Automated Malware Sandboxing with VMWare and Noriben

Noriben is a simple script that allows you to run malware within a sandbox to analyse what processes it runs, what files it modifies, and what changes it makes to a system.

Running malware locally makes sense when there is a reluctance to upload files to online services such as Malwr.

Though most malware is run locally using Cuckoo, this requires some considerable effort to setup properly across different non-Linux based environments, such as Windows or OS X.

Noriben is, in essence, a wrapper for procmon – using it to collect hundreds of thousands of events which are then passed through for analysis against a list of whitelisted events, thereby having a reductive effect on the total list which can be more easily analysed.

A neat method to create an automated malware sandbox environment is to install Noriben within a VNWare virtualised environment and then use the vmrun command to revert the VM to a previous snapshot, import the malware, run Noriben, and then output the file in a zipped format to the host system for review. This can be used to generate a malware report within a couple of minutes.

You can download Noriben from here and read more about automated sandboxing via VMWare at Ghetto Forensics