SBM Labs

Cyber Security Collaboration Project

Automated Malware Analysis in Sandbox
14 Mar 2015

Consider the case where you have discovered malware spreading (for example, over Skype) and your antivirus does not detect it. You need a fast analysis of the sample to learn what it does on an infected machine, so that you can take adequate measures to remove it from infected computers and stop it spreading.

We are going to use Sandboxie (http://www.sandboxie.com/) and Buster Sandbox Analyzer (http://bsa.isoftware.nl/). The idea is to launch the malware in an isolated environment and record its activity. Keep in mind that Sandboxie isolates at the application level and is not a virtual machine, so do this on a dedicated analysis machine or VM that has no access to your production network.

1. Download and install Sandboxie.

You will need to restart your computer after installation. Read the rules of usage for this software before continuing.

2. Download Buster Sandbox Analyzer.

Extract the archive, for example to C:\Program Files\Sandboxie\bsa\.

3. Create new sandbox with the name BSA.

Go to Sandboxie menu and click Sandbox -> Create new Sandbox.

4. Configure sandbox BSA.

Go to the Sandboxie menu and click Configure -> Edit Configuration. In the [BSA] section of Sandboxie.ini add this line (the path must match where you extracted the archive in step 2):

InjectDll=C:\Program Files\Sandboxie\bsa\LOG_API\LOG_API32.DLL

On 64-bit Windows, add a matching InjectDll64 line pointing at LOG_API64.DLL from the same folder; otherwise 64-bit processes run without the API logger and are not recorded.

5. Launch command line (CMD) in sandbox BSA.

Right-click the CMD shortcut and select Run Sandboxed -> BSA. Everything started from this window runs inside the sandbox, so this is where you will run the sample.

6. Launch Buster Sandbox Analyzer.

Specify the path to the folder of sandbox BSA, for example c:\Sandbox\[username]\BSA. Then click Start Analysis and, when asked, select Delete Sandbox Folder contents and continue, so that the analysis starts from a clean box.

7. Emulate malware activity.

Run the following commands in the sandboxed CMD window. They stand in for a real sample: a file write, a DNS lookup and an outgoing TCP connection, each of which should show up in the report. In a real case you would run the suspicious file from this window instead. (The telnet client is an optional Windows feature and may need to be enabled first.)

c:\>echo test > test.txt
c:\>nslookup sbmlabs.com
c:\>telnet sbmlabs.com 80

Close CMD and click Finish Analysis in Buster Sandbox Analyzer.

8. View Buster Sandbox Analyzer report.

Go to the Buster Sandbox Analyzer menu and click Viewer -> View Report. The report lists the files, registry keys, processes and network connections the sample touched, which is what you need for cleanup and for blocking its spread.

Done.
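Sandboxie redirects every write of a sandboxed process into the box folder (drive\C\... for files, RegHive for the registry), so after the run that folder contains exactly what the sample dropped or changed. The following script, which is an added example and not part of the original post or of Buster Sandbox Analyzer, hashes the box folder before and after the run and reports created, modified and deleted files with SHA-256 hashes that you can use directly as cleanup indicators. The box path, file names and contents in the demo are constructed for illustration.

```python
# Added example (not part of the SBM Labs post or the BSA tool): list what a
# sample wrote into the Sandboxie box folder by hashing it before and after
# the run. Paths and sample files in demo() are constructed for illustration.
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to (sha256, size)."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            result[path.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(), len(data))
    return result


def diff_snapshots(before, after):
    """Return (created, modified, deleted) between two snapshot dicts."""
    created = {p: v for p, v in after.items() if p not in before}
    modified = {p: v for p, v in after.items()
                if p in before and before[p][0] != v[0]}
    deleted = sorted(p for p in before if p not in after)
    return created, modified, deleted


def format_report(created, modified, deleted):
    """Render the diff as one line per file, ready to paste into a ticket."""
    lines = []
    for p, (digest, size) in sorted(created.items()):
        lines.append(f"CREATED  {p}  size={size}  sha256={digest}")
    for p, (digest, size) in sorted(modified.items()):
        lines.append(f"MODIFIED {p}  size={size}  sha256={digest}")
    for p in deleted:
        lines.append(f"DELETED  {p}")
    return "\n".join(lines)


def demo():
    """Constructed stand-in for c:\\Sandbox\\<user>\\BSA: an empty box (step 6),
    then the artifacts that step 7 (echo test > test.txt at C:\\) leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        box = Path(tmp)
        before = snapshot(box)  # box was just cleared, so this is empty
        drive_c = box / "drive" / "C"
        drive_c.mkdir(parents=True)
        (drive_c / "test.txt").write_bytes(b"test\r\n")  # what CMD echo writes
        (box / "RegHive").write_bytes(b"regf" + b"\x00" * 28)  # constructed hive stub
        after = snapshot(box)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        # python box_diff.py snapshot c:\Sandbox\[username]\BSA before.json
        with open(sys.argv[3], "w") as fh:
            json.dump(snapshot(sys.argv[2]), fh)
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":
        # python box_diff.py diff before.json c:\Sandbox\[username]\BSA
        with open(sys.argv[2]) as fh:
            before = {p: tuple(v) for p, v in json.load(fh).items()}
        print(format_report(*diff_snapshots(before, snapshot(sys.argv[3]))))
    else:
        print(format_report(*demo()))
```

Take the "snapshot" right after Start Analysis has cleared the box, run the sample, then run "diff" before you click Finish Analysis. The resulting hashes complement the BSA report: the report tells you what the sample did, the file hashes let you search other machines for the same dropped files.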

I also recommend taking a look at Cuckoo Sandbox, an open-source automated malware analysis system.
