I know a few people who swear by Sandboxie as the ultimate tool for analyzing malware, but nowadays it is very common for crypters and remote administration tools to include an anti-sandbox module: whenever the program detects that it is being analyzed or run in a sandbox environment, it terminates itself to prevent analysis. If you’ve missed my previous article on why I test and analyze software in a real Windows environment, you should read it first.
Today I received an email from Jerry sharing a very useful addition to Sandboxie called Buster Sandbox Analyzer. Basically it is similar to online file behavior analyzers such as ThreatExpert, Joebox and Anubis, but with the help of Sandboxie you get the same function on your own computer without the wait time. Buster Sandbox Analyzer is a tool designed to analyze the behaviour of processes and the changes they make to the system, and then evaluate whether that behaviour is suspicious of malware. In order to use Buster Sandbox Analyzer, you have to set up Sandboxie correctly first; only then will Buster Sandbox Analyzer work properly.
The good thing about using Buster Sandbox Analyzer is that it includes countermeasures against malware detecting Sandboxie’s presence. So even if the malware contains anti-Sandboxie code, you can still analyze it inside the sandbox. Here’s a simple guide on how I set up Buster Sandbox Analyzer.
1. Download and install Sandboxie.
2. Download Buster Sandbox Analyzer and extract the RAR archive into C:\bsa\
3. Run Sandboxie Control, click Configure at the menu bar, and select Edit Configuration.
4. Your default text editor will open the configuration, which contains [GlobalSettings], [DefaultBox] and [UserSettings_xxxxxxx] sections. At the end of the [DefaultBox] section, add the 2 lines below and save the file.
InjectDll=C:\bsa\log_api.dll
OpenWinClass=TFormBSA
It should look like the screenshot below.

5. To analyze a malware sample, go to C:\bsa\ and run bsa.exe. The most important field to fill in here is “Sandbox folder to check”. This is the path where Sandboxie drops the sandbox contents. To get this location, run Sandboxie Control, right click on Sandbox DefaultBox and select Explore Contents. A Windows Explorer window will open; copy the path and paste it into “Sandbox folder to check”.

6. Click the Start Analysis button and click “Delete Sandbox Folder contents and continue”.
7. Now drag the file that you want to analyze and drop it to Sandboxie Control window. By default the “DefaultBox” is selected and just click the OK button.
8. Go to Buster Sandbox Analyzer and you should see a lot of information at the API Call Log. When the API Call Log has stopped, go back to Sandboxie Control window, right click on Sandbox Defaultbox and select Terminate Programs. Click Yes to confirm the termination.
9. Again go back to Buster Sandbox Analyzer and click Stop Analysis button.
10. Then click the Malware Analyzer button. There are 2 tabs in the Malware Behavior Analyzer Module: Malicious Actions and Details. The Malicious Actions tab tells you whether the file you analyzed performed any malicious actions. The Details tab shows a more detailed report: where files were dropped, auto-startup additions, injection, keylogging, connections and so on.

The results above are from the analysis of the Cybergate RAT public version with “Anti Sandboxie” enabled. As you can see, the anti-Sandboxie feature of Cybergate RAT no longer works, thanks to Buster Sandbox Analyzer.
Update: I left out how to hide Sandboxie. Fortunately you can follow the easy step-by-step guide on this page on how to use HideDriver to hide Sandboxie’s process. It would also help if you rename the default LOG_API.dll file to another name. You should also have WinPcap installed so that Buster Sandbox Analyzer reports network activity correctly.
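To verify that the step 4 edit (and the renaming tip from the update) actually took effect, here is an added example that is not part of the guide or of Buster Sandbox Analyzer: a small Python checker that parses a Sandboxie.ini and reports what is missing from [DefaultBox]. The sample ini contents, the user-settings id and the message texts are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample of a Sandboxie.ini after step 4 (real files have more keys).
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
InjectDll=C:\\bsa\\log_api.dll
OpenWinClass=TFormBSA

[UserSettings_0A1B2C3D]
SbieCtrl_UserName=raymond
"""

def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order.
    Sandboxie lets a key repeat (several InjectDll lines are legal), which
    configparser would collapse, so a small hand-rolled parser is used."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_bsa_setup(text, box="DefaultBox"):
    """Return a list of findings; an empty list means the box is wired up for BSA."""
    entries = parse_sandboxie_ini(text).get(box)
    if entries is None:
        return [f"no [{box}] section"]
    findings = []
    inject = [v for k, v in entries if k.lower() == "injectdll"]
    winclass = [v for k, v in entries if k.lower() == "openwinclass"]
    if not inject:
        findings.append("missing InjectDll (the LOG_API hook will not be loaded)")
    for dll in inject:
        # The guide's update says renaming LOG_API.dll helps; flag the stock name.
        if PureWindowsPath(dll).name.lower() == "log_api.dll":
            findings.append("InjectDll uses the default name log_api.dll; consider renaming it")
    if "TFormBSA" not in winclass:
        findings.append("missing OpenWinClass=TFormBSA (the hook cannot report to the BSA window)")
    return findings
```

Run `check_bsa_setup(open(path).read())` against your own Sandboxie.ini after saving step 4; an empty list means both lines are in place and the DLL has been renamed.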
Related posts:
Released Buster Sandbox Analyzer 1.63.
Changes:
+ Added “Aggressive Window Closer” feature
+ Added a feature to restore display settings if changed while analysis
+ Added new malware behaviours
+ Improved “Additional Information” feature
+ Improved multiple malware analyses feature
+ Improved “Automate Setups” feature
+ Improved the speed processing certain files
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.62.
Changes:
+ Added a feature to patch LOG_API automatically
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.61.
Changes:
+ Added a feature at “Risk Evaluation Ratings” to show hints related to malware behaviours
+ Modified the layout to show separately the file being processed from the number of files left to be processed
+ Added new malware behaviours
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.60.
Changes:
+ Added a feature to analyze URLs
+ Added an option at “SQL > Report Manager” feature to import records from an external database
+ Added support for JSON reports
+ Added a feature to avoid screensaver activation while an analysis is being performed
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.59.
Changes:
+ Updated LOG_API
+ Updated PEiD’s USERDB.TXT
+ Fixed several bugs
Note: This version contains important bugfixes.
Released Buster Sandbox Analyzer 1.58.
Changes:
+ Added new malware behaviours
+ Added a feature to analyze automatically a file from shell menu
+ Added a feature to generate additional information from analyzed executable files
+ Added the option of deleting analyzed file at “Manage Processed file” feature
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Included Signsrch tool by Luigi Auriemma
+ Updated LOG_API
+ Updated Exeinfo to version 0.0.3.0
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.57.
Changes:
+ Added a feature to extract used APIs from dumped files
+ Added a feature to extract strings from dumped files
+ Added new malware behaviour
+ Fixed a bug
Released Buster Sandbox Analyzer 1.55.
Changes:
+ Added Adobe Malware Classifier information
+ Included new malware behaviour at “Risk Evaluation Ratings”
Released Buster Sandbox Analyzer 1.54.
Changes:
+ Added a new entry section to BSA.DAT: [File_Strings]
+ Added a feature to search for defined strings inside analyzed file
+ Improved “Dump Executable Processes” feature
+ Included new malware behaviour
+ Updated LOG_API
+ Added Portuguese (Brazil) language translation (thanks to Paulo Guzman)
Released Buster Sandbox Analyzer 1.53.
Changes:
+ Added a new entry section to BSA.DAT: [Process_Code_Injection]
+ Added a new feature to dump executable processes in automatic mode
+ Added a feature that allows the user to select what behaviours must appear in the analysis report
+ Updated “Risk Evaluation Ratings”
+ Included new malware behaviour
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.52.
Changes:
+ Added support for HTML reports
+ Added a feature to remove sandbox folder contents automatically in manual mode
+ Included new malware behaviour
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.51.
Changes:
+ Added a custom driver to hide Sandboxie’s processes
+ Removed Hide Driver from package
+ Included new malware behaviour
+ Added File Renamer feature to utilities section
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.50.
Changes:
+ Added multi-language support
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.49.
Changes:
+ Added support for XML reports
+ Added support for TLS hooks detection
+ Improved PDF Statistics
+ Updated LOG_API verbose versions to include FindFirst/NextFile support
+ Updated support for new VirusTotal web service
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.48.
Changes:
+ Added PDF statistics feature
+ Added support for a new malware behaviour: get computer name
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.47.
Changes:
+ Added a feature to run BSA in automatic mode, monitoring a folder for new files to analyze
+ Added a feature to avoid processing files from a whitelist
+ Improved analysis cancel event
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.46.
Changes:
+ Added a feature to include information from reports into a SQL database
+ Added a custom manager for BSA’s SQL Database
+ Added a feature to load and save settings from file on demand
+ Added a feature to set a number of retries if connection to VirusTotal fails
+ Added a feature to launch automatically Explorer.exe in automatic mode
+ Added a feature to skip already processed files in automatic mode
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.45.
Changes:
+ Added a feature to produce reports in PDF format
+ Added support for new malware behaviours: get volume information, alternate data stream creation
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.44.
Changes:
+ Changed the feature that hides UDP packets. Now the feature ignores UDP packets from PCAP captures and reports
+ Added a feature to minimize BSA when the feature to do video capture is enabled
+ Added a feature to compress to ZIP sandbox folder contents when “Keep Sandbox Files” is enabled
+ Added information related to date of submission in VirusTotal reports
+ Added several improvements
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.42.
Changes:
+ Added a feature to capture screen in video (VLC installation required)
+ Added a feature to report direct disk writing attempts (Sandboxie 3.59.01 or newer version required)
+ Fixed a bug
Released Buster Sandbox Analyzer 1.40.
Changes:
+ Usability improvement in File Hash, File Scanner, File Signature and automatic analysis features: last used folder will be remembered
+ Usability improvement in File Hash, File Scanner and File Signature features: added drag and drop support
+ Added Exeinfo support to File Signature feature
+ Improved File Hash feature: all hashes can be checked at VirusTotal at once, VirusTotal reports can be saved to disk
Released Buster Sandbox Analyzer 1.39.
Changes:
+ Fixed several bugs.
Released Buster Sandbox Analyzer 1.38.
Changes:
+ Added risk evaluation module
+ Added several improvements
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.37.
Changes:
* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs
Part of the improved hiding feature is the possibility of naming LOG_API.DLL with the file name you prefer.
Evaluation risk was removed from the malware analysis report because it was too misleading. Probably I will reintroduce the feature in the near future, but in another format.
Released Buster Sandbox Analyzer 1.36.
Changes:
+ Added support for ssdeep
+ Improved the support for DLL files
+ Report information can be selected individually
+ Updated BSA.DAT
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.33.
Changes:
+ Added a feature to run BSA from command line in automatic mode
+ Added Exeinfo support
+ Added extra information of dropped files
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed a bug
I’ve just started using BSA. I must say, it’s an excellent tool. Thanks a lot, Raymond, for this BSA usage guide.
“Where is the website of Buster Sandbox?”
bsa.isoftware.nl/
Where is the website of Buster Sandbox? Thank you very much, and who made Buster Sandbox?
Thank you very much Raymond! Fantastic Tutorial!
Genome: Read the manual (the PDF) or the README.TXT
Windows error on bsa.exe: wcap.dll is missing
david: Where CWSandbox can be downloaded?
Thanks for such an informative article. Can you please help with CWSandbox? I want to know how to use it, as I need to use it for my project.
Wassim: InjectDll points to the path where LOG_API.DLL is located. As long as the file stays in the same place, you will not have to change the path.
First, thanks for this tip. I have just one question. I’m using portable Sandboxie from my USB pen drive. I want to know if I have to change the path of “InjectDll=C:\bsa\log_api.dll” to the path of my pen drive each time?
Thank you for your help.
michael: Buster Sandbox Analyzer tracks registry changes.
AssamIsTea & Chandra: Probably the file is detected because some malware makes bad use of that program, but it’s legit.
You can check about it here:
codeproject.com/KB/system/hide-driver.aspx
Is there any way to track the registry changes made by applications run under Sandboxie?
Kaspersky detected a Trojan program from “hidedriverGUI.exe” in bsa.rar. The Trojan program is trojan-clicker.win32.agent.mvt.
is this dangerous?
Oh, I forgot my verb. “…my computer froze when I clicked on the link again”.
For some reason, Kaspersky labeled Buster Sandbox Analyzer as a trojan. Of course, it has to be a false positive, but my computer after trying to click on the link again. I’m sure my computer just sucks.
It is too complicated to set up for working with Sandboxie; I prefer to wait for a future Sandboxie version which can do the whole thing alone!!!
Thanks Raymond. But I just use an old desktop PC to do stuff that may risk my security, and re-image it afterwards.
thank you Raymond. you Rock.
Have you heard of anti-sandbox code with Norman? Check this page: my.stargazer.at/2006/11/07/anti-sandbox-code-anhand-von-norman/
1101doc: Because Returnil is not meant to analyze malware. It’s for restoring any changes with a reboot. Totally different uses.
Wow! This is a very good tool, thanks Ray for analyzing its prowess.
Why not Returnil?
THX a bunch for this info Raymond…
Can we use Buster Sandbox analyzer with Comodo SandBox feature, I am currently using COMODO…
It has no configuration file like SandBoxie, any other way you know…
It’s indeed a great tool, an excellent complement to Sbie.
great one thanks raymond, currently using comodo sandbox.
Thank you very much for the detailed review about my tool.