I wrote an article about Sandboxie and its add-ons in the past, but I feel that such a powerful security tool deserves a more in-depth review. I run a small computer business, and it is not rare for people to call me or come to me asking for advice on how to remove some malware from their computer, so I am not short of malware samples to analyze. I always ask people when the infection occurred and what they did just before they got the malware, trying to track down the infection source. Unfortunately, very often the reason people get their computers infected is themselves. People's behaviour on the Internet is rather different from their behaviour in real life.
People like to download cracked software from untrusted and unverified sources, like free sexy videos, or like to click on catchy sexy videos and photos of naked girls on Facebook. In real life not everyone would dare to steal things or to take looong looong looks at sexy girls on the street, but on the Internet people hide behind their computer screens. Well, sometimes you must pay the price for not being so wise. Don't get me wrong, I'm a normal man and I also like sexy videos and naked girls (NOT Facebook girls!), but I like a clean computer too, because I know that my online private life and my bank accounts depend on it.
Furthermore, I am aware of the limitations of antivirus software: according to NSSLabs, 50,000 new malware samples are detected every day, and when it comes to these new variants the traditional signature-based detection method is inexorably destined to fail.
Source : NSSLabs report
Enterprises are most at threat from fresh customized malware. Security companies share malware samples, but if no company sees or detects the malware, it could quietly circulate and potentially infect machines, stealing data. Even if it is undetected for only a short period of time, that is still enough of a window to infect a corporate network. As many as 50,000 new malicious programs are detected every day.
Malware authors make every possible effort to make their malware FUD (Fully Undetectable) by antivirus products, and they often succeed. Simple, free security tools such as start-up entry checkers, network and process monitors, online malware analyzers or sandboxes reveal the presence of malware or help us prevent its installation. In my ranking of security tools, Sandboxie occupies one of the highest positions for its benefits: it runs any program, including the web browser, in an isolated environment where file and registry writes are redirected into the sandbox folder, so no permanent change to the system is possible and any accidentally loaded malware cannot harm it. Keep in mind that Sandboxie is not a virtual machine: a sandbox escape through a kernel or Sandboxie vulnerability remains possible, so truly hostile samples are better analyzed inside a dedicated virtual machine as well.
Running a sandboxed web browser, you can delete all browsing history and cookies with one mouse click, by emptying the sandbox folder. Besides that, one of the most interesting uses of Sandboxie is testing and analyzing programs you do not fully trust.
The infection source on a customer's computer was a modified version of the AVG Antivirus 8.0 installer, downloaded from a warez blog. The funny thing is that AVG offers its Anti-Virus Free Edition at no cost; only AVG Internet Security has to be paid for. From the start, I found it odd that a Microsoft self-extractor package was used as the installer:
OK, let's go further and test the application. First I open Buster Sandbox Analyzer, BSA for short, a tool that monitors the behaviour of sandboxed applications and the file and registry changes they make (inside the sandbox) and, based on these, evaluates the security risk. The tool and installation instructions can be found on the official site, http://bsa.isoftware.nl, or on the Sandboxie support forum. It is a good idea to use this tool, as it saves reports of the changes made by the sandboxed application, the API calls it makes and its network traffic, if any, and overall gives a better picture of what is happening inside the sandbox.
Now that BSA is running, right-click the executable under test, select DefaultBox and then "Run Sandboxed". The installer window appears with its title between number signs ([#]), which means the application is running sandboxed:
This is a very important stage, because all the possible malware can be found in the temporary folder of the sandbox. While an infected installer runs, the embedded executables are dropped into that temporary folder. From there they can be copied somewhere else, submitted to online file analyzers such as Anubis or virustotal.com, or analyzed further yourself. Be very careful not to run them accidentally, and keep in mind that many new trojans carry an anti-Sandboxie, anti-VMware (virtual machine) or even anti-virustotal.com module and stop executing as soon as they detect an analysis environment, showing the user an execution error.
The code in these anti-analysis modules is rather simple. It checks environment details: the full path of the executable, window titles, its own file name (online analyzers very often rename the submitted file to sample.exe), running processes (for example whether filemon.exe or regmon.exe is running) and loaded modules. For example, there is anti-Sandboxie code that calls the GetModuleHandle function to check whether SbieDll.dll is loaded: if it is, the executable is sandboxed and GetModuleHandle returns a handle to the module, otherwise it returns 0 (NULL).
Now, let's dig into the sandbox. What can be found there? I made screenshots with the full folder paths for a better understanding:
The IXP001.TMP folder is where a Microsoft self-extractor package unpacks its payload before running it, and its content is very interesting:
You don't need to be an expert to know that server.exe is a dubious program. The vast majority of new trojans and other malware work on a client-server principle: the server runs inside the infected computer and supplies data, files or information on the attacker's instructions, in the same way a web site lets you view pages, navigate through them and download or upload files. Of course, trojans can have any other name, in many cases one that imitates a legitimate file, such as ipodservice.exe, taskmrg.exe (note the difference from the real taskmgr.exe, chosen to avoid a conflict with the existing file) or servicess.exe, but in this case the attacker did not bother to rename it "better": its name is simply server.exe. Look at what else I found in the sandbox folder C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS:
A lot of dubious executable files, and here:
Another suspect file, host.exe, only 231 bytes in size?!? I use a good, free executable viewer named CFF Explorer; it has PE editing capabilities, a hex editor, section and resource editors, a process and driver viewer, a memory dumper and even a basic disassembler for 32-bit, 64-bit and .NET files. Let's continue: from the context menu (right-click) choose Open with CFF Explorer and click Hex Editor to get a picture of this fake executable, host.exe.
As you may know, every real executable must begin with the legendary MZ letters, but this one seems to be an HTML document with an .exe extension. However, a URL can be made out:
http://sites.google.com/site/zeroburn000/host.exe
and if you put this in the browser address bar and navigate there, another host.exe file is served for download, certainly a real malware executable, 23 KB in size. The type of malware found in the analyzed installer is called a downloader trojan: it downloads and runs, without your knowledge, another trojan or several other pieces of malware from the web, causing multiple and deeper infections of your system. So far we have found two trojans. First, server.exe from the sandbox temporary folder:
CRC32: 3230623B
MD5: C9066075AF479151FF6A4B48B4A318BC
SHA-1: CEBC95BD98BF6E44AF3BBFDB83E51EB3BF01B010
Here is the virustotal.com analysis report.
And now host.exe downloaded by me from the web for analysis :
CRC32: AFEE0DC1
MD5: 9097F72708417DDB609066C052B510F5
SHA-1: 369D10ECDEF0CA1D3F5B33B47186F46E884C68D0
Here is the virustotal.com report.
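The manual steps above (dig through the box, hash the dropped files, spot the fake executable and read the URL out of it) as one script. This is an added example, not code from the article, from Sandboxie or from BSA. It assumes a Sandboxie 3.x layout, where the box's virtual C: drive is the drive\C folder shown in the screenshots; the HTML sample in the test and the example.invalid URL are constructed, not the real host.exe from the page.

```python
"""Triage of files dropped in a Sandboxie box.

Added example. Hashes every file the way the article lists them (CRC32, MD5,
SHA-1), checks for a valid MZ/PE header, and pulls URLs out of "executables"
that are really text, like the 231-byte host.exe.
"""
import hashlib
import os
import re
import struct
import sys
import zlib
from typing import Dict, List

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def classify(data: bytes) -> str:
    """'pe'       : MZ header whose e_lfanew points at the 'PE\\0\\0' signature
       'mz-no-pe' : MZ header without a PE header (DOS stub, truncated or corrupt)
       'text'     : mostly printable content (HTML, scripts, ...)
       'binary'   : anything else"""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # IMAGE_DOS_HEADER.e_lfanew
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-no-pe"
    head = data[:512]
    if head and sum(32 <= b < 127 or b in (9, 10, 13) for b in head) / len(head) > 0.95:
        return "text"
    return "binary"


def file_hashes(data: bytes) -> Dict[str, str]:
    """The three hashes the article reports, upper-case hex like CFF Explorer shows them."""
    return {
        "CRC32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA-1": hashlib.sha1(data).hexdigest().upper(),
    }


def triage_bytes(name: str, data: bytes) -> Dict[str, object]:
    """Classify and hash one dropped file; flag text files wearing an executable extension."""
    kind = classify(data)
    rec: Dict[str, object] = {"name": name, "size": len(data), "kind": kind, **file_hashes(data)}
    # The downloader pattern from the article: the "executable" is a text
    # file whose only job is to point at the real payload's URL.
    rec["fake_executable"] = kind == "text" and name.lower().endswith(EXEC_EXTENSIONS)
    if kind == "text":
        rec["urls"] = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
    return rec


def triage_tree(root: str) -> List[Dict[str, object]]:
    """Triage every file below root, e.g. C:\\Sandbox\\<user>\\DefaultBox\\drive\\C."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                records.append(triage_bytes(os.path.relpath(path, root), fh.read()))
    return records


if __name__ == "__main__":
    for rec in triage_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "  FAKE-EXE" if rec["fake_executable"] else ""
        print(f"{rec['kind']:8} {rec['size']:>8} {rec['SHA-1']} {rec['name']}{flag}")
        for url in rec.get("urls", []):
            print(f"{'':8} {'':>8} downloads from {url}")
```

Run it against the box folder before closing the sandboxed programs (or with BSA's "Keep Sandbox Files" option), because Sandboxie empties the temporary folder once the last sandboxed process exits; the printed SHA-1 values can then be pasted straight into virustotal.com without uploading anything.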
As you can see in the report, not all antivirus engines detect this trojan, only 77% of them, and this is a lucky case; bear in mind that with brand-new trojans there is a real possibility that none of the antivirus products detect it. Well-known antimalware products such as SUPERAntiSpyware, ClamAV or DrWeb fail to detect this malware even now. OK, now I terminate all the sandboxed processes; let's see what BSA reports. First, the Malware Analyzer module:
Details, in a partial screenshot to keep the image small:
The conclusion is that Buster Sandbox Analyzer does its job very well: it detected several malicious activities in the sandbox, all without any risk of getting our system infected. It also has a file-changes and registry-changes viewer, an online-analyzer file submitter, a registry hive viewer (for the registry entries newly created in the sandbox) and many other tools. After all programs in the sandbox are closed, the content of the temporary folder is deleted automatically (BSA can keep a copy of the sandbox contents if you need the dropped files later), but we have seen all the actions and can reach a conclusion about the analyzed software.
I hope you now understand why I consider Sandboxie such a powerful security tool.
Keep safe !
so, you like naked girls…. why, are they cleaning your computer?
Glad you like Buster Sandbox Analyzer. 😉
Congratulations on your article, it's very complete and interesting.
I would like to comment that, as you wrote, there is anti-Sandboxie code, and that's why BSA includes countermeasures to hide Sandboxie from malware. These countermeasures are applied in two steps:
1) Injecting LOG_API.DLL
2) Using HideDriver
Most malware will be unable to detect Sandboxie's presence when we use both procedures.
It's also interesting to mention the use of the packet sniffer (WinPcap installation is required). With the packet sniffer we can know which sandboxed application made connections, from which port, to which port, and to which IP address.
I guess we could write a book about the use of Buster Sandbox Analyzer and all its functions, because it has many, many possibilities.
If anyone has a doubt, he can mail me or make a post on Sandboxie's forum.
Regards.
This is the best and most extensive coverage of SandboxIE and Buster Sandbox Analyzer I have seen!
I have started to install my programs in their individual sandboxes and run them from there.
I have not used BSA as yet, but your article makes it a lot more likely I will.
One thing I learned from Tzuk is that a sandboxed application can be copied and used with a sandbox on another PC. This is a sort of portable application, just between SandboxIE installs.
Many thanks,
Jerry
onlinejobs, why is your website ranked as “Phishing or other scams”?
A very nice article. Every time I check your blog I find an original perspective. Furthermore, as a new developer, I have to say that the structure of your site rocks. Can you post the name of the theme?
Released Buster Sandbox Analyzer 1.33.
Changes:
+ Added a feature to run BSA from command line in automatic mode
+ Added Exeinfo support
+ Added extra information of dropped files
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed a bug
Released Buster Sandbox Analyzer 1.36.
Changes:
+ Added support for ssdeep
+ Improved the support for DLL files
+ Report information can be selected individually
+ Updated BSA.DAT
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.37.
Changes:
* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs
Part of the improved hiding feature is the possibility of naming LOG_API.DLL with the file name you prefer.
Risk evaluation was removed from the malware analysis report because it was too misleading. Probably I will reintroduce the feature in the near future, but in a different format.
Hey, I never really posted here, but these days I want to thank you for doing such excellent work.
Released Buster Sandbox Analyzer 1.38.
Changes:
+ Added risk evaluation module
+ Added several improvements
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.39.
Changes:
+ Fixed several bugs.
Released Buster Sandbox Analyzer 1.40.
Changes:
+ Usability improvement in File Hash, File Scanner, File Signature and automatic analysis features: last used folder will be remembered
+ Usability improvement in File Hash, File Scanner and File Signature features: added drag and drop support
+ Added Exeinfo support to File Signature feature
+ Improved File Hash feature: all hashes can be checked at VirusTotal at once, VirusTotal reports can be saved to disk
Released Buster Sandbox Analyzer 1.42.
Changes:
+ Added a feature to capture screen in video (VLC installation required)
+ Added a feature to report direct disk writing attempts (Sandboxie 3.59.01 or newer version required)
+ Fixed a bug
Great review! It totally reveals the power of using Sandboxie alongside BSA (and even with WinPCap.) Will be adding it to the arsenal.
Thanks.
P.S., those asking about the theme used should be viewing the page source. It appears to be FreshLife: http://www.freshthemes.com/demo/freshlife/
Released Buster Sandbox Analyzer 1.44.
Changes:
+ Changed the feature to not show UDP packets: now the feature will ignore UDP packets from PCAP captures and reports
+ Added a feature to minimize BSA when the feature to do video capture is enabled
+ Added a feature to compress to ZIP sandbox folder contents when “Keep Sandbox Files” is enabled
+ Added information related to date of submission in VirusTotal reports
+ Added several improvements
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.45.
Changes:
+ Added a feature to produce reports in PDF format
+ Added support for new malware behaviours: get volume information, alternate data stream creation
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.46.
Changes:
+ Added a feature to include information from reports into a SQL database
+ Added a custom manager for BSA's SQL Database
+ Added a feature to load and save settings from file on demand
+ Added a feature to set a number of retries if connection to VirusTotal fails
+ Added a feature to launch automatically Explorer.exe in automatic mode
+ Added a feature to skip already processed files in automatic mode
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.47.
Changes:
+ Added a feature to run BSA in automatic mode, monitoring a folder for new files to analyze
+ Added a feature to avoid processing files from a whitelist
+ Improved analysis cancel event
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.48.
Changes:
+ Added PDF statistics feature
+ Added support for a new malware behaviour: get computer name
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.49.
Changes:
+ Added support for XML reports
+ Added support for TLS hooks detection
+ Improved PDF Statistics
+ Updated LOG_API verbose versions to include FindFirst/NextFile support
+ Updated support for new VirusTotal web service
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.50.
Changes:
+ Added multi-language support
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.51.
Changes:
+ Added a custom driver to hide Sandboxie's processes
+ Removed Hide Driver from package
+ Included new malware behaviour
+ Added File Renamer feature to utilities section
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.52.
Changes:
+ Added support for HTML reports
+ Added a feature to remove sandbox folder contents automatically in manual mode
+ Included new malware behaviour
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.53.
Changes:
+ Added a new entry section to BSA.DAT: [Process_Code_Injection]
+ Added a new feature to dump executable processes in automatic mode
+ Added a feature that allows the user to select what behaviours must appear in the analysis report
+ Updated “Risk Evaluation Ratings”
+ Included new malware behaviour
+ Updated LOG_API
Released Buster Sandbox Analyzer 1.54.
Changes:
+ Added a new entry section to BSA.DAT: [File_Strings]
+ Added a feature to search for defined strings inside analyzed file
+ Improved “Dump Executable Processes” feature
+ Included new malware behaviour
+ Updated LOG_API
+ Added Portuguese (Brazil) language translation (thanks to Paulo Guzman)
Released Buster Sandbox Analyzer 1.55.
Changes:
+ Added Adobe Malware Classifier information
+ Included new malware behaviour at “Risk Evaluation Ratings”
Released Buster Sandbox Analyzer 1.56.
Changes:
+ Added the ability to run multiple analyses at the same time
+ Added new malware behaviours
+ Updated LOG_API
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Added Russian language translation (thanks to gjf)
Released Buster Sandbox Analyzer 1.57.
Changes:
+ Added a feature to extract used APIs from dumped files
+ Added a feature to extract strings from dumped files
+ Added new malware behaviour
+ Fixed a bug
Released Buster Sandbox Analyzer 1.58.
Changes:
+ Added new malware behaviours
+ Added a feature to analyze automatically a file from shell menu
+ Added a feature to generate additional information from analyzed executable files
+ Added the option of deleting analyzed file at “Manage Processed file” feature
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Included Signsrch tool by Luigi Auriemma
+ Updated LOG_API
+ Updated Exeinfo to version 0.0.3.0
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.59.
Changes:
+ Updated LOG_API
+ Updated PEiD’s USERDB.TXT
+ Fixed several bugs
Note: This version contains important bugfixes.
Released Buster Sandbox Analyzer 1.60.
Changes:
+ Added a feature to analyze URLs
+ Added an option at “SQL > Report Manager” feature to import records from an external database
+ Added support for JSON reports
+ Added a feature to avoid screensaver activation while an analysis is being performed
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.61.
Changes:
+ Added a feature at “Risk Evaluation Ratings” to show hints related to malware behaviours
+ Modified the layout to show separately the file being processed from the number of files left to be processed
+ Added new malware behaviours
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.62.
Changes:
+ Added a feature to patch LOG_API automatically
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.63.
Changes:
+ Added “Aggressive Window Closer” feature
+ Added a feature to restore display settings if changed while analysis
+ Added new malware behaviours
+ Improved “Additional Information” feature
+ Improved multiple malware analyses feature
+ Improved “Automate Setups” feature
+ Improved the speed processing certain files
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.64.
Changes:
+ Added new malware behaviours
+ Improved “Hide Driver “ manager
+ Improved anti anti-Sandboxie capabilities
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.66
Changes:
+ Added new malware behaviours
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Improved “Dump Executable Processes” feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.67.
Changes:
+ Improved “[File_Strings]” section at BSA.DAT
+ Added “[Custom_LogAPI_Entries]” section to BSA.DAT
+ Added support for wildcards in RegistryExclude.TXT
+ Added support for Hexacorn's HexDive tool
+ Added new malware behaviours
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Added LOG_API support for 64-bit applications
Released Buster Sandbox Analyzer 1.68.
Changes:
+ Added support to analyze URLs from command line
+ Added support for FakeNet
+ Updated ssdeep tool to version 2.8
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.69.
Changes:
+ Added a feature to generate statistics
+ Updated “Report Manager” feature
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.70.
Changes:
+ Added new malware behaviours
+ Improved “Additional Information” feature
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Added German language translation (thanks to AV-Comparatives)
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated HexDive
+ Updated SIGNSRCH.SIG
Released Buster Sandbox Analyzer 1.71.
Changes:
+ Added new malware behaviours
+ Added BSA_USER.DAT feature
+ Improved “Dump Executable Processes” feature
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated Exeinfo
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.72.
Changes:
+ Added wildcard support for FileExclude.TXT and APIExclude.TXT
+ Updated Exeinfo
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.73.
Changes:
+ Added “Launch Internet Explorer” feature
+ Added new malware behaviours
+ Improved “Report Manager” feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.74.
Changes:
+ Added functionalities to locate bugs
+ Added analysis duration information to reports
+ Removed the option to include version information
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.75.
Changes:
+ Updated HexDive to version 0.4
+ Removed functionalities to locate bugs
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.76.
Changes:
+ Added a feature to check for API hooks
+ Added “Launch Custom Applications” feature
+ Added new malware behaviours
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Removed “Launch Internet Explorer” and “Launch Windows Explorer” features
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.77.
Changes:
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.78.
Changes:
+ Added a feature to specify report folder in automatic mode
+ Improved “URL Analyzer” feature
+ Improved command line feature
+ Removed “Save Settings on Exit” feature
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.79.
Changes:
+ Added “Edit BSA_USER.DAT” feature
+ Improved typical error problem checkings
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated malware behaviors
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.80.
Changes:
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Updated “URL Analyzer” feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Updated malware behaviors
+ Updated HexDive
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.81.
Changes:
+ Updated LOG_API
+ Updated “URL Analyzer” feature
+ Updated “Check for Updates” feature
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.82.
Changes:
+ Added a feature to analyze Android applications
+ Added new malware behaviours
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Improved “Run Custom Command On Finish” feature
+ Updated LOG_API
+ Updated HexDive to version 0.6
+ Updated ExeInfo to version 0.0.3.2
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.83.
Changes:
+ Added new malware behaviours
+ Added the possibility of including comments in BSA.DAT
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Optimized file string search
+ Updated BSA.DAT
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.84.
Changes:
+ Added “[Custom_File_Entries]” section to BSA.DAT
+ Added a feature to extract files from PCap files in automatic mode
+ Added new malware behaviors
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ GUI has been redesigned
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.85.
Changes:
+ Added a feature to run setups silently, if possible, in automatic mode
+ Added a feature to view the malware analysis on finish in manual mode
+ Added a feature to save connection information to a CSV file in the “Pcap Explorer” feature
+ Added a feature to refresh the BSA window
+ Removed several program dependencies (REG.EXE, STRINGS.EXE, …)
+ DAT files moved to the “DATA” folder
+ Improved “File Strings” feature
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.86.
Changes:
+ LOG_API completely rewritten and improved
+ Added “Use Deep Dump Method” feature
+ Added “Send a Return Every 10 seconds” feature
+ Added a feature to show all logged APIs
+ Added a feature to save connection information to HTML file in “Pcap Explorer” feature
+ Added new malware behaviors
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Updated “Process Explorer” feature
+ Updated BSA.DAT
+ Updated PEiD's USERDB.TXT
+ Updated Exeinfo's Ext_Detector.DLL
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.87.
Changes:
+ Added new malware behaviors
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Improved “Include VirusTotal Malware Information of Dropped Files” feature
+ Updated XML and Json format schemas
+ Updated LOG_API
+ Updated BSA.DAT
+ Fixed several bugs
Released Buster Sandbox Analyzer 1.88 – Final Release
Changes:
+ Added support for MAEC 3.0 reports
+ Fixed VirusTotal report information