xsD0sx

Buster Sandbox Analyzer v1.11



Buster Sandbox Analyzer is a useful and powerful tool for
people who want to know whether a program shows malware behaviour,
for people who want a fast, general idea of what a piece of
malware does, or simply for people interested in knowing what
gets installed, and where, when they run a program.

A big advantage of Buster Sandbox Analyzer over other systems
doing the same task is that BSA can be made better and more
accurate, and can report more or less information, depending on
how the user configures it, whereas other analyzers are only as
good or as bad as their designers made them.

Analysis and report examples


Email-Worm.Win32.NetSky.p

Analysis:

Detailed report of suspicious malware actions:
Defined file type copied to Windows folder: D:\WINDOWS\AVBgle.exe

Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\MSInfo = D:\WINDOWS\AVBgle.exe

Internet connection: Connects to "212.27.42.58 (free.fr)" on port 25.
Internet connection: Connects to "72.14.221.27 (1e100.net)" on port 25.
Internet connection: Connects to "64.12.138.153 (aol.com)" on port 25.
Internet connection: Connects to "72.167.238.201 (secureserver.net)" on port 25.

Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504

Report:

[ General information ]

* Filename: c:\test\test.exe

* File length: 16384 bytes

* MD5 hash: 9d7006e30fdf15e9c8e03e62534b3a3e

* SHA1 hash: e92e8baed155215b38b02b280268b63b9a151528

* SHA256 hash: 1cfd62b017f237699f20d8c099d510fd0b360e86257056ad6e05d7d96e0a245c


[ Changes to filesystem ]

* Creates file D:\WINDOWS\AVBgle.exe

* Creates file D:\WINDOWS\base64.tmp

[ Changes to registry ]

* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run

* Modifies value "SavedLegacySettings=3C00000044000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections old value "SavedLegacySettings=3C00000043000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"


[ Network services ]

* Looks for an Internet connection.

* Connects to "212.27.42.58 (free.fr)" on port 25.

* Connects to "72.14.221.27 (1e100.net)" on port 25.

* Connects to "64.12.138.153 (aol.com)" on port 25.

* Connects to "72.167.238.201 (secureserver.net)" on port 25.


[ Process/window information ]

* Creates a mutex Bgl_*L*o*o*s*e*.

* Creates a mutex _!MSFTHISTORY!_.

* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.

* Creates a mutex d:!documents and settings!test!cookies!.

* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.

* Creates a mutex RasPbFile.

* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".

P2P-Worm.Win32.Goldun.a

Analysis:

Detailed report of suspicious malware actions:

Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfCC4.dll

Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfdrv.sys

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\DllName = 6D00630066004300430034002E0064006C006C000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Startup = mcfCC4Sta

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Impersonate = 01000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Asynchronous = 01000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\MaxWait = 01000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\key4 = [36590096273976988461[Test]

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\BusterSvc\SandboxedServices = mcfdrv

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Type = 01000000

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Start = 01000000

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\DisplayName = MCFservice

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\ImagePath = D:\WINDOWS\system32\mcfdrv.sys

Detected backdoor listening on port: 4050
Created a service named: MCFservice
Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504

Report:

[ General information ]

* Filename: c:\test\test.exe

* File length: 20049 bytes

* MD5 hash: a1f9189a474ca1b73dff4ebe05621981

* SHA1 hash: d33271300cb3487e11df8eb162f5cc92fbd4790e

* SHA256 hash: 6b0104d0514aefef7b67e89c4d7ac8a58be2ecfb5648e3a595271d07ce05b07b

[ Changes to filesystem ]

* Creates file D:\WINDOWS\system32\mcfCC4.dll
* Creates file D:\WINDOWS\system32\mcfdrv.sys

[ Changes to registry ]

* Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "Startup=mcfCC4Sta" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "Impersonate=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "Asynchronous=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "MaxWait=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "key4=[36590096273976988461[Test]" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc

* Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

* Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

* Creates value "DisplayName=MCFservice" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

* Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

[ Network services ]

* Backdoor functionality on port 4050.

[ Process/window information ]

* Creates a service named "MCFservice".
* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".
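The two "Report:" blocks above share a simple line-oriented layout: "[ Section ]" headers followed by "* ..." items. The following Python is an added example, not part of BSA or of this post, showing how a triage script can parse that layout and pull out the findings a defender cares about: registry values written to autostart locations (Run key, Winlogon Notify packages, service/driver registrations, all of which appear in the NetSky and Goldun reports), UTF-16LE hex data such as the DllName value decoded back to "mcfCC4.dll", outbound connections and listening ports. The sample report embedded in the script is constructed from a few lines of the two reports above; the section names and line shapes are assumed to match BSA's output exactly as shown here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the BSA "Report:" sections shown above
# (a few lines taken from the NetSky and Goldun reports, merged for illustration).
SAMPLE_REPORT = r"""
[ General information ]

* Filename: c:\test\test.exe

* MD5 hash: 9d7006e30fdf15e9c8e03e62534b3a3e

[ Changes to filesystem ]

* Creates file D:\WINDOWS\AVBgle.exe

[ Changes to registry ]

* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run

* Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

[ Network services ]

* Connects to "212.27.42.58 (free.fr)" on port 25.

* Backdoor functionality on port 4050.
"""


@dataclass
class Report:
    info: dict = field(default_factory=dict)         # "MD5 hash" -> value, etc.
    files: list = field(default_factory=list)        # created file paths
    registry: list = field(default_factory=list)     # (action, name, data, key)
    connections: list = field(default_factory=list)  # (ip, host, port)
    listeners: list = field(default_factory=list)    # listening ports


SECTION_RE = re.compile(r"^\[ (.+?) \]$")
INFO_RE = re.compile(r"^\* ([^:]+): (.+)$")
FILE_RE = re.compile(r"^\* Creates file (.+)$")
VALUE_RE = re.compile(r'^\* (Creates|Modifies) value "([^=]+)=([^"]*)" in\s+key (.+?)(?: old value .*)?$')
CONNECT_RE = re.compile(r'^\* Connects to "([\d.]+) \(([^)]*)\)" on port (\d+)\.$')
LISTEN_RE = re.compile(r"^\* Backdoor functionality on port (\d+)\.$")

# Registry locations that make code run automatically; matched case-insensitively
# against the key path. Assumed list, built from the locations seen in the reports above.
AUTOSTART_RULES = (
    (re.compile(r"\\currentversion\\run$"), "Run key autostart"),
    (re.compile(r"\\winlogon\\notify\\"), "Winlogon Notify package"),
    (re.compile(r"\\currentcontrolset\\services\\[^\\]+$"), "Service or driver registration"),
)


def parse_report(text):
    """Walk the report line by line, switching parser on each '[ Section ]' header."""
    rep = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "General information" and (m := INFO_RE.match(line)):
            rep.info[m.group(1)] = m.group(2)
        elif section == "Changes to filesystem" and (m := FILE_RE.match(line)):
            rep.files.append(m.group(1))
        elif section == "Changes to registry" and (m := VALUE_RE.match(line)):
            rep.registry.append(m.groups())
        elif section == "Network services":
            if m := CONNECT_RE.match(line):
                rep.connections.append((m.group(1), m.group(2), int(m.group(3))))
            elif m := LISTEN_RE.match(line):
                rep.listeners.append(int(m.group(1)))
    return rep


def decode_reg_data(data):
    """BSA dumps some values as hex; try to read them as UTF-16LE text, else return as-is."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", data) and len(data) % 4 == 0:
        try:
            text = bytes.fromhex(data).decode("utf-16-le").rstrip("\x00")
            if text and text.isprintable():
                return text
        except UnicodeDecodeError:
            pass
    return data


def persistence_findings(rep):
    """Return (label, value name, decoded data, key) for every write to an autostart location."""
    findings = []
    for _action, name, data, key in rep.registry:
        for rule, label in AUTOSTART_RULES:
            if rule.search(key.lower()):
                findings.append((label, name, decode_reg_data(data), key))
                break
    return findings


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("Sample:", rep.info.get("Filename"), rep.info.get("MD5 hash"))
    for label, name, data, key in persistence_findings(rep):
        print(f"[persistence] {label}: {name} = {data}  ({key})")
    for ip, host, port in rep.connections:
        print(f"[network] outbound {ip} ({host}) tcp/{port}")
    for port in rep.listeners:
        print(f"[network] listening on tcp/{port}")
```

Run as-is, the script prints three persistence findings (the Run value, the Winlogon Notify DLL decoded to mcfCC4.dll, and the mcfdrv driver ImagePath), one SMTP connection and the port-4050 listener; pointing `parse_report` at a saved BSA report file instead of `SAMPLE_REPORT` gives the same summary for a real run.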

#################################

HomePage: h**p://bsa.qnea.de/

Download: h**p://bsa.qnea.de/bsa.rar

#################################

:D
