Aerosol Posted January 5, 2015 Report Share Posted January 5, 2015 1. IntroductionBuster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.The changes made to system can be of several types: file system changes, registry changes and port changes.A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.From all these changes we will obtain the necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (Sandboxie - Sandbox software for application isolation and secure Web browsing), an excellent tool created by Ronen Tzur.Even if Buster Sandbox Analyzer´s main goal is to evaluate if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.Buster Sandbox Analyzer is freeware. If you like this software, please, buy a license of Sandboxie.Actually there are web services, software and hardware doing the same task than Buster Sandbox Analyzer.Web services:http://www.joesecurity.org/(Joebox)Anubis: Analyzing Unknown Binaries(Anubis)http://www.norman.com/security_center/security_tools/submit_file(Norman)http://www.gfi.com/malware-analysis-tool/(GFI Sandbox)ThreatExpert - Automated Threat Analysis(Threat Expert)Comodo Instant Malware Analysis(Comodo Instant Malware Analysis)http://www.xandora.net/cloudantivirus/(Autovin - Automated Tools for Virus Incidents)https://aerie.cs.berkeley.edu/(BitBlaze Malware Analysis Service - Offline)Eureka Malware Analysis Page(EUREKA Malware Analysis)http://www.xandora.net/xangui/(Suspicious File Analyzer)Malbox System(Malbox)http://vicheck.ca/(ViCheck)http://netscty.com/Services/Sandbox(Network Security Investigations)http://www.malwr.com/(Cuckoo)https://www.codexsolution.com/soluciones/products/codex-malware- analyzer/submit-sample(Jambo)Malware analyzing software:Blog reviewer and articles | Blog reviewer and articles from the web(Cuckoo)http://www.norman.com/enterprise/all_products/malware_analyzer/norman_sandbox_analyzer(Norman Sandbox Analyzer)Minibis - CERT.at(Minibis)http://zerowine.sourceforge.net(Zero Wine)Zero Wine Tryouts | Official Website(Zero Wine Tryouts)Malware Analyser(Malware Analyser)Malware analyzing hardware:McAfee Acquires ValidEdge Sandboxing Technology | McAfee(validEDGE)Web services are free of charge and can be used publicly.Zero Wine is an open source project but it has been abandoned.Zero Wine Tryouts is a resumed version of Zero Wine.Minibis has not been updated since 2011-06.01 .Norman Sandbox Analyzer is a professional malware analyzer and it´s oriented to professionals due the price of the product. The same happens with validEDGE and GFI Sandbox. Joe Sandbox is also paid software.You can download Buster Sandbox Analyzer from here or here.MD5: c5b4fba39d6c8250311d8333633893ceYou can download version 1.88 Update 4 (Only BSA.EXE) from here. Quote Link to comment Share on other sites More sharing options...
