 #6438  by Mr.Bojangles
 Fri May 20, 2011 1:18 pm
Buster_BSA wrote:
Mr.Bojangles wrote:
CreateToolhelp32Snapshot
Module32First
Module32Next
LoadLibrary
SWbemServices
GetModuleHandle
log_api should at least handle those. Lots more around virtual memory and threading. PE structs seem ok.
log_api handles those already (except SWbemServices) and some others related to the things you mention.

If you want, you can download the last BSA package from here and review it. Then you can suggest improvements about things it misses.
I use it. I'm on 1.32.

-PEiD is obsolete now, and all the sigs for it are scattered and old anyway, use exeinfo instead.
-view connections is always grayed, I have wireshark and winpcap latest versions installed (Win7 x64)
-In your malware analysis output, note access to popular app authentication storage (this will snag a lot of kiddy malware as this is about all they do these days)
-do all loadlibrary variants
-refine interface

I haven't looked much into your stealth, I mainly just use it occasionally to test stuff, mostly .NET stuff where AVs really fail and I don't want to manually decrypt.
 #6439  by Buster_BSA
 Fri May 20, 2011 1:45 pm
Mr.Bojangles wrote: -PEiD is obsolete now, and all the sigs for it are scattered and old anyway, use exeinfo instead.
I just checked and it doesn't seem to fit what I need, as it cannot run from the command line.
Mr.Bojangles wrote: -view connections is always grayed, I have wireshark and winpcap latest versions installed (Win7 x64)
Did you define the interface to use?

Options > Common Analysis Options > Packet Sniffer > Select Adapter
Mr.Bojangles wrote: -In your malware analysis output, note access to popular app authentication storage (this will snag a lot of kiddy malware as this is about all they do these days)
I don't understand what you mean by this, sorry.
Mr.Bojangles wrote: -do all loadlibrary variants
Even if you only see "LoadLibrary", I think all the variants are covered. I just use the same name for all of them.
Mr.Bojangles wrote: -refine interface
I'm afraid I'm null at doing interfaces. :roll:
Mr.Bojangles wrote: I haven't looked much into your stealth, I mainly just use it occasionally to test stuff, mostly .NET stuff where AVs really fail and I don't want to manually decrypt.
For the average malware (over 95%, I'd say), BSA's measures are enough to hide Sandboxie. Maybe someone else more skilled than me could do it better.
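As an added illustration of the logging discussed in the two posts above (not code from the thread, from BSA or from log_api): a small Python triage pass over a constructed hook-log format that folds the LoadLibrary and GetModuleHandle variants into one label each, as Buster describes log_api doing, and flags the module-enumeration sequence from the API list in the first post plus RWX allocations. The "Api(args)" line format, the sample lines and the finding tags are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample of hook-log lines. The "Api(args)" format is invented for this
# example and is not BSA's real LOG_API output.
SAMPLE_LOG = """\
LoadLibraryA("kernel32.dll")
LoadLibraryExW("wininet.dll", 0x0, 0x0)
GetModuleHandleW("kernel32.dll")
CreateToolhelp32Snapshot(0x8, 0x0)
Module32First(0x1c4, 0x12f000)
Module32Next(0x1c4, 0x12f000)
Module32Next(0x1c4, 0x12f000)
VirtualAlloc(0x0, 0x1000, 0x3000, 0x40)
"""

# Fold LoadLibraryA/W/ExA/ExW and GetModuleHandleA/W/ExA/ExW into one label each,
# the way the thread describes log_api reporting every variant under one name.
VARIANTS = re.compile(r"^(LoadLibrary|GetModuleHandle)(Ex)?[AW]?$")
LINE = re.compile(r"^(\w+)\((.*)\)$")
TH32CS_SNAPMODULE = 0x8          # dwFlags bit for a module snapshot
PAGE_EXECUTE_READWRITE = 0x40    # flProtect value for RWX memory

def canonical(api):
    m = VARIANTS.match(api)
    return m.group(1) if m else api

def parse_log(text):
    """Return a list of (canonical_api, [raw args]) for each parsable line."""
    calls = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        args = [a.strip() for a in m.group(2).split(",")] if m.group(2) else []
        calls.append((canonical(m.group(1)), args))
    return calls

def api_counts(calls):
    return Counter(api for api, _ in calls)

def findings(calls):
    """Tag a module-enumeration sequence and RWX allocations; sorted list of tags."""
    tags = set()
    for i, (api, args) in enumerate(calls):
        if api == "CreateToolhelp32Snapshot" and args and int(args[0], 16) & TH32CS_SNAPMODULE:
            if {a for a, _ in calls[i + 1:i + 4]} & {"Module32First", "Module32Next"}:
                tags.add("module-enumeration")
        if api == "VirtualAlloc" and len(args) == 4 and int(args[3], 16) == PAGE_EXECUTE_READWRITE:
            tags.add("rwx-allocation")
    return sorted(tags)
```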
 #6443  by Buster_BSA
 Fri May 20, 2011 6:44 pm
gjf wrote: Mr.Bojangles, as for me, I use sbiextra in cooperation with BSA just to improve hiding.

But you are right - the hiding is pretty poor. For instance, from the latest samples - here it is (password is virus). It is Xorist malware; it encrypts the user's files and asks for a donation for the decryptor. It has a quite strong VBKrypt packer which detects VMs/sandboxes. That's why the sandboxed behaviour differs from the original one. I could not find a way to fool this VBKrypt protection using BSA.

So it would be quite promising if the author paid attention to hiding.
Does anyone know how this sample detects Sandboxie's presence?
 #6449  by EP_X0FF
 Sat May 21, 2011 2:49 am
Buster_BSA wrote:
gjf wrote: Mr.Bojangles, as for me, I use sbiextra in cooperation with BSA just to improve hiding.

But you are right - the hiding is pretty poor. For instance, from the latest samples - here it is (password is virus). It is Xorist malware; it encrypts the user's files and asks for a donation for the decryptor. It has a quite strong VBKrypt packer which detects VMs/sandboxes. That's why the sandboxed behaviour differs from the original one. I could not find a way to fool this VBKrypt protection using BSA.

So it would be quite promising if the author paid attention to hiding.
Does anyone know how this sample detects Sandboxie's presence?
It has VB crypter over Themida.
 #6454  by Buster_BSA
 Sat May 21, 2011 9:34 am
EP_X0FF wrote: It has VB crypter over Themida.
AFAIK Themida-compressed files are compatible with Sandboxie, aren't they?

If that's correct, we could assume that the VB crypter is the culprit for stopping the execution when it's running under Sandboxie. I will investigate that, thanks!
 #6460  by Buster_BSA
 Sat May 21, 2011 12:31 pm
Released Buster Sandbox Analyzer 1.33.

Changes:

+ Added a feature to run BSA from command line in automatic mode
+ Added Exeinfo support
+ Added extra information of dropped files
+ Updated BSA.DAT
+ Updated LOG_API
+ Fixed a bug
 #6466  by Buster_BSA
 Sat May 21, 2011 7:26 pm
gjf wrote: Mr.Bojangles, as for me, I use sbiextra in cooperation with BSA just to improve hiding.

But you are right - the hiding is pretty poor. For instance, from the latest samples - here it is (password is virus). It is Xorist malware; it encrypts the user's files and asks for a donation for the decryptor. It has a quite strong VBKrypt packer which detects VMs/sandboxes. That's why the sandboxed behaviour differs from the original one. I could not find a way to fool this VBKrypt protection using BSA.

So it would be quite promising if the author paid attention to hiding.
Maybe the problem is that the malware checks for inline hooks (LOG_API.DLL adds them).

Try to run the malware with LOG_API.DLL not injected and see how it goes.
 #6503  by Buster_BSA
 Mon May 23, 2011 5:44 pm
Mr.Bojangles wrote: What does your tool do to hide Sandboxie? From what I see it just uses the CodeProject HideDriver to hide Sandboxie processes, and x64 users are screwed.
Good news. I was doing some research and I think I was able to find a way to hide Sandboxie on x64 (32-bit stuff, of course).

On next BSA release HideDriver will not be included anymore. All the hiding will be done from LOG_API.