As part of the new year, let's make an effort to improve your defensive posture, especially through quicker and more effective malware analysis. A few years ago I created a small script to automate the malware analysis sandbox that I used for my day-to-day analysis and reverse engineering. This post shows how you can get a behavioral analysis of a malware sample in under a minute, with almost no setup at all.
- Introduction
- Automating Sandboxing with VMware
- How you can help! Even with no technical background!
- Download Information
For those who are already familiar with Noriben, feel free to skip to the second section to see the new content.
[UPDATE: In the year since this was written, I've made a new Python-based frontend, NoribenSandbox.py. You'll find it in the same repo. It's a much better option for many.]
Introduction
If you've followed me on Twitter or kept up with this blog, you're probably familiar with Noriben. If not, it's a very simple script. In typical behavior analysis, one runs malware within a sandbox to see exactly what files it creates, what processes it runs, and what changes it makes to the system. The most common approach among defense teams is to upload the file to a central anti-virus testing site like VirusTotal or to an online sandbox like Malwr and the many others built on Cuckoo.
Many teams are leery of uploading their files to the Internet, and doing so is especially inadvisable in APT-related investigations. Advanced actors monitor these online sites for their own files; a sample appearing there tells them that their free rein within the environment is coming to an end and that an incident response has started.
Running malware locally is most commonly done with Cuckoo, an awesome open-source malware sandbox that produces very comprehensive results. However, there is arguably considerable effort required to set Cuckoo up correctly, and multiple sites offer walkthroughs for various environments. While it is relatively easy to install on Linux, installing it on Windows or OS X can be frustrating for many. And in my case, I'm often on the road with a random laptop and need to build a sandbox very quickly.
If you've taken a malware analysis training course, you've also likely been exposed to the Sysinternals Procmon tool for monitoring a system's activity. Those with more vintage knowledge learned Regmon and Filemon. Others use Regshot, which is inadequate for much malware: it only diffs a before-and-after pair of snapshots, so it never captures transient changes made at runtime, such as a dropped file that is deleted again before the second snapshot is taken.
Noriben is a simple wrapper around Procmon: it collects hundreds of thousands of events, then applies a custom set of whitelisted system events to reduce them to a few dozen for quick review. For more, take a look at the slide deck I put together for the 2015 Black Hat Arsenal.
This post won't focus on the details of the tool itself. You can check out its main page here: www.ghettoforensics.com/noriben
Automating Sandboxing with VMware
Typical usage of Noriben requires that you run it interactively within a sandbox while you run your malware; it collects the system-wide artifacts produced while the sample executes. Many analysts use it this way to collect malware indicators when they need to interact with the sample inside the sandbox, for example when stepping around VM-detection checks in a debugger.
This post, however, highlights an automated way to avoid that interaction: you submit samples, and receive the resulting reports, directly from your host system.
Using VMware's vmrun command, the script reverts the VM to a known snapshot, copies the malware in, runs Noriben, then zips the report and copies it back out. From the command line, you can have a report on a file within 60 seconds. Below is an example of the bash script that runs from OS X. The final version is on Github; the version below is just to show its overall structure:
#!/bin/bash
# Noriben Sandbox Automation Script
# Responsible for:
#  * Copying malware into a known VM
#  * Running malware sample
#  * Copying off results
#
# Ensure you set the environment variables below to match your system

if [ ! -f "$1" ]; then
    echo "Please provide executable filename as an argument."
    echo "For example:"
    echo "$0 ~/malware/ef8188aa1dfa2ab07af527bab6c8baf7"
    exit 1
fi

DELAY=10                  # seconds Noriben lets the sample run (its -t option)
MALWAREFILE=$1
VMRUN="/Applications/VMware Fusion.app/Contents/Library/vmrun"
VMX="/Users/bbaskin/VMs/RSA Victim.vmwarevm/Windows XP Professional.vmx"
VM_SNAPSHOT="Baseline"
VM_USER=Administrator
VM_PASS=password
FILENAME=$(basename "$MALWAREFILE")
NORIBEN_PATH="C:\\Documents and Settings\\$VM_USER\\Desktop\\Noriben.py"
ZIP_PATH=C:\\Tools\\zip.exe
LOG_PATH=C:\\Noriben_Logs

# Revert to the clean snapshot and boot it
"$VMRUN" -T ws revertToSnapshot "$VMX" $VM_SNAPSHOT
"$VMRUN" -T ws start "$VMX"

# Copy the sample in under a fixed name
"$VMRUN" -gu $VM_USER -gp $VM_PASS copyFileFromHostToGuest "$VMX" "$MALWAREFILE" C:\\Malware\\malware.exe

# Run Noriben (-d enables debug output) around the sample for $DELAY seconds
"$VMRUN" -T ws -gu $VM_USER -gp $VM_PASS runProgramInGuest "$VMX" C:\\Python27\\Python.exe "$NORIBEN_PATH" -d -t $DELAY --cmd "C:\\Malware\\Malware.exe" --output "$LOG_PATH"
if [ $? -gt 0 ]; then
    echo "[!] File did not execute in VM correctly."
    exit 1
fi

# Zip the reports inside the guest; Info-ZIP exits with 12 when nothing matched
"$VMRUN" -T ws -gu $VM_USER -gp $VM_PASS runProgramInGuest "$VMX" "$ZIP_PATH" -j C:\\NoribenReports.zip "$LOG_PATH\\*.*"
if [ $? -eq 12 ]; then
    echo "[!] ERROR: No files found in Noriben output folder to ZIP."
    exit 1
fi

# Pull the zip back to the host, named after the sample
"$VMRUN" -gu $VM_USER -gp $VM_PASS copyFileFromGuestToHost "$VMX" C:\\NoribenReports.zip "$PWD/NoribenReports_$FILENAME.zip"
Obviously, this script needs minor editing on your part to set the correct paths. By default it places the malware sample at "C:\Malware\malware.exe", runs Noriben from the desktop of the Administrator account, and writes the results to "C:\Noriben_Logs\". Note that the snapshot, not the running VM, is the trusted state: every run starts from it, so anything the sample changes is discarded on the next revert.
The original post includes a video of a malware file being scanned using this script.
There is a similar script on Github for those running a Windows host. Again, the final version is on Github; below is just the overall structure of it:
:Noriben Sandbox Automation Script
:Responsible for:
:* Copying malware into a known VM
:* Running malware sample
:* Copying off results
:
:Ensure you set the environment variables below to match your system
@echo off
if "%1"=="" goto HELP
if not exist "%1" goto HELP

set DELAY=10
set CWD=%CD%
set VMRUN="C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
set VMX="e:\VMs\WinXP_Malware\WinXP_Malware.vmx"
set VM_SNAPSHOT="Baseline"
set VM_USER=Administrator
set VM_PASS=password
set FILENAME=%~nx1
set NORIBEN_PATH="C:\Documents and Settings\%VM_USER%\Desktop\Noriben.py"
set LOG_PATH="C:\Noriben_Logs"
set ZIP_PATH="C:\Tools\zip.exe"

:: Revert to the clean snapshot and boot it
%VMRUN% -T ws revertToSnapshot %VMX% %VM_SNAPSHOT%
%VMRUN% -T ws start %VMX%

:: Copy the sample in under a fixed name
%VMRUN% -gu %VM_USER% -gp %VM_PASS% copyFileFromHostToGuest %VMX% "%1" C:\Malware\malware.exe

:: Echo the command for debugging, then run Noriben (-d enables debug output) around the sample
echo %VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Malware\Malware.exe" --output %LOG_PATH%
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% C:\Python27\Python.exe %NORIBEN_PATH% -d -t %DELAY% --cmd "C:\Malware\Malware.exe" --output %LOG_PATH%
if errorlevel 1 goto ERROR1

:: Zip the reports inside the guest; Info-ZIP exits with 12 when nothing matched
%VMRUN% -T ws -gu %VM_USER% -gp %VM_PASS% runProgramInGuest %VMX% %ZIP_PATH% -j C:\NoribenReports.zip %LOG_PATH%\*.*
if %ERRORLEVEL%==12 goto ERROR2

:: Pull the zip back to the host, named after the sample
%VMRUN% -gu %VM_USER% -gp %VM_PASS% copyFileFromGuestToHost %VMX% C:\NoribenReports.zip "%CWD%\NoribenReports_%FILENAME%.zip"
goto END

:ERROR1
echo [!] File did not execute in VM correctly.
goto END

:ERROR2
echo [!] ERROR: No files found in Noriben output folder to ZIP.
goto END

:HELP
echo Please provide executable filename as an argument.
echo For example:
echo %~nx0 C:\Malware\ef8188aa1dfa2ab07af527bab6c8baf7
goto END

:END
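The same six-step workflow as the two scripts above, written as a host-side Python driver. This is an added example for this article, not NoribenSandbox.py from the Noriben repository, and every path, the snapshot name and the guest credentials in SandboxConfig are assumptions that you must change to match your own VM. Beyond what the shell scripts do, it names the report by the sample's SHA-256 rather than its basename, caps each vmrun call with a timeout so a hung guest cannot stall the host, checks every step's exit status (including Info-ZIP's "nothing to do" status 12), and has a --dry-run mode that prints the vmrun command lines without touching a VM:

```python
"""Host-side driver for the vmrun sandbox workflow (added example, not the
Noriben project's NoribenSandbox.py). Paths, snapshot name and guest
credentials below are assumptions; change them for your own VM."""
import argparse
import hashlib
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

ZIP_NOTHING_TO_DO = 12  # Info-ZIP exit status when no files matched the pattern


class SandboxError(RuntimeError):
    """Raised with the failing step name and vmrun's exit status."""


@dataclass
class SandboxConfig:
    # Host side (assumed Fusion layout; the page's scripts pass -T ws here too)
    vmrun: str = "/Applications/VMware Fusion.app/Contents/Library/vmrun"
    vmx: str = "/Users/analyst/VMs/Victim.vmwarevm/Windows XP Professional.vmx"
    snapshot: str = "Baseline"
    guest_user: str = "Administrator"
    guest_pass: str = "password"
    step_timeout: int = 300  # cap per vmrun call: a hung guest must not hang the host
    delay: int = 10          # seconds Noriben lets the sample run (its -t option)
    # Guest side (assumed to match the scripts above)
    guest_python: str = r"C:\Python27\python.exe"
    guest_noriben: str = r"C:\Documents and Settings\Administrator\Desktop\Noriben.py"
    guest_zip: str = r"C:\Tools\zip.exe"
    guest_sample: str = r"C:\Malware\malware.exe"
    guest_logs: str = r"C:\Noriben_Logs"
    guest_report: str = r"C:\NoribenReports.zip"


def sha256_of_file(path: str) -> str:
    """Name reports by hash, not basename: stable, unique, and safe on the host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class VmrunSandbox:
    def __init__(self, cfg: SandboxConfig,
                 runner: Optional[Callable[[List[str]], int]] = None) -> None:
        self.cfg = cfg
        self.commands: List[List[str]] = []  # every vmrun command line, in order
        self._run = runner or self._subprocess_runner  # injectable for --dry-run

    def _subprocess_runner(self, cmd: List[str]) -> int:
        try:
            return subprocess.run(cmd, timeout=self.cfg.step_timeout).returncode
        except subprocess.TimeoutExpired:
            return -1

    def _vmrun(self, step: str, *args: str, guest_auth: bool = False,
               ok: tuple = (0,)) -> int:
        """Run one vmrun step; fail loudly unless its exit status is in `ok`."""
        cmd = [self.cfg.vmrun, "-T", "ws"]
        if guest_auth:  # operations inside the guest need the guest login
            cmd += ["-gu", self.cfg.guest_user, "-gp", self.cfg.guest_pass]
        cmd += list(args)
        self.commands.append(cmd)
        rc = self._run(cmd)
        if rc not in ok:
            raise SandboxError(f"{step} failed (vmrun exit status {rc})")
        return rc

    def analyze(self, sample: str, out_dir: str = ".") -> str:
        """Run one sample through the VM; return the host path of the report zip."""
        if not os.path.isfile(sample) or os.path.getsize(sample) == 0:
            raise SandboxError(f"sample is missing or empty: {sample}")
        os.makedirs(out_dir, exist_ok=True)
        report = os.path.join(out_dir, f"NoribenReports_{sha256_of_file(sample)}.zip")
        c = self.cfg
        self._vmrun("revertToSnapshot", "revertToSnapshot", c.vmx, c.snapshot)
        self._vmrun("start", "start", c.vmx)
        self._vmrun("copy sample in", "copyFileFromHostToGuest", c.vmx,
                    os.path.abspath(sample), c.guest_sample, guest_auth=True)
        self._vmrun("run Noriben", "runProgramInGuest", c.vmx, c.guest_python,
                    c.guest_noriben, "-d", "-t", str(c.delay),
                    "--cmd", c.guest_sample, "--output", c.guest_logs, guest_auth=True)
        rc = self._vmrun("zip logs", "runProgramInGuest", c.vmx, c.guest_zip, "-j",
                         c.guest_report, c.guest_logs + r"\*.*",
                         guest_auth=True, ok=(0, ZIP_NOTHING_TO_DO))
        if rc == ZIP_NOTHING_TO_DO:
            raise SandboxError("no files in Noriben output folder; did the sample run?")
        self._vmrun("copy report out", "copyFileFromGuestToHost", c.vmx,
                    c.guest_report, report, guest_auth=True)
        return report


def main() -> None:
    ap = argparse.ArgumentParser(description="Run a sample through a Noriben VM via vmrun")
    ap.add_argument("sample")
    ap.add_argument("--dry-run", action="store_true", help="print commands, do not run")
    args = ap.parse_args()
    runner = (lambda cmd: print(" ".join(cmd)) or 0) if args.dry_run else None
    print("[*] Report:", VmrunSandbox(SandboxConfig(), runner=runner).analyze(args.sample))


if __name__ == "__main__":
    main()
```

Saved as, say, noriben_vmrun.py (a hypothetical filename), `python3 noriben_vmrun.py --dry-run ~/malware/sample.exe` prints the six vmrun invocations in order without starting anything; drop --dry-run once the paths in SandboxConfig match your host. The injectable runner is also what makes the driver testable offline. The page's scripts pass -T ws even on Fusion; vmrun also accepts -T fusion there.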
A similar script can be written for VirtualBox. However, I ran into numerous issues getting the "guestcontrol copyto" to copy files in and out. If you'd like to take a stab at this, based on the code above, feel free!
How you can help!
As the developer of open-source software, the biggest hurdle is in handling every edge case. I am the sole developer (currently) of Noriben, therefore it is geared and written to my experiences. I love getting bug reports because (a) I know people are using it and (b) each person's system has its own unique qualities.
If you want to help, there are two ways that I would greatly appreciate:
- Help with development by leveraging your programming expertise to improve it.
- Help to develop new white list filters.
The first is limited to a small set of people, but anyone can help with the second! The whitelist filters I use are based primarily on my own VMs. But, as I've seen in others' reports, there are numerous other items that could be whitelisted. One analyst sent me a report that had hundreds of items, whereas my own system typically produces fewer than two dozen. He simply had a lot of background applications that I was not expecting (such as ngen.exe). Someone else had print drivers continuously being updated.
To help right now, download the files (see Download Information below) into your VM and simply run it. Let it run for a minute or two without malware; just run Calc or Notepad. Then stop collection and send me the results. As no malware is running, the results should be items that can be whitelisted for everyone. Email your files to me (feel free to scrub any proprietary information) at brian @@ thebaskins.com.
Download Information
Noriben is hosted publicly on Github at: https://github.com/Rurik/Noriben.
At a minimum, you can download Noriben.py and be up and running. It is preferable to also download ProcmonConfiguration.pmc and store it alongside Noriben.py. This configuration file contains numerous pre-analysis whitelists that can reduce your Procmon logs from hundreds of megabytes to less than 10 MB.
Thanks for reading and hopefully this will help you improve your defenses and incident response reaction times for the new year!
Hi! A stupid question but is Python supposed to be installed on the VM Host or the VM Guest?
Not stupid at all. Running Noriben will require Python to be installed within the guest. Make sure that Python.exe is either in the PATH or is associated with .py files so that it can run easily.
To run the frontend tool (NoribenSandbox.py), you'd also need Python on the host. However, there is an old, and slightly unsupported, set of non-Python frontends (NoribenSandbox.bat and NoribenSandbox.sh) which will work with some modifications but lose a lot of functionality.
My goal, soon, is to have Noriben.py being a compiled executable so that it won't need Python on the guest.
When you're testing, make sure you run each script with '-d' to enable debug, so that you can see where you may need to change your configuration to fit. Today is 22 April, by the end of this weekend (hopefully) or within the next week I'll be pushing an updated version of both Noriben.py and NoribenSandbox.py.
Thanks for the comment!
Hi Brian,
Most modern malware is equipped with anti-virtualization techniques. When you set up your VM, did you harden it to prevent detection?
I tend to have very few anti-VM checks in my environments. While there are samples that check for VMs, there are also some that only work within VM environments. One of this tool's greatest uses is that you can run it while debugging, so that you can manually bypass or verify those checks.
To that end, I'd recommend a tool like pafish (https://github.com/a0rtega/pafish) or Al-khaser (https://github.com/LordNoteworthy/al-khaser) to scan within your VM to let you know which items to disable.
Hi!
Would like to know whether there is a writeup for setting up Noriben on the VM host and VM guest? This tool is quite interesting; however, I have problems with the configuration.