Analyze Files via Sandboxie+Buster Sandbox Analyzer+CCleaner

Please check to see if there’s anything that requires changing.

For this project, you will need the following:

Sandboxie

Buster Sandbox Analyzer (portable. Extract to a folder/drive of choice. For this tutorial, I’ll be using drive C:\ for convenience)

CCleaner (optional since it’s possible to clean the files using Sandboxie control. In any case, I find CCleaner more convenient because I can automatically clean the system and the sandbox in one shortcut).

Notepad

Backup/snapshot/vm/restore option (optional)

Steps:

  1. Edit the Sandboxie configuration via the Sandboxie Control Panel (Sandboxie Control Panel >> Configuration >> Edit Configuration).

  *2. Under [DefaultBox] (found in your sandboxie.ini), add two lines:

        InjectDll=C:\bsa\log_api.dll
        OpenWinClass=TFormBSA

  3. Run bsa.exe. Enter the folder to check (run Sandboxie Control, right-click on DefaultBox, then select Explore Contents. Copy the path from the Explorer window into bsa.exe).

  4. Start Analysis.

  5. Drag the suspect file to Sandboxie Control. Click OK (alternatively, you can launch the Sandboxie Control Panel. On the Sandbox menu button, select Run Sandboxed, then Run Any Program). BSA’s API Call log should fill up.

  6. When the log stops, terminate the program in Sandboxie Control (right-click on DefaultBox >> Terminate Programs >> Confirm), then go back to BSA and click Stop Analysis.

  7. Click Malware Analyzer.

  8. After that, you can analyze the dropped files further by browsing the sandbox folder and uploading them to ThreatExpert, NoVirusThanks, VirusTotal or Jotti, which will analyze the files and send the results via email. You may also archive the files and submit the archive for analysis to ThreatExpert, NoVirusThanks and similar services.
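Step 2 is the part of this procedure worth scripting if you set up the box repeatedly. The following is an added example (not from the original post or from the BSA project) that makes the two [DefaultBox] lines present without duplicating them when the section already carries an InjectDll entry; the sample ini text is constructed, and the C:\bsa path follows this tutorial's layout.

```python
import re

# The two settings the tutorial adds under [DefaultBox]. Change the DLL path if you
# renamed log_api.dll (see the footnote) or extracted BSA somewhere other than C:\bsa.
BSA_SETTINGS = {"InjectDll": r"C:\bsa\log_api.dll", "OpenWinClass": "TFormBSA"}

# Constructed sample Sandboxie.ini: [DefaultBox] already has one of the two lines.
SAMPLE_INI = """[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
InjectDll=C:\\bsa\\log_api.dll

[OtherBox]
Enabled=y
"""

def ensure_bsa_settings(ini_text, box="DefaultBox", settings=BSA_SETTINGS):
    """Return ini_text with each key=value from `settings` present in [box].
    Sandboxie allows repeated keys (several InjectDll lines are legal), so the check
    is on the whole key=value pair, case-insensitively; other text is kept verbatim."""
    out, seen, in_box, found_box = [], set(), False, False
    def add_missing():
        missing = [f"{k}={v}" for k, v in settings.items()
                   if (k.lower(), v.lower()) not in seen]
        idx = len(out)                   # insert before the section's trailing blank lines
        while idx and not out[idx - 1].strip():
            idx -= 1
        out[idx:idx] = missing
        seen.clear()
    for line in ini_text.splitlines():
        header = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if header:
            if in_box:
                add_missing()
            in_box = header.group(1).lower() == box.lower()
            found_box = found_box or in_box
        elif in_box and "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            seen.add((key.strip().lower(), value.strip().lower()))
        out.append(line)
    if in_box:
        add_missing()
    if not found_box:                    # no [DefaultBox] section yet: create it at the end
        out += ([""] if out and out[-1].strip() else []) + [f"[{box}]"]
        add_missing()
    return "\n".join(out) + "\n"
```

Sandboxie Control saves sandboxie.ini (in the Windows folder) as Unicode (UTF-16) text, so read and write the real file with encoding="utf-16" rather than the default, and reload the configuration in Sandboxie Control afterwards so the new lines take effect.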

Additional Tasks

Some malware is capable of detecting sandboxes and will not run properly under them, so as to avoid being detected or analyzed. To deal with this, you will have to hide the Sandboxie processes:

  1. Rename “HideDriver.sys” to any random name (just bash the keyboard and remember to keep the .sys extension) such as P239djaio.sys.

  2. Launch HideDriverGUI.exe, and in the driver path, select the driver (following the example, C:\bsa\P239djaio.sys).

  3. For startup type, use “SERVICE_DEMAND_START”, then proceed to installing.

  4. Click Run.

  5. Launch Sandboxie and sandbox any random safe executable like notepad.exe (this is to have all Sandboxie processes launched). Go to the Process tab in HideDriverGUI.exe and add the Sandboxie processes one at a time (SbieSvc.exe, SbieCtrl.exe, SandboxieDComLaunch.exe, SandboxieRpcSs.exe, SandboxieCrypto.exe, etc.). Additionally, hide important files as well, such as sandboxie.ini (in the Windows folder).

After analysis, you will most probably want the malware removed from your system. If you have Faronics Deep Freeze, Wondershare Time Freeze, VMware or any other tool with the same functionality, then it should be no trouble at all. However, if you do not have such paid software, you can opt for CCleaner.

  1. Launch CCleaner. Go to Options.

  2. In the Include tab on the left hand part, click Add.

  3. Select the Sandbox Folder, All Files for file types, and Include files and subfolders in the Options drop-down menu. Click OK.

  4. Run CCleaner after every analysis to finish the job.

*You can rename log_api.dll to any other name, keeping the .dll extension. This is for security purposes.

Sources:

http://www.raymond.cc/blog/archives/2007/11/02/how-to-investigate-suspicious-file-using-sandboxie/

http://www.raymond.cc/blog/archives/2007/07/01/stop-virus-from-running-automatically-when-you-execute-files/

http://www.raymond.cc/blog/archives/2010/07/30/buster-sandbox-analyzer-makes-sandboxie-stronger/

http://www.piriform.com/docs/ccleaner/using-ccleaner/including-files-and-folders-for-cleaning

http://bsa.isoftware.nl/