How To

Noriben – A Python Based Sandbox For Malware Analysis

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In short, it lets you run your malware and get a simple text report of the malware's activities.
The tool only requires Sysinternals procmon.exe (or procmon64.exe) to operate. Noriben is an ideal solution for many unusual malware instances, such as those that would not run from within a standard sandbox environment: samples that require command line arguments, that have VMware/OS detection which has to be actively debugged, or that have extremely long sleep cycles. These issues go away with Noriben.
Simply run Noriben, then run your malware in whatever way makes it work. If there is active protection, run it within OllyDbg/Immunity while Noriben is running and bypass the anti-analysis checks. If its activity changes over days, simply kick off Noriben and the malware for a long weekend and process the results when you return to work.
  • If you have a folder of YARA signature files, you can specify it with the --yara option. Every new file will be scanned against these signatures, with the results displayed in the output report.
  • If you have a VirusTotal API key, place it into a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of detections.
  • You can add lists of MD5s to auto-ignore (such as all of your system files). Generate them with md5deep into a text file and use --hash to read it.
  • You can automate the script for sandbox usage. Using -t to set the execution time and --cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample.
  • The --generalize feature will automatically substitute absolute paths with Windows environment variables for better IOC development.
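To make the Procmon-to-report pipeline concrete, here is an added example written for this page; it is not Noriben's own code and does not reproduce its filters. It parses a constructed Procmon CSV export (the column layout mirrors Procmon's default export; the events are made up), drops background noise and non-SUCCESS results, deduplicates repeated events, applies a small version of the --generalize path rewriting to both the path and the detail column, and emits a grouped text report. The noise process names, path patterns, and environment-variable rules are illustrative assumptions; YARA scanning, MD5 ignore lists, and VirusTotal lookups are left out because they need files and network access.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon CSV export for this example (sample data, not real malware output).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0000001 PM","sample.exe","1234","Process Create","C:\\Users\\analyst\\AppData\\Local\\Temp\\dropper.exe","SUCCESS","PID: 2345, Command line: dropper.exe /s"
"1:02:03.0000002 PM","sample.exe","1234","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 4,096"
"1:02:03.0000003 PM","sample.exe","1234","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 4,096, Length: 4,096"
"1:02:03.0000004 PM","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\\Users\\analyst\\AppData\\Roaming\\svc.exe"
"1:02:03.0000005 PM","sample.exe","1234","TCP Connect","WIN10-VM:49152 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460"
"1:02:03.0000006 PM","sample.exe","1234","RegQueryValue","HKLM\\System\\CurrentControlSet\\Control\\Nls\\CodePage\\ACP","SUCCESS","Type: REG_SZ, Length: 8, Data: 1252"
"1:02:03.0000007 PM","svchost.exe","800","WriteFile","C:\\Windows\\Prefetch\\SAMPLE.EXE-1234.pf","SUCCESS","Offset: 0, Length: 512"
"1:02:03.0000008 PM","sample.exe","1234","WriteFile","C:\\Windows\\System32\\drivers\\etc\\hosts","ACCESS DENIED","Offset: 0, Length: 64"
"""

# Procmon operations worth reporting, mapped to a report section; everything else is noise.
INTERESTING_OPS = {
    "Process Create": "processes",
    "WriteFile": "files",
    "SetDispositionInformationFile": "files",  # file deletes/renames
    "RegSetValue": "registry",
    "RegDeleteValue": "registry",
    "TCP Connect": "network",
    "UDP Send": "network",
}

# Illustrative noise filters (assumed for this example): processes that churn in any VM
# and paths whose writes are side effects of running anything at all.
NOISE_PROCESSES = {"svchost.exe", "procmon.exe", "procmon64.exe", "explorer.exe"}
NOISE_PATH_PATTERNS = [
    re.compile(r"\\Prefetch\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
]

# Path prefixes rewritten to environment variables, most specific first (assumed rules).
GENERALIZE_RULES = [
    (re.compile(r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp", re.IGNORECASE), "%Temp%"),
    (re.compile(r"C:\\Users\\[^\\]+\\AppData\\Local", re.IGNORECASE), "%LocalAppData%"),
    (re.compile(r"C:\\Users\\[^\\]+\\AppData\\Roaming", re.IGNORECASE), "%AppData%"),
    (re.compile(r"C:\\Users\\[^\\]+", re.IGNORECASE), "%UserProfile%"),
    (re.compile(r"C:\\Windows", re.IGNORECASE), "%SystemRoot%"),
]


def generalize(text):
    """Rewrite absolute path prefixes inside text with Windows environment variables,
    so a single indicator matches across machines and user names."""
    for pattern, env_var in GENERALIZE_RULES:
        text = pattern.sub(env_var, text)
    return text


def is_noise(event):
    """True for events produced by background processes or known noisy paths."""
    if event["Process Name"].lower() in NOISE_PROCESSES:
        return True
    return any(p.search(event["Path"]) for p in NOISE_PATH_PATTERNS)


def parse_procmon_csv(text):
    """Read a Procmon CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def build_report(csv_text, generalize_paths=False):
    """Filter, deduplicate and group events into report sections."""
    report = defaultdict(list)
    seen = set()
    for event in parse_procmon_csv(csv_text):
        category = INTERESTING_OPS.get(event["Operation"])
        if category is None or event["Result"] != "SUCCESS" or is_noise(event):
            continue
        path, detail = event["Path"], event["Detail"]
        if generalize_paths:
            path, detail = generalize(path), generalize(detail)
        # Many writes to one file are a single indicator; keep the first occurrence.
        key = (category, event["Process Name"], event["PID"], event["Operation"], path)
        if key in seen:
            continue
        seen.add(key)
        report[category].append({
            "process": f'{event["Process Name"]}:{event["PID"]}',
            "operation": event["Operation"],
            "path": path,
            "detail": detail,
        })
    return dict(report)


def format_report(report):
    """Render the grouped events as the kind of plain text report an analyst reads."""
    lines = []
    for category in ("processes", "files", "registry", "network"):
        lines.append(f"[{category.upper()}]")
        for entry in report.get(category, []):
            lines.append(f'  {entry["process"]}, {entry["operation"]}, {entry["path"]}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_PROCMON_CSV, generalize_paths=True)))
```

Run as written, the report lists one dropped executable under %Temp%, one file written to %AppData%, one Run-key persistence entry whose data also points at %AppData%, and one outbound TCP connection; the prefetch write, the denied write to the hosts file, and the registry read are filtered out. Applying the same rules to the Detail column matters because persistence entries carry the path in the registry value's data, not in the key path.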