A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #23274  by EP_X0FF
 Fri Jul 04, 2014 3:24 am
Here is your bat
Code:
:l
if not exist "C:\DOCUME~1\User\0016~1\F29E35~1.BIN" goto e
del /Q /F "C:\DOCUME~1\User\0016~1\F29E35~1.BIN"
goto l
:e
del /Q /F "C:\DOCUME~1\User\APPLIC~1\4763869.bat"

What you want is a ready-to-use AV-style sandbox (with detailed logs, all data collection and timed memory dumps). No, Sandboxie cannot do this. It is still "Sandbox IE", nothing more.

Additionally it is kinda strange that you cannot extract this bat yourself, especially when this sample drops it at the first usual breakpoint.
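As an added example (not code from the thread or from any of the posters), here is a small static parser that recognises what the dropped bat above does without running it: a retry-until-gone delete loop (a backward `goto` whose body deletes a path and exits only once `if not exist` succeeds) and a final deletion of a `.bat` file, i.e. self-removal. The sample text is a constructed copy of the bat from the post; the function names and the `script_path` parameter are this example's own.

```python
import re

# Constructed copy of the dropped .bat shown at the top of the thread.
SAMPLE_BAT = r'''
:l
if not exist "C:\DOCUME~1\User\0016~1\F29E35~1.BIN" goto e
del /Q /F "C:\DOCUME~1\User\0016~1\F29E35~1.BIN"
goto l
:e
del /Q /F "C:\DOCUME~1\User\APPLIC~1\4763869.bat"
'''

LABEL_RE = re.compile(r'^\s*:(\w+)\s*$')
GOTO_RE = re.compile(r'^\s*goto\s+(\w+)', re.IGNORECASE)
# del/erase with any number of /X switches, then an optionally quoted path
DEL_RE = re.compile(r'^\s*(?:del|erase)\s+(?:/\w\s+)*"?([^"\s]+)"?', re.IGNORECASE)
IF_NOT_EXIST_RE = re.compile(r'^\s*if\s+not\s+exist\s+"?([^"\s]+)"?\s+goto\s+(\w+)',
                             re.IGNORECASE)


def analyze_bat(text, script_path=None):
    """Static parse of a batch script. Returns every delete target, the targets
    deleted inside a retry-until-gone loop, and the targets that look like
    self-deletion (a .bat/.cmd, %0, or the script's own path if given)."""
    lines = [line.rstrip() for line in text.splitlines()]

    # First pass: where each :label lives, so we can tell backward jumps apart.
    labels = {}
    for idx, line in enumerate(lines):
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(1).lower()] = idx

    deletes = []
    retry_loops = []
    for idx, line in enumerate(lines):
        m = DEL_RE.match(line)
        if m:
            deletes.append(m.group(1))
        g = GOTO_RE.match(line)
        if not g:
            continue
        target_label = g.group(1).lower()
        if target_label not in labels or labels[target_label] >= idx:
            continue  # forward jump, not a loop
        body = lines[labels[target_label] + 1:idx]
        # A loop that deletes X and only exits once X no longer exists
        # (batch paths are case-insensitive, so compare lowercased).
        looped_dels = {d.group(1).lower() for d in map(DEL_RE.match, body) if d}
        exit_guards = {c.group(1).lower() for c in map(IF_NOT_EXIST_RE.match, body) if c}
        retry_loops.extend(sorted(looped_dels & exit_guards))

    self_delete = [
        t for t in deletes
        if t.lower().endswith((".bat", ".cmd")) or t == "%0"
        or (script_path is not None and t.lower() == script_path.lower())
    ]
    return {"deletes": deletes, "retry_loops": retry_loops, "self_delete": self_delete}


if __name__ == "__main__":
    for key, value in analyze_bat(SAMPLE_BAT).items():
        print(key, value)
```

The loop detection is deliberately narrow: it only flags a backward jump whose body both deletes a path and tests that same path for absence, which is exactly the "keep trying until the locked file is released" pattern of the bat in the post. A script that deletes unrelated files in a loop is reported under `deletes` but not under `retry_loops`.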
 #23279  by Buster_BSA
 Fri Jul 04, 2014 7:50 am
0.chloe wrote:
Buster_BSA wrote:Sandboxie does not save the file because the file would not be saved if you run the malware in a real system, so it is perfectly normal.
I understand that, but I want to have the file saved; it's essential for further investigating how the malware works.

So Sandboxie does not save dropped files?
Sandboxie is just a sandbox software, not a malware analysis tool.

If you want to keep all files, then you should use another contributed utility like this:

http://forums.sandboxie.com/phpBB3/view ... 22&t=16656
 #23298  by rnd.usr
 Mon Jul 07, 2014 12:48 am
EP_X0FF wrote:Additionally it is kinda strange that you cannot extract this bat yourself, especially when this sample drops it at first usual breakpoint.
Yes, but maybe I want to create an automated analysis tool based on BSA that collects all dropped files and so on?

Nah, but I just pointed out that Sandboxie did not save dropped files, which is basic stuff for dynamic analysis. Dammit, this is an easy malware, can almost use notepad as a disassembler lol.
Buster_BSA wrote:Sandboxie is just a sandbox software, not a malware analysis tool.

If you want to keep all files, then you should use another contributed utility like this:

http://forums.sandboxie.com/phpBB3/view ... 22&t=16656
Was exactly what I was looking for! Huge thanks and case closed :)
 #23300  by EP_X0FF
 Mon Jul 07, 2014 5:04 am
0.chloe wrote:
EP_X0FF wrote:Additionally it is kinda strange that you cannot extract this bat yourself, especially when this sample drops it at first usual breakpoint.
Yes, but maybe I want to create an automated analysis tool based on BSA that collects all dropped files and so on?
A very bad idea.

1) SandboxIE restricts most of the actions that an application can do. Some apps will crash, some do not work, some work in a totally restricted mode.
2) Most malware is aware of Sandboxie, and in comparison to a VM, Sandboxie cannot be hidden from sophisticated detection.
3) Running actual malware on your own PC, even if it is "sandboxed", is a high risk. Bugs and exploits inside Sandboxie are present and unknown, and in comparison to a true VM they will directly affect your actual environment.

Your results will be incomplete and wrecked.

If you are looking for an automated analysis tool, then a virtual machine + your own behaviour logger is the only way. That's how Anubis, malwr, CAMAS, VirusTotal etc. work.
 #23303  by Buster_BSA
 Mon Jul 07, 2014 10:29 am
EP_X0FF wrote:If you are looking for an automated analysis tool, then a virtual machine + your own behaviour logger is the only way. That's how Anubis, malwr, CAMAS, VirusTotal etc. work.
The ideal would be a software like Cuckoo Sandbox (malwr) with the features/reports from BSA. The most similar to that is Joe Sandbox but it is not public.
 #23304  by rnd.usr
 Mon Jul 07, 2014 8:21 pm
EP_X0FF wrote:If you are looking for an automated analysis tool, then a virtual machine + your own behaviour logger is the only way. That's how Anubis, malwr, CAMAS, VirusTotal etc. work.
Yup, I have my very own machine for automatic analysis. It's basically VirtualBox with --nictrace and dumpguestcore and 2 tools (API-sniffer and RWX-dumper). It's not the best tool, but it's always fun to create your own thing. I've tried Cuckoo, but the behavioral function never works for me.

The problem is that my tools kinda suck. I have no program to monitor the I/O (filemon sucks because it does not store buffers), so that's why I'm in this thread looking for solutions. Although I've got an answer from Buster_BSA, the problem with more advanced malware occurs: things like kernel hooks and code injection/process replacement/bootkits will fail in Sandboxie.

I have physical machines running XP and W7, but no tools... So if you guys have any good tips on tools, I'll be very happy to hear them.
 #23306  by EP_X0FF
 Tue Jul 08, 2014 7:19 am
0.chloe wrote:
EP_X0FF wrote:If you are looking for an automated analysis tool, then a virtual machine + your own behaviour logger is the only way. That's how Anubis, malwr, CAMAS, VirusTotal etc. work.
Yup, I have my very own machine for automatic analysis. It's basically VirtualBox with --nictrace and dumpguestcore and 2 tools (API-sniffer and RWX-dumper). It's not the best tool, but it's always fun to create your own thing. I've tried Cuckoo, but the behavioral function never works for me.

The problem is that my tools kinda suck. I have no program to monitor the I/O (filemon sucks because it does not store buffers), so that's why I'm in this thread looking for solutions. Although I've got an answer from Buster_BSA, the problem with more advanced malware occurs: things like kernel hooks and code injection/process replacement/bootkits will fail in Sandboxie.

I have physical machines running XP and W7, but no tools... So if you guys have any good tips on tools, I'll be very happy to hear them.
Have you looked at how, for example, camas or vt/malwr (vbox vm) do this monitoring?
 #23312  by rnd.usr
 Tue Jul 08, 2014 11:25 am
EP_X0FF wrote:
0.chloe wrote:Have you looked at how, for example, camas or vt/malwr (vbox vm) do this monitoring?
Well, yes. First of all, Cuckoo is using Cuckoomon: https://github.com/cuckoobox/cuckoomon for its hooking and monitoring. Then there's the Behavior plugin: https://github.com/cuckoobox/cuckoo/blo ... ehavior.py

So yeah, there's a lot to learn if I want to hack something out of an already working (not for me) auto-analysis VM. I think the best way is just to keep it as simple as possible.

I have one method: it's by comparing the original disk image with the disk after I ran the malware, then I can find some files (not wiped). I need some automated machines because I kinda want to build something like what Xyli did with Zbotscan. Now that malwr uses an API I can use that one and then code a parser for grepping the whole report, but jeez, that's not professional.

Do you remember dirwatch_ui from SysAnalyzer? It's basically exactly what I want because it saves files on modification. I mean, is it hard to just build a driver that hooks NtCreateFile and NtDeleteFile and does a "copy on write" kind of thing?
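The two approaches raised in this post, comparing a clean image against the post-run disk and saving dropped files on modification before the sample can remove them, are the same operation seen at different times: snapshot, diff, preserve. As an added example (not code from the thread, from SysAnalyzer, or from any of the posters), the Python below hashes a directory tree, diffs two snapshots into created/deleted/modified sets, and on each poll copies every new or changed file into a hash-named vault so it survives a later self-delete. The `demo()` scenario, the directory names and the file contents are constructed; the function names are this example's own.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so a large drop is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (as a path relative to root) to its content hash."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = hash_file(full)
    return files


def diff(before, after):
    """Return (created, deleted, modified) relative paths between two snapshots.
    Run on a clean image vs. a post-run image this is the offline comparison;
    run between two polls it drives the copy-on-change logic below."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return created, deleted, modified


def preserve(root, vault, baseline):
    """One poll: copy each created or modified file into vault, named by its
    hash (so identical drops are stored once), and return the new baseline
    together with the (relative path, hash) pairs that were saved."""
    current = snapshot(root)
    created, _, modified = diff(baseline, current)
    saved = []
    for rel in created + modified:
        digest = current[rel]
        dst = os.path.join(vault, digest)
        if not os.path.exists(dst):
            shutil.copy2(os.path.join(root, rel), dst)
        saved.append((rel, digest))
    return current, saved


def demo():
    """Constructed scenario: a baseline with one clean file, a dropped file,
    one poll, then the drop is removed (as the bat in this thread does to
    itself). Returns what the poll saved and what the final diff reports."""
    work = tempfile.mkdtemp(prefix="guest_")
    vault = tempfile.mkdtemp(prefix="vault_")
    with open(os.path.join(work, "existing.txt"), "w") as f:
        f.write("pre-existing content\n")
    baseline = snapshot(work)

    dropped = os.path.join(work, "dropped.bat")
    with open(dropped, "w") as f:
        f.write("constructed dropped content\r\n")
    baseline, saved = preserve(work, vault, baseline)  # poll before it vanishes

    os.remove(dropped)  # the sample cleans up after itself
    created, deleted, modified = diff(baseline, snapshot(work))
    recovered = all(os.path.exists(os.path.join(vault, d)) for _, d in saved)
    return {"saved": saved, "created": created, "deleted": deleted,
            "modified": modified, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The limitation is the one the post is really about: a polling monitor only catches a file that still exists when the poll runs, so a drop that is written and deleted within one interval is lost, and a file held open with exclusive access cannot be copied at all. Capturing the write itself (a kernel-side copy-on-write hook, or a filter that records buffers rather than just names as filemon does) closes that window; the snapshot/diff step here is still useful afterwards to turn whatever was captured into a clean created/deleted/modified report.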