D1G1T@L
Congratulations on the coverage, Buster! You deserve it. That was a stellar review.
_________________
One Program to rule them all, One Program to confine them, One Program to wrest them all and in the sandbox bind them.
Buster
A few comments about the new release...
+ Added a feature to analyze URLs

I consider the new feature that allows analyzing URLs interesting. A single URL can be analyzed by providing the link, or many URLs can be processed by loading them from a file: one URL per line. If the URL points to an executable file (EXE), the file will be downloaded and then executed in order to be analyzed; otherwise Internet Explorer will be used to launch the page. It is recommended to configure IE with low security settings so malware will be noticed more easily.

+ Added an option at “SQL > Report Manager” feature to import records from an external database

As Buster Sandbox Analyzer can perform several analyses at the same time, the information will be written to several SQL databases. If you want to have the information together, you can use this feature to import records from different databases.

+ Added a feature to avoid screensaver activation while an analysis is being performed

I noticed a weird behaviour when the screensaver gets activated while an analysis is being performed. To avoid this problem Buster Sandbox Analyzer will disable the screensaver while analyzing. I also noticed that Sandboxie does not allow a sandboxed program to change the status of the screensaver: if the screensaver is disabled, it is not possible to enable it from Sandboxie. Instead, the time out can be changed, and some malware will change it. To prevent this situation, Buster Sandbox Analyzer saves the status and the time out of the screensaver before starting the analysis, and when finished, these values are restored.

+ Fixed several bugs

I have tested Buster Sandbox Analyzer with several thousand malware samples. As a result of this intensive testing I have fixed some bugs that could occur in certain situations. Buster Sandbox Analyzer has been enhanced and now it will run more smoothly with malware that produces a lot of output in LOG_API.
Buster
Re-released BSA 1.60 to fix some bugs.
Buster
Released Buster Sandbox Analyzer 1.61.
Changes:
+ Added a feature at “Risk Evaluation Ratings” to show hints related to malware behaviours
+ Modified the layout to show separately the file being processed from the number of files left to be processed
+ Added new malware behaviours
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Updated LOG_API
+ Fixed several bugs
Buster
Released Buster Sandbox Analyzer 1.62.
Changes:
+ Added a feature to patch LOG_API automatically
+ Updated LOG_API
+ Fixed several bugs
Buster
A few comments about the new release...
Version 1.62 fixes a bug that becomes important when a large set of malware samples is analyzed.

+ Added a feature to patch LOG_API automatically

With this feature you just need to select the LOG_API file to modify and BSA will do the rest of the work automatically.
Buster
Released Buster Sandbox Analyzer 1.63.
Changes:
+ Added “Aggressive Window Closer” feature
+ Added a feature to restore display settings if changed during analysis
+ Added new malware behaviours
+ Improved “Additional Information” feature
+ Improved multiple malware analyses feature
+ Improved “Automate Setups” feature
+ Improved the speed of processing certain files
+ Included new malware behaviours at “Risk Evaluation Ratings”
+ Fixed several bugs
Buster
A few comments about the new release...
First I must thank tzuk for introducing in Sandboxie the necessary feature to get multiple malware analyses working perfectly in Buster Sandbox Analyzer. From version 1.63, BSA will be able to assign events logged by Sandboxie to the proper BSA instance.

In the time between the 1.62 and 1.63 releases I have tested almost 30,000 malware samples. This intensive testing helped me to fix a few more bugs and introduce new features like this:

- If a sandboxed process changes the display resolution, BSA will restore the previous settings.

I have also improved already existing features, like the feature to automate setups or the feature to include additional information about the processed file. I also improved the processing speed of certain files: for files that crash, instead of waiting for the malware analysis time to finish, those processes will be closed immediately.

I introduced two new malware behaviours: connection to an FTP server and connection to an SMTP server (sending an e-mail).

Right now I am collaborating with several persons in order to improve features and malware behaviours. My TO-DO list is almost empty: I just miss adding a few statistics using the information stored in the SQL database.

As usual, feedback, bug reports, suggestions, questions... whatever, will be welcome.
kabaczek124
Your program (BSA) is a great addition to the great program (Sandboxie)!

But.... I experience strange behavior. If the process ctfmon.exe is running in normal Windows (XP SP3), each tested program has the red flags "keylogger activity" and "assorted suspicious actions". Details:

Detailed report of suspicious malware actions:
Created a mutex named: CTF.Asm.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.Compart.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.Layouts.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.LBES.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1604221776-1177238915-1003MUTEX.DefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: CTF.TMD.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003
Created a mutex named: MSCTF.Shared.MUTEX.MDO
Detected keylogger functionality

RegDiff
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 01000000
machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\UseGlobalSettings = 01000000
machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents = C:\Documents and Settings\All Users\Documents
machine\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop = C:\Documents and Settings\All Users\Desktop
user\current\software\classes\SymbolicLinkValue = 5C00520045004700490053005400520059005C0055005300450052005C00530061006E00640062006F0078005F0061007200690067006F006C0064005F0041004200550053005400450052005C0075007300650072005C00630075007200720065006E0074005F0063006C0061007300730065007300
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43fb83f2-adef-11df-b38d-0040d09cf3f6}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d46da0a-ad3e-11df-9b43-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d46da0b-ad3e-11df-9b43-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d46da0c-ad3e-11df-9b43-806d6172696f}\BaseClass = Drive
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal = C:\Documents and Settings\XXX\My Documents
user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = C:\Documents and Settings\XXX\Desktop

If ctfmon.exe is off: no red flags. Is it a bug or normal behavior?
Buster
Thanks!
ctfmon is like a supervisor, so it messes with active windows. My suggestion: disable ctfmon. I have it disabled myself. An alternative way to avoid the mess would be adding the entries you listed to the exclusion lists.
tzuk
These two are written by Sandboxie, but the value should be 00000001 and not as displayed. Buster, perhaps you need to fix the endianness of the values displayed?
_________________
tzuk
Buster
The endianness is present in REGDIFF.TXT, which is raw data. In Report.TXT it appears correctly.
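
An added example in Python (not BSA's or Sandboxie's code) covering the two points Buster makes above: REGDIFF.TXT values are raw bytes, so a REG_DWORD shown as 01000000 is the little-endian value 1, and the ctfmon mutex names kabaczek124 posted can be handled with an exclusion list instead of a red flag. The sample report lines are constructed from the thread (SymbolicLinkValue hex truncated, one mutex name invented); the type inference and SID masking are my assumptions, not BSA features.

```python
import re

# Mutex prefixes the thread shows appear only while ctfmon.exe (Text Services Framework) runs.
CTFMON_MUTEX_PREFIXES = ("CTF.", "MSCTF.")
MUTEX_RE = re.compile(r"^Created a mutex named: (.+)$")
REGDIFF_RE = re.compile(r"^(?P<key>(?:machine|user)\\.+?) = (?P<raw>.*)$")
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")  # per-user SID baked into the mutex name

def normalize_mutex(name: str) -> str:
    """Mask the user SID so one exclusion entry matches on every machine."""
    return SID_RE.sub("S-1-5-21-<SID>", name)

def is_ctfmon_noise(name: str) -> bool:
    return name.startswith(CTFMON_MUTEX_PREFIXES)

def decode_regdiff_value(raw: str) -> tuple:
    """No type tag in REGDIFF.TXT, so infer it: 8 hex digits -> little-endian REG_DWORD
    (01000000 is 1, not 0x01000000); longer printable UTF-16LE hex -> REG_SZ; else text."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return "REG_DWORD", int.from_bytes(bytes.fromhex(raw), "little")
    if len(raw) > 8 and len(raw) % 4 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        try:
            text = bytes.fromhex(raw).decode("utf-16-le").rstrip("\x00")
        except UnicodeDecodeError:
            return "string", raw
        if text.isprintable():
            return "REG_SZ", text
    return "string", raw

def triage(report_lines: list) -> dict:
    """Decode registry changes and split mutexes into ctfmon noise vs. the rest."""
    out = {"regdiff": [], "benign_mutexes": [], "suspicious_mutexes": []}
    for line in report_lines:
        if m := MUTEX_RE.match(line):
            name = normalize_mutex(m.group(1))
            out["benign_mutexes" if is_ctfmon_noise(name) else "suspicious_mutexes"].append(name)
        elif m := REGDIFF_RE.match(line):
            kind, value = decode_regdiff_value(m.group("raw"))
            out["regdiff"].append((m.group("key"), kind, value))
    return out

# Constructed sample modelled on the report pasted in the thread; the SymbolicLinkValue
# hex is cut to its first 14 UTF-16LE characters and the third mutex name is invented.
SAMPLE_REPORT = [
    "Created a mutex named: CTF.Asm.MutexDefaultS-1-5-21-507921405-1604221776-1177238915-1003",
    "Created a mutex named: MSCTF.Shared.MUTEX.MDO",
    "Created a mutex named: Dropper_Install_Mutex",
    r"machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete = 01000000",
    r"user\current\software\classes\SymbolicLinkValue = 5C00520045004700490053005400520059005C005500530045005200",
    r"user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = C:\Documents and Settings\XXX\Desktop",
]
```

`triage(SAMPLE_REPORT)` reports NukeOnDelete as REG_DWORD 1, decodes the SymbolicLinkValue prefix to `\REGISTRY\USER`, and leaves only the invented mutex in the suspicious list.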
kabaczek124
Working in LUA (SuRun), and Sandboxie is blacklisted in SuRun.
Got 3 red flags:
Detected keylogger functionality
Detected process privilege elevation
Got computer name
Opened a service named: SuRunSVC
How to work around this?
Buster
kabaczek124: sorry, but I do not understand what you mean. You will have to elaborate a bit more.