A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4921  by Jaxryley
 Mon Feb 07, 2011 2:16 am
A lot of those screenlockers/ransomware still lock the screen up when run via Sandboxie, needing a reboot to get back control of the machine.

The malware is dead on reboot, but to kill the sample without a reboot you could run the batch file below before executing any screenlockers via Sandboxie. It opens a CMD window and runs Sandboxie's terminate command every 20 seconds while the CMD window is open.

Replace "DefaultBox" with the name of the sandbox you are using for testing.
Code:
:: Loops forever: sleep roughly 20 seconds, then terminate every process in the box.
:: ping -n N waits about N-1 seconds, so -n 21 gives the intended ~20 sec.
@echo off
:START
ping 127.0.0.1 -n 21 > nul
start "" "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox /terminate
GOTO START
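A slightly more defensive variant of the same watchdog, added here as an example and not part of the original post: it checks that Start.exe exists before looping, uses the built-in timeout command (Vista and later) instead of the ping trick, logs each termination with a timestamp, and stops after a fixed number of runs so a forgotten CMD window does not keep killing the sandbox all day. The install path, box name, interval and run count are assumptions to adjust for your setup.

```batch
:: Added example: bounded Sandboxie watchdog (assumed path, box name and limits).
@echo off
setlocal
set "SBIE=C:\Program Files\Sandboxie\Start.exe"
set "BOX=DefaultBox"
set "INTERVAL=20"
set "MAXRUNS=30"

:: Fail early instead of silently looping if Sandboxie is not where we expect it.
if not exist "%SBIE%" (
    echo Start.exe not found at "%SBIE%" - adjust SBIE.
    exit /b 1
)

set /a COUNT=0
:LOOP
:: timeout /t waits INTERVAL seconds; /nobreak ignores keypresses so a
:: locked-up screen cannot accidentally shorten the wait.
timeout /t %INTERVAL% /nobreak > nul
echo [%DATE% %TIME%] terminating all processes in box %BOX% (run %COUNT%)
"%SBIE%" /box:%BOX% /terminate
set /a COUNT+=1
if %COUNT% LSS %MAXRUNS% goto LOOP

echo Watchdog finished after %MAXRUNS% runs.
endlocal
```

Run it from a CMD window before launching the sample in the box; closing the window at any point stops the loop just like the original version.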
 #4938  by Buster_BSA
 Mon Feb 07, 2011 2:39 pm
IMHO Sandboxie is much lighter and more efficient for managing malware than VMs.

An alternative to the batch file would be coding a shell for Sandboxie that allows processes to be terminated automatically after a specified amount of time. I do that in a program I coded.
 #4946  by Jaxryley
 Tue Feb 08, 2011 12:22 am
If you revert to a snapshot or delete undo disks in MS Virtual PC, you lose any droppers that you may want to harvest.

There are horses for courses, and I use both Sandboxie and MS VPC, it being easier to harvest any droppers from within the sandbox than looking throughout the whole system.

I prefer MS VPC as you can drag and drop files between host and VM and vice versa, whereas I don't think VirtualBox has that feature?

Haven't tried VMware.
 #4958  by Xylitol
 Tue Feb 08, 2011 9:37 pm
VMware has the feature, but you can only drag and drop from the host to the VM.
Afterwards, if you want to take a file out, it's by copy/paste.

edit: I don't have the latest build of VMware, but I've just seen the update:
Code:
VMware Workstation 7.1.3 is a FREE update for all VMware Workstation 7 users.

Highlights of VMware Workstation 7.1.3 are:

- Fixes required to enable drag and drop and create shared folders for Linux 2.6.35 kernel guests
- Changes to support Ubuntu 10.10 guests including an updated version of VMware Tools

See the VMware Workstation release notes for more details.
@Buster_BSA: personally I'm a regular virtual machine user for debugging malware.
How does that work in Sandboxie for debugging a malware? Do you launch Olly in the sandbox and then load the malware with Olly? Or do you need to launch the malware and Olly separately and then attach the malware to the debugger (if the malware has already done an ExitProcess!)?
 #4962  by Buster_BSA
 Wed Feb 09, 2011 4:27 am
Xylitol wrote: @Buster_BSA: personally I'm a regular virtual machine user for debugging malware.
How does that work in Sandboxie for debugging a malware? Do you launch Olly in the sandbox and then load the malware with Olly? Or do you need to launch the malware and Olly separately and then attach the malware to the debugger (if the malware has already done an ExitProcess!)?
You can launch Olly sandboxed and then load the malware with it.

I've done this several times with no trouble so far.