Creating a Malware Sandbox in Seconds with Noriben.

Happy New Years!

As part of the new year, let's make an effort to make your defensive posture better, especially through quicker and more effective malware analysis! A few years ago I created a sample malware analysis sandbox script to use for the analysis and reverse engineering that I performed on a daily basis. Let's show how you can perform analysis of malware within just a few seconds with almost no setup at all.

1. Introduction
2. Automating Sandboxing with VMware
3. How you can help! Even with no technical background!
4. Download Information

For those who are already familiar with Noriben, feel skip to the second section to see the new content.

[UPDATE: In the year since this was written, I've made a new Python-based frontend. You'll find it in the same repo as NoribenSandbox.py. It's a much better option for many.]

Introduction

If you've followed me on Twitter, or kept up with this blog, you would be familiar with Noriben. If not, it's a very simple script. In typical behavior analysis one would run malware within a sandbox to see exactly what files it creates, what processes it runs, and what changes it makes to the system. The most common way that many defense teams use is to upload the file to a central anti-virus testing site like VirtusTotal and to online sandboxes like Malwr and those using Cuckoo.

For teams who are leery of uploading their files to the Internet, which is especially inadvisable for APT-related investigations. As advanced actors monitor online sites to see if their files are uploaded, they can determine if their free reign within the environment comes to an end and an IR response has started.

Running malware locally is most commonly performed through Cuckoo, an awesome and open-source sandbox application designed for malware that produces very comprehensive results. However, there is is arguably considerable effort required to set up Cuckoo correctly, with multiple sites offering walkthroughs for various environments. While relatively easy to install on Linux, installing on Windows or OSX can be frustrating for many. And, in my case, I'm often on the road with a random laptop and need to make a sandbox very quickly.

If you take a malware analysis training course, you've also likely been exposed to the SysInternals Procmon tool to monitor a system's environment. For those with more vintage knowledge, you learned Regmon and Filemon. Others use Regshot, a tool that is inadequate for many malware as it doesn't track finite changes within runtime.

Noriben is a simple wrapper for Procmon to collects hundreds of thousands of events then uses a custom set of whitelisted system events to reduce this down to a few dozen for quick review. For more, take a look at the slide deck I put together for the 2015 Black Hat Arsenal:

Malware with No Strings Attached Part 1 - Dynamic Analysis

I had the honor of lecturing for Champlain College's graduate level Malware Analysis course this week. One of the aspects of the lecture was showing off dynamic analysis with my Noriben script and some of the indicators I would look for when running malware.

While every malware site under the sun can tell you how to do malware dynamic analysis, I wanted to write a post on how I, personally, perform dynamic analysis. Some of the things I look for, some things I've learned to ignore, and how to go a little bit above and beyond to answer unusual questions. And, if the questions can't be answered, how to obtain good clues that could help you or another analyst understand the data down the road.

Additionally. I've been meaning to write up a malware analysis post for awhile, but haven't really found any malware that's been really interesting enough. Most were overly complex, many overly simple, and most just too boring to write on. Going back through prior incidents, I remembered a large scale response we worked involving a CoreFlood compromise. While this post won't be on the same malware, it's from a similar variant:

MD5: 4f45df18209b840a2cf4de91501847d1
SSDEEP: 768:ofATWbDPImK/fJQTR5WSgRlo5naTKczgYtWc5bCQHg:uk6chnWESgRKcnWc5uF
Size: 48640 bytes

Note: I cannot host the file here, but it can be obtained through VirusTotal (for those with privileges) or directly from Malwr with a free registered account.

This is not a ground-breaking malware sample. The techniques here are not new. I want to simply show a typical workflow of analyzing malware and overcoming the challenges that appear in doing so.

There are multiple levels of complexity to this sample, too much for a single post, including ways in which it encrypts embedded data and strings. Therefore, this post will focus on the dynamic artifacts of running the malware and examining the files left behind. On the next post, we'll use IDA Pro to dig deeper into reversing the logic used by the malware.

Noriben version 1.4 released

It's been a few months since the last official release of Noriben. The interim time has been filled with a few ninja-edits of updated filters, and wondering what to put in next.

Noriben started out as a simple wrapper to Sysinternals procmon to automatically gather all of the runtime details for malware analysis within a VM. It then filters out all the unnecessary system details until what's left is a fairly concise view of what the malware did to the system while running. It is a great alternative to a dedicated sandbox environment. More details on Noriben can be found here.

Over the months I was ecstatic to hear of organizations using Noriben in various roles. Many had modified the script to use it as an automated sandbox to run alongside their commercial products, which was exactly one of my goals for the script. However, the current requirement of manual interaction was an issue and I saw many ugly hacks of how people bypassed it. The new version should take care of that issue.

This was originally a release for version 1.3, which I pushed up on Friday. However, I received quite a bit of feedback for other new features and so quickly I pushed up version 1.4.

In the new version 1.4, I've introduced a few new features:

• A non-interactive mode that runs for a specified number of seconds on malware that is specified from the command line
• The ability to generalize strings, using Windows environment variables
• The ability to specify an output directory

Non-Interactive Mode
The non-interactive mode was needed for a long time, and I apologize it took some time to implement it, as it was a very easy addition. It can be set in one of two ways:
The beginning of the source has a new line:

timeout_seconds = 0

By setting this to a value other than zero, Noriben will automatically wait that number of seconds to monitor the file system. This can be hardcoded for automated implementations, such as in a sandbox environment.

This value can also be overridden with a command line option of --timeout (-t). When using this argument, Noriben will enable the timeout mode and use the specified number of seconds. This is useful if you have a particularly long runtime sample. Even if Noriben.py was modified to have a 120-second timeout, you can override this on the command line with a much greater value (3600 seconds, for example).

Noriben now also lets you note the malware from the command line, making it completely non-interactive:

Noriben.py --cmd "C:\malware\bad.exe www.badhost.com 80" --timeout 300

This command line will launch bad.exe, with a given command line, for a period of 5 minutes. At such time, Noriben will stop monitoring the malware, but it will continue to run.

Output Directory
An alternate output directory can be specified on the command line with --output. If this folder does not exist, it will be created. If Noriben is unable to create the directory, such as when it doesn't have access (e.g. C:\Windows\System32\), then it will give an error and quit.


String Generalization
One requested feature was to replace the file system paths with the Windows environment variables, to make them generic. Many people copy and paste their Noriben results which may show system-specific values, such as "C:\Documents and Settings\Bob\malware.exe". This string will be generalized to "%UserProfile%\malware.exe".

This feature is turned off by default, but can be enabled by changing a setting in the file:

generalize_paths = False

Or by setting --generalize on the command line.


All in all, these features could be summed up with:

Noriben.py --output C:\Logs\Malware --timeout 300 --generalize --cmd "C:\Malware\evil.exe"

Download Noriben