10. Appendix C – Utilities & Analysis
The Utilities menu contains features related to malware analysis. These features may not improve detection capabilities, but they are useful when analyzing malware samples.
Explorer > Memory Explorer
The Memory Explorer feature is used to acquire the physical memory, dump it to disk and visualize the contents.
The memory image on disk can be displayed in several modes: text, binary, hexadecimal, Unicode and Unicode/hex. Each mode can be configured with the following options: word wrap, OEM font and non-printable.
You can jump to any position in the image using the "Position" feature.
You can also jump directly to the beginning or the end of the file with the buttons.
There are two search methods: string and hexadecimal.
The hexadecimal search accepts hexadecimal values written with or without spaces between them.
The "Dump Memory" button dumps the physical memory to disk. The image is saved in the "Dumps" folder with the filename "physmem.dmp".
Dumping the physical memory may take a while, especially on slow computers.
When the "Memory Explorer" feature is opened, an existing "Dumps\physmem.dmp" can be loaded.
Note: This feature will be available only in manual analysis mode.
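As an added example (not part of the manual and not BSA's code), the two search methods above implemented over a constructed in-memory "image": the hexadecimal pattern is accepted with or without spaces, and the string search can run in ASCII or in Unicode (UTF-16LE) mode, which is the difference between the text and unicode display modes. Offsets are returned so a caller can jump to them as with the "Position" feature.

```python
import re

# Constructed sample "memory image" (not a real dump): an ASCII string, a UTF-16LE string
# and a 4-byte header pattern that occurs twice.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00" + b"cmd.exe /c" + b"\x00" * 4
    + "evil.dll".encode("utf-16-le") + b"\xff\xfe" + b"MZ\x90\x00" + b"\x00" * 8
)


def parse_hex_pattern(text):
    """Turn user input such as '4d 5a 90 00' or '4D5A9000' into bytes.
    Whitespace is optional; anything that is not an even number of hex digits is rejected."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or re.search(r"[^0-9A-Fa-f]", compact):
        raise ValueError("hex pattern must be an even number of hex digits")
    return bytes.fromhex(compact)


def find_all(image, needle):
    """Every offset at which needle occurs, overlapping matches included."""
    offsets, pos = [], image.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(needle, pos + 1)
    return offsets


def search_hex(image, text):
    """Hexadecimal search: offsets of the byte pattern given as hex text."""
    return find_all(image, parse_hex_pattern(text))


def search_string(image, text, mode="ascii"):
    """String search in ASCII mode or, with mode='unicode', as UTF-16LE (one NUL after
    each character), which is how Windows stores most of its wide strings."""
    encoded = text.encode("ascii") if mode == "ascii" else text.encode("utf-16-le")
    return find_all(image, encoded)
```

Searching the sample image for "4D 5A 90 00" and for "4d5a9000" gives the same two offsets; "evil.dll" is found only in unicode mode because the image stores it as UTF-16LE.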
Explorer > Pcap Explorer
The Pcap Explorer feature is used for offline network forensic analysis.
When you open a .pcap file, the packets are listed on screen with the following information: Source Address, Source Port, Destination Address, Destination Port and packet type. At the bottom, BSA shows how many packets the .pcap file contains and the size of the current packet.
Packet contents are displayed when you click a packet.
Right-clicking in the packet window you can select:
Filter Packets: Used to display only the packets matching user-specified parameters.
Right-click again to remove the filters.
Follow TCP Stream: This feature is used to display a TCP session.
The session can be displayed in several formats: text, binary, hexadecimal, ...
You can keep the session file by checking the "Keep session file on exit" option.
Note: Session files will be stored under \BSA\PCAP\Sessions folder.
From “Utilities” menu you can select:
Extract Contents: This feature is used to drop files from HTTP sessions and mail attachments to disk. Dropped files are saved to the \BSA\PCAP\Captures folder.
The ability to drop mail attachments from .pcap files to disk is unique; no other tool does this.
Show Information: This feature is used to view the URLs requested and the DNS names queried.
Note: DNS query information comes from UDP packets, and these packets can originate from sandboxed or unsandboxed applications. Therefore the information displayed here may be inaccurate.
You can save the displayed information using "Files > Save Information To Disk".
Search: You can search packet contents by entering a text string or a hexadecimal string.
The "File" menu also offers:
Pcap Splitter: This feature is used when you want to analyze a very big .pcap file. In this case it is better to split the big file into smaller .pcap files.
To do this, load the big .pcap file from "File > Open Original". After loading the file, BSA presents the packet information sorted by packet type ("TCP" or "UDP") and then by "Source IP", "Destination IP", "Source Port" and "Destination Port". The feature works by drag and drop.
Let's say you want to generate a .pcap file containing only the packets with port 80 as "Source Port". You drag the "80" from "Original Capture > Source Port" and drop it in the "New Capture > Source Port" window.
You can combine different ports and IPs to create the new capture file.
Note: The Pcap Explorer feature is compatible with .pcap files created with tools such as Wireshark or NetworkMiner.
Save Connection Information to CSV: Used to save the information related to connections to a CSV file.
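The following Python is an added example, not BSA's code, showing the mechanics behind the packet list, "Filter Packets" and "Pcap Splitter" described above: it reads the classic libpcap format, summarizes each Ethernet/IPv4 packet into the columns Pcap Explorer lists, filters on any of those columns (the manual's drag-and-drop example is the special case sport=80), and writes a new .pcap containing only the matching records. The three-packet capture is constructed in the code; build_pcap and ipv4_frame exist only to produce it.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps


def build_pcap(packets):
    """Serialize (timestamp, frame) pairs into a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", int(ts), 0, len(frame), len(frame)) + frame
    return out


def ipv4_frame(proto, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the sample capture; checksums are
    left zero because only the header layout matters for listing and splitting."""
    if proto == 6:   # TCP: 20-byte header, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + l4


def read_pcap(data):
    """Yield (record_header, frame) for every record, accepting either byte order as a
    reader of Wireshark or NetworkMiner output must; stops cleanly at a truncated tail."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break
        yield data[pos:pos + 16], frame
        pos += 16 + incl_len


def summarize(frame):
    """The columns Pcap Explorer lists: source/destination address and port and packet type."""
    if frame[12:14] != b"\x08\x00" or len(frame) < 34:
        return None   # not IPv4 (ARP, IPv6, ...) or too short to carry an IP header
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    row = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "sport": None, "dport": None, "type": {6: "TCP", 17: "UDP"}.get(proto, "IP/%d" % proto)}
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        row["sport"], row["dport"] = struct.unpack("!HH", l4[:4])
    return row


def matches(row, criteria):
    return row is not None and all(row.get(k) == v for k, v in criteria.items())


def filter_packets(data, **criteria):
    """Filter Packets: rows whose fields equal every criterion, e.g. sport=80, type="TCP"."""
    return [summarize(f) for _, f in read_pcap(data) if matches(summarize(f), criteria)]


def split_pcap(data, **criteria):
    """Pcap Splitter: a new capture holding only the matching records. The global header and
    each record header are copied unchanged, so timestamps and lengths stay intact."""
    out = data[:24]
    for rec_hdr, frame in read_pcap(data):
        if matches(summarize(frame), criteria):
            out += rec_hdr + frame
    return out


# Constructed three-packet capture: an HTTP request and reply plus one DNS-style UDP datagram.
SAMPLE_PCAP = build_pcap([
    (1, ipv4_frame(6, "10.0.0.5", "198.51.100.7", 49152, 80, b"GET / HTTP/1.1\r\n")),
    (2, ipv4_frame(6, "198.51.100.7", "10.0.0.5", 80, 49152, b"HTTP/1.1 200 OK\r\n")),
    (3, ipv4_frame(17, "10.0.0.5", "10.0.0.1", 53000, 53, b"\x12\x34")),
])
```

split_pcap(SAMPLE_PCAP, sport=80) reproduces the manual's example (only the reply from port 80 survives), and because record headers are copied verbatim the output opens in any pcap reader.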
Explorer > PE Explorer
The PE Explorer feature is used to obtain information about PE files, such as sections, imports, exports and resources.
Resources can be saved to disk by right-clicking on items.
Explorer > Process Explorer
Process Explorer feature is used to view running processes.
If you click a process, its loaded modules are listed.
Right-clicking a process lets you dump it to disk or dump the memory region that belongs to that process.
Right-clicking a module lets you dump it to disk.
"Overwrite dumps": When this option is enabled, dumps are overwritten. When disabled, dumps get different file names.
"Realign sections": This feature is used to realign file sections.
"Refresh List": Used to update the list of running processes.
Pressing F5 also refreshes the list of running processes.
When BSA is running on a 64-bit system, only 32-bit processes are available for dumping.
In some cases Process Explorer will be able to list hidden processes.
Columns can be sorted in ascending/descending order by clicking on the column name.
When dumping regions, if BSA detects an executable, consecutive regions are dumped together.
Note: This feature will be available only in manual analysis mode.
Explorer > RegHive Explorer
The RegHive Explorer feature is used to view the Windows Registry modifications performed by sandboxed applications.
These modifications are stored by Sandboxie in the "RegHive" file, which can be found in the root directory of the sandbox folder.
RegHive Explorer shows the values of the keys when available.
It is possible to show the real Windows Registry and synchronize the RegHive contents with the real Windows Registry contents in order to compare modifications more easily.
Buster Sandbox Analyzer's RegHive Explorer is the only feature in the world specifically designed to show Sandboxie's RegHive files.
File > File Disassembler
The File Disassembler feature is used to disassemble PE, NE, MZ, COM, ELF and raw binary file formats.
File > File Hash
The File Hash feature provides the hash of a specified file or of the files contained in a folder.
Available hashes are: CRC32, MD5, SHA-1 and SHA-256.
Hashes can be selected individually and can be shown in lower or upper case.
When a folder is processed you can choose to process subfolders or not.
Additionally, you can specify which file types (extensions) are processed. If the option is not enabled, all files are processed.
Right clicking the window showing results you can:
"Save Results to File": Saves results to the file you specify.
"Check Hash at VirusTotal": This option is available only when MD5, SHA-1 or SHA-256 has been selected. It opens the default browser and loads the "http://www.virustotal.com/buscaHash.html" web page. The selected hash is copied to the clipboard so it can be easily pasted into the "Search" field.
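An added example (not BSA's own implementation) of what File Hash computes: CRC32, MD5, SHA-1 and SHA-256 of every file under a folder, honoring the subfolder, extension-filter and upper/lower-case options, with all selected digests computed in one pass over each file. The sample folder is constructed in a temporary directory by make_sample_tree(), which exists only for the demonstration.

```python
import hashlib
import os
import tempfile
import zlib

ALGORITHMS = ("CRC32", "MD5", "SHA-1", "SHA-256")


def hash_file(path, selected=ALGORITHMS, upper=False):
    """All selected digests of one file in a single pass over 1 MiB chunks, so a large
    sample is not read once per algorithm."""
    hashers = {n: hashlib.new(n.replace("-", "").lower()) for n in selected if n != "CRC32"}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            crc = zlib.crc32(chunk, crc)
            for h in hashers.values():
                h.update(chunk)
    digests = {n: h.hexdigest() for n, h in hashers.items()}
    if "CRC32" in selected:
        digests["CRC32"] = "%08x" % crc
    return {n: (d.upper() if upper else d) for n, d in digests.items()}


def hash_folder(folder, selected=ALGORITHMS, recurse=True, extensions=None, upper=False):
    """Hash the files below folder. extensions, e.g. {".exe", ".dll"}, limits the file types
    processed (None = all files); recurse=False stops at the root folder, as the File Hash
    options do. Keys are paths relative to folder with '/' separators."""
    rows = {}
    for root, dirs, files in os.walk(folder):
        if not recurse:
            dirs[:] = []          # tell os.walk not to descend
        for name in sorted(files):
            if extensions and os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            rows[rel] = hash_file(full, selected, upper)
    return rows


def make_sample_tree():
    """Constructed folder for the demonstration: a.exe and notes.txt at the root, sub/b.dll below."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "sub"))
    for rel, content in (("a.exe", b"MZ sample"), ("notes.txt", b"hello"), ("sub/b.dll", b"MZ other")):
        with open(os.path.join(base, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return base
```

The SHA-256 of the constructed notes.txt ("hello") is the familiar 2cf24dba..., which is the value you would paste into the VirusTotal search field.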
File > File Hex Editor
Buster Sandbox Analyzer includes a built-in hex editor coded by Markus Stephany using his component TMPHexEditor.
File Hex Editor has a limitation: files over about 1 GB report an "Out of memory" error.
File > File Signature
The File Signature feature provides information about which packer, if any, was used to compress a file or, if the file is not packed, which compiler was used to build it.
To obtain this information Buster Sandbox Analyzer uses PEiD and Exeinfo.
PEiD's signatures are stored in the USERDB.TXT file. This file can be edited to add detection for more packers and compilers.
"Process a DB" compares our USERDB.TXT with another database and saves the new signatures to a file.
"Process a File" shows the file signature of a single file.
"Process a Folder" shows the file signatures of the files inside a specified folder.
"Process a Folder" has the following options:
"Include Subfolders": Root folder and subfolders will be processed.
"Process only EXE/DLL": BSA only shows signatures from EXE/DLL files.
Right-clicking in the results window you can save the results to a specified file.
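As an added example (not PEiD's or BSA's code), the parsing work behind both PE Explorer and File Signature: locate the PE header and section table, map the entry-point RVA to a file offset, parse USERDB.TXT-style entries with ?? wildcards into byte regexes, match them at the entry point ("Process a File"), and report which signatures another database contains that ours lacks ("Process a DB"). The PE image and both signature databases are constructed; the byte patterns are invented for the example and describe no real packer or compiler.

```python
import re
import struct


def build_sample_pe(ep_code):
    """Constructed minimal PE32 image (not a real program): one .text section at file offset
    0x200 mapped to RVA 0x1000, with the entry point at the start of that section."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                              # AddressOfEntryPoint
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + section
    return headers.ljust(0x200, b"\x00") + ep_code.ljust(0x200, b"\xCC")


def parse_pe(data):
    """Entry-point RVA and section table, the basics PE Explorer shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {"entry_rva": entry_rva, "sections": sections}


def rva_to_offset(pe, rva):
    """File offset of an RVA, via the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def parse_userdb(text):
    """Parse PEiD USERDB.TXT-style entries ('[Name]', 'signature = 60 BE ?? ..', 'ep_only = true')
    into (name, normalized signature text, compiled byte regex, ep_only) tuples. '??' is a
    one-byte wildcard, so each signature becomes a regex over the raw file bytes."""
    entries, cur = [], None

    def flush():
        if cur and cur.get("sig"):
            rx = re.compile(b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                                     for t in cur["sig"].split()), re.DOTALL)
            entries.append((cur["name"], cur["sig"], rx, cur.get("ep_only", True)))

    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            cur = {"name": line[1:-1]}
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "signature":
                cur["sig"] = " ".join(value.upper().split())
            elif key == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    flush()
    return entries


def identify(data, sigs):
    """'Process a File': names of signatures matching at the entry point (ep_only) or anywhere."""
    pe = parse_pe(data)
    ep = rva_to_offset(pe, pe["entry_rva"])
    return [name for name, _, rx, ep_only in sigs
            if (rx.match(data, ep) if ep_only else rx.search(data))]


def new_signatures(ours, theirs):
    """'Process a DB': entries of another database whose signature bytes ours lacks."""
    known = {sig for _, sig, _, _ in ours}
    return [(name, sig) for name, sig, _, _ in theirs if sig not in known]


# Constructed signature databases; the byte patterns are invented for this example.
OUR_DB = """
[Constructed packer stub A]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true
"""
OTHER_DB = OUR_DB + """
[Constructed compiler stub B]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68
ep_only = true
"""
SAMPLE_PE = build_sample_pe(bytes.fromhex("60 BE 00 20 40 00 8D BE 00 F0 FF FF 57 83 CD FF EB 10"))
```

Matching only at the entry point (ep_only) is what keeps a packer stub signature from firing on every file that merely embeds those bytes somewhere in its data.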
File > File Scanner
File Scanner feature is used to send files for analysis to VirusTotal.
Files can be selected individually or by folder (files in subfolders are not included).
Right clicking in the send list window you can delete an item or clear the send list.
It is possible to drag and drop files into the send list window.
File > File Strings
The File Strings feature is used to show the strings contained in a specified file.
The strings to search for can be defined using the following options:
"Minimum char length": Specifies the minimum length of a string. The minimum is 3 chars.
"Maximum char length": Specifies the maximum length of a string. If "0" is specified there is no maximum.
"Lower case ASCII letters (a-z)": a-z letters will be included in the search.
"Upper case ASCII letters (A-Z)": A-Z letters will be included in the search.
"Numbers (0-9)": 0-9 numbers will be included in the search.
"Space": Space char will be included in the search.
"Punctuation": Punctuation chars will be included in the search.
"Symbols": Symbol chars will be included in the search.
"Show unique strings": Each string found is shown only once.
"Ascii/Unicode/Ascii-Unicode": You can specify whether the strings must be ASCII, Unicode or both.
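An added example, not the File Strings implementation, of the options listed above applied to a constructed buffer: the selected character classes form the alphabet, minimum/maximum length and unique filtering are applied, and Unicode mode scans for UTF-16LE runs (each character followed by a NUL byte). How string.punctuation is split between "Punctuation" and "Symbols" is this example's assumption.

```python
import re
import string

# Character classes behind the File Strings checkboxes. Splitting string.punctuation into
# "punctuation" and "symbols" this way is an assumption made for the example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "space": " ",
    "punctuation": ".,;:!?'\"-_()[]{}",
    "symbols": "@#$%^&*+=<>/\\|~`",
}


def extract_strings(data, min_len=3, max_len=0, encoding="both", unique=False, **classes):
    """Return sorted (offset, encoding, text) tuples for every run of allowed characters.
    min_len/max_len mirror the File Strings options (max_len 0 = no limit; longer runs are
    not reported); encoding is "ascii", "unicode" (UTF-16LE) or "both"; the keyword
    arguments are the checkboxes, e.g. lower=True, digits=True."""
    if min_len < 3:
        raise ValueError("minimum length is 3 characters")
    alphabet = "".join(CLASSES[name] for name, on in classes.items() if on)
    if not alphabet:
        raise ValueError("no character class selected")
    cls = b"[" + re.escape(alphabet).encode("ascii") + b"]"
    quant = b"{%d,}" % min_len
    scanners = []
    if encoding in ("ascii", "both"):
        scanners.append(("ascii", re.compile(cls + quant)))
    if encoding in ("unicode", "both"):   # each UTF-16LE code unit is <char><NUL>
        scanners.append(("unicode", re.compile(b"(?:" + cls + b"\x00)" + quant)))
    found, seen = [], set()
    for label, rx in scanners:
        for m in rx.finditer(data):
            text = m.group().decode("ascii" if label == "ascii" else "utf-16-le")
            if max_len and len(text) > max_len:
                continue
            if unique:
                if text in seen:
                    continue
                seen.add(text)
            found.append((m.start(), label, text))
    return sorted(found)


# Constructed sample binary: ASCII and UTF-16LE strings, short noise and a repeated DLL name.
SAMPLE = (b"\x00\x01MZ\x90" + b"kernel32.dll\x00" + b"ab\x00\x00"
          + "http://example.invalid/update".encode("utf-16-le") + b"\x00\x00"
          + b"GetProcAddress\x00" + b"kernel32.dll\x00" + b"A B\x00" + b"!!!!\x00")
```

With every class enabled the URL is reported once, as a unicode string, while "A B" only survives when "Space" is selected; disabling a class splits runs at the characters it contains.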
File > File Renamer
The File Renamer feature is used to rename file names and extensions.
File names can be renamed to their CRC32, MD5, SHA1 or SHA256 hashes.
File extensions are renamed to the proper extension when the file type is known. If the file type is unknown you can choose between keeping the current extension or renaming it to a default extension.
This feature can rename a single file or a whole folder. It can also rename only file names, only file extensions or both.
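Added example (not BSA's code) of the renaming logic described above: the new extension comes from the file's magic bytes rather than from its current name, unknown types either keep their extension or take a default, names become the chosen hash, and the whole plan is computed before anything is renamed so that two files with the same hash cannot silently overwrite each other. The magic-to-extension table and the sample files in make_samples() are this example's own.

```python
import hashlib
import os
import tempfile
import zlib

# Well-known magic numbers; which extension each maps to is this example's assumption.
MAGIC = ((b"MZ", ".exe"), (b"\x7fELF", ".elf"), (b"%PDF", ".pdf"), (b"PK\x03\x04", ".zip"),
         (b"\x89PNG\r\n\x1a\n", ".png"), (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"))


def file_hash(path, algorithm):
    """Hex digest of the file for CRC32, MD5, SHA-1 or SHA-256."""
    with open(path, "rb") as fh:
        data = fh.read()
    if algorithm == "CRC32":
        return "%08x" % zlib.crc32(data)
    return hashlib.new(algorithm.replace("-", "").lower(), data).hexdigest()


def detect_extension(path, default_ext=".bin", keep_unknown=False):
    """Extension from the file's content, not its name; an unknown type keeps its current
    extension or gets default_ext, the two choices File Renamer offers."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, ext in MAGIC:
        if head.startswith(magic):
            return ext
    return os.path.splitext(path)[1] if keep_unknown else default_ext


def plan_rename(folder, algorithm="SHA-256", names=True, exts=True, default_ext=".bin", keep_unknown=False):
    """Map old name -> new name for every file directly in folder. Nothing is touched on
    disk until apply_plan(), so the plan can be reviewed first."""
    plan = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if not os.path.isfile(full):
            continue
        stem, ext = os.path.splitext(name)
        if names:
            stem = file_hash(full, algorithm)
        if exts:
            ext = detect_extension(full, default_ext, keep_unknown)
        plan[name] = stem + ext
    return plan


def apply_plan(folder, plan):
    """Rename per the plan, refusing to overwrite: two different files that hash to the same
    name would otherwise collapse into one. Returns the folder listing afterwards."""
    for old, new in plan.items():
        if old == new:
            continue
        dst = os.path.join(folder, new)
        if os.path.exists(dst):
            raise FileExistsError("refusing to overwrite %s" % new)
        os.rename(os.path.join(folder, old), dst)
    return sorted(os.listdir(folder))


def make_samples():
    """Constructed folder: an executable with no extension, a PDF disguised as .exe and an
    unknown blob."""
    base = tempfile.mkdtemp()
    for name, content in (("sample1", b"MZ\x90\x00fake"), ("invoice.exe", b"%PDF-1.4 fake"),
                          ("unknown.dat", b"junk")):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(content)
    return base
```

The disguised "invoice.exe" ends up with a .pdf extension because its content, not its name, decides the type; that is the property that makes hash-named, content-typed sample folders easy to deduplicate and triage.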
LOG_API > LOG_API Patcher
This feature automatically modifies the LOG_API you select (any version) to match the title of the application. This is required for running multiple malware analyses.
Malware Analyzer > Risk Evaluation Calculator/Ratings
The "Risk Evaluation Calculator" module defines the minimum number of alerts of each level needed to reach high, medium and low risk.
The "Risk Evaluation Ratings" module allows the user to configure the "weight" of each malicious action. Each listed action can have one of the following risk levels: none, low, medium or high.
There is a checkbox next to each malicious action. When enabled, the malicious action is displayed in the analysis report.
The "weight" is applied to each malicious action regardless of whether its checkbox is checked.
The BSA package includes an example configuration file, but you can define the ratings and settings to your own specifications.
Do not forget to enable "Options > Common Analysis Options > Reports > Additional Options > Include Risk Evaluation" to include the risk evaluation in the malware analysis report.
This feature offers a list of online malware analyzers. When you click an item in the list, a link opens in your browser where you can submit a sample for analysis.
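An added illustration (not BSA's calculator) of how the two modules interact, using constructed ratings and thresholds: each observed action is counted at the level its weight assigns, the thresholds decide the verdict, and the checkbox only decides whether the action is printed in the report. Reading the calculator's thresholds as "any alert level reaching its minimum" is this example's assumption.

```python
LEVELS = ("none", "low", "medium", "high")

# Constructed ratings: action -> (weight, show_in_report). Only the checkbox decides whether
# the action appears in the report; its weight always counts toward the verdict.
RATINGS = {
    "Creates an autorun registry value": ("high", True),
    "Drops an executable into the Windows folder": ("high", True),
    "Modifies the hosts file": ("medium", True),
    "Connects to a remote host": ("low", False),
    "Creates a mutex": ("none", True),
}

# Constructed calculator settings: for each verdict, the minimum number of alerts of a given
# level that reaches it (0 = that level alone never reaches the verdict).
THRESHOLDS = {
    "high":   {"high": 1, "medium": 3, "low": 6},
    "medium": {"high": 0, "medium": 1, "low": 3},
    "low":    {"high": 0, "medium": 0, "low": 1},
}


def count_alerts(observed, ratings=RATINGS):
    """Alerts per level; an action missing from the ratings file carries no weight."""
    counts = dict.fromkeys(LEVELS, 0)
    for action in observed:
        counts[ratings.get(action, ("none", False))[0]] += 1
    return counts


def evaluate_risk(observed, ratings=RATINGS, thresholds=THRESHOLDS):
    """Highest verdict whose minimum is met by some alert level, 'none' otherwise."""
    counts = count_alerts(observed, ratings)
    for verdict in ("high", "medium", "low"):
        if any(minimum and counts[level] >= minimum
               for level, minimum in thresholds[verdict].items()):
            return verdict
    return "none"


def report_lines(observed, ratings=RATINGS):
    """Actions printed in the report: those whose checkbox is enabled, whatever their weight."""
    return [a for a in observed if ratings.get(a, ("none", False))[1]]
```

Note that "Connects to a remote host" is excluded from the report by its checkbox yet still raises the verdict to "low", which is exactly the behaviour the paragraph above describes.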
Reports > Save Report
This feature saves reports to the "Saved Reports" folder. Report.TXT must exist. It is used in manual mode, after creating a report, if you want to save it.
Sandbox > Folder
"Copy Contents": This feature copies the contents of the sandbox folder to the folder you specify.
"Delete Contents": This feature deletes the contents of the sandbox folder.
"Explore Contents": This feature opens a Windows Explorer window at the sandbox folder.
Sandbox > RegHive
"Export To .REG": This feature is used to export Sandboxie's RegHive file, which is in binary format, to a .REG file, which is text.
SQL > Report Manager
Note: Only reports containing SHA256 file information are added to the SQL database.
This feature is used to manage the SQL database created from the information in reports.
The database has 4 tables: ANALYZED_FILE, DROPPED_FILE, MODIFIED_FILE, DELETED_FILE.
The primary key of all tables is the SHA256 hash, which is why this information must appear in the report.
When you manage an entry from the ANALYZED_FILE table, the following tabs are available: File Information, Antivirus Detections, Dropped Files, Modified Files, Deleted Files, Malware Behaviour and Malware Analysis.
The "File Information" and "Antivirus Detections" tabs display several entries; the remaining tabs display only the information relative to the selected file, i.e. the selected row.
When you manage entries from the DROPPED_FILE or MODIFIED_FILE tables, only the "File Information" and "Antivirus Detections" tabs are displayed.
When you manage entries from the DELETED_FILE table, only the "Deleted Files" tab is displayed.
You can right-click in the results window for additional functions: copy the MD5, SHA1 or SHA256 to the clipboard, or save the results to a CSV file.
When you manage entries from tables other than ANALYZED_FILE, you can also copy to the clipboard the SHA256 of the file that originated the entry.
"Operations with Records > Delete Selected Record": This feature removes an entry from the database. The deleted record is the selected row.
"Predefined Queries": A predefined query lists the analyzed files that were not detected by any antivirus at VirusTotal.
"Tools > Import Records From Database": As Buster Sandbox Analyzer can perform several analyses at the same time, the information is split across different SQLite databases. With this feature you can centralize all the information by importing the records from different databases into a single one.
"Tools > Statistics": You can generate Top 10 statistics about the PE packers identified by PEiD or Exeinfo and Top 10 statistics about the threats identified by the antivirus products used by VirusTotal.
"Tools > Update Database from Report": This feature is used when you want to update the information for a record already present in the database. It removes the entry or entries from the database and replaces them with the information from the report you supply.
This is useful, for example, when you analyzed a file while VirusTotal was down, so the antivirus information is missing. You can then use this feature to remove the entry with missing information and replace it with the information from a complete report.
"SQL Expression Generator": BSA includes a query generator for people who do not know SQL. With it, looking for information inside the database is very simple: you just specify the table you want the information from (ANALYZED_FILE, DROPPED_FILE, MODIFIED_FILE, DELETED_FILE) and the conditions for the search.
Example: List all entries in ANALYZED_FILE WHERE MD5 IS xxxxxxxxxx
In this example you are asking for all entries of the ANALYZED_FILE table whose MD5 is a given value.
You must press the "Execute" button to run the query against the database.
For people who know SQL, I included a "Custom SQL Command". This feature allows you to type your own queries or operations.
Note: Certain custom queries could crash BSA.
SQL > Whitelist Manager
Note: This feature only accepts SHA256 entries.
This feature is used to manage the whitelist database.
The whitelist database contains a list of files that you know are not malicious, so you do not want BSA to process them. These can be analyzed, dropped or modified files.
"Tools > Add Entries From File": This is the feature used to add new entries to the whitelist database. You must supply a plain-text file with the list of SHA256 hashes, one hash per line. It does not matter whether the hashes are in lower or upper case.
There is a custom SQL command feature for people who know SQL.
If you click the "Show All" button, all entries are displayed.
If you right-click in the list window, there is an option to delete a record.
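An added example with Python's sqlite3, not BSA's Report Manager or Whitelist Manager code, covering the operations described in the two sections above: the four tables keyed by SHA256 (every other column is assumed), the predefined "not detected" query, "Update Database from Report" as one transaction, "Import Records From Database" via ATTACH, a query generator that validates table and column names and binds values as parameters (the safe counterpart of a "Custom SQL Command"), and whitelist loading that normalizes case and rejects anything that is not a SHA256. The report and all hashes are constructed placeholders.

```python
import os
import re
import sqlite3
import tempfile

# The manual names the four tables and the SHA256 primary key; every other column here is an
# assumption made for this example, not BSA's real schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS ANALYZED_FILE (SHA256 TEXT PRIMARY KEY, MD5 TEXT, SHA1 TEXT,
    FILE_NAME TEXT, PACKER TEXT, AV_DETECTIONS INTEGER, AV_TOTAL INTEGER);
CREATE TABLE IF NOT EXISTS DROPPED_FILE  (SHA256 TEXT PRIMARY KEY, FILE_NAME TEXT, PARENT_SHA256 TEXT);
CREATE TABLE IF NOT EXISTS MODIFIED_FILE (SHA256 TEXT PRIMARY KEY, FILE_NAME TEXT, PARENT_SHA256 TEXT);
CREATE TABLE IF NOT EXISTS DELETED_FILE  (SHA256 TEXT PRIMARY KEY, FILE_NAME TEXT, PARENT_SHA256 TEXT);
CREATE TABLE IF NOT EXISTS WHITELIST (SHA256 TEXT PRIMARY KEY);
"""
TABLES = ("ANALYZED_FILE", "DROPPED_FILE", "MODIFIED_FILE", "DELETED_FILE")
HASH_COLS = {"SHA256", "MD5", "SHA1", "PARENT_SHA256"}   # stored and compared in lower case

def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con

def generate_query(con, table, conditions):
    """SQL Expression Generator: SELECT from one table with column = value conditions.
    Names are checked against the schema and values are bound, so input never becomes SQL."""
    if table not in TABLES:
        raise ValueError("unknown table: %r" % table)
    known = {row[1] for row in con.execute("PRAGMA table_info(%s)" % table)}
    unknown = [c for c in conditions if c not in known]
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(unknown))
    sql = "SELECT * FROM %s" % table
    if conditions:
        sql += " WHERE " + " AND ".join("%s = ?" % c for c in conditions)
    params = tuple(v.lower() if c in HASH_COLS and isinstance(v, str) else v
                   for c, v in conditions.items())
    return sql, params

def undetected(con):
    """Predefined query: files no VirusTotal engine flagged. NULL means 'no result', not 0."""
    return con.execute("SELECT SHA256, FILE_NAME FROM ANALYZED_FILE WHERE AV_DETECTIONS = 0"
                       " ORDER BY SHA256").fetchall()

def update_from_report(con, report):
    """Update Database from Report: delete this sample's rows and re-insert them atomically."""
    if not report.get("SHA256"):
        raise ValueError("report lacks SHA256 information and cannot be stored")
    sha = report["SHA256"].lower()
    with con:
        con.execute("DELETE FROM ANALYZED_FILE WHERE SHA256 = ?", (sha,))
        for t in TABLES[1:]:
            con.execute("DELETE FROM %s WHERE PARENT_SHA256 = ?" % t, (sha,))
        con.execute("INSERT INTO ANALYZED_FILE VALUES (?,?,?,?,?,?,?)",
                    (sha, report["MD5"].lower(), report["SHA1"].lower(), report["FILE_NAME"],
                     report["PACKER"], report["AV_DETECTIONS"], report["AV_TOTAL"]))
        con.executemany("INSERT OR IGNORE INTO DROPPED_FILE VALUES (?,?,?)",
                        [(h.lower(), n, sha) for h, n in report.get("DROPPED", ())])

def import_records(con, other_path):
    """Import Records From Database: merge another SQLite file, keeping existing keys."""
    con.execute("ATTACH DATABASE ? AS src", (other_path,))
    try:
        with con:
            for t in TABLES:
                con.execute("INSERT OR IGNORE INTO %s SELECT * FROM src.%s" % (t, t))
    finally:
        con.execute("DETACH DATABASE src")

def add_whitelist(con, text):
    """Add Entries From File: one SHA256 per line, any case; non-hashes are rejected."""
    added = 0
    with con:
        for h in filter(None, (line.strip().lower() for line in text.splitlines())):
            if not re.fullmatch(r"[0-9a-f]{64}", h):
                raise ValueError("not a SHA256 hash: %r" % h)
            added += con.execute("INSERT OR IGNORE INTO WHITELIST VALUES (?)", (h,)).rowcount
    return added

def is_whitelisted(con, sha256):
    return con.execute("SELECT 1 FROM WHITELIST WHERE SHA256 = ?", (sha256.lower(),)).fetchone() is not None

# Constructed report: the sample was analyzed while VirusTotal was unreachable.
REPORT_A = {"SHA256": "A" * 64, "MD5": "1" * 32, "SHA1": "2" * 40, "FILE_NAME": "sample.exe",
            "PACKER": "example-packer", "AV_DETECTIONS": None, "AV_TOTAL": None,
            "DROPPED": [("B" * 64, "dropped.dll")]}

def demo_import_merge():
    """A second per-analysis database holding one extra sample, merged into a central one."""
    path = os.path.join(tempfile.mkdtemp(), "analysis2.sqlite")
    other = open_db(path)
    update_from_report(other, dict(REPORT_A, SHA256="D" * 64, FILE_NAME="second.exe",
                                   AV_DETECTIONS=0, AV_TOTAL=57))
    other.close()
    central = open_db()
    update_from_report(central, REPORT_A)
    import_records(central, path)
    return sorted(row[3] for row in central.execute("SELECT * FROM ANALYZED_FILE"))
```

generate_query refuses a table name such as "ANALYZED_FILE; DROP TABLE WHITELIST" and a column name carrying an injected expression, which is why a generator of this kind is safer to expose than a free-form "Custom SQL Command" that, as the manual notes, can crash the tool.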
The Analysis menu contains features related to the analysis of specific kinds of malware.
Android > APK Analyzer
This feature is used to analyze Android applications (APK files). It has the following options:
Keep source code: Keeps the decompiled source code of the analyzed application for further analysis.
Scan in VirusTotal: Includes in the analysis the information provided by VirusTotal.
The APK.DAT file contains a list of companies that distribute adware and the domains associated with them. This file can be edited to include more entries.
Capture-BAT > Capture-BAT Log Analyzer
Capture-BAT Log Analyzer is a feature designed to analyze those files that cannot be analyzed under Sandboxie due to the restrictions it imposes for security reasons.
Capture-BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture-BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture-BAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations.
More information at: https://www.honeynet.org/node/315
Capture-BAT Log Analyzer parses the log generated by Capture-BAT and the pcap file, when available. Information from the log/pcap file is loaded into the corresponding tabs: Files, Registry, Processes, Network Traffic.
From that information a report and an analysis are produced. The results are loaded into the Report and Analysis tabs.
The first time the Capture-BAT Log Analyzer feature is used, you are asked to configure the folders corresponding to Windows, Startup and Common Startup. They are necessary to produce an accurate analysis.
Note: The paths to those folders on the current computer are not necessarily the same as on the computer where the log was produced. The paths must be defined according to the computer where the log was made.
Sadly, Capture-BAT's logs are not as rich in information as the ones obtained with Sandboxie+Buster Sandbox Analyzer. Consequently, the reports and analyses produced from Capture-BAT's logs are not as accurate. Even so, most of the time they are good enough to tell whether malicious actions were performed, so Capture-BAT's logs are an excellent complement to the Sandboxie+BSA combo.
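An added example, not Capture-BAT Log Analyzer's code, of the two steps described above: parse a Capture-BAT-style log into the Files, Registry and Processes tabs, then analyze it against the configured Windows, Startup and Common Startup folders of the machine that produced the log. The log lines, the column order (timestamp, monitor, event, process, object) and the folder paths are constructed assumptions for this example; check the column order against your own logs.

```python
import csv
import io

# Constructed Capture-BAT-style log lines. The column order (timestamp, monitor, event,
# process, object) is an assumption for this example; verify it against your own logs.
SAMPLE_LOG = '''"1/1/2010 10:00:00.000","process","created","C:\\WINDOWS\\explorer.exe","C:\\Documents and Settings\\user\\Desktop\\sample.exe"
"1/1/2010 10:00:01.000","file","Write","C:\\Documents and Settings\\user\\Desktop\\sample.exe","C:\\WINDOWS\\system32\\svchosts.exe"
"1/1/2010 10:00:01.500","file","Write","C:\\Documents and Settings\\user\\Desktop\\sample.exe","C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\upd.lnk"
"1/1/2010 10:00:02.000","file","Write","C:\\Documents and Settings\\user\\Desktop\\sample.exe","C:\\Documents and Settings\\user\\Local Settings\\Temp\\tmp1.dat"
"1/1/2010 10:00:03.000","registry","SetValueKey","C:\\Documents and Settings\\user\\Desktop\\sample.exe","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"
"1/1/2010 10:00:04.000","process","created","C:\\Documents and Settings\\user\\Desktop\\sample.exe","C:\\WINDOWS\\system32\\svchosts.exe"
'''

# Folder configuration: these must be the paths of the machine where the log was produced,
# not of the machine running the analysis (constructed values for the sample log).
FOLDERS = {
    "windows": r"C:\WINDOWS",
    "startup": r"C:\Documents and Settings\user\Start Menu\Programs\Startup",
    "common startup": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
}
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run\\",
            "\\microsoft\\windows\\currentversion\\runonce\\")
TAB_FOR = {"file": "Files", "registry": "Registry", "process": "Processes"}


def parse_log(text):
    """Load log lines into the Files, Registry and Processes tabs; malformed lines are skipped
    rather than aborting the whole analysis."""
    tabs = {"Files": [], "Registry": [], "Processes": [], "Network Traffic": []}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or row[1] not in TAB_FOR:
            continue
        ts, monitor, event, process, obj = row
        tabs[TAB_FOR[monitor]].append({"time": ts, "event": event, "process": process, "object": obj})
    return tabs


def under(path, folder):
    """Case-insensitive 'path lies inside folder' for Windows paths, done on strings only:
    the folders belong to another machine, so the local filesystem is never consulted."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def analyze(tabs, folders=FOLDERS):
    """Findings as (description, object) pairs: writes into the configured folders, autorun
    registry values, and files that were dropped and then executed within the same log."""
    findings, written = [], set()
    for e in tabs["Files"]:
        if e["event"].lower() != "write":
            continue
        written.add(e["object"].lower())
        for label, folder in folders.items():
            if under(e["object"], folder):
                findings.append(("file written to %s folder" % label, e["object"]))
    for e in tabs["Registry"]:
        if e["event"].lower() == "setvaluekey" and any(k in e["object"].lower() for k in RUN_KEYS):
            findings.append(("autorun registry value set", e["object"]))
    for e in tabs["Processes"]:
        if e["event"].lower() == "created" and e["object"].lower() in written:
            findings.append(("dropped file executed", e["object"]))
    return findings
```

Running analyze() with the analyst's own Windows path instead of the logging machine's (for example C:\Windows.old) silently loses the "file written to windows folder" finding, which is the point of the note above about configuring the folders according to the computer where the log was made.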
PDF > PDF Statistics
This feature is used to analyze files in PDF format. It saves a report with the PDF statistics of the PDFs found in the folder provided.
URL > URL Analyzer
This feature allows you to analyze a single URL, by providing the link, or a list of URLs from a file.
If the URL points to an executable file (EXE), the file is downloaded and then analyzed; otherwise Buster Sandbox Analyzer uses the web browser you define to analyze URLs.
Note: It is recommended that you configure IE or any other web browser with low security settings.
You can define the user agent string to be sent when contacting the server, and whether or not to use the system proxy settings. If you do not want to use the system proxy settings, disable the checkbox.