Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on run time indicators of malware. In a nutshell, it allows you to run your malware, hit a key press, and get a simple text report of the sample’s activities.
The tool allows you to not only run malware similar to a sandbox, but to also log system-wide events while you manually run malware in ways particular to making it run. For example, it can listen as you run malware that requires varying command line options. Or, watch the system as you step through malware in a debugger.
It only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help) as it contains numerous white list items to reduce unwanted noise from system activity.
- If you have a folder of YARA signature files, you can specify it with the
--yaraoption. Every new file create will be scanned against these signatures with the results displayed in the output results.
- If you have a VirusTotal API, place it into a file named “virustotal.api” (or embed directly in the script) to auto-submit MD5 file hashes to VT to get the number of viral results.
- You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep and throw them into a text file, use –hash to read them.
- You can automate the script for sandbox-usage. Using -t to automate execution time, and
--cmd "path\exe"to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample.
--generalizefeature will automatically substitute absolute paths with Windows environment paths for better IOC development. For example,
C:\Users\malware_user\AppData\Roaming\malware.exewill be automatically resolved to
Download and install:
Step 1: Download and install Noriben
Step 2: Run the following command to use noriben noriben.py
Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH] [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize] [--cmd CMD] [-d] optional arguments: -h, --help show this help message and exit -c CSV, --csv CSV Re-analyze an existing Noriben CSV file -p PML, --pml PML Re-analyze an existing Noriben PML file -f FILTER, --filter FILTER Specify alternate Procmon Filter PMC --hash HASH Specify MD5 file whitelist -t TIMEOUT, --timeout TIMEOUT Number of seconds to collect activity --output OUTPUT Folder to store output files --yara YARA Folder containing YARA rules --generalize Generalize file paths to their environment variables. Default: True --cmd CMD Command line to execute (in quotes) -d Enable debug tracebacks
Latest posts by William Fieldhouse (see all)
- A John McAfee-Backed ICO Exposed Thousands of Peoples Documents Due to Security Blunder - April 26, 2018
- Latest Hacking News Podcast #13 - April 17, 2018
- Latest Hacking News Podcast #12 - April 16, 2018