-
Notifications
You must be signed in to change notification settings - Fork 222
Home
Noriben is a Python-based script that works in conjunction with SysInternals Procmon (Process Monitor) to automatically collect, analyze, and report on runtime indicators of malware and suspicious system behavior. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the system's activity after running an attack.
While there are many well developed and fully featured sandboxes, such as Cuckoo, they all have various limitations that impacted the way I do malware analysis. Noriben was written specifically to fill these gaps. Noriben is an ideal solution for many unusual malware instances, such as those that would not run from within a standard sandbox environment. These files perhaps required command line arguments, or had VMware/OS detection that had to be actively debugged, or extremely long sleep cycles.
One common instance to use Noriben is with malware that is VM and Sandbox aware. Throwing the sample into any existing sandbox will most likely result in a report with no artifacts as the malware didn't run. Some applications look for manual user activity, such as mouse movement and clicking. Other malware may infect the WinHTTP stack and only trigger when a web browser is used. By just launching Noriben in the background, all of the system behavior is logged as the analyst manually controls the system to give the impression of a normal user. Once the file has been detonated, the results can be reviewed as a standard sandbox report.
In rarer cases are malware samples that require command line options in order to run. Launching these executables within a sandbox would immediately fail as the malware does not have the arguments to operate. However, an analyst manually controlling the malware while Noriben is running can quickly gather all system artifacts from various command line options.
Even more interesting, Noriben has been used by pentesters to determine what system artifacts exist when launching an attack against a system or service. By monitoring files created or registry entries modified, a security analyst can determine all artifacts that result from running an attack, a PowerShell command, or a Javascript-based web page.
It's commonly a scenario where an analyst may have a proper sandbox environment in a home lab but on the road has only a laptop. In working with various Sales Engineers and Support individuals from security companies, there were many times where they needed an immediate malware answer out of their hotel room. Noriben was designed to be used with little effort, little setup, and little maintenance. Even if you don't have a dedicated malware VM, any Windows VM will do! Even your corporate environment!
Noriben (海苔弁) is a very simple Japanese lunch box: Nori (seaweed) plus Bento (lunchbox). Noriben are plentiful in shops, provide basic nourishment, and are a staple meal for a struggling family. It felt only appropriate to analogize it to Noriben: a very simple sand box that provides basic indicators, can directly feed your security solutions, and fits easily within the budget of any organization.