Buster Sandbox Analyzer
Registry changes are those changes made to Windows registry. In this case we will be able to get valuable information from the modified value keys and the new created or deleted registry keys.
Port changes are produced when a connection is done outside, to other computers, or a port is opened locally and this port starts listening for incoming connections.
From all these changes we will obtain the necessary information to evaluate the “risk” of some of the actions taken by sandboxed applications.
Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur.
Even if Buster Sandbox Analyzer´s main goal is to evaluate if sandboxed processes have a malware behavior, the tool can be used also to simply obtain a list of changes made to system, so if you install a software you will know exactly what installs and where.
Additionally apart of system changes we can consider other actions as malware suspicious: keyboard logging, end the Windows session, load a driver, start a service, connect to Internet, etc.
All the above operations can be considered as not malicious but if they are performed when it´s not expected, that´s something we must take in consideration. Therefore it´s not only important to consider what actions are performed. It´s also important to consider if it´s reasonable certain actions are performed.
Buster Sandbox Analyzer is freeware. If you like this software, please, buy a license of Sandboxie
- Download a copy of BSA
What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a “malware analysis system.”
What does that mean?
It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.
Why should you use it?
Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization. In these evolving times, detecting and removing malware artifacts is not enough: it’s vitally important to understand how they work and what they would do/did on your systems when deployed and understand the context, the motivations and the goals of a breach.
In this way you are able to more effectively understand the incident, respond to it and protect yourself for the future.
There are infinite other contexts where you might need to deploy a sandbox internally, from analyzing an internal breach to proactively scouting wildly distributed threats, collect actionable data and analyzing the ones actively targeting your infrastructure or products.
In any of these cases you’ll find Cuckoo to be perfectly suitable, incredibly customizable and well… free!
What does it produce?
Cuckoo generates a handful of different raw data which include:
- Native functions and Windows API calls traces
- Copies of files created and deleted from the filesystem
- Dump of the memory of the selected process
- Full memory dump of the analysis machine
- Screenshots of the desktop during the execution of the malware analysis
- Network dump generated by the machine used for the analysis
In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:
- JSON report
- HTML report
- MAEC report
- MongoDB interface
- HPFeeds interface
Even more interestingly, thanks to Cuckoo’s extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.
- Download a copy of Cuckoo
Sophisticated malware attacks against enterprises and government agencies are on the rise, and the traditional arsenal of defensive technologies is no longer enough. Propel your organization into action with sophisticated malware analysis.
ThreatTrack Security’s ThreatAnalyzer (formerly GFI SandBox software) is your best defense against Advanced Persistent Threats (APTs) and custom-targeted attacks. It swiftly and accurately vets suspicious files and URLs in a monitored sandbox software environment to determine how they execute, the system changes they make and the network traffic they generate. Armed with this malware analysis, you can identify and completely eliminate these threats from your network. Block malicious inbound and outbound network traffic, remediate changes made to your network and know with certainty that your network is free of a particular threat.
Used in the most sensitive environments – including government security, defense and intelligence agencies – ThreatAnalyzer is an integral component of the U.S. cybersecurity infrastructure, and should be an essential tool in your enterprise cyber-defense.
ThreatAnalyzer is a paid service. You can request a demo by clicking the following link:
is part of the MobWorm project
and provides static and dynamic malware analysis for Android OS smartphones.
This service is still under continuous development and is run purely as a research tool and a best effort service. We reserve the right to take it down at any point for maintenance or other reasons.
If you want to stay informed about the state of development or system updates you should visit our blog or follow us on twitter
- Submit Android Malware Sample
DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when analysis is ended:
- Hashes for the analyzed package
- Incoming/outgoing network data
- File read and write operations
- Started services and loaded classes through DexClassLoader
- Information leaks via the network, file and SMS
- Circumvented permissions
- Cryptography operations performed using Android API
- Listing broadcast receivers
- Sent SMS and phone calls
Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.
The release has only been tested on Linux and Mac OS. If you do not have the Android SDK, download it from http://developer.android.com/sdk/index.html. The following libraries are required: pylab and matplotlib to provide visualization of the analysis result.
- Download DroidBox for Android 2.3 Beta
- Download DroidBox RC
Malwasm is a tool based on Cuckoo Sandbox available here.
Malwasm was designed to help people that do reverse engineering. Malwasm step by step:
- the malware to analyse is executed through Cuckoo Sandbox
- during the execution, malwasm logs all activites of the malware with pintool
- all activities are stored in a database (Postgres)
- a web service is available to visualize and manage the data stored in the database
Malwasm provides these features:
- offline programs debugging
- possibility to go back or forward in the execution’s time (with a time slide bar)
- states of registers and flags
- values of the stack/heap/data
- “Following dump” options
- fully works in the browser
- Download Malwasm v0.2 (compatible cucko 0.5)