
[MUST READ] Sandboxie and Buster Sandbox Analyzer. [Almost no tuts on BSA!]
Hi guys,

This is Bling111's tutorial about analyzing malware with Sandboxie + Buster Sandbox Analyzer. This tutorial is 100% made by me, but the tools you find in this thread are not mine and I give full credit to their creators. This method does not give a 100% guarantee that a file is not infected, so never rely on this tool alone. If you want to be sure, PM me and I will analyze the file for you for free. I am aware there are many tutorials about Sandboxie, but this tutorial is more about Buster Sandbox Analyzer, which is very helpful, so this is a must read for anyone. Sit back and enjoy this tutorial!

First thing we need to do is download Sandboxie from here:

Code:
http://www.sandboxie.com/SandboxieInstall.exe

This is from the original site, so it is malware free. Double click "SandboxieInstall.exe"; it is located at the path you chose when you downloaded it. Just follow the setup. I do not expect problems at this point, so I move quickly here.

You now have to download BSA (Buster Sandbox Analyzer) from the following URL:

Code:
http://bsa.isoftware.nl/bsa.rar

This is again from the original site, so it is 100% malware free. The application is portable, which means it doesn't need to be installed. Extract the archive with your favorite extractor, for example WinZip, WinRAR or 7-Zip.

[Image: 07lwT.png]

First we are going to configure Sandboxie. Open Sandboxie Control as shown above.

[Image: V4alR.png]

Open "Sandboxie Control". You should see the screen shown in the picture. Go to "Sandboxie Control" -> "Configure" -> "Edit Configuration". Sandboxie now opens a text file with configuration you don't need to understand. I get the following:

Code:
[GlobalSettings]

Template=7zipShellEx
Template=AdobeAcrobatReader
Template=OfficeLicensing

[DefaultBox]

ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
Enabled=y

[UserSettings_4BC00582]

SbieCtrl_UserName=administrator
SbieCtrl_NextUpdateCheck=865303913584
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_ShowWelcome=n
SbieCtrl_WindowLeft=306
SbieCtrl_WindowTop=228
SbieCtrl_WindowWidth=660
SbieCtrl_WindowHeight=450
SbieCtrl_ActiveView=40022
SbieCtrl_ColWidthProcName=250
SbieCtrl_ColWidthProcId=70
SbieCtrl_ColWidthProcTitle=310
SbieCtrl_BoxExpandedView_DefaultBox=y
SbieCtrl_EditConfNotify=n

We have to paste some lines in to let Sandboxie know it has to cooperate with BSA. We have to paste the following:

Code:
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

The first line defines the path where you saved the BSA folder. In this case I saved the whole folder in "C:". You have to edit it to the path where you saved the folder. If I had saved it on the D drive under Program Files, the first line would be:

Code:
InjectDll=D:\Program Files\log_api.dll

Paste the lines exactly where I pasted them; in the example below they go directly underneath "Enabled=y":

Code:
[GlobalSettings]

Template=7zipShellEx
Template=AdobeAcrobatReader
Template=OfficeLicensing

[DefaultBox]

ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
Enabled=y
InjectDll=c:\bsa\log_api.dll
OpenWinClass=TFormBSA

[UserSettings_4BC00582]

SbieCtrl_UserName=administrator
SbieCtrl_NextUpdateCheck=865303913584
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_ShowWelcome=n
SbieCtrl_WindowLeft=306
SbieCtrl_WindowTop=228
SbieCtrl_WindowWidth=660
SbieCtrl_WindowHeight=450
SbieCtrl_ActiveView=40022
SbieCtrl_ColWidthProcName=250
SbieCtrl_ColWidthProcId=70
SbieCtrl_ColWidthProcTitle=310
SbieCtrl_BoxExpandedView_DefaultBox=y
SbieCtrl_EditConfNotify=n

Save the changes and you are done on the Sandboxie side!
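As an added example (not part of the original post, and not code from Sandboxie or BSA), the following Python function makes the edit above for you: it walks the Sandboxie.ini text, adds `InjectDll=<bsa folder>\log_api.dll` and `OpenWinClass=TFormBSA` directly under `Enabled=y` in `[DefaultBox]`, and leaves the file alone if both lines are already there. The sample text and the `c:\bsa` folder are constructed; reading and writing the real file is left to the caller (the real Sandboxie.ini is a Unicode text file on disk, so open it with the matching encoding).

```python
import ntpath

# Constructed sample: a trimmed copy of the Sandboxie.ini shown in this thread
SAMPLE_INI = """[GlobalSettings]

Template=7zipShellEx

[DefaultBox]

ConfigLevel=7
AutoRecover=y
Enabled=y

[UserSettings_4BC00582]

SbieCtrl_UserName=administrator
"""


def _section_of(line):
    """Return the section name if this line is a [Section] header, else None."""
    s = line.strip()
    if s.startswith("[") and s.endswith("]"):
        return s[1:-1]
    return None


def add_bsa_settings(ini_text, bsa_dir, box="DefaultBox"):
    """Return ini_text with the two BSA lines added to the [box] section.

    Sandboxie.ini repeats keys (Template=, RecoverFolder=), so configparser
    would merge or reject them; the text is edited line by line instead.
    The lines go directly after 'Enabled=y', as in the tutorial, or at the
    end of the section if that line is absent. Lines that are already
    present are not duplicated, so the function can be run more than once.
    """
    dll_path = ntpath.join(bsa_dir, "log_api.dll")   # Windows-style path
    wanted = [f"InjectDll={dll_path}", "OpenWinClass=TFormBSA"]
    lines = ini_text.splitlines()

    # Pass 1: which of the wanted lines does [box] already contain?
    section, present = None, set()
    for line in lines:
        sec = _section_of(line)
        if sec is not None:
            section = sec
        elif section == box:
            present.add(line.strip().lower())
    missing = [w for w in wanted if w.lower() not in present]
    if not missing:
        return ini_text

    # Pass 2: insert the missing lines at the right spot
    out, section, done, saw_box = [], None, False, False
    for line in lines:
        sec = _section_of(line)
        if sec is not None:
            if section == box and not done:
                # [box] ended without Enabled=y: append before its trailing blanks
                blanks = []
                while out and out[-1].strip() == "":
                    blanks.append(out.pop())
                out.extend(missing)
                out.extend(blanks)
                done = True
            section = sec
            saw_box = saw_box or sec == box
        out.append(line)
        if section == box and not done and line.strip().lower() == "enabled=y":
            out.extend(missing)
            done = True
    if not saw_box:
        raise ValueError(f"section [{box}] not found in Sandboxie.ini")
    if not done:                       # [box] was the last section
        out.extend(missing)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_bsa_settings(SAMPLE_INI, r"c:\bsa"))
```

Because the function refuses to duplicate lines and raises if the box does not exist, it is safe to run again after you move the BSA folder: fix the path argument, re-run, and check the `InjectDll=` line actually points at an existing `log_api.dll` before starting an analysis.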

Now we will configure BSA. Open BSA by double clicking the file named "BSA.exe" in the folder you extracted. If you get an error message saying you are missing files, check the folder named "PCAP" within the BSA folder and copy the missing files to the folder where BSA.exe is located.

[Image: IQA7u.png]

This is the screen you will see first. We have to enter a path at "Sandbox folder to check", underlined in red in the picture. To find out which path we need to enter, we first have to run something sandboxed. We do this by right clicking on any file and then clicking "Run Sandboxed".

[Image: Gha7s.png]

You get a message. Just click on "Default Box" and then press "Ok". You now notice the program you ran opens! The great thing about Sandboxie is that every program you run is kept in an isolated area on your computer, so it cannot harm your computer. Malware is sometimes able to avoid showing its behaviour in Sandboxie, but it is not able to actually infect you. If you do not get what Sandboxie does, visit this site:

Code:
http://www.sandboxie.com/

You saw that the program you ran sandboxed has started, but where is Sandboxie? It is hidden in the system tray.

[Image: Dag9c.png]

To open Sandboxie, simply double click the system tray icon. We do not want that yet; first we want to find the path we need. Right click on the system tray icon --> "DefaultBox" --> "Explore Contents", as shown in the picture. First we get a pop-up; you just have to click "Ok". The folder that opens is the path we need, so just copy and paste the path of the folder that just opened. In my case it is:

Code:
C:\Sandbox\Administrator\DefaultBox

Paste this path into the "Sandbox folder to check" field shown a few steps back. Before we start running files we have to press "Start Analysis" in BSA. You will probably get an error message saying "Sandbox folder not empty!". Don't worry, just press "Delete Sandbox Folder contents and continue". Now we are ready to run a file you think might be infected, sandboxed as shown a few steps back. Let it run for about 10 seconds or so, then press "Terminate All Programs" by right clicking the Sandboxie icon in the system tray.

[Image: kMwZC.png]

Now go back to BSA and click "Finish Analysis", then click "Malware Analyzer". You will get loads of information about the program you have just run. Take a look at it; I don't think I have to explain everything.

[Image: 2hOfr.png]

You can also click on "Details" to get more information. This is not all! Navigate to BSA's folder and open the folder called "Reports". In that folder are three important text files:

Code:
FileDiff.txt
RegDiff.txt
Report.txt

FileDiff.txt shows you a report where you can see which files the application 'dropped', that is, the files the application created. For example, if I run a file that creates a worm and saves it to C:, I can see in the results that it dropped the worm. This is an example log from FileDiff.txt:

Code:
= C:\file1.exe
= C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

That is a normal log. There could be a big list, but there also might be an empty log. In this log we see that the application I ran created two files: one named "file1.exe" located in C:\ and one called "GDIPFONTCACHEV1.DAT" located in C:\Documents and Settings\Administrator\Local Settings\Application Data\.

Next we have RegDiff.txt. This log shows us all changes made to the registry. If you do not know what the registry is, I advise you to take a look at this page:

Code:
http://en.wikipedia.org/wiki/Windows_Registry

This is a normal RegDiff.txt log:

Code:
machine\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C} = deleted registry key
machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = empty value key
machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\file1.exe = C:\file1.exe:*:Enabled:Windows Messanger
machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\local.exe = C:\Documents and Settings\Administrator\Application Data\local.exe:*:Enabled:Windows Messanger
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14739e38-6a96-11e0-9493-0018e73f9a1b}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{568ddc6e-021b-11e0-9174-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589c60c2-021f-11e0-9386-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589c60c3-021f-11e0-9386-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589c60c4-021f-11e0-9386-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData = C:\Documents and Settings\Administrator\Application Data
user\current_classes\*\shell\sandbox = deleted registry key

This might be a bit confusing if you do not know much about the registry. If this is the case you should look up some information about the registry. It would be too much to explain in this thread.
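To make the two diff files less confusing, here is an added example (my own code, not part of the original post or of BSA) that parses FileDiff.txt and RegDiff.txt and sorts every entry into "high", "medium" or "info". The samples are constructed from the two logs shown above. The rules separate the entries that matter in this run (a dropped `.exe`, changes under the Windows Firewall policy keys) from housekeeping that shows up in almost every sandboxed run (`MountPoints2`, `Shell Folders`, the GDI+ font cache, and Sandboxie's own `shell\sandbox` context-menu key). The `Run`/`RunOnce` rule goes beyond this thread's logs; it is a general autostart location, added so the same script is useful on other samples.

```python
import ntpath
import re

# Constructed samples, copied from the FileDiff.txt / RegDiff.txt shown in this thread
FILEDIFF_SAMPLE = r"""= C:\file1.exe
= C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
"""

REGDIFF_SAMPLE = r"""machine\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C} = deleted registry key
machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = empty value key
machine\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\file1.exe = C:\file1.exe:*:Enabled:Windows Messanger
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14739e38-6a96-11e0-9493-0018e73f9a1b}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData = C:\Documents and Settings\Administrator\Application Data
user\current_classes\*\shell\sandbox = deleted registry key
"""

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif"}

# Entries that appear in almost every run and carry no signal on their own
NOISE_PATTERNS = [
    r"\\MountPoints2\\",        # Explorer drive-letter bookkeeping
    r"\\Shell Folders\\",       # Explorer resolving known folder paths
    r"GDIPFONTCACHEV1\.DAT$",   # GDI+ font cache written by any GUI program
    r"\\shell\\sandbox$",       # Sandboxie's own "Run Sandboxed" menu key
]

# (severity, category, pattern) rules for registry keys; first match wins
REG_RULES = [
    ("high", "firewall-policy change", r"\\FirewallPolicy\\"),
    ("high", "autorun persistence", r"\\CurrentVersion\\Run(Once)?\\"),
]


def parse_filediff(text):
    """FileDiff.txt lists one '= <path>' per file the program created."""
    return [ln.strip()[2:] for ln in text.splitlines() if ln.strip().startswith("= ")]


def parse_regdiff(text):
    """RegDiff.txt lists '<key> = <data or status>' per changed key."""
    entries = []
    for line in text.splitlines():
        if " = " in line:
            key, _, value = line.partition(" = ")
            entries.append((key.strip(), value.strip()))
    return entries


def _is_noise(path):
    return any(re.search(p, path, re.IGNORECASE) for p in NOISE_PATTERNS)


def classify_file(path):
    if _is_noise(path):
        return ("info", "expected noise", path)
    if ntpath.splitext(path)[1].lower() in EXECUTABLE_EXT:
        return ("high", "dropped executable", path)
    return ("medium", "dropped file", path)


def classify_reg(key, value):
    entry = f"{key} = {value}"
    for severity, category, pattern in REG_RULES:
        if re.search(pattern, key, re.IGNORECASE):
            return (severity, category, entry)
    if _is_noise(key):
        return ("info", "expected noise", entry)
    return ("medium", "other registry change", entry)


def triage(filediff_text, regdiff_text):
    """Return (severity, category, entry) tuples, most severe first."""
    findings = [classify_file(p) for p in parse_filediff(filediff_text)]
    findings += [classify_reg(k, v) for k, v in parse_regdiff(regdiff_text)]
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, category, entry in triage(FILEDIFF_SAMPLE, REGDIFF_SAMPLE):
        print(f"[{severity:6}] {category:24} {entry}")
```

Run it over the real files with `triage(open(r"...\Reports\FileDiff.txt").read(), open(r"...\Reports\RegDiff.txt").read())` (path to your BSA folder). On the logs above it reports three "high" findings: the dropped `file1.exe` and the two firewall-policy changes that add it as an allowed application, which is exactly what you should be reading the registry diff for.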



Last but not least we have Report.txt. This file is a general report which contains a lot of valuable information. This is an example report:

Code:
[ General information ]
   * File name: c:\documents and settings\administrator\mijn documenten\downloads\local.exe-crypted.exe
   * File length: 942680 bytes
   * MD5 hash: e4a750f92b43e4b2c48b3b321d1c1069
   * SHA1 hash: 17dba487a54dd5dd345fffb26c7e02d7645fcc56
   * SHA256 hash: a4a0ab0f19b1c48dd8bf61fb68bcaf1ab6fabf97410421be76043be8c423f4ec

[ Changes to filesystem ]
   * No changes

[ Changes to registry ]
   * Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
   * Creates value "file1.exe=C:\file1.exe:*:Enabled:Windows Messanger" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:
   * Creates value "local.exe=C:\Documents and Settings\Administrator\Application Data\local.exe:*:Enabled:Windows Messanger" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data
   * Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
   * Backdoor functionality on port 0.
   * Connects to "134.179.1.100" on port 3333.

[ Process/window information ]
   * Keylogger functionality.
   * Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-329068152-1965331169-1417001333-500".
   * Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-329068152-1965331169-1417001333-500".
   * Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-329068152-1965331169-1417001333-500".
   * Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-329068152-1965331169-1417001333-500".
   * Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-329068152-1965331169-1417001333-500".
   * Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-329068152-1965331169-1417001333-500MUTEX.DefaultS-1-5-21-329068152-1965331169-1417001333-500".
   * Creates an event named "Global\CPFATE_3020_v4.0.30319".
   * Creates process "(null),/file1.exe,(null)".
   * Creates a mutex "DC596I04Z1".
   * Disables privilege .
   * Disables privilege SeCreateTokenPrivilege.
   * Disables privilege SeAssignPrimaryTokenPrivilege.
   * Disables privilege SeLockMemoryPrivilege.
   * Disables privilege SeIncreaseQuotaPrivilege.
   * Disables privilege SeMachineAccountPrivilege.
   * Disables privilege SeTcbPrivilege.
   * Disables privilege SeSecurityPrivilege.
   * Disables privilege SeTakeOwnershipPrivilege.
   * Disables privilege SeLoadDriverPrivilege.
   * Disables privilege SeSystemProfilePrivilege.
   * Disables privilege SeSystemtimePrivilege.
   * Disables privilege SeProfileSingleProcessPrivilege.
   * Disables privilege SeIncreaseBasePriorityPrivilege.
   * Disables privilege SeCreatePagefilePrivilege.
   * Disables privilege SeCreatePermanentPrivilege.
   * Disables privilege SeBackupPrivilege.
   * Disables privilege SeRestorePrivilege.
   * Disables privilege SeShutdownPrivilege.
   * Disables privilege SeDebugPrivilege.
   * Disables privilege SeAuditPrivilege.
   * Disables privilege SeSystemEnvironmentPrivilege.
   * Disables privilege SeChangeNotifyPrivilege.
   * Disables privilege SeRemoteShutdownPrivilege.
   * Disables privilege SeUndockPrivilege.
   * Disables privilege SeSyncAgentPrivilege.
   * Enables privilege  SeEnableDelegationPrivilege.
   * Disables privilege SeManageVolumePrivilege.
   * Disables privilege SeImpersonatePrivilege.
   * Disables privilege SeCreateGlobalPrivilege/SeIncreaseWorkingSetPrivilege.
   * Disables privilege SeTrustedCredManAccessPrivilege.
   * Disables privilege SeRelabelPrivilege.
   * Disables privilege SeCreateSymbolicLinkPrivilege.
   * Disables privilege SeTimeZonePrivilege.
   * Disables privilege SeUnsolicitedInputPrivilege.
   * Creates process "(null),cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f,(null)".
   * Creates process "(null),cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\file1.exe" /t REG_SZ /d "C:\file1.exe:*:Enabled:Windows Messanger" /f,(null)".
   * Creates a mutex "SHIMLIB_LOG_MUTEX".
   * Creates process "(null),cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\local.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\local.exe:*:Enabled:Windows Messanger" /f,(null)".
   * Creates process "C:\WINDOWS\system32\reg.exe,REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f,C:\Documents and Settings\Administrator\Mijn documenten\Downloads".
   * Creates process "C:\WINDOWS\system32\reg.exe,REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\file1.exe" /t REG_SZ /d "C:\file1.exe:*:Enabled:Windows Messanger" /f,C:\Documents and Settings\Administrator\Mijn documenten\Downloads".
   * Creates process "C:\WINDOWS\system32\reg.exe,REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\local.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\local.exe:*:Enabled:Windows Messanger" /f,C:\Documents and Settings\Administrator\Mijn documenten\Downloads".

Take a look at the report; I think everything speaks for itself. There, for example, is the IP address and the port the software connects to! I know many people do not understand everything in the log, but hey, Google is your friend.
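For those who would rather not read a Report.txt by hand, here is an added example (my own code, not part of the original post or of BSA) that parses the report into its `[ ... ]` sections and pulls out the indicators worth keeping: the file hashes, the "Connects to" endpoints, the behaviour flags (keylogger, backdoor), mutexes, and every spawned process split into image, command line and working directory. It then checks the spawned processes for `REG ADD` commands against the Windows Firewall policy keys, which is what the `reg.exe` lines in the report above are doing. The sample is a shortened copy of the report shown in this thread.

```python
import re

# Constructed sample: a shortened copy of the Report.txt shown in this thread
REPORT_SAMPLE = r"""[ General information ]
   * File name: c:\documents and settings\administrator\mijn documenten\downloads\local.exe-crypted.exe
   * File length: 942680 bytes
   * MD5 hash: e4a750f92b43e4b2c48b3b321d1c1069
   * SHA1 hash: 17dba487a54dd5dd345fffb26c7e02d7645fcc56
   * SHA256 hash: a4a0ab0f19b1c48dd8bf61fb68bcaf1ab6fabf97410421be76043be8c423f4ec

[ Changes to filesystem ]
   * No changes

[ Network services ]
   * Backdoor functionality on port 0.
   * Connects to "134.179.1.100" on port 3333.

[ Process/window information ]
   * Keylogger functionality.
   * Creates a mutex "DC596I04Z1".
   * Creates process "(null),/file1.exe,(null)".
   * Creates process "C:\WINDOWS\system32\reg.exe,REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f,C:\Documents and Settings\Administrator\Mijn documenten\Downloads".
"""


def parse_report(text):
    """Split Report.txt into {section name: [bullet items]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[ (.+?) \]$", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line.startswith("* "):
            sections[current].append(line[2:])
    return sections


def _split_process(spec):
    """BSA writes 'image,command line,working dir'; split on the outer commas."""
    image, _, rest = spec.partition(",")
    cmdline, _, cwd = rest.rpartition(",")
    return {"image": image, "cmdline": cmdline, "cwd": cwd}


def extract_iocs(sections):
    """Pull hashes, network endpoints, processes, mutexes and behaviour flags."""
    iocs = {"hashes": {}, "network": [], "processes": [], "mutexes": [], "flags": []}
    for item in sections.get("General information", []):
        m = re.match(r"(MD5|SHA1|SHA256) hash: ([0-9a-fA-F]+)$", item)
        if m:
            iocs["hashes"][m.group(1)] = m.group(2).lower()
    for item in sections.get("Network services", []):
        m = re.match(r'Connects to "([^"]+)" on port (\d+)\.$', item)
        if m:
            iocs["network"].append((m.group(1), int(m.group(2))))
        elif "functionality" in item:
            iocs["flags"].append(item.rstrip("."))
    for item in sections.get("Process/window information", []):
        m = re.match(r'Creates process "(.*)"\.$', item)
        if m:
            iocs["processes"].append(_split_process(m.group(1)))
            continue
        m = re.match(r'Creates a mutex "(.*)"\.$', item)
        if m:
            iocs["mutexes"].append(m.group(1))
        elif "functionality" in item:
            iocs["flags"].append(item.rstrip("."))
    return iocs


def firewall_tampering(iocs):
    """Command lines that use REG ADD against the Windows Firewall policy keys."""
    hits = []
    for p in iocs["processes"]:
        text = f"{p['image']} {p['cmdline']}"
        if re.search(r"\bREG\s+ADD\b", text, re.I) and "FirewallPolicy" in text:
            hits.append(p["cmdline"])
    return hits


def summarize(report_text):
    """One-screen summary of a Report.txt: what to block, what to hunt for."""
    iocs = extract_iocs(parse_report(report_text))
    return {
        "sha256": iocs["hashes"].get("SHA256"),
        "endpoints": iocs["network"],
        "flags": iocs["flags"],
        "spawned": [p["image"] for p in iocs["processes"]],
        "firewall_tampering": firewall_tampering(iocs),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_SAMPLE).items():
        print(f"{key}: {value}")
```

Use `summarize(open(r"...\Reports\Report.txt").read())` on your own BSA output. The SHA256 and the `134.179.1.100:3333` endpoint are the two values you would feed to a blocklist or search for on other machines, and a non-empty `firewall_tampering` list tells you the sample is opening the host firewall for itself rather than merely running.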

BSA has many more very useful features. Check all the features by opening BSA and digging through the menu bar in the program.

Finding out how BSA works and making this tutorial took me a very long time! It just takes 5 seconds to say thank you, and it will motivate me to make more tutorials.

Enjoy!
I have now seen this re-posted in three forums. A good tutorial.
Gr8 tut man, thank you so much.