Buster Sandbox Analyzer

Official Website:
    http://bsa.isoftware.nl/
   
Active Forum links:
    http://www.sandboxie.com/phpbb/viewtopic.php?t=6557&postdays=0&postorder=asc&start=510
    http://www.kernelmode.info/forum/viewtopic.php?f=11&t=139
   
Setup and usage:
    http://www.youtube.com/watch?v=wXFpo78712M

Buster Sandbox Analyzer uses the Sandboxie tool to gather system modification information and then analyzes it. It configures Sandboxie to load/inject a DLL into every sandboxed process. This injected DLL hooks a number of functions inside the sandboxed process and reports each call to the BSA instance running outside the sandbox via Window Messages. BSA reads that output and analyzes it.

The following configuration entries are added to Sandboxie under "Default Box":
    InjectDll=C:\tmp\bsa\LOG_API64.DLL
    OpenWinClass=TFormBSA
    NotifyDirectDiskAccess=y
    ProcessLimit1=20
    ProcessLimit2=30
    BoxNameTitle=n
    CopyLimitKb=102400
    CopyLimitSilent=y

The following configuration entry is added to Sandboxie under "UserSettings":
    SbieCtrl_HideMessage=*

BSA.SYS:
This driver hides the following Sandboxie processes (and any other configured processes) from the sandboxed program. It hooks the kernel-level ZwQuerySystemInformation and modifies its result:
    sbiesvc.exe
    sbiectrl.exe
    sandboxiedcomlaunch.exe
    sandboxiecrypto.exe
    sandboxiebits.exe
    sandboxiewuau.exe
    sandboxierpcss.exe
    bsa.exe

LOG_API.DLL / LOG_API_VERBOSE.DLL / LOG_API64.DLL / LOG_API64_VERBOSE.DLL hook the following APIs inside the sandbox:
    OpenSCManagerA
    OpenSCManagerW
    OpenServiceA
    OpenServiceW
    CreateServiceA
    CreateServiceW
    StartServiceA
    StartServiceW
    ControlService
    OpenProcessToken
    AdjustTokenPrivileges
    AreAnyAccessesGranted
    GetUserNameA
    GetUserNameW
    GetCurrentHwProfileW
    RegCreateKeyA
    RegCreateKeyW
    RegCreateKeyExA
    RegCreateKeyExW
    RegOpenKeyA
    RegOpenKeyW
    RegOpenKeyExA
    RegOpenKeyExW
    RegDeleteKeyA
    RegDeleteKeyW
    RegDeleteValueA
    RegDeleteValueW
    RegEnumKeyA
    RegEnumKeyW
    RegSetValueA
    RegSetValueW
    RegSetValueExA
    RegSetValueExW
    ZwQueryVirtualMemory
    LoadLibraryExW
    CreateRemoteThread
    CreateRemoteThreadEx
    QueueUserAPC
    SuspendThread
    ResumeThread
    WriteProcessMemory
    CreateProcessInternalW
    CreateFileW
    FindFirstFileExW
    FindNextFileW
    FindFirstFileNameW
    FindNextFileNameW
    SearchPathW
    CreateFileMappingW
    CopyFileA
    CopyFileW
    MoveFileA
    MoveFileW
    CreateDirectoryW
    RemoveDirectoryW
    DeleteFileW
    GetModuleHandleW
    CreateMutexW
    CreateEventW
    OpenProcess
    CreateToolhelp32Snapshot
    IsDebuggerPresent
    OutputDebugStringA
    OutputDebugStringW
    CheckRemoteDebuggerPresent
    GetSystemDefaultLangID
    CreateNamedPipeA
    CreateNamedPipeW
    GetVolumeInformationW
    GetComputerNameW
    TerminateProcess
    NtLoadDriver
    RtlAdjustPrivilege
    NtSetInformationThread
    RtlSetProcessIsCritical
    CreateDCA
    CreateDCW
    BitBlt
    RasEnumEntriesA
    RasEnumEntriesW
    EnumProcessModules
    WNetOpenEnumA
    WNetOpenEnumW
    NetServerEnum
    NetShareEnum
    InternetGetConnectedState
    InternetConnectA
    InternetConnectW
    InternetOpenA
    InternetOpenW
    InternetOpenUrlA
    InternetOpenUrlW
    InternetReadFile
    HttpOpenRequestA
    HttpOpenRequestW
    URLDownloadToFileW
    URLDownloadToCacheFileW
    URLOpenStreamW
    URLOpenBlockingStreamW
    bind
    connect
    GetAsyncKeyState
    GetKeyState
    GetKeyboardState
    GetRawInputData
    SetWindowsHookExA
    SetWindowsHookExW
    keybd_event
    PrintWindow
    FindWindowA
    FindWindowW
    FindWindowExA
    FindWindowExW
    AttachThreadInput

Configuration files:
    BSA.DAT                    -> Registry/File watch points.
    config\APIExclude.TXT      -> APIs to exclude.
    config\MA-Calc.ini         -> Risk calculation thresholds.
    config\MA-RATINGS.INI      -> Security rating for each event.
    config\RegistryExclude.TXT -> Registry entries to exclude.
    config\WindowMessages.TXT  -> Window messages to exclude.

   
Apart from that, it gathers several analysis tools in one place, such as the RegHive explorer
and the Pcap explorer. It is nice.

It uses threshold-based risk calculation: once at least the configured minimum number of High/Medium/Low events has been seen, it reports the corresponding risk level.
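As an added illustration (not BSA's own code) of how hooked-API reports become rated events and then a risk level, the Python below maps a few of the hooked APIs listed above to the event names BSA uses and applies threshold rules. The log-line shape, the API-to-event mapping, the severities and the thresholds are all constructed here, since the real MA-RATINGS.INI and MA-Calc.ini formats are not shown on this page.

```python
from collections import Counter

# Constructed API -> event mapping (API names from the hook list, event names
# from the event list); the real mapping is internal to BSA.
API_TO_EVENT = {
    "GetAsyncKeyState": "Keylogger functionality",
    "InternetOpenUrlW": "Internet connection",
    "IsDebuggerPresent": "Usage of anti-malware analyzer routines",
    "GetUserNameW": "Retrieve user name information",
}
# Constructed severities, standing in for config\MA-RATINGS.INI (format assumed).
RATINGS = {
    "Keylogger functionality": "High",
    "Internet connection": "Medium",
    "Usage of anti-malware analyzer routines": "Medium",
    "Retrieve user name information": "Low",
}
# Constructed thresholds, standing in for config\MA-Calc.ini (format assumed):
# tried most severe first; a rule matches when every minimum count is met.
THRESHOLDS = [
    ("High", {"High": 2}),
    ("High", {"High": 1, "Medium": 2}),
    ("Medium", {"Medium": 1}),
    ("Low", {"Low": 1}),
]

def events_from_log(lines):
    """Map "API|argument" hook-log lines (constructed shape) to distinct events."""
    events = set()  # an event counts once, however often its API was called
    for line in lines:
        api = line.split("|", 1)[0].strip()
        if api in API_TO_EVENT:  # unmapped APIs are simply ignored
            events.add(API_TO_EVENT[api])
    return events

def risk_level(events):
    """Count events per severity and return the first threshold rule satisfied."""
    counts = Counter(RATINGS[e] for e in events if e in RATINGS)
    for level, minimum in THRESHOLDS:
        if all(counts[sev] >= n for sev, n in minimum.items()):
            return level
    return "None"

SAMPLE_LOG = [  # constructed, not captured from a real BSA run
    "GetAsyncKeyState|",
    "GetAsyncKeyState|",
    "InternetOpenUrlW|http://example.invalid/",
    "IsDebuggerPresent|",
    "GetUserNameW|",
]
```

With the sample above the single High event plus two Medium events satisfy the second rule, so `risk_level(events_from_log(SAMPLE_LOG))` reports High.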

List of events:
    Analyzed file deletes itself
    Backdoor functionality
    Bad digital signature
    Creation of Alternate Data Streams
    Creation of conflictive names
    Creation of events
    Creation of hidden files/folders
    Creation of processes
    Creation/modification of Autostart file
    Creation/modification of defined file type
    Creation/modification of defined file type in Autostart location
    Creation/modification of defined file type in Windows folder
    Creation/modification of defined registry Autostart location
    Creation/modification of defined registry entry
    Creation/modification of file in defined folder
    Creation/opening/starting of services
    Direct disk writing
    End Windows session
    Enumerate running processes
    Injection of code
    Internet connection
    Keyboard/mouse simulation input
    Keylogger functionality
    List entry names in a remote access phone book
    Load system drivers
    Localhost connection
    Modification of hosts file
    Modification of privileges
    Perform network share operations
    Private network connection
    Retrieve system default language ID
    Retrieve user name information
    Retrieve volume information
    Usage of anti-malware analyzer routines
    Retrieve computer name information
    TLS hooks
    Escalate process to system critical status
    Terminate Process

In the end, the malicious actions it can detect are:
    Defined file type created or modified in Windows folder
    Defined file type created or modified
    Defined file type created or modified in Autostart location
    Defined AutoStart file created or modified
    Defined registry AutoStart location created or modified.
    Simulated keyboard or mouse input
    Connection to Internet
    Attempt to load system driver
    Attempt to end Windows session
    Start a service
    Hosts file modified
    Keylogger activity
    Backdoor activity
    Malware Analyzer detection routine
    Creation or opening of a service or event
    Custom folder/registry entry
    Network shares access
    Assorted suspicious actions

This entry was posted in Malware, Malware Analyzer.