Noriben - Portable, Simple, Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
Noriben allows you to not only run malware similar to a sandbox, but to also log system-wide events while you manually run malware in ways particular to making it run. For example, it can listen as you run malware that requires varying command line options, or user interaction. Or, to watch the system as you step through malware in a debugger.
Noriben running against malware checking for VM
Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help) as it contains numerous white list items to reduce unwanted noise from system activity.
This script allows you to automate the execution of Noriben within a guest VM and retrieve the reports. It currently runs on OSX (but will be ported) and is responsible for: spinning up a predefined VM and snapshot, copying the malware to the VM, starting Noriben and the malware, waiting a predetermined period of time, copying the results to the host as a ZIP, and taking a screen capture of the VM. You can even use --update to automatically copy the newest Noriben from your host, so that you don't have to continually make new snapshots when you make a change to the script.
Noriben Automation Script in Action

--===[ Noriben v1.7.2
--===[ @bbaskin
usage: [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [--hashtype {MD5,SHA1,SHA256}] [--headless] [-t TIMEOUT]
                  [--output OUTPUT] [--yara YARA] [--generalize] [--cmd CMD]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --hash HASH           Specify hash whitelist file
  --hashtype {MD5,SHA1,SHA256}
                        Specify hash type
  --headless            Do not open results on VM after processing
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to their environment variables.
                        Default: True
  --cmd CMD             Command line to execute (in quotes)
  -d, --debug           Enable debugging

No comments

Note: Only a member of this blog may post a comment.

Powered by Blogger.