From Collaborative RCE Tool Library

Jump to: navigation, search

Buster Sandbox Analyzer

Tool name: Buster Sandbox Analyzer
Rating: 5.0 (1 vote)
Author: Buster                        
Website: http://bsa.qnea.de
Current version: 1.03
Last updated: December 07, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of sandboxed processes and the changes made to system and then evaluate if they are malware suspicious.

The changes made to system can be of several types: file system changes, registry changes and port changes.

A file system change happens when a file is created, deleted or modified. Depending of what type of file has been created (executable, library, javascript, batch, etc) and where was created (what folder) we will be able to get valuable information.

Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.

Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.

From all these changes we will obtain necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications.

Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.

Even if Buster Sandbox Analyzer´s main goal is to consider if sandboxed processes have a malware behaviour, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.

Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.

All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.
Related URLs:
Forum thread with release announcements for this tool:
http://sandboxie.com/phpbb/viewtopic.php?t=6557
The tool used for data acquiry before analysis (Sandboxie):
http://www.woodmann.com/collaborative/tools/index.php/Sandboxie


RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!

Retrieved from "http://www.woodmann.com/collaborative/tools/index.php/Buster_Sandbox_Analyzer"


If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Views
Category Navigation Tree
RCE Tools
   Categorized by Target Type  (192)
   Categorized by Tool Type  (1095)
   Anti Anti Test Tools  (15)
   Assemblers  (18)
   Code Coverage Tools  (13)
   Code Injection Tools  (35)
   Code Ripping Tools  (2)
   Crypto Tools  (12)
   Data Extraction Tools  (19)
   Debuggers  (47)
   Decompilers  (20)
   Deobfuscation Tools  (14)
   Dependency Analyzer Tools  (5)
   Diff Tools  (40)
   Binary Diff Tools  (5)
   Document Diff Tools  (1)
   Executable Diff Tools  (8)
   File System Diff Tools  (7)
   Image Diff Tools  (2)
   Registry Diff Tools  (6)
   System Diff Tools  (3)
   Text Diff Tools  (6)
   Disassemblers  (53)
   Dongle Analysis Tools  (24)
   Exe Analyzers  (35)
   Executable File Editors & Patchers  (85)
   Firefox Extensions  (3)
   GUI Manipulation Tools  (17)
   Hardware Reversing Tools  (24)
   Hex Editors  (13)
   IDA Signature Creation Tools  (5)
   Kernel Tools  (12)
   Memory Data Tracing Tools  (7)
   Memory Patchers  (4)
   Memory Search Tools  (7)
   Monitoring Tools  (124)
   API Monitoring Tools  (18)
   Active Directory Monitoring Tools  (1)
   Bus Monitoring Tools  (5)
   Debug Output Monitoring Tools  (1)
   Disk Monitoring Tools  (2)
   Driver & IRP Monitoring Tools  (1)
   Exception Monitoring Tools  (4)
   File Monitoring Tools  (7)
   Hook Detection Tools  (12)
   Install Monitoring Tools  (4)
   Kernel Filter Monitoring Tools  (1)
   Memory Data Tracing Tools  (7)
   Named Pipe Monitoring Tools  (1)
   Network Monitoring Tools  (10)
   Parallel Comm Monitoring Tools  (2)
   Process Monitoring Tools  (5)
   Registry Monitoring Tools  (9)
   Serial Comm Monitoring Tools  (1)
   SysCall Monitoring Tools  (5)
   Thread Monitoring Tools  (2)
   Tracers  (18)
   USB Monitoring Tools  (3)
   Window Monitoring Tools  (3)
   Network Tools  (18)
   Network Monitoring Tools  (10)
   Network Proxy Tools  (7)
   Packers  (16)
   Patch Packaging Tools  (11)
   Profiler Tools  (11)
   Programming Libraries  (39)
   Regular Expression Tools  (3)
   Resource Editors  (12)
   Reverse Engineering Frameworks  (7)
   Source Code Tools  (11)
   String Finders  (5)
   Symbol Tools  (11)
   System Information Extraction Tools  (7)
   Technical PoC Tools  (7)
   Test and Sandbox Environments  (21)
   Online Multi Engine AV Scanners  (3)
   Virtual Machines  (7)
   X86 Emulators  (2)
   X86 Sandboxes  (9)
   Tool Extensions  (157)
   Tool Hiding Tools  (5)
   Tool Signatures  (16)
   Tracers  (18)
   Unpacking Tools  (67)
   Needs New Category  (2)