Buster Sandbox Analyzer

Buster Sandbox Analyzer is like an add-on for Sandboxie and it has been designed to analyze the behaviour of sandboxed processes. It checks the changes made to system and then evaluates if they are malware suspicious.

So Buster Sandbox Analyzer is a malware behaviour analyzer, similar to Norman Sandbox Analyzer, Anubis, Threat Expert, JoeBox, etc.

The advantage of Buster Sandbox Analyzer is that meanwhile most malware analyzers are on-line and are not interactive with the user, BSA (Buster Sandbox Analyzer) is managed by the user. Analysis may be more accurate when are done by experienced users but BSA will produce good results even for non experienced ones.

BSA web page is http://bsa.isoftware.nl/.

Direct link for download: http://bsa.isoftware.nl/bsa.rar

Before using BSA is necessary to read the manual. BSA is not an install and run program. For best results an appropiate configuration is required.

You can find a review about the tool here: Buster Sandbox Analyzer makes Sandboxie stronger

When I have time I will try to produce some video tutorials showing how to use BSA.

Thanks Buster. To be honest, I've never tried your tool. It sounds really rather excellent, and gets a lot of praise (no doubt deservedly).

I will try it out some time. Look forward to the video tutorials!

Stickied.

Buster Sandbox Analyzer is intended for malware analyzers and people that like trying software from dubious sources.

ssj100 wrote:Stickied.

Correct...tried it but was not able to do so.

Released Buster Sandox Analyzer 1.31.

Changes:

+ Improved malware behaviour detections.
+ Updated LOG_API library (normal and verbose).
+ Added a feature to delete sandbox folder contents.
+ Fixed some bugs.

Released Buster Sandbox Analyzer 1.33.

Changes:

+ Added a feature to run BSA from command line in automatic mode
+ Added Exeinfo support
+ Added extra information of dropped files
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed a bug

Released Buster Sandbox Analyzer 1.34.

Changes:

+ Added a feature to copy/move processed files in automatic mode
+ Added a feature to export RegHive to .REG format
+ Updated LOG_API
+ Removed HideDriver
+ Fixed a bug

Released Buster Sandbox Analyzer 1.36.

Changes:

+ Added support for ssdeep
+ Improved the support for DLL files
+ Report informations can be selected individually
+ Updated BSA.DAT
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.37.

Changes:

* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs

Part of the improved hiding feature is the possibility of naming LOG_API.DLL with the file name you prefer.

Evaluation risk was removed from malware analysis report because it was too misleading. Probably I will reintroduce the feature in the near but having other format.

I forgot to comment a new feature in version 1.37.

* Added "Version Information" feature. This feature will include a header in reports with the version and date of creation of reports.

Released Buster Sandbox Analyzer 1.38.

Changes:

+ Added risk evaluation module
+ Added several improvements
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.39.

Changes:

+ Fixed several bugs.

Released Buster Sandbox Analyzer 1.40.

Changes:

+ Usability improvement in File Hash, File Scanner, File Signature and automatic analysis features: last used folder will be remembered
+ Usability improvement in File Hash, File Scanner and File Signature features: added drag and drop support
+ Added Exeinfo support to File Signature feature
+ Improved File Hash feature: all hashes can be checked at VirusTotal at once, VirusTotal reports can be saved to disk

Did anyone in this forum try BSA?

Released Buster Sandbox Analyzer 1.42.

Changes:

+ Added a feature to capture screen in video (VLC installation required)
+ Added a feature to report direct disk writing attempts (Sandboxie 3.59.01 or newer version required)
+ Fixed a bug

Released Buster Sandbox Analyzer 1.44.

Changes:

+Changed the feature to do not show UDP packets. Now the feature will ignore UDP packets from PCAP captures and reports
+ Added a feature to minimize BSA when the feature to do video capture is enabled
+ Added a feature to compress to ZIP sandbox folder contents when “Keep Sandbox Files” is enabled
+ Added information related to date of submission in VirusTotal reports
+ Added several improvements
+ Updated LOG_API

Released Buster Sandbox Analyzer 1.45.

Changes:

+ Added a feature to produce reports in PDF format
+ Added support for new malware behaviours: get volume information, alternate data stream creation
+ Updated LOG_API

Released Buster Sandbox Analyzer 1.46.

Changes:

+ Added a feature to include information from reports into a SQL database
+ Added a custom manager for BSA´s SQL Database
+ Added a feature to load and save settings from file on demand
+ Added a feature to set a number of retries if connection to VirusTotal fails
+ Added a feature to launch automatically Explorer.exe in automatic mode
+ Added a feature to skip already processed files in automatic mode
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.47.

Changes:

+ Added a feature to run BSA in automatic mode monitorizing a folder for new files to analyze.
+ Added a feature to avoid processing files from a whitelist.
+ Improved analysis cancel event.
+ Fixed several bugs.

Released Buster Sandbox Analyzer 1.48.

Changes:

+ Added PDF statistics feature
+ Added support for a new malware behaviour: get computer name
+ Updated LOG_API
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.49.

Changes:

+ Added support for XML reports
+ Added support for TLS hooks detection
+ Improved PDF Statistics
+ Updated LOG_API verbose versions to include FindFirst/NextFile support
+ Updated support for new VirusTotal web service
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.50.

Changes:

+ Added multi-language support
+ Updated LOG_API
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.51.

Changes:

+ Added a custom driver to hide Sandboxie´s processes
+ Removed Hide Driver from package
+ Included new malware behaviour
+ Added File Renamer feature to utilities section
+ Updated LOG_API

Released Buster Sandbox Analyzer 1.52.

Changes:

+ Added support for HTML reports
+ Added a feature to remove sandbox folder contents automatically in manual mode
+ Included new malware behaviour
+ Updated LOG_API
+ Fixed several bugs

Released Buster Sandbox Analyzer 1.53.

Changes:

+ Added a new entry section to BSA.DAT: [Process_Code_Injection]
+ Added a new feature to dump executable processes in automatic mode
+ Added a feature that allows the user to select what behaviours must appear in the analysis report
+ Updated “Risk Evaluation Ratings”
+ Included new malware behaviour
+ Updated LOG_API