Noriben – Your Personal, Portable Malware Sandbox

“Noriben is the simplest bento, with nori dipped in soy sauce covering cooked rice.” – Wikipedia.org

Well, this post has less to do with Japanese lunches and more to do with analyzing malware… Local malware analyst extraordinaire Brian “@bbaskin” Baskin recently released a new Python-based tool called Noriben. The problem Brian was trying to solve revolved around being called out to do malware analysis with only the Windows resources he was given onsite. Often these computers lacked his standard arsenal of tools, so he needed something portable to use in these situations.

Enter Noriben … with the only requirement being Python and Sysinternals Procmon. To get started simply:

  • Run Noriben (noriben.py at any command prompt),
  • Execute your malware and let it run its course, and
  • Hit Ctrl-C and examine the Notepad text file that pops up.

Initiate Noriben by running noriben.py from the command line, execute the malware, and hit Ctrl-C after the malware has run its course.

The Notepad text file that pops up contains sections dedicated to Processes Created, File Activity, Registry Activity, Network Traffic, and Unique Hosts. The initial reports can become quite cumbersome so Noriben also creates a CSV file that analysts can later examine with filters. The process is again fairly simple.

  • Find the activities in the initial text file that are not of interest,
  • Add them to the filters list in the noriben.py file, and
  • Run Noriben again against the CSV file (noriben.py -r).

Obviously, a full malware analysis environment like Cuckoo is the preferred method, but in a pinch Brian’s Noriben is there…

You can find out more about Noriben in a recent post Brian wrote or just head right to the source on its GitHub repository.

#####

Today’s post pic is from Wikipedia.org. See ya!

11 comments for “Noriben – Your Personal, Portable Malware Sandbox”

  1. April 17, 2013 at 7:01 pm

    #NOVABLOGGER: Noriben – Your Personal, Portable Malware Sandbox http://t.co/hBcttTStZb http://t.co/cYHF0lcT4I

  2. April 17, 2013 at 8:53 pm

    Noriben – Your Personal, Portable Malware Sandbox http://t.co/ChPhjZQT9i

  3. April 17, 2013 at 10:21 pm

    Your Personal, Portable Malware Sandbox http://t.co/ANY5wQ60iy

  4. April 18, 2013 at 11:26 am

    Noriben – Your Personal, Portable Malware Sandbox | NoVA Infosec https://t.co/FrsWVJxC9V) by @grecs

  5. April 19, 2013 at 9:20 am

    Noriben – Your personal, portable #malware sandbox http://t.co/jyn5FUdxsd

  6. April 20, 2013 at 6:01 pm

    Noriben – Your Personal, Portable Malware Sandbox – find out more here http://t.co/H6g6PDSUYG

  7. April 22, 2013 at 12:11 pm

    Noriben – Your Personal, Portable Malware Sandbox http://t.co/bKnNNjafQJ

  8. April 22, 2013 at 4:27 pm

    Portable malware analysis sandbox env.
    http://t.co/fKrsKT9afm

  9. October 10, 2013 at 9:56 pm

    Are there any online versions of Noriben via a pseudo proxy? If so, we’ll add it here:

    http://totalhash.com/malware-sandbox-programs/

  10. October 11, 2013 at 2:23 pm

    totalhash: Not that I know of… Nice page btw…

  11. October 12, 2013 at 3:49 pm

    Thanks! We’re trying to make malware sandbox results more accessible and findable to the masses with a new twist.

    I like the simplicity that Noriben provides.
