18 January 2016

Creating a Malware Sandbox in Seconds with Noriben.

Happy New Years!

As part of the new year, let's make an effort to make your defensive posture better, especially through quicker and more effective malware analysis! A few years ago I created a sample malware analysis sandbox script to use for the analysis and reverse engineering that I performed on a daily basis. Let's show how you can perform analysis of malware within just a few seconds with almost no setup at all.

  1. Introduction
  2. Automating Sandboxing with VMware
  3. How you can help! Even with no technical background!
  4. Download Information

For those who are already familiar with Noriben, feel free to skip to the second section to see the new content.

[UPDATE: In the year since this was written, I've made a new Python-based frontend. You'll find it in the same repo as NoribenSandbox.py. It's a much better option for many.]

Introduction


If you've followed me on Twitter, or kept up with this blog, you would be familiar with Noriben. If not, it's a very simple script. In typical behavior analysis one would run malware within a sandbox to see exactly what files it creates, what processes it runs, and what changes it makes to the system. The most common approach that many defense teams use is to upload the file to a central anti-virus testing site like VirusTotal and to online sandboxes like Malwr and those using Cuckoo.

Some teams are leery of uploading their files to the Internet, a practice that is especially inadvisable for APT-related investigations. Advanced actors monitor online sites to see if their files are uploaded, which lets them determine that their free rein within the environment has come to an end and an IR response has started.

Running malware locally is most commonly performed through Cuckoo, an awesome and open-source sandbox application designed for malware that produces very comprehensive results. However, there is arguably considerable effort required to set up Cuckoo correctly, with multiple sites offering walkthroughs for various environments. While relatively easy to install on Linux, installing on Windows or OSX can be frustrating for many. And, in my case, I'm often on the road with a random laptop and need to make a sandbox very quickly.

If you take a malware analysis training course, you've also likely been exposed to the SysInternals Procmon tool to monitor a system's environment. For those with more vintage knowledge, you learned Regmon and Filemon. Others use Regshot, a tool that is inadequate for many malware samples as it doesn't track finite changes within runtime.

Noriben is a simple wrapper for Procmon that collects hundreds of thousands of events, then uses a custom set of whitelisted system events to reduce this down to a few dozen for quick review. For more, take a look at the slide deck I put together for the 2015 Black Hat Arsenal:





This post won't really focus on the details of the tool itself. You can check out its main page here: www.ghettoforensics.com/noriben

Automating Sandboxing from VMware


Typical usage of Noriben requires that you run it interactively within a sandbox while running your malware. After running Noriben, it collects overall system artifacts as you run malware. Many analysts use it to collect malware indicators for when they need to interact with the malware within the sandbox, such as with this video that does VM checking:


However, this blog post is to highlight an automated way to avoid this and to submit samples, and receive the resulting reports, directly from your host system.

By using VMware's vmrun command, the script will revert the VM to a known snapshot, copy the malware in, run Noriben, then zip and extract the report out. From the command line, one can receive a malware report within 60 seconds on a file. Below is an example of the bash script that runs from OSX. The final version can be found on Github, but below is just to show the overall structure of it:



#!/bin/bash
#Noriben Sandbox Automation Script
#Responsible for:
#* Copying malware into a known VM
#* Running malware sample
#* Copying off results
#
#Ensure you set the environment variables below to match your system
if [ ! -f "$1" ]; then
 echo "Please provide executable filename as an argument."
 echo "For example:"
 echo "$0 ~/malware/ef8188aa1dfa2ab07af527bab6c8baf7"
 exit 1
fi

DELAY=10
MALWAREFILE=$1
VMRUN="/Applications/VMware Fusion.app/Contents/Library/vmrun"
VMX="/Users/bbaskin/VMs/RSA Victim.vmwarevm/Windows XP Professional.vmx"
VM_SNAPSHOT="Baseline"
VM_USER=Administrator
VM_PASS=password
FILENAME=$(basename "$MALWAREFILE")
NORIBEN_PATH="C:\\Documents and Settings\\$VM_USER\\Desktop\\Noriben.py"
ZIP_PATH=C:\\Tools\\zip.exe
LOG_PATH=C:\\Noriben_Logs


"$VMRUN" -T ws revertToSnapshot "$VMX" $VM_SNAPSHOT
"$VMRUN" -T ws start "$VMX"
"$VMRUN" -gu $VM_USER  -gp $VM_PASS copyFileFromHostToGuest "$VMX" "$MALWAREFILE" C:\\Malware\\malware.exe
"$VMRUN" -T ws -gu $VM_USER -gp $VM_PASS runProgramInGuest "$VMX" C:\\Python27\\Python.exe "$NORIBEN_PATH" -d -t $DELAY --cmd "C:\\Malware\\Malware.exe" --output "$LOG_PATH"
if [ $? -gt 0 ]; then
    echo "[!] File did not execute in VM correctly."
    exit 1
fi
# Zip the reports inside the guest, then copy the archive back to the host
"$VMRUN" -T ws -gu $VM_USER -gp $VM_PASS runProgramInGuest "$VMX" "$ZIP_PATH" -j C:\\NoribenReports.zip "$LOG_PATH\\*.*"
if [ $? -eq 12 ]; then
    echo "[!] ERROR: No files found in Noriben output folder to ZIP."
    exit 1
fi
"$VMRUN" -gu $VM_USER -gp $VM_PASS copyFileFromGuestToHost "$VMX" C:\\NoribenReports.zip "$PWD/NoribenReports_$FILENAME.zip"

Obviously, this script needs minor editing on your part to establish the correct paths. By default it places the malware sample as "C:\Malware\malware.exe", runs Noriben off the desktop of the Administrator account, and outputs the results to "C:\Noriben_Logs\".

In action, here's a video of a malware file being scanned using this script:



Similarly, there's a script on Github for those running a Windows host. The final version can be found on Github, but below is just to show the overall structure of it:


:Noriben Sandbox Automation Script
:Responsible for:
:* Copying malware into a known VM
:* Running malware sample
:* Copying off results
:
:Ensure you set the environment variables below to match your system
@echo off
if "%~1"=="" goto HELP
if not exist "%~1" goto HELP

set DELAY=10
set CWD=%CD%
set VMRUN="C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
set VMX="e:\VMs\WinXP_Malware\WinXP_Malware.vmx"
set VM_SNAPSHOT="Baseline"
SET VM_USER=Administrator
set VM_PASS=password
set FILENAME=%~nx1
set NORIBEN_PATH="C:\Documents and Settings\%VM_USER%\Desktop\Noriben.py"
set LOG_PATH="C:\Noriben_Logs"
set ZIP_PATH="C:\Tools\zip.exe"



%VMRUN% -T ws revertToSnapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws start %VMX%
%VMRUN% -gu %VM_USER%  -gp %VM_PASS% copyFileFromHostToGuest %VMX% "%~1" C:\Malware\malware.exe
echo %VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Malware\Malware.exe" --output %LOG_PATH%
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Malware\Malware.exe" --output %LOG_PATH%
if %ERRORLEVEL%==1 goto ERROR1
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% %ZIP_PATH% -j C:\NoribenReports.zip %LOG_PATH%\*.*
%VMRUN% -gu %VM_USER%  -gp %VM_PASS% copyFileFromGuestToHost %VMX% C:\NoribenReports.zip "%CWD%\NoribenReports_%FILENAME%.zip"
goto END

:ERROR1
echo [!] File did not execute in VM correctly.
goto END

:HELP
echo Please provide executable filename as an argument.
echo For example:
echo %~nx0 C:\Malware\ef8188aa1dfa2ab07af527bab6c8baf7
goto END

:END


A similar script can be written for VirtualBox. However, I ran into numerous issues getting the "guestcontrol copyto" to copy files in and out. If you'd like to take a stab at this, based on the code above, feel free!

How you can help!


As the developer of open-source software, the biggest hurdle is in handling every edge case. I am the sole developer (currently) of Noriben, therefore it is geared and written to my experiences. I love getting bug reports because (a) I know people are using it and (b) each person's system has its own unique qualities.

If you want to provide the most help for me there are two ways that I would greatly appreciate!

  1. Help me with the development through leveraging your programming expertise to improve it.
  2. Help to develop new white list filters.

The first is limited to a small set of people, but anyone can help with the second! The white list filters I use are based primarily off of my own VMs. But, as I've seen with others' reports, there are numerous other items that could be whitelisted. I had one analyst send me a report that had hundreds of items, whereas my own system typically produces less than two dozen. He simply had a lot of backend applications that I was not expecting (such as ngen.exe). Someone else had print drivers continuously being updated. 

To help, right now, download the files here into your VM and simply run it. Let it run for a minute or two without malware. Simply run Calc or Notepad. Then stop collection and send me the results. As there is no malware running, the results shown should likely be whitelisted for everyone. Take this and email your files to me (feel free to scrub any proprietary information) at brian @@ thebaskins.com.
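
The idea of deriving whitelist filters from a malware-free capture, then using them to cut a sample's Procmon events down to what matters, can be sketched as follows. This is an added example, not Noriben's own code or filter format: the CSV rows are constructed, and the function names and path-generalization rules are assumptions for illustration.

```python
import csv
import io
import re

# Constructed Procmon-style CSV rows (default export columns), not real captures.
# BASELINE: idle VM, no malware. SAMPLE_RUN: same VM while a sample executes.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
BASELINE = HEADER + r'''"10:00:01","ngen.exe","1204","WriteFile","C:\WINDOWS\assembly\NativeImages_v2.0\Temp\4a1c.tmp","SUCCESS",""
"10:00:02","spoolsv.exe","880","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\PDF\ChangeID","SUCCESS",""
"10:00:03","notepad.exe","1500","CreateFile","C:\Documents and Settings\Administrator\Recent\notes.lnk","SUCCESS",""
'''
SAMPLE_RUN = HEADER + r'''"10:05:01","ngen.exe","1310","WriteFile","C:\WINDOWS\assembly\NativeImages_v2.0\Temp\9f3e.tmp","SUCCESS",""
"10:05:02","malware.exe","1620","WriteFile","C:\Documents and Settings\Administrator\Application Data\svch0st.exe","SUCCESS",""
"10:05:03","malware.exe","1620","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS",""
"10:05:04","spoolsv.exe","880","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\PDF\ChangeID","SUCCESS",""
'''

def read_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def to_pattern(path, user):
    """Regex for one observed path; profile name and hex temp names are wildcarded."""
    parts = []
    for comp in path.split('\\'):
        stem, dot, ext = comp.rpartition('.')
        if comp.lower() == user.lower():
            parts.append(r'[^\\]+')  # any profile name, not just this VM's
        elif dot and re.fullmatch(r'[0-9a-f]{4,}', stem, re.I):
            parts.append('[0-9a-f]+' + re.escape(dot + ext))  # random temp name
        else:
            parts.append(re.escape(comp))
    return re.compile(r'\\'.join(parts), re.I)

def build_filters(baseline_text, user):
    """One (process, operation, path regex) filter per event in the clean capture."""
    return [(e['Process Name'].lower(), e['Operation'], to_pattern(e['Path'], user))
            for e in read_events(baseline_text)]

def unfiltered(run_text, filters):
    """Events from a run that no baseline-derived filter accounts for."""
    keep = []
    for e in read_events(run_text):
        if not any(proc == e['Process Name'].lower() and op == e['Operation']
                   and rx.fullmatch(e['Path']) for proc, op, rx in filters):
            keep.append((e['Process Name'], e['Operation'], e['Path']))
    return keep

if __name__ == '__main__':
    print(unfiltered(SAMPLE_RUN, build_filters(BASELINE, 'Administrator')))
```

Filters keyed on process name and path will also hide anything that reuses those names, so review generated patterns before adding them to a shared whitelist.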

Download Information


Noriben is hosted publicly on Github at: https://github.com/Rurik/Noriben.
At a minimum, you can download Noriben.py and be up and running. It is preferable that you also download ProcmonConfiguration.pmc and store it alongside Noriben.py. This configuration file contains numerous pre-analysis whitelists that could reduce your process logs from hundreds of megabytes to less than 10MB.


Thanks for reading and hopefully this will help you improve your defenses and incident response reaction times for the new year!

5 comments:

  1. Hi! A stupid question but is Python supposed to be installed on the VM Host or the VM Guest?

    1. Not stupid at all. Running Noriben will require Python to be installed within the guest. Make sure that Python.exe is either in the PATH or is associated with .py files so that it can run easily.

      To run the frontend tool (NoribenSandbox.py), you'd also need Python on the host. However, there is an old, and slightly unsupported, set of non-Python frontends (NoribenSandbox.bat and NoribenSandbox.sh) which will work with some modifications but lose a lot of functionality.

      My goal, soon, is to have Noriben.py being a compiled executable so that it won't need Python on the guest.

      When you're testing, make sure you run each script with '-d' to enable debug, so that you can see where you may need to change your configuration to fit. Today is 22 April, by the end of this weekend (hopefully) or within the next week I'll be pushing an updated version of both Noriben.py and NoribenSandbox.py.

      Thanks for the comment!

  2. Hi Brian,
    Most of the modern malware is equipped with anti-virtualization tech. When you set up your VM, did you harden your VM to prevent detection?

    1. I tend to have very little anti-VM checks in my environments. While there are samples that check for VMs, there are also some that only work within VM environments. One of this tool's greatest uses is that you can run it while debugging, so that you can manually bypass or verify those checks.

      To that end, I'd recommend a tool like pafish (https://github.com/a0rtega/pafish) or Al-khaser (https://github.com/LordNoteworthy/al-khaser) to scan within your VM to let you know which items to disable.

  3. Hi!

    Would like to know whether there is a writeup for the setting up of Noriben for VM Host and VM Guest? This tool is quite interesting, however I have problems with the configuration.
