Noriben is a Python-based script that works together with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
Noriben allows you to not only run malware much like a sandbox would, but also to log system-wide events while you manually run malware in whatever way is needed to make it run. For example, it can listen as you run malware that requires particular command line options, or watch the system as you step through malware in a debugger.
Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help), as it contains numerous whitelist items to reduce unwanted noise from system activity.
If you have a folder of YARA signature files, you can specify it with the --yara option. Every new file create will be scanned against these signatures, with the results displayed in the output report.
If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of positive results.
You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep and throw them into a text file, then use --hash to read them.
You can automate the script for sandbox usage. Using -t to set the execution time, and --cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample.
The --generalize feature will automatically replace absolute paths with Windows environment paths for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe.
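As an added illustration of the path generalization just described (this is example code written for this page, not Noriben's own implementation; the prefix table and the sample event lines are constructed assumptions), the following Python rewrites absolute Windows paths found in Procmon-style event lines into their environment-variable form:

```python
import re

# Constructed prefix table (an assumption, not Noriben's own list): each entry
# is a case-insensitive regex for an absolute Windows path prefix and the
# environment-variable form it generalizes to. More specific prefixes come
# first so that %AppData% wins over %UserProfile%.
GENERALIZE_RULES = [
    (r"C:\\Users\\[^\\]+\\AppData\\Roaming", "%AppData%"),
    (r"C:\\Users\\[^\\]+\\AppData\\Local", "%LocalAppData%"),
    (r"C:\\Users\\[^\\]+", "%UserProfile%"),
    (r"C:\\ProgramData", "%ProgramData%"),
    (r"C:\\Program Files \(x86\)", "%ProgramFiles(x86)%"),
    (r"C:\\Program Files", "%ProgramFiles%"),
    (r"C:\\Windows", "%WinDir%"),
]

# Anchor each prefix at the start of the path and require that it ends at a
# path separator or end of string, so "C:\Program Files" cannot swallow
# "C:\Program Files (x86)".
_COMPILED_RULES = [
    (re.compile("^" + pattern + r"(?=\\|$)", re.IGNORECASE), env_form)
    for pattern, env_form in GENERALIZE_RULES
]

# Matches a Windows drive path either inside double quotes (so that spaces
# survive) or as a bare token ending at whitespace, a comma or a quote.
_PATH_TOKEN = re.compile(r'"[A-Za-z]:\\[^"]*"|[A-Za-z]:\\[^\s,"]*')


def generalize_path(path):
    """Replace the first matching absolute prefix of `path` with its
    environment-variable form. Unknown prefixes (other drives, unusual
    install roots) are returned unchanged rather than guessed at."""
    for rule, env_form in _COMPILED_RULES:
        m = rule.match(path)
        if m:
            return env_form + path[m.end():]
    return path


def generalize_line(line):
    """Generalize every drive path embedded in one event line, preserving
    surrounding quotes so CSV-style fields stay intact."""
    def _sub(m):
        token = m.group(0)
        if token.startswith('"'):
            return '"' + generalize_path(token[1:-1]) + '"'
        return generalize_path(token)
    return _PATH_TOKEN.sub(_sub, line)


def generalize_events(events):
    """Apply generalize_line to a sequence of event lines."""
    return [generalize_line(e) for e in events]


# Constructed sample of Procmon-style events, not real capture data.
SAMPLE_EVENTS = [
    "CreateFile,C:\\Users\\malware_user\\AppData\\Roaming\\malware.exe",
    'Process Create,"C:\\Program Files\\Common Files\\updater.exe",C:\\Windows\\System32\\cmd.exe',
    "RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,"
    "C:\\Users\\malware_user\\AppData\\Local\\Temp\\svc.exe",
    "WriteFile,D:\\share\\dropped.dll",
]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, generalize_events(SAMPLE_EVENTS)):
        print(before)
        print("  ->", after)
```

Ordering in the table matters: the two AppData prefixes are listed before the plain user-profile rule, and the end-of-prefix lookahead keeps the Program Files rules from colliding. Paths on other drives are deliberately left as they are, since for an IOC a literal path is more useful than a wrong guess at an environment variable.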
--===[ Noriben v1.6 ]===--
--===[ @bbaskin ]===--

usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [-t TIMEOUT] [--output OUTPUT] [--yara YARA]
                  [--generalize] [--cmd CMD] [-d]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --hash HASH           Specify MD5 file whitelist
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to their environment variables. Default: True
  --cmd CMD             Command line to execute (in quotes)
  -d                    Enable debug tracebacks