again, thank you
Buster


Joined: 06 Aug 2007
Posts: 2185
I did some modifications to LOG_API and I would like to share the new version so anyone can test it before I release a new official package.

All versions of LOG_API (32/64, and verbose/non-verbose) can be downloaded from:

http://hotfile.com/dl/123256140/6dd6210/LOG_API.RAR.html


Changes:

* It should hide Sandboxie and LOG_API itself a bit better.

* It is possible to name LOG_API with the file name you prefer.


If somebody finds any problem just let me know, please.
Buster


Joined: 06 Aug 2007
Posts: 2185
Released Buster Sandbox Analyzer 1.37.

Changes:

* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs

Part of the improved hiding feature is the possibility of naming LOG_API.DLL with the file name you prefer.

Evaluation risk was removed from the malware analysis report because it was too misleading. I will probably reintroduce the feature in the near future, but in another format.
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.