Noriben sandbox: deal with malware in minutes
Best wishes to everyone for the new year, and in particular for faster and more effective malware analysis. Several years ago I wrote a malware analysis sandbox script for my daily analysis and reverse-engineering work. Here I will show how to analyze malware in a few seconds with very little setup.
Introduction
If you follow me on Twitter or have read earlier posts on this blog, you may already be familiar with Noriben. Either way, a short introduction: it is a very simple script. In typical behavioral analysis, malware is run inside a sandbox to see what files it creates, what processes it runs, and what impact it has on the system. Most teams do this by uploading samples to antivirus scanning sites such as VirusTotal, to online sandboxes such as Malwr, or to a local Cuckoo sandbox.
For teams that upload files to the Internet, I can only say that this is unwise when dealing with APT attacks: an attacker who is paying attention can discover that their file has been uploaded to a public scanning site.
Local malware analysis is usually done with Cuckoo, a good open-source sandbox that produces comprehensive analysis results. In practice, however, it is quite hard to use and hard to set up correctly across environments. It installs easily on Linux, but installing it on Windows and OS X is painful. For my part, I may need to pull out a laptop in the field and have a sandbox ready to work.
If you have had malware analysis training, you may also use SysInternals Procmon to monitor the system. Some may have learned Regmon and Filemon, which are antiques by now. Some people use Regshot, which has not kept up with the times either.
Noriben is a simple wrapper around Procmon: it collects the thousands of events Procmon records and then applies custom whitelists to reduce them to something you can actually review. It was presented at the Black Hat 2015 Arsenal; the slides are here:
http://www.slideshare.net/bbaskin/slideshelf
That talk did not go into much detail on the tool itself; for that, see:
http://www.ghettoforensics.com/noriben
Automated sandbox in VMware
Noriben is normally used interactively: you start Noriben inside the sandbox VM, run the malware, and Noriben collects system-wide activity while it runs. This is useful when an analyst needs to interact with the malware inside the sandbox, for example to get past VM checks, as in this video:
YouTube: https://www.youtube.com/watch?v=kmCzAmqMeTY
This post, however, is about driving the whole process automatically from your host system so that none of that manual work is needed: submit a sample, receive a report.
Using VMware's vmrun command, the script reverts the VM to a known snapshot, copies the malware in, runs Noriben, and finally packages the report. From a single command line you can get a report for a file in under 60 seconds. Below is the bash script for OS X:
#!/bin/bash
# Noriben Sandbox Automation Script
# Responsible for:
# * Copying malware into a known VM
# * Running malware sample
# * Copying off results
#
# Ensure you set the environment variables below to match your system

# Quote "$1" so a missing argument also triggers the help text
if [ ! -f "$1" ]; then
    echo "Please provide executable filename as an argument."
    echo "For example:"
    echo "$0 ~/malware/ef8188aa1dfa2ab07af527bab6c8baf7"
    exit 1
fi

DELAY=10
MALWAREFILE=$1
VMRUN="/Applications/VMware Fusion.app/Contents/Library/vmrun"
VMX="/Users/bbaskin/VMs/RSA Victim.vmwarevm/Windows XP Professional.vmx"
VM_SNAPSHOT="Baseline"
VM_USER=Administrator
VM_PASS=password
FILENAME=$(basename "$MALWAREFILE")
NORIBEN_PATH="C:\\Documents and Settings\\$VM_USER\\Desktop\\Noriben.py"
ZIP_PATH=C:\\Tools\\zip.exe
LOG_PATH=C:\\Noriben_Logs

# Revert to the clean snapshot and boot the VM
"$VMRUN" -T ws revertToSnapshot "$VMX" $VM_SNAPSHOT
"$VMRUN" -T ws start "$VMX"

# Copy the sample in and run it under Noriben
"$VMRUN" -gu $VM_USER -gp $VM_PASS copyFileFromHostToGuest "$VMX" "$MALWAREFILE" C:\\Malware\\malware.exe
"$VMRUN" -T ws -gu $VM_USER -gp $VM_PASS runProgramInGuest "$VMX" C:\\Python27\\Python.exe "$NORIBEN_PATH" -d -t $DELAY --cmd "C:\\Malware\\Malware.exe" --output "$LOG_PATH"
if [ $? -gt 0 ]; then
    echo "[!] File did not execute in VM correctly."
    exit 1
fi

# Zip the Noriben output inside the guest and copy the archive back to the host
"$VMRUN" -T ws -gu $VM_USER -gp $VM_PASS runProgramInGuest "$VMX" "$ZIP_PATH" -j C:\\NoribenReports.zip "$LOG_PATH\\*.*"
if [ $? -eq 12 ]; then
    echo "[!] ERROR: No files found in Noriben output folder to ZIP."
    exit 1
fi
"$VMRUN" -gu $VM_USER -gp $VM_PASS copyFileFromGuestToHost "$VMX" C:\\NoribenReports.zip "$PWD/NoribenReports_$FILENAME.zip"
Obviously, this script requires you to edit a few values and set the correct paths. By default the sample is copied to "C:\Malware\malware.exe", Noriben is run under the Administrator account, and the results are written to C:\Noriben_Logs\.
Here is a video of this script being used to analyze a malicious file:
YouTube: https://www.youtube.com/watch?v=Xpt6RdBElCQ
Similarly, the following script from the GitHub repository does the same thing on Windows:
:: Noriben Sandbox Automation Script
:: Responsible for:
:: * Copying malware into a known VM
:: * Running malware sample
:: * Copying off results
::
:: Ensure you set the environment variables below to match your system
@echo off
if "%1"=="" goto HELP
if not exist "%1" goto HELP

set DELAY=10
set CWD=%CD%
set VMRUN="C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
set VMX="e:\VMs\WinXP_Malware\WinXP_Malware.vmx"
set VM_SNAPSHOT="Baseline"
set VM_USER=Administrator
set VM_PASS=password
set FILENAME=%~nx1
set NORIBEN_PATH="C:\Documents and Settings\%VM_USER%\Desktop\Noriben.py"
set LOG_PATH="C:\Noriben_Logs"
set ZIP_PATH="C:\Tools\zip.exe"

:: Revert to the clean snapshot and boot the VM
%VMRUN% -T ws revertToSnapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws start %VMX%

:: Copy the sample in and run it under Noriben (the echo line shows the exact command for debugging)
%VMRUN% -gu %VM_USER% -gp %VM_PASS% copyFileFromHostToGuest %VMX% "%1" C:\Malware\malware.exe
echo %VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Malware\Malware.exe" --output %LOG_PATH%
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Malware\Malware.exe" --output %LOG_PATH%
if %ERRORLEVEL% NEQ 0 goto ERROR1

:: Zip the Noriben output inside the guest and copy the archive back to the host
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% %ZIP_PATH% -j C:\NoribenReports.zip %LOG_PATH%\*.*
%VMRUN% -gu %VM_USER% -gp %VM_PASS% copyFileFromGuestToHost %VMX% C:\NoribenReports.zip %CWD%\NoribenReports_%FILENAME%.zip
goto END

:ERROR1
echo [!] File did not execute in VM correctly.
goto END

:HELP
echo Please provide executable filename as an argument.
echo For example:
echo %~nx0 C:\Malware\ef8188aa1dfa2ab07af527bab6c8baf7
goto END

:END
Similar scripts could be written for VirtualBox. I ran into problems using guestcontrol copyto to copy files between the VM and the physical machine, but you are welcome to try it.
How to help me
As an open-source developer, the hardest part is tracking down and handling bugs. I am currently the only developer of this script, which is partly why I am writing this: I hope people will report bugs, since everyone uses the tool in their own way.
If you want to help, I would be very grateful. There are two ways to do so:
1. Help improve the code with your programming knowledge.
2. Help develop new whitelist filters.
Only a small number of people can do the first, but many more can help with the second. I built the whitelist filters from my own VMs. After seeing other people's reports, however, I found that many entries could still be added to my whitelist. One analyst sent me a report containing hundreds of lines where my own system produced far fewer, because of many background applications I had not anticipated, such as ngen.exe (the .NET native image generator).
You can download the script to your VM and let it run for several minutes. Simply open a few applications such as Calculator or Notepad, close them, and then send me the generated report. Because no malware is running in this case, everything in the results should be added to the whitelist. Please email me the report. My address is [email protected].
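The whitelisting described above (Procmon events reduced by per-operation regex filters, and clean-VM runs used to spot new whitelist entries such as ngen.exe) illustrated as an added example; this is not Noriben's own code, and the CSV rows and regex patterns are constructed for the example:

```python
import csv
import io
import re

# Constructed Procmon CSV export in Procmon's own column layout; not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","Explorer.EXE","1704","Process Create","C:\Malware\malware.exe","SUCCESS","PID: 2424"
"10:00:02.0","malware.exe","2424","WriteFile","C:\Documents and Settings\Administrator\Application Data\svch0st.exe","SUCCESS","Length: 4096"
"10:00:02.5","malware.exe","2424","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ"
"10:00:03.0","svchost.exe","1024","Process Create","C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ngen.exe","SUCCESS","PID: 3000"
"10:00:03.5","explorer.exe","1704","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{abc}\Count","SUCCESS","Type: REG_BINARY"
"10:00:04.0","ngen.exe","3000","WriteFile","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\foo.ni.dll","SUCCESS","Length: 1024"
"10:00:04.5","malware.exe","2424","CreateFile","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Desired Access: Read"
'''

# Per-operation whitelists of regexes matched against the event Path. Constructed for
# this example in the spirit of the page's custom filters; not Noriben's real lists.
WHITELIST = {
    "Process Create": [r"\\ngen\.exe$"],
    "WriteFile": [r"^C:\\WINDOWS\\assembly\\NativeImages_"],
    "RegSetValue": [r"\\Explorer\\UserAssist\\"],
}

def parse_events(text):
    """Parse a Procmon CSV export; keep successful events of the operation types we report on."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["Operation"] in WHITELIST and r["Result"] == "SUCCESS"]

def filter_events(events, whitelist=WHITELIST):
    """Drop events whose Path matches any whitelist regex for that operation."""
    def noisy(ev):
        return any(re.search(p, ev["Path"], re.IGNORECASE) for p in whitelist[ev["Operation"]])
    return [ev for ev in events if not noisy(ev)]

def build_report(text, whitelist=WHITELIST):
    """Group the surviving events by operation as 'process:pid > path' lines."""
    report = {op: [] for op in whitelist}
    for ev in filter_events(parse_events(text), whitelist):
        report[ev["Operation"]].append(f'{ev["Process Name"]}:{ev["PID"]} > {ev["Path"]}')
    return report

if __name__ == "__main__":
    # On a clean-VM run, anything printed here is a candidate for the whitelist.
    for op, lines in build_report(SAMPLE_CSV).items():
        print(f"{op}:")
        for line in lines:
            print("  " + line)
```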
Download Information
Finally, the script can be downloaded from:
https://github.com/Rurik/Noriben
You can download Noriben.py and run it on its own, but it is better to also download ProcmonConfiguration.pmc and place it alongside the script. This configuration file contains a large set of system whitelists, which can reduce the amount of log data generated by up to 10 MB.