Noriben – Your Personal, Portable Malware Sandbox

April 17, 2013

“Noriben is the simplest bento, with nori dipped in soy sauce covering cooked rice.” – Wikipedia.org

Well, this has less to do with Japanese lunches and more to do with analyzing malware… Local malware analyst extraordinaire Brian “@bbaskin” Baskin recently released a new Python-based tool called Noriben. The problem Brian was trying to solve revolved around being called out to do malware analysis with only the Windows resources he was given onsite. Often these computers lacked his standard arsenal of tools, so he needed something portable to use in these situations.

Enter Noriben … with the only requirements being Python and Sysinternals Procmon. To get started, simply:

  • Run Noriben (noriben.py at any command prompt),
  • Execute your malware and let it run its course, and
  • Hit Ctrl-C and examine the Notepad text file that pops up.

Initiate Noriben by running noriben.py from the command line, execute the malware, and hit Ctrl-C after the malware has run its course.

The Notepad text file that pops up contains sections dedicated to Processes Created, File Activity, Registry Activity, Network Traffic, and Unique Hosts. The initial reports can become quite cumbersome so Noriben also creates a CSV file that analysts can later examine with filters. The process is again fairly simple.

  • Find the activities in the initial text file that are not of interest,
  • Add them to the filters list in the noriben.py file, and
  • Run Noriben again against the CSV file (noriben.py -r).
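
An added example (not Noriben's own code) of the filter-and-reprocess idea in the steps above: it reads a Procmon-style CSV, drops rows whose path matches a noise-filter list, and groups the rest under the report's section names. The sample rows, the filter patterns, and the `build_report` helper are constructed for illustration; the column names are Procmon's default CSV export headers.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in Procmon's default CSV column layout (not real capture data).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","Process Create","C:\Users\lab\AppData\Local\Temp\drop.exe","SUCCESS",""
"10:01:02.2","sample.exe","1234","WriteFile","C:\Users\lab\AppData\Local\Temp\drop.exe","SUCCESS",""
"10:01:02.3","sample.exe","1234","CreateFile","C:\Windows\Prefetch\SAMPLE.EXE-1A2B3C4D.pf","SUCCESS",""
"10:01:03.0","drop.exe","2222","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS",""
"10:01:03.1","drop.exe","2222","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS",""
"10:01:04.0","drop.exe","2222","TCP Connect","lab-pc:49213 -> 203.0.113.10:80","SUCCESS",""
"10:01:05.0","drop.exe","2222","TCP Connect","lab-pc:49214 -> 203.0.113.10:443","SUCCESS",""
'''

# Hypothetical noise filters: regexes for paths the analyst judged not of interest.
NOISE_FILTERS = [r"\\Windows\\Prefetch\\", r"\\Cryptography\\RNG\\Seed$"]

# Procmon operation name -> report section named in the post.
SECTIONS = {
    "Process Create": "Processes Created",
    "CreateFile": "File Activity", "WriteFile": "File Activity",
    "RegSetValue": "Registry Activity", "RegCreateKey": "Registry Activity",
    "TCP Connect": "Network Traffic", "UDP Send": "Network Traffic",
}

def build_report(csv_text, filters=NOISE_FILTERS):
    """Group CSV events by section, skipping rows whose Path matches a filter."""
    compiled = [re.compile(p, re.IGNORECASE) for p in filters]
    report = defaultdict(list)
    hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        section = SECTIONS.get(row["Operation"])
        if section is None:
            continue  # operation type not covered by the report
        if any(rx.search(row["Path"]) for rx in compiled):
            continue  # analyst-defined noise
        report[section].append(
            f'{row["Process Name"]}:{row["PID"]} {row["Operation"]} {row["Path"]}')
        if section == "Network Traffic":
            # Path looks like "local:port -> remote:port"; keep the remote host only.
            hosts.add(row["Path"].split(" -> ")[-1].rsplit(":", 1)[0])
    report["Unique Hosts"] = sorted(hosts)
    return dict(report)

if __name__ == "__main__":
    for section, lines in build_report(SAMPLE_CSV).items():
        print(f"[{section}]")
        for line in lines:
            print("  " + line)
```

Calling `build_report(SAMPLE_CSV, filters=[])` shows the unfiltered view, which makes it easy to see what each filter removes before committing to it.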

Obviously a full malware analysis environment like Cuckoo is the preferred method but in a pinch Brian’s Noriben is there…

You can find out more about Noriben in a recent post Brian wrote or just head right to the source on its GitHub repository.

#####

Today’s post pic is from Wikipedia.org. See ya!


11 Responses to Noriben – Your Personal, Portable Malware Sandbox

  1. novainfosec (@novainfosec) on April 17, 2013 at 7:01 pm

    #NOVABLOGGER: Noriben – Your Personal, Portable Malware Sandbox http://t.co/hBcttTStZb http://t.co/cYHF0lcT4I

  2. Packetknife Too (@PacketknifeToo) on April 17, 2013 at 8:53 pm

    Noriben – Your Personal, Portable Malware Sandbox http://t.co/ChPhjZQT9i

  3. Jason Holbrook (@ocean11) on April 17, 2013 at 10:21 pm

    Your Personal, Portable Malware Sandbox http://t.co/ANY5wQ60iy

  4. 0xerror (@0xerror) on April 18, 2013 at 11:26 am

    Noriben – Your Personal, Portable Malware Sandbox | NoVA Infosec https://t.co/FrsWVJxC9V) by @grecs

  5. @geeknik on April 19, 2013 at 9:20 am

    Noriben – Your personal, portable #malware sandbox http://t.co/jyn5FUdxsd

  6. grecs (@grecs) on April 20, 2013 at 6:01 pm

    Noriben – Your Personal, Portable Malware Sandbox – find out more here http://t.co/H6g6PDSUYG

  7. @tjadanel on April 22, 2013 at 12:11 pm

    Noriben – Your Personal, Portable Malware Sandbox http://t.co/bKnNNjafQJ

  8. @nixfreakz on April 22, 2013 at 4:27 pm

    Portable malware analysis sandbox env.
    http://t.co/fKrsKT9afm

  9. totalhash on October 10, 2013 at 9:56 pm

    Are there any online versions of Noriben via a pseudo proxy? If so, we’ll add it here:

    http://totalhash.com/malware-sandbox-programs/

  10. grecs on October 11, 2013 at 2:23 pm

    totalhash: Not that I know of… Nice page btw…

  11. totalhash on October 12, 2013 at 3:49 pm

    Thanks! We’re trying to make malware sandbox results more accessible and findable to the masses with a new twist.

    I like the simplicity that Noriben provides.


About Us

Founded in 2008, NoVA Infosec is dedicated to the community of Metro DC-based security professionals and whitehat hackers involved in the government and other regulated verticals. Find out more on our About Us page.