Good news: Buster Sandbox Analyzer (BSA) has just added support for FakeNet. For those not familiar with it, BSA is a tool that automatically analyzes the behavior of processes and the changes they make to the system, then evaluates whether they are malicious. This fully automates all of the basic dynamic analysis you typically perform by hand. Full details and a download of BSA can be found here. BSA works with Sandboxie, a program that runs other programs in an isolated environment to prevent them from making permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandboxing makes it useful for malware analysis as well: for example, you can use it to capture the filesystem and registry accesses of the program you are sandboxing. BSA interfaces with Sandboxie to provide automated analysis and reporting.
Once you have Sandboxie and BSA set up in your malware analysis environment you can start playing around with malware, but sometimes the malware will not run far enough without a valid network connection, or it might start with a beacon to google.com to check for connectivity. That is where FakeNet helps BSA: it redirects all traffic leaving the machine to localhost (including traffic to hard-coded IP addresses and DNS traffic) and implements several protocols to ensure that the malicious code continues to execute and can be observed by the analyst.
Generally, you shouldn’t use your real Internet connection while you analyze malware (remember good OPSEC from Chapter 14?), but you still want to collect the network information anyway, so FakeNet is a simple solution.
To run BSA with FakeNet, take the following steps:
- Download and decompress FakeNet to a folder.
- Edit FakeNet.cfg and change “OutputOptions DumpOutput:No Fileprefix:output” to “OutputOptions DumpOutput:Yes Fileprefix:output”.
- Run Sandboxie and BSA.
- In BSA select the following:
  - Options->Analysis Mode->Automatic
  - Options->Automatic Analysis Options->FakeNet Mode
  - Options->Common Analysis Options->Packet Sniffer->Save Capture to File
- Select “Start Analysis”.
- Browse to the FakeNet installation folder when prompted.
- Select the time in minutes you want BSA to allow the malware to run.
- Browse to the folder containing your malware when prompted.
This causes BSA to use FakeNet while performing its analysis. You may notice that BSA generates a lot more output with FakeNet than without an Internet connection. With FakeNet there is an added file, “Connections.txt”, in the results; it contains the FakeNet output listing all of the connections that occurred during analysis. A PCAP is also generated containing all of the packets FakeNet handled.
I performed analysis using BSA on a piece of malware named “WebServer2.exe”, and without FakeNet nothing really happened. I didn’t even see registry changes or file changes. Once I enabled FakeNet and reran BSA, the malware ended up doing a lot more, since FakeNet gave a response to the beacon. The malware also ended up performing several GET and POST requests that weren’t seen without FakeNet enabled in BSA.
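To make sense of the PCAP that BSA saves from a FakeNet run, here is an added Python example (not part of the original post, and not BSA's or FakeNet's code) that lists the DNS lookups and HTTP GET/POST request lines in a classic pcap file, which is enough to spot a beacon and the requests that follow it. The capture it parses is constructed inline with made-up addresses and paths; replace SAMPLE_PCAP with the bytes of the PCAP from BSA's results folder.

```python
import struct

def _ipv4(proto, payload):  # constructed 192.168.1.10 -> 10.0.0.1, checksum left 0
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1])) + payload

def _dns_query(name):  # UDP/53 query, type A class IN
    labels = b''.join(bytes([len(p)]) + p.encode() for p in name.split('.')) + b'\x00'
    dns = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + labels + b'\x00\x01\x00\x01'
    return _ipv4(17, struct.pack('!HHHH', 1025, 53, 8 + len(dns), 0) + dns)

def _http_request(line):  # TCP/80 segment (PSH|ACK, 20-byte header) carrying a request
    return _ipv4(6, struct.pack('!HHIIBBHHH', 1026, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
                 + line + b'\r\nHost: example.test\r\n\r\n')

def build_pcap(packets):  # classic little-endian pcap, linktype 1 = Ethernet
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        frame = b'\x00' * 12 + b'\x08\x00' + p  # zeroed MACs, EtherType IPv4
        out += struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame
    return out
# Constructed stand-in for the PCAP BSA saves: a beacon lookup, then a GET and a POST.
SAMPLE_PCAP = build_pcap([_dns_query('google.com'), _http_request(b'GET /beacon.php HTTP/1.1'),
                          _http_request(b'POST /upload.php HTTP/1.1')])
def _qname(buf):  # uncompressed DNS name at the start of the question section
    labels, i = [], 0
    while buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode())
        i += 1 + buf[i]
    return '.'.join(labels)

def summarize_pcap(data):
    """Return (kind, detail, dst_ip) for every DNS query and HTTP GET/POST in a pcap."""
    endian = '<' if data[:4] == b'\xd4\xc3\xb2\xa1' else '>'
    off, events = 24, []  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + 'I', data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b'\x08\x00':  # only IPv4 over Ethernet II
            continue
        ip = frame[14:]
        ihl, proto, dst = (ip[0] & 0x0f) * 4, ip[9], '.'.join(str(b) for b in ip[16:20])
        l4 = ip[ihl:]
        if proto == 17 and struct.unpack('!H', l4[2:4])[0] == 53:
            events.append(('dns', _qname(l4[20:]), dst))  # 8 UDP + 12 DNS header bytes
        elif proto == 6:
            payload = l4[(l4[12] >> 4) * 4:]
            if payload[:4] in (b'GET ', b'POST'):
                events.append(('http', payload.split(b'\r\n', 1)[0].decode(), dst))
    return events
```

It handles IPv4 over Ethernet only and assumes uncompressed DNS question names, which is what a query carries; pcapng captures would need a different reader.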