Announcing Noriben
Noriben is an ideal solution for many unusual malware samples, such as those that will not run inside a standard sandbox environment: files that require command-line arguments, that have VMware/OS detection which must be actively debugged around, or that use extremely long sleep cycles. These issues go away with Noriben. Simply run Noriben, then run your malware in whatever way makes it work. If the sample has active protection, run it under OllyDbg/Immunity while Noriben is running and step past the anti-analysis checks. If its activity changes over days, simply kick off Noriben and the malware for a long weekend and process your results when you return to work.
Noriben only requires Sysinternals procmon.exe. You may optionally first tailor Procmon to your particular VM, a step that is unique to each person and their environment, in order to filter the noise of benign activity out of the logs. Alternatively, the filtering within Procmon can be kept sparse and you can instead place numerous filters within Noriben to remove the noise. (My personal preference is to perform moderate filtering within Procmon and the rest from Noriben, which lets me quickly remove filters for specific malware that likes to mimic benign services.) If you create Procmon filters, simply export them as ProcmonConfiguration.pmc and save that file in the same folder as Noriben.py.
Simply run Noriben and wait for it to set up. Once prompted, run your malware in another window. When the malware has reached a point of activity sufficient for analysis, stop Noriben by pressing Ctrl-C. Noriben will then stop the logging, gather all of the data, and process a report for you. It generates three files, all timestamped: a Procmon PML database, a text CSV document, and a text TXT file. The PML and CSV files constitute the main record of activity, with the TXT being the final report produced after applying filters. Found too many false positives in your report? Simply delete the TXT file, add filters to Noriben.py directly, and rerun it with the "-r <filename>.csv" option to repeat the analysis from the CSV.
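To make the CSV-to-report step concrete, here is a small added example (written for this page, not Noriben's own code) that reads a Procmon CSV export, drops events matching regex blacklists, and emits lines in the report style shown later in this post. It assumes Procmon's default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the blacklist entries and the sample rows are constructed for illustration and are not the project's shipped filters. Because malware commonly deletes its own dropper, the MD5 step reports a missing file instead of failing.

```python
import csv
import hashlib
import io
import os
import re

# Illustrative noise filters in the spirit of Noriben's blacklists (not the
# project's shipped lists). An event is dropped when its path, or the name of
# the process that generated it, matches any regex, case-insensitively.
FILE_BLACKLIST = [r"^C:\\Windows\\Prefetch\\", r"\\Temporary Internet Files\\"]
REG_BLACKLIST = [r"\\Explorer\\Shell Folders\\", r"\\MuiCache\\"]
PROC_BLACKLIST = [r"^procmon(64)?\.exe$"]

# Constructed sample of a Procmon CSV export using its default columns.
# Values echo the style of the report quoted in the post but are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0","Explorer.EXE","1432","Process Create","C:\Documents and Settings\Administrator\Desktop\hehda.exe","SUCCESS","PID: 2520, Command line: ""C:\Documents and Settings\Administrator\Desktop\hehda.exe"""
"10:01:02.4","hehda.exe","2520","CreateFile","C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\n","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.5","hehda.exe","2520","CreateFile","C:\WINDOWS\Prefetch\HEHDA.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.6","hehda.exe","2520","RegSetValue","HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel","SUCCESS","Type: REG_SZ, Length: 10, Data: Both"
"10:01:02.7","hehda.exe","2520","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 3444, Command line: ""C:\WINDOWS\system32\cmd.exe"""
"10:01:02.8","hehda.exe","2520","UDP Send","victim-pc:1045 -> google-public-dns-a.google.com:53","SUCCESS","Length: 48"
"10:01:03.0","cmd.exe","3444","SetDispositionInformationFile","C:\Documents and Settings\Administrator\Desktop\hehda.exe","SUCCESS","Delete: True"
"10:01:03.1","Procmon.exe","2100","CreateFile","C:\Documents and Settings\Administrator\Desktop\Noriben.pml","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"10:01:03.2","hehda.exe","2520","UDP Send","victim-pc:1045 -> google-public-dns-a.google.com:53","SUCCESS","Length: 48"
'''


def blacklisted(value, patterns):
    """True when any blacklist regex matches the value (case-insensitive)."""
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def md5_if_present(path):
    """MD5 a dropped file if it still exists. Droppers often delete
    themselves, so a missing file is reported rather than treated as an error."""
    if not os.path.isfile(path):
        return "file gone"
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def process_csv(text):
    """Turn a Procmon CSV export into de-duplicated Noriben-style report lines."""
    report, seen = [], set()
    for row in csv.DictReader(io.StringIO(text)):
        proc, pid, op = row["Process Name"], row["PID"], row["Operation"]
        path, result, detail = row["Path"], row["Result"], row["Detail"]
        if blacklisted(proc, PROC_BLACKLIST):
            continue                      # our own tooling, not the sample
        who = f"{proc}:{pid}"
        line = None
        if op == "Process Create":
            m = re.search(r"PID: (\d+), Command line: (.*)", detail)
            if m:
                line = f"[CreateProcess] {who} > {m.group(2)} [Child PID: {m.group(1)}]"
        elif op == "CreateFile" and result == "SUCCESS" and "OpenResult: Created" in detail:
            if not blacklisted(path, FILE_BLACKLIST):
                line = f"[CreateFile] {who} > {path} [MD5: {md5_if_present(path)}]"
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            if not blacklisted(path, FILE_BLACKLIST):
                line = f"[DeleteFile] {who} > {path}"
        elif op == "RegSetValue" and result == "SUCCESS":
            if not blacklisted(path, REG_BLACKLIST):
                data = re.search(r"Data: (.*)$", detail)
                line = f"[SetValue] {who} > {path} = {data.group(1) if data else ''}"
        elif op in ("UDP Send", "TCP Connect"):
            remote = path.split(" -> ")[-1]   # Procmon path is "local -> remote"
            line = f"[{op.split()[0]}] {who} > {remote}"
        if line and line not in seen:     # collapse repeated identical events
            seen.add(line)
            report.append(line)
    return report


if __name__ == "__main__":
    for entry in process_csv(SAMPLE_CSV):
        print(entry)
```

Run against the embedded sample, the Prefetch write and Procmon's own PML write are filtered out, the repeated DNS query collapses to one line, and the deletion of hehda.exe is attributed to cmd.exe by its PID, which is the same chain of evidence the report excerpts below rely on.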
Noriben - Origins
After many years in the Information Security industry, and training forensic investigators from every walk of life, I tend to hear the same complaints from most analysts. There is simply too much work to perform with not enough of a budget to purchase adequate tools. This is a growing concern for those in the malware analysis field, where the amount of malicious files comes in at a pace faster than most can keep up with.
To counter this problem, many organizations have found themselves putting a greater weight on automated tools. The industry targeting this particular segment has exploded in the past two years, with multiple large companies coming out with a large number of tools to help strained teams, but at large financial costs.
As a resourceful analyst on a small team, usually called in to provide surge support for others, I've had to find ways to work smarter with the tools I have. While setting up a Cuckoo sandbox server is a free and preferred method for quick analysis, I needed something more nimble and portable. This issue came up when I assisted on a response and was handed a laptop upon arrival, one that lacked most basic malware tools. Working alongside a team of junior analysts, we had a large mountain of files to analyze and no ready access to the Internet to analyze them quickly. The answer came from using simple tools already on the network and used by the system administrators, namely the Sysinternals Procmon. Procmon is already in the arsenal of most malware analysts as a way to monitor system activity during dynamic analysis. Using native functionality within Procmon, a comma-delimited (CSV) file can be generated, which was then analyzed through specifically tailored grep searches. That effort turned into a way of automating the process so it could be used by dozens of people. After months of personal usage and testing, the end result was Noriben.
Noriben in Action
In my last blog post, I showed one of my recent tools for parsing Java IDX files, a forensic byproduct of Java-based malware infections. In that post we talked about the first-stage malware attack, which was used solely to drop a file named hehda.exe into the user's Temporary folder. What was that executable and what does it do? Let's turn to Noriben:
Place your Noriben files (Noriben.py, procmon.exe, and optionally ProcmonConfiguration.pmc) into any standard Windows virtual machine. Then copy your malware to the VM.
Run Noriben and you will receive the following text:
After a while I see the original malware file, hehda.exe, disappear from my desktop. I wait about a minute and then press Ctrl-C to stop the scan. The following text is then displayed:
Notepad then automatically opens the resulting text report, which contains a lot of data; because the output is so large, it is provided at the following link:
Original Report
Now, this could be better. So, I adjust my filters by adding the items that don't interest me. I do this on the fly in this instance of Noriben.py within the VM, knowing that the changes are particular to this VM and that the new filters will be erased when I revert my snapshot. I then reprocess my file using "Noriben.py -r", as shown below:
The resulting report is much easier to process:
Filtered Report
From this, we can see a few highly notable items. The process list shows hehda.exe being executed and then spawning cmd.exe:
[CreateProcess] Explorer.EXE:1432 > "C:\Documents and Settings\Administrator\Desktop\hehda.exe" [Child PID: 2520]
[CreateProcess] hehda.exe:2520 > "C:\WINDOWS\system32\cmd.exe" [Child PID: 3444]
By following cmd.exe's PID, we can see it is later responsible for deleting hehda.exe.
Hehda.exe drops a few very interesting files, including:
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476]
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476]
Right away, a Google search on this MD5 value returns many interesting results telling us that antivirus vendors detect the file as ZeroAccess. The filenames themselves are also indicative of ZeroAccess.
How did this file gain persistence on the victim machine? Now that we see the files, we can peruse the registry values and see the following items:
[CreateKey] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
[CreateKey] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
[SetValue] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = Both
[SetValue] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\(Default) = C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\n.
And what other damage did it do? Well, it looks like it took out a few notable services, including those for the Windows Firewall and Windows Security Center:
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\DeleteFlag = 1
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 4
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\DeleteFlag = 1
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\Start = 4
That is one nasty piece of work. But, it gets better when we get down to the network traffic:
[UDP] hehda.exe:2520 > google-public-dns-a.google.com:53
[UDP] google-public-dns-a.google.com:53 > hehda.exe:2520
[HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80
[TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520
[UDP] hehda.exe:2520 > 83.133.123.20:53
[UDP] svchost.exe:1032 > 239.255.255.250:1900
[UDP] services.exe:680 > 206.254.253.254:16471
[UDP] services.exe:680 > 190.254.253.254:16471
[UDP] services.exe:680 > 182.254.253.254:16471
[UDP] services.exe:680 > 180.254.253.254:16471
[UDP] services.exe:680 > 135.254.253.254:16471
[UDP] services.exe:680 > 134.254.253.254:16471
[UDP] services.exe:680 > 117.254.253.254:16471
[UDP] services.exe:680 > 115.254.253.254:16471
[UDP] services.exe:680 > 92.254.253.254:16471
[UDP] services.exe:680 > 88.254.253.254.dynamic.ttnet.com.tr:16471
[UDP] services.exe:680 > 254.253.254.87.dynamic.monaco.mc:16471
The large list of IP addresses contacted on UDP port 16471 is another big indicator for ZeroAccess. Upon doing open-source research, you'll find that the dropped file "@" is a list of IP addresses used to bootstrap the malware onto the botnet network. Additionally, we see a request to "50.22.196.70-static.reverse.softlayer.com", the known domain for the MaxMind geolocation service API, giving the botnet owners a sense of where in the world your computer lies.
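The network section of the report is where the botnet pattern above stands out: one local process contacting many unrelated hosts on a single unusual port. As an added example (not part of Noriben), the following Python reads the report's own network lines, groups remote endpoints by protocol and port, flags any port with a large fan-out of distinct hosts, and produces a deduplicated host:port list that can be pasted into a firewall or IDS rule. The inbound lines (where the host appears on the left of the ">") and the SSDP multicast line are handled explicitly; the noise pattern and the fan-out threshold of 5 are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# The network lines exactly as they appear in the post's filtered report.
REPORT_LINES = """[UDP] hehda.exe:2520 > google-public-dns-a.google.com:53
[UDP] google-public-dns-a.google.com:53 > hehda.exe:2520
[HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80
[TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520
[UDP] hehda.exe:2520 > 83.133.123.20:53
[UDP] svchost.exe:1032 > 239.255.255.250:1900
[UDP] services.exe:680 > 206.254.253.254:16471
[UDP] services.exe:680 > 190.254.253.254:16471
[UDP] services.exe:680 > 182.254.253.254:16471
[UDP] services.exe:680 > 180.254.253.254:16471
[UDP] services.exe:680 > 135.254.253.254:16471
[UDP] services.exe:680 > 134.254.253.254:16471
[UDP] services.exe:680 > 117.254.253.254:16471
[UDP] services.exe:680 > 115.254.253.254:16471
[UDP] services.exe:680 > 92.254.253.254:16471
[UDP] services.exe:680 > 88.254.253.254.dynamic.ttnet.com.tr:16471
[UDP] services.exe:680 > 254.253.254.87.dynamic.monaco.mc:16471""".splitlines()

LINE_RE = re.compile(r"^\[(UDP|TCP|HTTP)\] (\S+) > (\S+)$")
PROC_RE = re.compile(r"\.exe:\d+$", re.IGNORECASE)   # "name.exe:pid" endpoint
# Assumed local-noise endpoints: SSDP discovery to the multicast address.
NOISE = [r"^239\.255\.255\.250:1900$"]


def parse_line(line):
    """Return (proto, process, host, port, direction) or None for non-network lines.
    The process side is whichever endpoint looks like name.exe:pid; the other
    side is the remote host, so inbound lines are handled as well."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, left, right = m.groups()
    if PROC_RE.search(left):
        proc, remote, direction = left, right, "out"
    elif PROC_RE.search(right):
        proc, remote, direction = right, left, "in"
    else:
        return None
    host, _, port = remote.rpartition(":")
    if not port.isdigit():
        return None
    return proto, proc.rsplit(":", 1)[0], host, int(port), direction


def summarize(lines):
    """Group remote endpoints by (proto, port), keeping the distinct hosts,
    the local processes involved, and how many lines were inbound."""
    summary = defaultdict(lambda: {"hosts": set(), "procs": set(), "inbound": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, proc, host, port, direction = parsed
        if any(re.search(p, f"{host}:{port}") for p in NOISE):
            continue
        entry = summary[(proto, port)]
        entry["hosts"].add(host)
        entry["procs"].add(proc)
        if direction == "in":
            entry["inbound"] += 1
    return dict(summary)


def fan_out_ports(summary, min_hosts=5):
    """Ports reached on many distinct hosts: the peer-list bootstrap pattern."""
    return sorted((proto, port, len(e["hosts"]))
                  for (proto, port), e in summary.items()
                  if len(e["hosts"]) >= min_hosts)


def blocklist(summary, exclude_ports=(53,)):
    """Unique host:port pairs for a block rule; the resolver on port 53 is the
    lookup, not the indicator, so it is excluded by default."""
    return sorted({f"{h}:{port}" for (_, port), e in summary.items()
                   if port not in exclude_ports for h in e["hosts"]})


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    for proto, port, n in fan_out_ports(s):
        print(f"{proto}/{port}: {n} distinct hosts from {sorted(s[(proto, port)]['procs'])}")
    print("\n".join(blocklist(s)))
```

The fan-out check reports UDP/16471 with eleven hosts, all contacted by services.exe rather than by hehda.exe, which is itself worth noting: a system service reaching a spread of foreign hosts on one port is what to look for on other machines.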
Conclusions / Post Analysis Mitigation
The goal of Noriben is to provide quick, simple answers to your questions, whether as a starting point for a more in-depth analysis of an infected system, for a better understanding of a malware's capabilities without static analysis, or for quickly crafting network filters to look for (and block) other infections. What files were created? What MD5s should I scan for? What network hosts and ports are being used? The plain-text report lets you quickly see the data and copy/paste it into the relevant solution.
Noriben is not a turn-key solution. While the built-in filters will remove most innocuous items, the user will likely need to adjust and add filters to remove additional benign entries. It's highly recommended to run Noriben in your VM alongside benign applications and modify the built-in filters to suit your particular operating system. Editing is extremely easy: just open Noriben.py in any text editor and add new items to the respective blacklist.
Noriben is hosted on GitHub
P.S. Why call it Noriben? Noriben (海苔弁) is a very simple Japanese lunch box. Noriben are plentiful in shops, provide your basic nourishment, and are a staple meal for a struggling family. It felt only appropriate to analogize it to Noriben.py, a very simple sand box that provides basic indicators, can directly feed your security solutions, and fits easily within the budget of any organization.
P.P.S. If you have any errors or unusual items that you want to report, email the PML/CSV/TXT files (ZIP is fine) to brian -=[at]=- thebaskins -=[dot]=- com. Additionally, if you have any notable filter items that you would like to share, I will review them and, if helpful, add to the trunk with credit to you.
1 May 13: Rewritten to be forward compatible with Python 3.x. Works in both versions of Python now.
30 Apr 13: Regular Expression support implemented and working.
17 Apr 13: Major bug fixes in filters. Now dramatically reduces false positives.
16 Sep 13: Version 1.4 now lets you specify the malware on the command line and set a timeout period to be more sandbox-like. It also adds the feature of generalizing paths to their corresponding environment variables. More on that here.