Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.
Noriben allows you not only to run malware much like a sandbox would, but also to log system-wide events while you manually run malware in whatever way is needed to make it run. For example, it can listen as you run malware that requires varying command line options, or watch the system as you step through malware in a debugger.
Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though pre-filtering would greatly help), as it contains a large number of whitelist entries to reduce unwanted noise from normal system activity.
If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file will be scanned against these signatures, with the results displayed in the output report.
If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of positive results.
You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep to generate them, throw them into a text file, and use --hash to read them.
You can automate the script for sandbox usage. Using -t to set the execution time and --cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert the system to run a new sample.
The --generalize feature will automatically substitute absolute paths with Windows environment variable paths for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe.
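The path generalization described above, as an added illustration rather than Noriben's own code: the environment-variable table is constructed for a hypothetical analysis VM with a single user named malware_user, and the longest matching prefix wins so that %AppData% is chosen over %UserProfile%.

```python
import re

# Constructed mapping (assumption: analysis VM with one user, "malware_user").
# Real tooling would populate this from the VM's environment at runtime.
ENV_PATHS = {
    "%AppData%": r"C:\Users\malware_user\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\malware_user\AppData\Local",
    "%Temp%": r"C:\Users\malware_user\AppData\Local\Temp",
    "%UserProfile%": r"C:\Users\malware_user",
    "%ProgramFiles%": r"C:\Program Files",
    "%SystemRoot%": r"C:\Windows",
}


def _normalize(path: str) -> str:
    # Collapse forward slashes and doubled separators so prefix matching is stable.
    return re.sub(r"[\\/]+", r"\\", path.strip())


def _by_longest_prefix(env_paths: dict):
    # Most specific (longest) absolute path first, so %Temp% beats %LocalAppData%.
    return sorted(env_paths.items(), key=lambda kv: -len(kv[1]))


def generalize_path(path: str, env_paths: dict = ENV_PATHS) -> str:
    """Replace the longest matching absolute prefix of `path` with its
    environment-variable form; paths with no match are returned normalized."""
    norm = _normalize(path)
    for var, prefix in _by_longest_prefix(env_paths):
        prefix_norm = _normalize(prefix)
        if norm.lower() == prefix_norm.lower():
            return var
        # Require a separator after the prefix so C:\Users\malware_user2 is not matched.
        if norm.lower().startswith(prefix_norm.lower() + "\\"):
            return var + norm[len(prefix_norm):]
    return norm


def generalize_line(line: str, env_paths: dict = ENV_PATHS) -> str:
    """Generalize every occurrence of a known absolute prefix inside a report line
    (case-insensitive, prefixes matched as written in the line)."""
    out = line
    for var, prefix in _by_longest_prefix(env_paths):
        out = re.compile(re.escape(prefix), re.IGNORECASE).sub(var, out)
    return out


if __name__ == "__main__":
    # Constructed sample line in the spirit of a Noriben file-activity entry.
    sample = r"[CreateFile] malware.exe:1234 > C:\Users\malware_user\AppData\Roaming\malware.exe"
    print(generalize_line(sample))
```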
--===[ Noriben v1.6 ]===--
--===[ @bbaskin ]===--

usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH]
                  [-t TIMEOUT] [--output OUTPUT] [--yara YARA] [--generalize]
                  [--cmd CMD] [-d]

optional arguments:
  -h, --help            show this help message and exit
  -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
  -p PML, --pml PML     Re-analyze an existing Noriben PML file
  -f FILTER, --filter FILTER
                        Specify alternate Procmon Filter PMC
  --hash HASH           Specify MD5 file whitelist
  -t TIMEOUT, --timeout TIMEOUT
                        Number of seconds to collect activity
  --output OUTPUT       Folder to store output files
  --yara YARA           Folder containing YARA rules
  --generalize          Generalize file paths to their environment variables.
  --cmd CMD             Command line to execute (in quotes)
  -d                    Enable debug tracebacks