Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
JMJ
Posts: 1
Joined: Thu Dec 27, 2012 12:10 pm

No Malware analysis button

Post by JMJ » Thu Dec 27, 2012 12:18 pm

Installed yesterday on XP SP3 with fresh install of Sandboxie both downloaded yesterday

I see the start analysis button which at the end of a run changes to finish analysis but I don't see any malware analysis button

What data can I collect to assist, or did I miss something in the install?

Thanks

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: No Malware analysis button

Post by Buster » Thu Dec 27, 2012 12:33 pm

JMJ wrote:Installed yesterday on XP SP3 with fresh install of Sandboxie both downloaded yesterday

I see the start analysis button which at the end of a run changes to finish analysis but I don't see any malware analysis button

What data can I collect to assist, or did I miss something in the install?
Analysis button was removed in a recent release. Now when you click "Finish Analysis" the malware analysis is performed automatically (before you had to click the "Malware Analysis" button). Then you can see the analysis at:
Viewer > View Analysis Fields

You can also see individual files (Report.TXT, Analysis.TXT, etc) with other options in "Viewer" menu.

I hope that helps.

Regards.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Thu Dec 27, 2012 12:35 pm

BSA 1.85 will have a feature at "Manual Analysis Options" to allow seeing malware analysis after analysis is finished.

sanaru
Posts: 2
Joined: Thu Dec 27, 2012 3:53 pm

Post by sanaru » Thu Dec 27, 2012 3:59 pm

This tool does seem great. I have installed and configured it and it works wonderfully on notepad.exe.

But when I run it on my target app, the app crashes on startup. It is caused by this line:

InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL

The log api file exists at that location, like I said, notepad.exe works fine.

How could the injected dll cause the app to just crash? To prevent me from analyzing it? It is not a very sophisticated app.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Thu Dec 27, 2012 5:16 pm

sanaru wrote:This tool does seem great. I have installed and configured it and it works wonderfully on notepad.exe.

But when I run it on my target app, the app crashes on startup. It is caused by this line:

InjectDll=C:\BSA\LOG_API\64\LOG_API32.DLL

The log api file exists at that location, like I said, notepad.exe works fine.

How could the injected dll cause the app to just crash? To prevent me from analyzing it? It is not a very sophisticated app.
What is your OS? Is it 32 or 64 bit?

sanaru
Posts: 2
Joined: Thu Dec 27, 2012 3:53 pm

Post by sanaru » Fri Dec 28, 2012 3:51 am

Buster wrote:
What is your OS? Is it 32 or 64 bit?
Windows 7 64-bit, running a 32-bit application.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Fri Dec 28, 2012 6:08 am

sanaru wrote:The log api file exists at that location, like I said, notepad.exe works fine.

How could the injected dll cause the app to just crash? To prevent me from analyzing it? It is not a very sophisticated app.
May I get the app so I can take a closer look and see what's wrong?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Jan 05, 2013 4:05 pm

Buster Sandbox Analyzer 1.85 is going to be officially announced as soon as I get the archive online at novirusthanks.org server.

1.85 version can be considered as a major update. It's more stable and runs more smoothly than previous versions because I have removed several program dependencies (REG.EXE to extract info from registry, STRINGS.EXE to extract strings from files, ...) and now I use code directly from BSA application.

I will do more comments when it is out.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Jan 05, 2013 8:30 pm

While the file is not up on the server you can download the new version from here:

http://rapidshare.com/files/3956133659/BSA185.RAR

or here:

http://www.woodmann.com/virusbuster/bsa.rar

List of changes:


+ Added a feature to run setups silently if possible in automatic mode

Options > Automatic Analysis Options > Setups > Run Silently if possible.

Used to run installation setups in silent mode (no user intervention required) when possible.

Note: BSA uses Exeinfo to identify installation setups.

Note: Inside “\DATA\SETUPS.DAT” there is a list of installer identifications and the associated command line to run the installer in silent mode. The list can be modified in order to add, modify or remove installers. The format of SETUPS.DAT is: string_to_identify_installer||arguments_to_include

Greetings to Brian for the idea and the research.


+ Added a feature to view malware analysis on finish in manual mode

Options > Manual Analysis Options > View Malware Analysis On Finish

Used to see malware analysis results after analysis is finished.

Remember that after closing the malware analysis results window you can see it again by clicking:

View > View Analysis Fields


+ Added a feature to save connection information to CSV file in “Pcap Explorer” feature

Used to save to a CSV file type the information related to connections.


+ Added a feature to refresh BSA window

Certain sandboxed applications will mess with the BSA window in a way that hides it. You can refresh the window to try to get the BSA window visible again by right-clicking the BSA window on the taskbar and selecting "Refresh".

Additionally from version 1.85, BSA will keep the position (the position it had before analysis starts) during analysis in automatic mode.


+ Removed several program dependencies (REG.EXE, STRINGS.EXE, …)

BSA should run more smoothly from version 1.85 because I removed some dependencies it had on several third-party tools, mainly REG.EXE to get registry information and STRINGS.EXE to retrieve strings in files.

As a side effect from these changes, I would say (I am not able to confirm it yet) the problem with Sandboxie's RegHive getting locked is gone. That means BSA is able to process large amounts of files without being interrupted.


+ DAT files moved to “DATA” folder

From version 1.85, BSA expects DAT files inside "\BSA\DATA" folder. DAT files are:

API.DAT
APK.DAT
BSA.DAT
BSA_USER.DAT
CHECKIP.DAT
MALICIOUS-DOMAINS.DAT
SETUPS.DAT


+ Improved “File Strings” feature

The feature is now faster than it was before and an option to sort strings alphabetically has been added.


+ Updated BSA.DAT
+ Updated LOG_API
+ Russian and Portuguese (Brazilian) have been updated.
+ Fixed several bugs
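The SETUPS.DAT format described above (one `string_to_identify_installer||arguments_to_include` entry per line, matched against what Exeinfo reports for the sample) is simple enough to show as a small loader. This is an added example, not BSA's own code; the entries, the substring matching rule and the comment/blank-line handling are assumptions, and the installer switches are only illustrative.

```python
"""Load a SETUPS.DAT-style installer list and pick silent-install arguments.

Added example, not BSA's own code. Assumes one entry per line in the form
`string_to_identify_installer||arguments_to_include`, where the identifier
is matched case-insensitively as a substring of the Exeinfo result.
"""
from typing import Optional

# Constructed sample contents; the real file ships in BSA's \DATA folder.
SAMPLE_SETUPS_DAT = """\
# comment and blank lines are skipped (assumption, not BSA's rule)
Inno Setup||/VERYSILENT /SUPPRESSMSGBOXES /NORESTART
Nullsoft NSIS||/S
InstallShield||/s /v"/qn"
this line has no separator and is ignored
"""


def parse_setups_dat(text: str) -> list[tuple[str, str]]:
    """Return (identifier, arguments) pairs, skipping malformed lines."""
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "||" not in line:
            # A malformed entry should not abort an automatic analysis run.
            continue
        ident, args = line.split("||", 1)
        if ident.strip():
            entries.append((ident.strip(), args.strip()))
    return entries


def silent_args_for(exeinfo_result: str, entries: list[tuple[str, str]]) -> Optional[str]:
    """Arguments for a recognised installer, or None to run it as-is."""
    haystack = exeinfo_result.lower()
    for ident, args in entries:
        if ident.lower() in haystack:
            return args
    return None


def build_command_line(sample_path: str, exeinfo_result: str, entries) -> str:
    """Quote the sample path and append silent switches when known."""
    args = silent_args_for(exeinfo_result, entries)
    return f'"{sample_path}"' if args is None else f'"{sample_path}" {args}'
```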

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sun Jan 06, 2013 2:46 pm

Released Buster Sandbox Analyzer 1.85.

Changes:

+Added a feature to run setups silently if possible in automatic mode
+Added a feature to view malware analysis on finish in manual mode
+Added a feature to save connection information to CSV file in “Pcap Explorer” feature
+Added a feature to refresh BSA window
+Removed several program dependencies (REG.EXE, STRINGS.EXE, …)
+DAT files moved to “DATA” folder
+Improved “File Strings” feature
+Updated BSA.DAT
+Updated LOG_API
+Fixed several bugs

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Jan 07, 2013 1:37 pm

The days before I released BSA 1.85 I was testing the tool with a few thousand malware samples. I do that from time to time to check for bugs, especially when I introduce important changes in the code, as it was the case with version 1.85.

Counting the samples I have already processed in the past and the ones used to test version 1.85, I have probably used 100,000+ samples for testing.

After the BSA 1.85 release I have continued testing with the set of samples I picked to check that version. I usually test with 3 instances of BSA, so I can test more samples in the same amount of time. I noticed one of the BSA instances was not running, so I stopped the other 2 running instances and checked the sample that was running when the BSA instance stopped working.

After 100,000 samples processed, I have found another bug in BSA thanks to a sample. The sample was setting as creation date of a file the year 30332 or something like that, and the Delphi function SystemTimeToDateTime did not like the value and caused the application to crash.

On every BSA release I fix a few bugs, sometimes I just find only one and others three or four. After 85 versions released, BSA still has bugs here and there. :oops: So stay tuned and report me any problem you find.
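The crash described above is a general hazard for any analysis tool that reads attacker-controlled file timestamps: a sample can write any 64-bit FILETIME it likes, and a conversion routine that assumes a sane year will fail on it. The following is an added example (not BSA or Delphi code) of converting both a raw FILETIME and SYSTEMTIME-style fields while treating out-of-range values as data rather than as a fatal error; the bogus FILETIME constant is constructed to land tens of thousands of years past 1601, like the sample Buster hit.

```python
"""Robust conversion of attacker-controlled Windows file timestamps.

Added example, not BSA's code. A FILETIME counts 100 ns ticks since
1601-01-01 UTC; SYSTEMTIME carries year/month/day/... fields. Both are
written by the sample, so neither may be trusted to be a valid date.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 as FILETIME ticks
# Constructed: a FILETIME roughly 28,000 years after 1601 (year ~30000).
BOGUS_FILETIME = 0x7E00000000000000


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Return an aware UTC datetime, or None if the tick count is
    negative, wider than 64 bits, or beyond the representable range."""
    if ft < 0 or ft > 0xFFFFFFFFFFFFFFFF:
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:
        # Python's datetime stops at year 9999; a sane value never gets here.
        return None


def systemtime_to_datetime(year: int, month: int, day: int, hour: int = 0,
                           minute: int = 0, second: int = 0,
                           millis: int = 0) -> Optional[datetime]:
    """Validate SYSTEMTIME-style fields instead of trusting them (the
    Delphi SystemTimeToDateTime call in the post raised on year 30332)."""
    if not 1601 <= year <= 9999:
        return None
    try:
        return datetime(year, month, day, hour, minute, second,
                        millis * 1000, tzinfo=timezone.utc)
    except ValueError:  # impossible month/day/time fields
        return None


def describe_timestamp(ft: int) -> str:
    """Report string for an analysis log: keep the raw value when the
    timestamp is invalid, since a nonsensical date is itself a finding."""
    dt = filetime_to_datetime(ft)
    if dt is None:
        return f"invalid timestamp (raw FILETIME 0x{ft & 0xFFFFFFFFFFFFFFFF:016X})"
    return dt.isoformat()
```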

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Jan 07, 2013 2:17 pm

I also can confirm that the problem with RegHive being locked is gone.

maya
Posts: 4
Joined: Thu Jan 10, 2013 10:31 am

Post by maya » Thu Jan 10, 2013 10:44 am

Buster, just tried out the new version, quite stable compared with the previous version I was using (1.8.1).
One question, I selected screenshot option, but didn't see any screenshot for a couple of samples I tried.

I read about a new type of malware that monitors the mouse movement and won't perform any activity until the left button is clicked and released. Feelings are that this might become common in future malware.
I was wondering then if a feature can be added into BSA that simulates mouse movement and button click when the sample being analyzed is not performing any activity.

Thanks. :D
Last edited by maya on Thu Jan 10, 2013 11:03 am, edited 1 time in total.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Thu Jan 10, 2013 10:55 am

maya wrote:Buster, just tried out the new version, quite stable compared with the previous version I was using (1.8.1).
Yes, version 1.85 really makes a difference in terms of stability compared to previous versions.
maya wrote:I read about a new type of malware that monitors the mouse movement and won't perform any activity until the left button is clicked and released.
Right, Trojan.Upclicker.

http://blog.fireeye.com/research/2012/1 ... icker.html
maya wrote:Feelings are that this might become common in future malware.
I was wondering then if a feature can be added into BSA that simulates mouse movement and button click when the sample being analyzed is not performing any activity.
Mouse movement was something already performed in automatic analysis mode since a few versions ago.

In version 1.85 I added a check and under specific circumstances BSA automatically simulates a left mouse click as an anti-anti-vm trick. :wink:

maya
Posts: 4
Joined: Thu Jan 10, 2013 10:31 am

Post by maya » Thu Jan 10, 2013 11:06 am

Did you test that one on the upclicker sample?
I set it to run in automatic mode with timeout set to 1 minute. It just reported monitoring mouse messages.
