From Collaborative RCE Tool Library
X86 Sandboxes

| Tool name: | Anubis |
|---|---|
| Author: | Secure Systems Lab, Vienna University of Technology |
| Website: | http://anubis.iseclab.org |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free Online Service |
| Description: | Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. |
| Also listed in: | (Not listed in any other category) |

| Tool name: | Buster Sandbox Analyzer |
|---|---|
| Author: | Buster |
| Website: | http://bsa.isoftware.nl/ |
| Current version: | 1.38 |
| Last updated: | July 28, 2011 |
| Direct D/L link: | http://bsa.isoftware.nl/bsa.rar |
| License type: | Free |
| Description: | Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of sandboxed processes and the changes made to the system, and then evaluate if they are malware suspicious. The changes made to the system can be of several types: file system changes, registry changes and port changes. A file system change happens when a file is created, deleted or modified. Depending on what type of file has been created (executable, library, javascript, batch, etc.) and where it was created (what folder) we will be able to get valuable information. Registry changes are those changes made to the Windows registry. In this case we will be able to get valuable information from the modified value keys and the newly created or deleted registry keys. Port changes are produced when a connection is made outside, to other computers, or a port is opened locally and this port starts listening for incoming connections. From all these changes we will obtain the necessary information to evaluate the "risk" of some of the actions taken by sandboxed applications. Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur. Even if Buster Sandbox Analyzer's main goal is to consider if sandboxed processes have malware behaviour, the tool can also be used to simply obtain a list of changes made to the system, so if you install a piece of software you will know exactly what it installs and where. Additionally, apart from system changes we can consider other actions as malware suspicious: keyboard logging, ending the Windows session, loading a driver, starting a service, connecting to the Internet, etc. All the above operations can be considered not malicious, but if they are performed when it's not expected, that's something we must take into consideration. Therefore it's not only important to consider what actions are performed. It's also important to consider if it's reasonable that certain actions are performed. |
| Also listed in: | File Monitoring Tools, File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools |

Program history:

* Version 1.38, released on 28 July 2011: added risk evaluation module; added several improvements; fixed several bugs
* Version 1.37, released on 17 July 2011: improved hiding feature; updated BSA.DAT; removed evaluation risk feature; fixed several bugs; added "Version Information" feature
* Version 1.36, released on 24 June 2011: added support for ssdeep; improved the support for DLL files; report information can be selected individually; updated BSA.DAT; fixed several bugs
* Version 1.35, released on 17 June 2011: added HideDriver again; added LOG_API version for 64 bit systems; fixed several bugs
* Version 1.34, released on 25 May 2011: added a feature to copy/move processed files in automatic mode; added a feature to export RegHive to .REG format; updated LOG_API; removed HideDriver; fixed a bug
* Version 1.33, released on 21 May 2011: added a feature to run BSA from the command line in automatic mode; added Exeinfo support; updated BSA.DAT; updated LOG_API; added extra information on dropped files; fixed a bug
* Version 1.32, released on 09 May 2011: added a feature to include AV identifications from VirusTotal in reports; improved "Automated Setup" feature
* Version 1.31, released on 25 April 2011: improved malware behaviour detections; updated LOG_API library (normal and verbose); added a feature to delete folder contents; fixed some bugs
* Version 1.30, released on 20 April 2011: added a feature to automate setups when running in automatic mode; added a feature to run a custom command after an automatic analysis finishes; BSA will report the creation of hidden folders; fixed a cosmetic bug
* Version 1.29, released on 09 April 2011: added a feature to resume automatic mode analysis; added a feature to close certain window messages when running in automatic mode
* Version 1.28, released on 28 March 2011: included two versions of LOG_API.DLL (one of them will not show file/registry operations, so BSA will run faster); invalid Win32 PE files will be reported; added a feature to include digital signature information for dropped files; added a feature to automatically rename processed files to their proper extension; added a feature to not process unknown file types; added a feature that allows adjusting the time limit in minutes or seconds; added a feature to take screenshots of sandboxed windows when running in automatic mode; when a non-PE file is processed, the file being processed will appear in the report, and the application that launched it too
* Version 1.27, released on 15 March 2011: added an option to remember last position on screen; added a feature to include file entropy information of Win32 files; added a feature to include file type information on newly created files
* Version 1.26, released on 06 March 2011: added new entry to BSA.DAT; BSA will remember the last used Sandbox folder; improved the method to detect Sandboxie's presence; fixed some bugs
* Version 1.25, released on 16 January 2011: included a utility to load DLL files; fixed a bug in Buster Sandbox Analyzer
* Version 1.24, released on 16 November 2010: fixed a bug in Buster Sandbox Analyzer
* Version 1.23, released on 01 June 2010: fixed a bug in Buster Sandbox Analyzer
* Version 1.22, released on 30 May 2010: added automatic malware analysis; added digital signature checking; removed "Check Ports" feature; updated LOG_API library
* Version 1.21, released on 13 May 2010: added a time limit for analysis; changes in BSA.DAT: added [Custom_Folder_Entries] section, updated [File_Types_Modified] section to [File_Types_Created_Modified]; updated Capture-BAT Log Analyzer feature; updated malware analysis in Buster Sandbox Analyzer
* Version 1.20, released on 06 May 2010: added Capture-BAT Log Analyzer feature; fixed bugs in Buster Sandbox Analyzer; updated LOG_API library
* Version 1.19, released on 22 April 2010: added Pcap Explorer feature; improved the packet sniffer; updated LOG_API library
* Version 1.18, released on 24 March 2010: fixed a problem with memory usage
* Version 1.17, released on 22 March 2010: improved File Hash and RegHive Explorer features; fixed bugs in Buster Sandbox Analyzer, File Hash and RegHive Explorer features
* Version 1.16, released on 16 March 2010: added RegHive Explorer feature; updated LOG_API library
* Version 1.15, released on 09 March 2010: added Memory Explorer feature; updated BSA.DAT; updated LOG_API library; updated Buster Sandbox Analyzer; fixed a bug in Buster Sandbox Analyzer
* Version 1.14, released on 01 March 2010: added PE Explorer feature; added File Disassembler feature
* Version 1.13, released on 25 February 2010: added Process Explorer feature; fixed bugs in Buster Sandbox Analyzer and LOG_API library
* Version 1.12, released on 13 February 2010: added File Scanner feature
* Version 1.11, released on 09 February 2010: added File Hex Editor feature
* Version 1.10, released on 04 February 2010: added File Hash, File Strings and some other features
* Version 1.09, released on 28 January 2010: added File Signatures feature; updated LOG_API library
* Version 1.08, released on 23 January 2010: added a packet sniffer; updated BSA.DAT; updated LOG_API library
* Version 1.07, released on 12 January 2010: added detection of new malicious activities; updated BSA.DAT; updated LOG_API library
* Version 1.06, released on 01 January 2010: added Sandboxie hidden capabilities; improved BSA.DAT (thanks to nick s); fixed a bug in Buster Sandbox Analyzer; LOG_API library completely rewritten
* Version 1.05, released on 13 December 2009: added "Assorted suspicious actions"; fixed several bugs in Buster Sandbox Analyzer; updated LOG_API library
* Version 1.04, released on 09 December 2009: added support for network shares; added a feature to allow wildcards in BSA.DAT; added a feature to ignore when the sandbox folder is not empty; added a feature to check for updates on start; updated LOG_API library
* Version 1.03, released on 07 December 2009: updated BSA.DAT with new registry AutoStart locations; added a feature to save user settings; added a feature to include in Report.TXT the hashes of created files; improved Report.TXT information; updated LOG_API library; fixed a few bugs in Buster Sandbox Analyzer
* Version 1.02, released on 04 December 2009: added MD5, SHA1 and SHA256 hashing; added custom registry entry checking; added a feature to check for updates; fixed a few bugs in Buster Sandbox Analyzer; fixed a bug in LOG_API library
* Version 1.01, released on 28 November 2009: added backdoor and keylogger detection capabilities; added Event and Service creation detection capabilities; added malware analyzer detection capabilities; added the option of viewing report files directly from the tool; fixed a bug related to the creation of port differences
* Version 1.0, released on 23 November 2009: first official version of Buster Sandbox Analyzer

| Tool name: | ThreatExpert |
|---|---|
| Author: | ThreatExpert Ltd. |
| Website: | http://www.threatexpert.com/submit.aspx |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free Service |
| Description: | ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with a level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. Good behavioral analysis! |
| Also listed in: | (Not listed in any other category) |

| Tool name: | CWSandbox |
|---|---|
| Author: | Sunbelt |
| Website: | http://www.cwsandbox.org |
| Current version: | 2.0 |
| Last updated: | |
| Direct D/L link: | http://www.cwsandbox.org/?page=submit |
| License type: | Free use (web application) |
| Description: | CWSandbox: Behavior-based Malware Analysis. Malicious software artifacts like viruses, worms and bots are currently one of the largest threats to the security of the Internet. Upon discovery, such malware must be analyzed to determine the danger which it poses. Because of the speed at which malware spreads and the large number of new malware samples which appear every day, malware analysis calls for automation. CWSandbox is an approach to automatically analyze malware which is based on behavior analysis: malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored. From these observations, CWSandbox is able to automatically generate a detailed report which greatly simplifies the task of a malware analyst. |
| Also listed in: | (Not listed in any other category) |

| Tool name: | Joebox |
|---|---|
| Author: | Joe Security |
| Website: | http://www.joebox.org |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free Service |
| Description: | Joebox is a simple sandbox application with a unique special concept. It is designed for automatic behaviour analysis of malware on Windows based operating systems. Key features: modular design and structure; XML and HTML based analysis reports; 100% complete network traffic reports; applicable on Windows XP and Windows Vista; no emulation or virtualization software necessary; ability to build and differentiate behaviour baselines; scalable to analyse several binaries at once; analyses exe, dll and even sys files; fully scriptable; simply extensible; highly configurable. |
| Also listed in: | (Not listed in any other category) |

| Tool name: | malwareanalyzer |
|---|---|
| Author: | beenudel1986 |
| Website: | http://code.google.com/p/malwareanalyzer/ |
| Current version: | 2.6.3 |
| Last updated: | October 31, 2010 |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |
| Description: | Malwareanalyzer can be useful for: 1. String based analysis for registry, API calls, IRC commands, DLLs called and VM awareness. 2. Displaying detailed headers of a PE with all its section details, import and export symbols etc. 3. On a distro, it can perform an ASCII dump of the PE along with other options (check the --help argument). 4. On Windows, it can generate the various sections of a PE: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections. 5. ASCII dump on a Windows machine. 6. Code analysis (disassembling). 7. Online malware checking (www.virustotal.com). 8. Checking for a packer from the database. 9. Tracer functionality: can be used to identify anti-debugging call tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes. |
| Also listed in: | (Not listed in any other category) |

| Tool name: | Norman SandBox |
|---|---|
| Author: | Norman |
| Website: | http://www.norman.com/microsites/nsic |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free Online service |
| Description: | Norman Sandbox Information Center (NSIC) is a web site that offers: free uploads of program files that you suspect are malicious or infected by malicious components, and instant analysis by Norman SandBox (the result is also sent to you by email); comprehensive statistics of files that are uploaded to NSIC during the latest day, week and month, so you will be able to see tendencies in the creation of malicious software; in-depth information about the analysis performed by Norman SandBox of each malicious file that is uploaded; a search facility across all analyses for registry keys, file names, etc. |
| Also listed in: | (Not listed in any other category) |

| Tool name: | Pokas x86 Emulator for Generic Unpacking |
|---|---|
| Author: | Amr Thabet |
| Website: | http://sourceforge.net/projects/x86emu/ |
| Current version: | 1.0.0.0 |
| Last updated: | July 18, 2010 |
| Direct D/L link: | Locally archived copy |
| License type: | GPL |
| Description: | Pokas x86 Emulator is an application-only emulator created for generic unpacking and for testing antivirus detection algorithms. This emulator has many features, some of which are: 1. Has an assembler and a disassembler from and to mnemonics. 2. Supports adding new APIs and adding the emulation function for them. 3. Supports a very powerful debugger that has a parser which parses the condition you give and creates very fast native code that performs the check on this condition. 4. Supports SEH and supports TIB, TEB, PEB and PEB_LDR_DATA. 5. Monitors all memory writes, logs up to 10 previous EIPs and saves the last accessed and the last modified place in memory. 6. Supports 6 APIs: GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree and VirtualProtect. 7. With all of these, it's FREE and open source. It successfully emulates: 1. UPX 2. FSG 3. MEW 4. Aspack 5. PECompact 6. Morphine. But it does contain bugs and it is still in beta. They will surely be fixed soon with the help of your feedback. It still doesn't support multithreading and doesn't support Linux ELF executables. It still works only on Windows, but the Linux version will be available soon. You can download it from https://sourceforge.net/projects/x86emu/ AmrThabet amr.thabet_*at*_student.alx.edu.eg |
| Also listed in: | Assembler IDE Tools, Assemblers, Automated Unpackers, Debuggers, Disassembler Libraries, Disassemblers, OEP Finders, PE Executable Editors, Programming Libraries, Tracers, Unpacking Tools, Virtual Machines, X86 Disassembler Libraries, X86 Emulators |

| Tool name: | Sandboxie |
|---|---|
| Author: | Ronen Tzur |
| Website: | http://www.sandboxie.com |
| Current version: | 3.42 |
| Last updated: | December 1, 2009 |
| Direct D/L link: | N/A |
| License type: | Shareware |
| Description: | Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. You can also access all the changes that were made during the program execution. |
| Also listed in: | File Monitoring Tools, File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools |

| Tool name: | Sunbelt Sandbox |
|---|---|
| Author: | Sunbelt |
| Website: | http://research.sunbelt-software.com/Submit.aspx |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free Online Service |
| Description: | Submit a malware sample to our automated sandbox server to see what the malware would do to your computer if it were installed. |
| Also listed in: | (Not listed in any other category) |
