Buster Sandbox Analyzer Makes Sandboxie Stronger

I know a few people who swear by Sandboxie as the ultimate tool for analyzing malware, but it is very common nowadays for crypters and remote administration tools to include an anti-sandbox module: whenever the program detects that it is being analyzed or run in a sandbox environment, it terminates itself to avoid being analyzed. If you've missed my previous article on why I test and analyze software in a real Windows environment, you should read it first.

Today I received an email from Jerry sharing a very useful addition to Sandboxie called Buster Sandbox Analyzer. Basically it is similar to online file behavior analyzers such as ThreatExpert, Joebox and Anubis, but with the help of Sandboxie you get the same function on your own computer without any waiting. Buster Sandbox Analyzer is a tool designed to analyze the behaviour of processes and the changes they make to the system, and then evaluate whether they look like malware. In order to use Buster Sandbox Analyzer you have to set up Sandboxie correctly first; only then will Buster Sandbox Analyzer work properly.


The good thing about using Buster Sandbox Analyzer is that it includes countermeasures against malware that detects Sandboxie's presence. So even if the malware contains anti-Sandboxie code, you can still analyze it in the sandbox. Here's a simple guide on how I set up Buster Sandbox Analyzer.

1. Download and install Sandboxie.

2. Download Buster Sandbox Analyzer and extract the RAR archive into C:\bsa\

3. Run Sandboxie Control, click Configure at the menu bar, and select Edit Configuration.

4. Your default text editor will open with the [GlobalSettings], [DefaultBox] and [UserSettings_xxxxxxx] sections. At the end of the [DefaultBox] section, add the 2 lines below and save the file.

InjectDll=C:\bsa\log_api.dll
OpenWinClass=TFormBSA

It should look like the screenshot below.

[Screenshot: Sandboxie InjectDll]

5. To analyze a malware sample, go to C:\bsa\ and run bsa.exe. The most important field to fill in here is "Sandbox folder to check". This is the path where Sandboxie drops the sandbox contents. To get this location, run Sandboxie Control, right-click on Sandbox DefaultBox and select Explore Contents. A Windows Explorer window will open; copy its path and paste it into "Sandbox folder to check".

[Screenshot: Sandbox folder]

6. Click the Start Analysis button and then click "Delete Sandbox Folder contents and continue".

7. Now drag the file you want to analyze and drop it onto the Sandboxie Control window. By default "DefaultBox" is selected; just click the OK button.

8. Go to Buster Sandbox Analyzer and you should see a lot of information in the API Call Log. When the API Call Log has stopped, go back to the Sandboxie Control window, right-click on Sandbox DefaultBox and select Terminate Programs. Click Yes to confirm the termination.

9. Go back to Buster Sandbox Analyzer again and click the Stop Analysis button.

10. Then click the Malware Analyzer button. There are 2 tabs in the Malware Behavior Analyzer Module: Malicious Actions and Details. The Malicious Actions tab tells you whether the file you analyzed performed any malicious actions. The Details tab shows a more detailed report: where files were dropped, auto-startup additions, injection, keylogging, network connections, etc.

[Screenshot: Malware Analyzer Behavior Module]

The results above are from the analysis of the Cybergate RAT public version with "Anti Sandboxie" enabled. As you can see, the anti-Sandboxie feature of Cybergate RAT no longer works, thanks to Buster Sandbox Analyzer.

Update: I've left out how to hide Sandboxie. Fortunately you can follow the easy step-by-step guide on this page on how to use HideDriver to hide Sandboxie's process. It also helps to rename the default LOG_API.dll file to another name. You should also have WinPcap installed so that Buster Sandbox Analyzer reports network activity correctly.
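As an added example (not from the original post, and not code from the Sandboxie or Buster Sandbox Analyzer projects), here is a small Python script that does step 4 in a repeatable way: it checks whether the InjectDll= and OpenWinClass= lines are present under the sandbox's section of a Sandboxie.ini and appends whichever is missing. It uses a line-based editor rather than configparser because a Sandboxie section may legitimately repeat a key (several InjectDll= lines). The sample ini text, the key names inside it other than InjectDll/OpenWinClass, and the renamed DLL name bsa_hook.dll are constructed for the demonstration. When applying this to the real Sandboxie.ini, open and save the file with the encoding your Sandboxie installation uses (I assume UTF-16 here; verify against your copy before writing).

```python
"""Idempotent editor for the two Sandboxie.ini lines that Buster Sandbox
Analyzer needs.  Sandboxie.ini is INI-like ([Section] headers, Key=Value
lines) but a key may appear several times in one section, so this uses a
small line-based editor instead of configparser.  Example code, not part
of Sandboxie or Buster Sandbox Analyzer."""

DEFAULT_DLL = r"C:\bsa\log_api.dll"      # path used in step 4
DEFAULT_WINCLASS = "TFormBSA"            # window class used in step 4

# Constructed sample of a Sandboxie.ini; only the section layout matters.
# Key names other than the two BSA entries are illustrative.
SAMPLE_INI = """[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7

[UserSettings_01234567]
SbieCtrl_AutoStart=y
"""


def _section_bounds(lines, section):
    """Return (header_index, end_index) for [section], end exclusive, or
    None when the section is absent.  Section names compare case-insensitively."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:
                return start, i          # the next header closes our section
            if s[1:-1].strip().lower() == section.lower():
                start = i
    return None if start is None else (start, len(lines))


def _has_entry(lines, start, end, key, value):
    """True if a Key=Value line with this exact value is inside the span."""
    for line in lines[start + 1:end]:
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip().lower() == key.lower() and v.strip().lower() == value.lower():
            return True
    return False


def required_entries(dll_path=DEFAULT_DLL, win_class=DEFAULT_WINCLASS):
    """The two lines step 4 adds, as (key, value) pairs."""
    return [("InjectDll", dll_path), ("OpenWinClass", win_class)]


def missing_bsa_entries(ini_text, box="DefaultBox",
                        dll_path=DEFAULT_DLL, win_class=DEFAULT_WINCLASS):
    """Keys of the BSA pair that are absent, or carry a different value, in [box]."""
    lines = ini_text.splitlines()
    bounds = _section_bounds(lines, box)
    if bounds is None:
        raise ValueError(f"section [{box}] not found")
    start, end = bounds
    return [k for k, v in required_entries(dll_path, win_class)
            if not _has_entry(lines, start, end, k, v)]


def add_bsa_entries(ini_text, box="DefaultBox",
                    dll_path=DEFAULT_DLL, win_class=DEFAULT_WINCLASS):
    """Return (new_text, added_keys).  Missing lines are appended at the end
    of [box], before the blank lines that separate it from the next section.
    Running it again on its own output adds nothing."""
    lines = ini_text.splitlines()
    bounds = _section_bounds(lines, box)
    if bounds is None:
        raise ValueError(f"section [{box}] not found")
    start, end = bounds
    insert_at = end
    while insert_at > start + 1 and lines[insert_at - 1].strip() == "":
        insert_at -= 1                   # keep the section's trailing blank lines last
    added = []
    for key, value in required_entries(dll_path, win_class):
        if _has_entry(lines, start, end, key, value):
            continue
        lines.insert(insert_at, f"{key}={value}")
        insert_at += 1
        end += 1                         # the section grew by one line
        added.append(key)
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    new_text, added = add_bsa_entries(SAMPLE_INI)
    print(new_text)
    print("added:", added)
    # On a real install (encoding assumed, verify first):
    # text = open(path, encoding="utf-16").read()
    # open(path, "w", encoding="utf-16").write(add_bsa_entries(text)[0])
```

The last helper also covers the rename suggested in the update: if you rename LOG_API.dll, pass the new path as dll_path, because the InjectDll= line must point at the file that actually exists, and missing_bsa_entries with the default path will report InjectDll as missing for a config that was written with the renamed DLL.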