Trust No Program
Bellzemos


Joined: 17 Feb 2010
Posts: 371
Location: Slovenia
That program's not cracked, that's right. And I think I understand your explanation. Thank you!
Buster


Joined: 06 Aug 2007
Posts: 2191
Released Buster Sandbox Analyzer 1.41.


Changes:

+ Usability improvement: hashes (MD5, SHA1, SHA256) showed in reports can be selected individually
+ In automatic mode, when “Keep Sandbox files” is enabled, empty folders and files will be removed
+ Added an option to include information for modified files in reports
+ Fixed several bugs
Buster


Joined: 06 Aug 2007
Posts: 2191
Bellzemos wrote:
That program's not cracked, that's right. And I think I understand your explanation. Thank you!


Here you can read the explanation from tzuk:

http://sandboxie.com/phpbb/viewtopic.php?p=72021#72021

"the Internet access restriction occurs when the program tries to generally initialize Internet functionality, which means before the program asks for any specific Internet operation, and before it gives any specific IP address."
Buster


Joined: 06 Aug 2007
Posts: 2191
Released Buster Sandbox Analyzer 1.42.

Changes:

+ Added a feature to capture screen in video (VLC installation required)
+ Added a feature to report direct disk writing attempts (Sandboxie 3.59.01 or newer version required)
+ Fixed a bug
Buster


Joined: 06 Aug 2007
Posts: 2191
Buster Sandbox Analyzer version 1.42 includes an important addition related to malware behaviour. Thanks to tzuk, from this version, BSA will be able to report files that make direct disk write attempts, like formatting a disk, writing to the MBR, etc.

This feature was possible thanks to tzuk's collaboration. Thanks tzuk!

Here we can see the analysis of an MBR infector done with several malware analyzers:


Buster Sandbox Analyzer 1.42

Report.TXT

Code:
 Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011

 [ General information ]
   * File name: c:\m\test\test.exe
   * File length: 10240 bytes
   * File signature (PEiD): Borland Delphi 3.0 (???) *
   * Digital signature: Unsigned
   * MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
   * SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
   * SHA256 hash: 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
   * VirusTotal detections:
      AntiVir: TR/Crypt.XPACK.Gen
      Avast: Win32:MBRlock-B
      Avast5: Win32:MBRlock-B
      AVG: unknown virus Win32/DH.AA53594850
      BitDefender: Gen:Variant.Kazy.31729
      ByteHero: Virus.Win32.Heur.l
      DrWeb: Trojan.MBRlock.12
      Emsisoft: Trojan-Ransom.Win32.Mbro!IK
      F-Secure: Gen:Variant.Kazy.31729
      GData: Gen:Variant.Kazy.31729
      Ikarus: Trojan-Ransom.Win32.Mbro
      Jiangmin: Trojan/MBro.h
      Kaspersky: HEUR:Trojan.Win32.Generic
      Microsoft: Trojan:Win32/Ransom.DV
      NOD32: a variant of Win32/MBRlock.D
      nProtect: Gen:Variant.Kazy.31729
      Panda: Suspicious file
      Rising: Suspicious
      TheHacker: Trojan/MBRlock.d
      TrendMicro: PAK_Generic.001
      TrendMicro-HouseCall: PAK_Generic.001
      VBA32: Trojan.Ransom.5705
      VIPRE: Trojan.Win32.Generic!BT
      VirusBuster: Trojan.MBRLocker.Gen

 [ Changes to filesystem ]
   * Deletes file C:\M\TEST\TEST.EXE
   * Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
     File length: 10240 bytes
     File signature (PEiD): Borland Delphi 3.0 (???) *
     Digital signature: Unsigned
     MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
     SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
     SHA256 hash: 21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
     VirusTotal detections:
      AntiVir: TR/Crypt.XPACK.Gen
      Avast: Win32:MBRlock-B
      Avast5: Win32:MBRlock-B
      AVG: unknown virus Win32/DH.AA53594850
      BitDefender: Gen:Variant.Kazy.31729
      ByteHero: Virus.Win32.Heur.l
      DrWeb: Trojan.MBRlock.12
      Emsisoft: Trojan-Ransom.Win32.Mbro!IK
      F-Secure: Gen:Variant.Kazy.31729
      GData: Gen:Variant.Kazy.31729
      Ikarus: Trojan-Ransom.Win32.Mbro
      Jiangmin: Trojan/MBro.h
      Kaspersky: HEUR:Trojan.Win32.Generic
      Microsoft: Trojan:Win32/Ransom.DV
      NOD32: a variant of Win32/MBRlock.D
      nProtect: Gen:Variant.Kazy.31729
      Panda: Suspicious file
      Rising: Suspicious
      TheHacker: Trojan/MBRlock.d
      TrendMicro: PAK_Generic.001
      TrendMicro-HouseCall: PAK_Generic.001
      VBA32: Trojan.Ransom.5705
      VIPRE: Trojan.Win32.Generic!BT
      VirusBuster: Trojan.MBRLocker.Gen
   * Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
     File length: 18 bytes
     MD5 hash: 56f96e284ebf1b3fbc78c70eae09d2ca
     SHA1 hash: 940b172e63ad2c8e65eb8a48b459e11cc3196211
     SHA256 hash: f6248d82a67be08f8fab93862504eabad0b3a8db57775ed0674459e2fcde961e

 [ Changes to registry ]
   * No changes

 [ Process/window information ]
   * Enables process privileges.
   * Creates process "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)".
   * Writes directly to disk.
   * Ends Windows session.


Analysis.TXT

Code:

Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011

Detailed report of suspicious malware actions:

Created file in defined folder: C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
Created process: C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)
Defined file type created: C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
Detected direct disk write attempt
Detected process privilege elevation
Ends Windows session
File deleted itself

Risk evaluation result: High


Last edited by Buster on Mon Sep 05, 2011 12:44 am; edited 2 times in total
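As an added example (not part of this thread and not BSA's own code): a small Python parser for the Report.TXT layout shown above, plus a triage pass that re-derives Analysis.TXT-style findings (self-deletion, dropped executable, direct disk write, privilege enabling, session end, process creation) from the parsed sections. The rule mapping and risk thresholds are my own reconstruction, and the embedded report is a constructed abridgment of the one in the post.

```python
"""Parse a Buster Sandbox Analyzer Report.TXT and derive triage findings."""
import re
from collections import OrderedDict

# Constructed sample: an abridged copy of the Report.TXT posted in this thread.
SAMPLE_REPORT = r"""
 Report generated with Buster Sandbox Analyzer 1.42 at 01:59:55 on 05/09/2011

 [ General information ]
   * File name: c:\m\test\test.exe
   * File length: 10240 bytes
   * MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
   * VirusTotal detections:
      Avast: Win32:MBRlock-B
      DrWeb: Trojan.MBRlock.12

 [ Changes to filesystem ]
   * Deletes file C:\M\TEST\TEST.EXE
   * Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\sys3.exe
     File length: 10240 bytes
     MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66
   * Creates file C:\Documents and Settings\Administrador\Configuración local\Temp\systm.txt
     File length: 18 bytes

 [ Process/window information ]
   * Enables process privileges.
   * Creates process "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\\sys3.exe,(null)".
   * Writes directly to disk.
   * Ends Windows session.
"""

SECTION_RE = re.compile(r"^\s*\[\s*(.+?)\s*\]\s*$")   # " [ General information ]"
ENTRY_RE = re.compile(r"^\s*\*\s+(.*\S)\s*$")         # "   * Creates file ..."

def parse_report(text):
    """Return {section: [(entry, [detail lines])]} in report order.
    A '*' line opens an entry; the indented lines after it are its details."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        sec = SECTION_RE.match(raw)
        if sec:
            current = sec.group(1)
            sections[current] = []
        elif current is None:
            continue                      # "Report generated with ..." header
        elif (ent := ENTRY_RE.match(raw)):
            sections[current].append((ent.group(1), []))
        elif sections[current]:
            sections[current][-1][1].append(raw.strip())
    return sections

def field(sections, section, name):
    """Value of a 'Name: value' entry in a section, or None if absent."""
    for entry, _ in sections.get(section, []):
        if entry.lower().startswith(name.lower() + ":"):
            return entry.split(":", 1)[1].strip()
    return None

def triage(sections):
    """Derive Analysis.TXT-style findings from the parsed report. The mapping
    is this example's own reconstruction, not BSA's actual rule set."""
    findings = []
    sample = (field(sections, "General information", "File name") or "").lower()
    sample_name = sample.rsplit("\\", 1)[-1]
    for entry, _ in sections.get("Changes to filesystem", []):
        low = entry.lower()
        if low.startswith("deletes file ") and low.rsplit("\\", 1)[-1] == sample_name:
            findings.append("File deleted itself")
        elif low.startswith("creates file ") and low.endswith(".exe"):
            findings.append("Dropped executable: " + entry[len("Creates file "):])
    for entry, _ in sections.get("Process/window information", []):
        e = entry.rstrip(".")
        if e == "Writes directly to disk":
            findings.append("Detected direct disk write attempt")
        elif e == "Enables process privileges":
            findings.append("Detected process privilege elevation")
        elif e == "Ends Windows session":
            findings.append("Ends Windows session")
        elif e.startswith("Creates process "):
            findings.append("Created process: " + e[len("Creates process "):].strip('"'))
    return findings

def risk_level(findings):
    """High for raw-disk or privilege findings, Medium for drop/spawn/self-delete,
    Low otherwise. Thresholds are this example's own, not BSA's."""
    if {"Detected direct disk write attempt", "Detected process privilege elevation"} & set(findings):
        return "High"
    if any(f == "File deleted itself" or f.startswith(("Dropped executable", "Created process"))
           for f in findings):
        return "Medium"
    return "Low"

if __name__ == "__main__":
    found = triage(parse_report(SAMPLE_REPORT))
    print("\n".join(" - " + f for f in found))
    print("Risk evaluation result:", risk_level(found))
```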
Buster


Joined: 06 Aug 2007
Posts: 2191
Comodo Instant Malware Analysis

Code:
• File Info
Name   Value
Size   10240
MD5   afb7773a0af4f0ebcd22d19cdabb7f66
SHA1   f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
SHA256   21e50b810a2de50d7b8a28bdd26359952733546d59a45249da76f186a678d391
Process   Exited
• Keys Created
• Keys Changed
• Keys Deleted
• Values Created
• Values Changed
• Values Deleted
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
Name   Size   Last Write Time   Creation Time   Last Access Time   Attr
C:\Documents and Settings\User\Local Settings\Temp\sys3.exe   10240   2009.01.09 10:54:20.453   2009.01.09 10:54:22.890   2009.01.09 10:54:22.890   0x20
C:\Documents and Settings\User\Local Settings\Temp\systm.txt   18   2009.01.09 10:54:22.875   2009.01.09 10:54:22.843   2009.01.09 10:54:22.843   0x20
• Files Changed
• Files Deleted
Name   Size   Last Write Time   Creation Time   Last Access Time   Attr
C:\TEST\sample.exe   10240   2009.01.09 10:54:20.453   2009.01.09 10:53:58.578   2009.01.09 10:53:58.578   0x20
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
• Processes Terminated
• Threads Created
PId   Process Name   TId   Start   Start Mem   Win32 Start   Win32 Start Mem
0x348   svchost.exe   0x784   0x7c810856   MEM_IMAGE   0x7c910760   MEM_IMAGE
• Modules Loaded
• Windows Api Calls
PId   Image Name   Address   Function ( Parameters ) | Return Value
0xd8   C:\TEST\sample.exe   0x2aa0158f   CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\DOCUME~1\User\LOCALS~1\Temp\\sys3.exe", bFailIfExists: 0x1)|0x1
• DNS Queries
• HTTP Queries
• Verdict
Auto Analysis Verdict
Suspicious++
• Description
Suspicious Actions Detected
Copies self to other locations
Deletes self
Buster


Joined: 06 Aug 2007
Posts: 2191
ThreatExpert

Code:
    Submission details:
        Submission received: 4 September 2011, 19:19:29
        Processing time: 14 min 12 sec
        Submitted sample:
            File MD5: 0xAFB7773A0AF4F0EBCD22D19CDABB7F66
            File SHA-1: 0xF7C0A34CEBAD3B18C12EEFBF8B55A02EAFED4ADC
            Filesize: 10.240 bytes

 
Technical Details:

 
   File System Modifications

    The following files were created in the system:

#   Filename(s)   File Size   File Hash
1    %Temp%\sys3.exe
[file and pathname of the sample #1]    10.240 bytes    MD5: 0xAFB7773A0AF4F0EBCD22D19CDABB7F66
SHA-1: 0xF7C0A34CEBAD3B18C12EEFBF8B55A02EAFED4ADC
2    %Temp%\systm.txt    32 bytes    MD5: 0x46525D5665EB34AD79F2B75FF27A8659
SHA-1: 0x83C7AA2AF8CCD12F45D116ADDF7295EB3217FB0A

    Note:
        %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
Buster


Joined: 06 Aug 2007
Posts: 2191
Xandora

Code:
File Details
MD5   afb7773a0af4f0ebcd22d19cdabb7f66
SHA-1   f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
First Received   2011-09-05 08:36:00
Last Received   2011-09-05 08:36:00
Size (bytes)   10240
Weightage   71
virustotal.com   19 vendors detected
 
Static File Header
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 4DDA3D47 Mon May 23 18:56:07 2011
Subsystem: 2 (Windows GUI)
Image Base: 2AA00000 Size: 00005000
Code Base: 00001000 Size: 00000C00
Data Base: 00002000 Size: 00001800
Entry Point: 00001600 (file offset 00000A00)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00000C00 Flags: C0040020 (CRW)
2: .data RVA: 00002000 Offset: 00001000 Size: 00001400 Flags: C0000040 (DRW)
3: .rsrc RVA: 00004000 Offset: 00002400 Size: 00000400 Flags: 40000040 (DR)
 
virustotal.com Output
19 vendors from virtustotal.com detected as malware

    HEUR:Trojan.Win32.Generic
    avariantofWin32/MBRlock.D
    Heuristic.gen
    Win32:MBRlock-B
    Suspicious

 
Registry Change
The following Registry Keys were changed

    software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
    software_Microsoft_Windows_CurrentVersion_Group_Policy_State_Machine_Extension-List
    software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
    software_Microsoft_Windows_CurrentVersion_Group_Policy_State_S-1-5-21-790525478-1390067357-1417001333-500_Extension-List
    software_Microsoft_Windows_NT_CurrentVersion_AeDebug
Buster


Joined: 06 Aug 2007
Posts: 2191
Anubis

Code:

[#############################################################################]
    Analysis Report for TEST.EX_
                   MD5: afb7773a0af4f0ebcd22d19cdabb7f66
[#############################################################################]

Summary:
    - Write to foreign memory areas:
        This executable tampers with the execution of another process.

    - AV Hit:
        This executable is detected by an antivirus software.

    - Execution did not terminate correctly:
        The executable crashed.

    - Performs File Modification and Destruction:
        The executable modifiesand destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- TEST.EX_.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
    - sys3.exe
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        112 s
        Report created:     09/04/11, 23:57:30 UTC
        Termination reason: All tracked processes have exited
        Program version:    1.75.3394


[#############################################################################]
    2. TEST.EX_.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        TEST.EX_.exe
        MD5:             afb7773a0af4f0ebcd22d19cdabb7f66
        SHA-1:           f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
        File Size:       10240 Bytes
        Command Line:    "C:\TEST.EX_.exe"
        Process-status
        at analysis end: dead
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\CRTDLL.dll ],
               Base Address: [0x73D90000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]

[=============================================================================]
    Ikarus Virus Scanner
[=============================================================================]
        Trojan-Ransom.Win32.Mbro (Sig-Id: 1651254)

[=============================================================================]
    2.a) TEST.EX_.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\Setup ],
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ],
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time


[=============================================================================]
    2.b) TEST.EX_.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ PHYSICALDRIVE0 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
        File Name: [ PHYSICALDRIVE0 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]
        File Name: [ C:\TEST.EX_.exe ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\CRTDLL.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) TEST.EX_.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ], Command Line: [  ]
        Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe ], Command Line: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sys3.exe ]



[#############################################################################]
    3. sys3.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by TEST.EX_.exe
        Filename:        sys3.exe
        MD5:             afb7773a0af4f0ebcd22d19cdabb7f66
        SHA-1:           f7c0a34cebad3b18c12eefbf8b55a02eafed4adc
        File Size:       10240 Bytes
        Command Line:    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sys3.exe
        Process-status
        at analysis end: dead
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\CRTDLL.dll ],
               Base Address: [0x73D90000 ], Size: [0x00027000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],
               Base Address: [0x5B860000 ], Size: [0x00055000 ]
        Module Name: [ C:\WINDOWS\system32\WINSTA.dll ],
               Base Address: [0x76360000 ], Size: [0x00010000 ]

[=============================================================================]
    Ikarus Virus Scanner
[=============================================================================]
        Trojan-Ransom.Win32.Mbro (Sig-Id: 1651254)

[=============================================================================]
    3.a) sys3.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\Setup ],
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability ],
             Value Name: [ ShutdownReasonUI ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
             Value Name: [ ComputerName ], Value: [ PC ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time


[=============================================================================]
    3.b) sys3.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\TEST.EX_.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systm.txt ]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 3 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\CRTDLL.dll ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]



[#############################################################################]
                       International Secure Systems Lab                       
                            http://www.iseclab.org                             

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

                          Contact: anubis@iseclab.org
Buster


Joined: 06 Aug 2007
Posts: 2191
Norman Sandbox Analyzer

Code:
TEST.EX_ : Not detected by Sandbox (Signature: NO_VIRUS)


 [ DetectionInfo ]
   * Filename: C:\analyzer\scan\TEST.EX_.
   * Sandbox name: NO_MALWARE
   * Signature name: NO_VIRUS.
   * Compressed: NO.
   * TLS hooks: NO.
   * Executable type: Application.
   * Executable file structure: OK.
   * Filetype: PE_I386.

 [ General information ]
   * File length:        10240 bytes.
   * MD5 hash: afb7773a0af4f0ebcd22d19cdabb7f66.
   * SHA1 hash: f7c0a34cebad3b18c12eefbf8b55a02eafed4adc.

 [ Changes to filesystem ]
   * Creates file C:\WINDOWS\TEMP\systm.txt.
   * Creates file C:\WINDOWS\TEMP\sys3.exe.
   * Deletes file C:\sample.exe.

 [ Process/window information ]
   * Creates process "sys3.exe".
   * Checks if privilege "SeShutdownPrivilege" is available.
   * Enables privilege SeShutdownPrivilege.

 [ Signature Scanning ]
   * C:\sample.exe (10240 bytes) : no signature detection.
   * C:\WINDOWS\TEMP\systm.txt (13 bytes) : no signature detection.
   * C:\WINDOWS\TEMP\sys3.exe (10240 bytes) : no signature detection.


Last edited by Buster on Mon Sep 05, 2011 8:46 am; edited 1 time in total
Buster


Joined: 06 Aug 2007
Posts: 2191
As you can see, Buster Sandbox Analyzer is the only malware analyzer that reports that there was an attempt
to end the Windows session (reboot) and an attempt to write directly to disk.
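The Norman report quoted earlier lists what the sample did without ranking any of it, and a signature result of NO_VIRUS is all a scanner-only pipeline would ever see. The Python below is an added example written for this page, not code from Buster Sandbox Analyzer or from Norman: it parses a report in the text layout quoted above and turns the same lines into behaviour flags (drops an executable, runs the dropped file, deletes an executable, enables SeShutdownPrivilege, which is the privilege ExitWindowsEx needs and the nearest thing this format shows to the reboot attempt mentioned in the post). The section names, the "* item" line shape and the "same size as the sample, so probably a copy of itself" heuristic are assumptions taken from the single report on the page; the input string is that report re-typed as constructed test data.

```python
import re
from typing import Dict, List

# Constructed test input: the Norman Sandbox Analyzer report quoted in the post
# above, re-typed here (sections the parser does not need are omitted).
SAMPLE_REPORT = """\
TEST.EX_ : Not detected by Sandbox (Signature: NO_VIRUS)

 [ DetectionInfo ]
   * Filename: C:\\analyzer\\scan\\TEST.EX_.
   * Sandbox name: NO_MALWARE
   * Signature name: NO_VIRUS.

 [ General information ]
   * File length:        10240 bytes.

 [ Changes to filesystem ]
   * Creates file C:\\WINDOWS\\TEMP\\systm.txt.
   * Creates file C:\\WINDOWS\\TEMP\\sys3.exe.
   * Deletes file C:\\sample.exe.

 [ Process/window information ]
   * Creates process "sys3.exe".
   * Checks if privilege "SeShutdownPrivilege" is available.
   * Enables privilege SeShutdownPrivilege.

 [ Signature Scanning ]
   * C:\\sample.exe (10240 bytes) : no signature detection.
   * C:\\WINDOWS\\TEMP\\systm.txt (13 bytes) : no signature detection.
   * C:\\WINDOWS\\TEMP\\sys3.exe (10240 bytes) : no signature detection.
"""

SECTION_RE = re.compile(r"^\s*\[\s*(.+?)\s*\]\s*$")  # " [ Changes to filesystem ]"
ITEM_RE = re.compile(r"^\s*\*\s*(.+?)\.?\s*$")         # "   * Creates file X." (trailing dot dropped)


def parse_report(text: str) -> Dict[str, List[str]]:
    """Group each '* item' line under the '[ Section ]' header that precedes it."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
            continue
        item = ITEM_RE.match(line)
        if item:
            sections.setdefault(current, []).append(item.group(1))
    return sections


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(sections: Dict[str, List[str]]) -> Dict[str, object]:
    """Derive behaviour flags from the parsed sections, independent of signature hits."""
    info = sections.get("DetectionInfo", [])
    general = sections.get("General information", [])
    fs = sections.get("Changes to filesystem", [])
    proc = sections.get("Process/window information", [])
    scan = sections.get("Signature Scanning", [])

    created = [i[len("Creates file "):] for i in fs if i.startswith("Creates file ")]
    deleted = [i[len("Deletes file "):] for i in fs if i.startswith("Deletes file ")]
    spawned = re.findall(r'Creates process "([^"]+)"', "\n".join(proc))

    # Size of the analysed sample, and of every file the sandbox scanned afterwards.
    sample_len = next((int(m.group(1)) for i in general
                       if (m := re.match(r"File length:\s*(\d+) bytes", i))), None)
    sizes = {m.group(1): int(m.group(2)) for i in scan
             if (m := re.match(r"(.+?) \((\d+) bytes\)", i))}

    flags: List[str] = []
    if "Signature name: NO_VIRUS" in info:
        flags.append("no_signature_match")
    dropped_exes = [p for p in created if p.lower().endswith(".exe")]
    if dropped_exes:
        flags.append("drops_executable")
    # Assumption (heuristic): a dropped .exe of exactly the sample's size is a copy of itself.
    if any(sizes.get(p) == sample_len for p in dropped_exes):
        flags.append("dropped_copy_of_itself")
    if any(s.lower() in {_basename(p) for p in created} for s in spawned):
        flags.append("executes_dropped_file")
    if any(p.lower().endswith(".exe") for p in deleted):
        flags.append("deletes_executable")
    # SeShutdownPrivilege must be enabled before ExitWindowsEx() will reboot or
    # log off, so this line is the precondition for the reboot attempt.
    if "Enables privilege SeShutdownPrivilege" in proc:
        flags.append("enables_shutdown_privilege")

    behavioural = [f for f in flags if f != "no_signature_match"]
    verdict = "suspicious" if len(behavioural) >= 3 else "clean-looking"
    return {"flags": flags, "verdict": verdict,
            "dropped": dropped_exes, "spawned": spawned}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(result["verdict"], result["flags"])
```

The threshold of three behavioural flags is a deliberately simple choice for the example; in practice a file that copies itself to TEMP, runs the copy, deletes the original and then takes SeShutdownPrivilege deserves a closer look regardless of the signature result, which is exactly the gap between the "NO_VIRUS" line at the top of the Norman report and the rest of it.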
D1G1T@L


Joined: 17 Apr 2011
Posts: 577
Location: DefaultBox
Bravo Buster! This is impressive indeed. Makes the commercial analyzers look like they were made by rookies.
Buster


Joined: 06 Aug 2007
Posts: 2191
I just re-released BSA 1.42 package.

I changed something related to the video screen capturing feature.
Buster


Joined: 06 Aug 2007
Posts: 2191
D1G1T@L wrote:
Bravo Buster! This is impressive indeed. Makes the commercial analyzers look like they were made by rookies.


It could not have been possible without tzuk's collaboration.

I'm especially proud of the output reports. They are simple but at the same time complete, and they are easy to understand.
Buster


Joined: 06 Aug 2007
Posts: 2191
Released Buster Sandbox Analyzer 1.43.

Changes:

+ Replaced Buster Sandbox Analyzer with a custom logo. (thanks Antoni)
+ Maintenance release: minor changes.


I have added almost all the features I had in the TO-DO list and fixed all known bugs. I still have to add some statistics, but that feature is not a priority, which is why this version should be the last one for a while.
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.