Friday, June 24, 2022

Norimaci: Simple and Lightweight Malware Analysis Sandbox for macOS





"Norimaci" is a simple and lightweight malware analysis sandbox for macOS. The tool was inspired by "Noriben". Where Noriben drives Sysinternals Process Monitor (procmon) on Windows, Norimaci uses the features of OpenBSM or FireEye's Monitor.app to record macOS system activity.

Norimaci consists of three Python scripts:

  • norimaci.py : main script (starts and stops the monitor, then builds the report and the timeline)
  • openbsmconv.py : OpenBSM audit log converter (BSM trail to JSON)
  • monitorappconv.py : Monitor.app data converter (Monitor.app data to JSON)

OpenBSM is the audit framework built into macOS. Please see its project page for details.

Monitor.app is a free tool made by FireEye. Please see its page for details.

Why "Norimaci"?

My former colleague (@cci_forensics) suggested this name.

"Norimaci" is a coined word combining "Noriben" and "Macintosh". It is pronounced "Norimaki" and represents "のり巻き" in Japanese, which means "sushi roll" in English.

Noriben is a Japanese-style lunch box that consists of minimal ingredients. The ingredients of norimaki are similar to those of noriben (seaweed, rice, and whatever else you like).

So, I decided to name this tool "Norimaci".

Requirements

  • OS X 10.6 or later (I tested on macOS 10.13 - 10.15)
  • A hypervisor such as VMware Fusion, Parallels or VirtualBox
  • Python 3.5 or later

Optional requirement

Note that Monitor.app supports only macOS 10.12 - 10.14. You do not have to install it if you want to execute malware on macOS 10.15 or later; use OpenBSM instead.

If you use Norimaci with Monitor.app, you have to install the libraries below from their source repositories or with pip.

Preparing

Build virtual machines to execute malware

You have to build a macOS VM in which to execute malware samples. In addition, it is highly recommended to build a second VM that provides a fake Internet, because much malware tries to reach its servers (e.g. C2 servers): with no network at all a sample may simply exit, and with a real uplink it would contact them for real.

PolarProxy and INetSim are very useful tools for providing fake HTTP/HTTPS and DNS services. Please refer to the NETRESEC blog for how to build a fake Internet.

Edit /etc/security/audit_control

If you use OpenBSM to monitor system activity, you have to modify /etc/security/audit_control as shown below, because by default OpenBSM records only login/logout (lo) and authentication/authorization (aa) events. Norimaci needs more audit classes: file creation (fc), file deletion (fd), process events (pc), network events (nt) and program execution (ex). The flags line selects the classes for attributable events (those tied to a logged-in user) and naflags the classes for non-attributable ones, so both lines must be changed.

The computer must be rebooted after the modification to apply the setting. Note that Apple deprecated the OpenBSM audit subsystem in macOS 11 in favor of the Endpoint Security framework, so check that auditd is still available on the guest you build.

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa,fc,fd,pc,nt,ex <- edit here like this
minfree:5
naflags:lo,aa,fc,fd,pc,nt,ex <- edit here like this
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
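The edit above is easy to get wrong by hand (only the flags and naflags selectors change, everything else must stay). The script below is an added example, not part of Norimaci: it rewrites both selector lines of a given audit_control file to the classes Norimaci needs, keeps a backup, and checks that every required class is present as a plain token. The file path is a parameter so it can be tried on a copy; the stock file contents in the demo are constructed from the defaults shown above.

```shell
#!/bin/sh
# Added example (not Norimaci's own code). On the real guest run
#   sudo sh audit_flags.sh /etc/security/audit_control
# and reboot afterwards so auditd picks up the new selectors.

NORIMACI_CLASSES="lo,aa,fc,fd,pc,nt,ex"   # defaults + file create/delete, process, network, exec

# set_audit_flags FILE [CLASSES]: rewrite the flags: and naflags: selectors in
# FILE to CLASSES (default: NORIMACI_CLASSES). Every other line is copied through.
set_audit_flags() {
    file="$1"
    classes="${2:-$NORIMACI_CLASSES}"
    [ -f "$file" ] || { echo "set_audit_flags: no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.norimaci.bak" || return 1
    tmp="$file.tmp.$$"
    sed -e "s|^flags:.*|flags:$classes|" \
        -e "s|^naflags:.*|naflags:$classes|" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# get_selector FILE KEY: print the value of the KEY: line (flags or naflags).
get_selector() {
    sed -n "s/^$2://p" "$1"
}

# has_classes FILE KEY: succeed only if every class in NORIMACI_CLASSES appears
# as a plain token on the KEY: line. A prefixed token such as "+fc" (successes
# only) or "-fc" (failures only) does not count, since Norimaci wants both.
has_classes() {
    line=$(get_selector "$1" "$2")
    for c in $(printf '%s' "$NORIMACI_CLASSES" | tr ',' ' '); do
        case ",$line," in
            *",$c,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demo on a constructed copy of the stock file (runs when no argument is given).
demo() {
    d=$(mktemp -d)
    cat > "$d/audit_control" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
    has_classes "$d/audit_control" flags && echo "unexpected: classes already set"
    set_audit_flags "$d/audit_control"
    cat "$d/audit_control"
    if has_classes "$d/audit_control" flags && has_classes "$d/audit_control" naflags; then
        echo "OK: flags and naflags now include $NORIMACI_CLASSES"
    fi
    rm -rf "$d"
}

if [ $# -eq 0 ]; then
    demo
else
    set_audit_flags "$1" && has_classes "$1" flags && has_classes "$1" naflags \
        && echo "OK: $1 updated (backup in $1.norimaci.bak); reboot to apply"
fi
```

After the reboot, a quick way to confirm that the new classes are being recorded is to read the active trail, which macOS exposes through the /var/audit/current symlink, with sudo praudit /var/audit/current and look for execve(2) and open(2) records rather than only login events.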

Usage

Basic usage with OpenBSM (the most common usage)

  1. Run norimaci.py with sudo.
  2. Run a malware sample (you can run any kind of malware, for example a DMG, a PKG, a Mach-O binary, etc.).
  3. Wait for a while (until the malware has had time to do its work).
  4. Press "Ctrl + C" at the appropriate time in the terminal where Norimaci is running.
  5. Two kinds of reports are generated (Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv).
  6. Check the reports with your favorite tools (e.g. text editors, grep, less, etc.).
$ sudo python3 ./norimaci.py -m openbsm -o ./out/
Password:

--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
[*] Launching OpenBSM agent...
[*] When runtime is complete, press CTRL+C to stop logging.
^C
[*] Termination of OpenBSM agent commencing... please wait
[*] Converting OpenBSM data ...
[*] Loading converted macOS activity data ...
[*] Saving report to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219.txt
[*] Saving timeline to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219_timeline.csv

Basic usage with Monitor.app

Note: Monitor.app cannot run on macOS 10.15, but it works fine on macOS 10.14 or earlier.

  1. Run norimaci.py with sudo.
  2. Enter a password after Norimaci launches Monitor.app (Monitor.app needs a password to install its kext).
  3. Run a malware sample (you can run any kind of malware, for example a DMG, a PKG, a Mach-O binary, etc.).
  4. Wait for a while (until the malware has had time to do its work).
  5. Press "Ctrl + C" at the appropriate time in the terminal where Norimaci is running.
  6. Two kinds of reports are generated (Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv).
  7. Check the reports with your favorite tools (e.g. text editors, grep, less, etc.).

Help of the scripts

$ python3 ./norimaci.py -h

--===[ Norimaci v0.1.0
--===[ Minoru Kobayashi [@unkn0wnbit]
usage: norimaci.py [-h] [-m MONITOR] [-j JSON] [-bl OPENBSM_LOG] [-p PROCLIST]
                   [-ml MONITORAPP_LOG] [-o OUTPUT] [--force] [--debug]

Light weight sandbox which works with OpenBSM or Fireeye's Monitor.app

optional arguments:
  -h, --help            show this help message and exit
  -m MONITOR, --monitor MONITOR
                        Specify a program to monitor macOS activity. You can
                        choose 'openbsm' or 'monitorapp'.
  -j JSON, --json JSON  Path to a JSON file which is converted by
                        'openbsmconv.py' or 'monitorappconv.py'.
  -bl OPENBSM_LOG, --openbsm-log OPENBSM_LOG
                        Path to an OpenBSM log file.
  -p PROCLIST, --proclist PROCLIST
                        Path to a process list file to process OpenBSM log
                        file. A file which has ".proclist" extension will be
                        used, if this option is not specified.
  -ml MONITORAPP_LOG, --monitorapp-log MONITORAPP_LOG
                        Path to a Monitor.app data file.
  -o OUTPUT, --output OUTPUT
                        Path to an output directory.
  --force               Enable to overwrite output files.
  --debug               Enable debug mode.

$ python3 ./openbsmconv.py -h
usage: openbsmconv.py [-h] [-f FILE] [-p PROCLIST] [-o OUT] [-c] [-rp]
                      [--with-failure] [--with-failure-socket] [--force]
                      [--debug]

Converts OpenBSM log file to JSON format.

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Path to a bsm log file
  -p PROCLIST, --proclist PROCLIST
                        Path to a process list file
  -o OUT, --out OUT     Path to an output file
  -c, --console         Output JSON data to stdout.
  -rp, --use-running-proclist
                        Use the current running process list instead of an
                        existing process list file. The process list is saved
                        to a file placed in the same directory as '--file' or
                        to the file specified by '--proclist'.
  --with-failure        Output records which have a failure status too.
  --with-failure-socket
                        Output records which have a failure status too (related
                        to the socket() syscall only).
  --force               Enable to overwrite an existing output file.
  --debug               Enable debug mode.
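The conversion step that openbsmconv.py performs in the OpenBSM workflow above (BSM trail in, JSON events out, failed records dropped unless --with-failure, process names resolved through a process list) is easy to reason about once you see it on a few records. The code below is an added example written for this page, not Norimaci's own converter: it reads the XML that praudit -x produces instead of raw BSM, classifies exec, file-create, file-delete and connect records, and resolves pids to image names from a snapshot plus the execs it sees. The sample trail and the process-list snapshot are constructed, and the record layout follows what praudit -x emits (record, subject, path, exec_args, socket-inet and return tokens).

```python
import json
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of `praudit -x` output (not captured from a real host): a
# shell (pid 4242) execs curl, curl creates /private/tmp/payload, its connect()
# is refused, then the file is unlinked.
SAMPLE_PRAUDIT_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<audit>
<record version="11" event="execve(2)" modifier="0" time="Tue Jan 14 15:55:01 2020" msec=" + 93 msec" >
<exec_args><arg>/usr/bin/curl</arg><arg>-o</arg><arg>/tmp/payload</arg><arg>http://192.0.2.10/p</arg></exec_args>
<path>/usr/bin/curl</path>
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="4242" sid="100005" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>
<record version="11" event="open(2) - write,creat,trunc" modifier="0" time="Tue Jan 14 15:55:02 2020" msec=" + 10 msec" >
<path>/private/tmp/payload</path>
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="4242" sid="100005" tid="0 0.0.0.0" />
<return errval="success" retval="4" />
</record>
<record version="11" event="connect(2)" modifier="0" time="Tue Jan 14 15:55:02 2020" msec=" + 50 msec" >
<socket-inet type="2" port="80" addr="192.0.2.10" />
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="4242" sid="100005" tid="0 0.0.0.0" />
<return errval="failure : Connection refused" retval="-1" />
</record>
<record version="11" event="unlink(2)" modifier="0" time="Tue Jan 14 15:55:03 2020" msec=" + 1 msec" >
<path>/private/tmp/payload</path>
<subject audit-uid="501" uid="501" gid="20" ruid="501" rgid="20" pid="4242" sid="100005" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>
</audit>
"""

# Constructed pid -> image snapshot standing in for the ".proclist" file: BSM
# subject tokens carry only a pid, so processes already running when logging
# started can only be named from such a snapshot.
SAMPLE_PROCLIST = {1: "launchd", 4242: "bash"}


def classify(event_name):
    """Map a praudit event name to the activity kinds a sandbox report wants."""
    if event_name.startswith(("execve(2)", "posix_spawn(2)")):
        return "process_exec"
    if event_name.startswith("open(2)") and "creat" in event_name:
        return "file_create"
    if event_name.startswith(("unlink(2)", "rmdir(2)")):
        return "file_delete"
    if event_name.startswith("connect(2)"):
        return "network_connect"
    return None  # login, authentication, stat() and similar are not reported


def parse_praudit_xml(xml_text, proclist=None, with_failure=False):
    """Return event dicts in log order. As with openbsmconv.py's default, records
    whose return token is not "success" are dropped unless with_failure is set."""
    procs = dict(proclist or {})
    events = []
    for rec in ET.fromstring(xml_text).iter("record"):
        kind = classify(rec.get("event", ""))
        if kind is None:
            continue
        ret = rec.find("return")
        success = ret is not None and ret.get("errval") == "success"
        if not success and not with_failure:
            continue
        subj = rec.find("subject")
        pid = int(subj.get("pid")) if subj is not None else -1
        paths = [p.text for p in rec.findall("path") if p.text]
        sock = rec.find("socket-inet")
        if kind == "network_connect" and sock is not None:
            target = "%s:%s" % (sock.get("addr"), sock.get("port"))
        else:
            target = paths[0] if paths else ""
        ms = re.search(r"\d+", rec.get("msec", ""))
        events.append({
            "time": rec.get("time", ""),
            "msec": int(ms.group()) if ms else 0,
            "pid": pid,
            "process": procs.get(pid, "unknown(%d)" % pid),
            "event": kind,
            "target": target,
            "args": [a.text or "" for a in rec.findall("exec_args/arg")],
            "success": success,
        })
        # A successful exec replaces the image behind this pid: later records
        # from it belong to the new program, which no pre-run snapshot can know.
        if kind == "process_exec" and success and paths:
            procs[pid] = os.path.basename(paths[0])
    return events


def to_json(events):
    """Serialise like the converters do: UTF-8 strings, not escaped."""
    return json.dumps(events, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(to_json(parse_praudit_xml(SAMPLE_PRAUDIT_XML, SAMPLE_PROCLIST, with_failure=True)))
```

Run on the sample with the process list, the default filter yields three events: bash executing curl, curl creating /private/tmp/payload, and curl deleting it; the refused connect() only appears with with_failure=True. Run without the snapshot the first record is attributed to "unknown(4242)", which is exactly the gap the -p/--proclist and -rp options of openbsmconv.py exist to close.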

$ python3 ./monitorappconv.py -h
usage: monitorappconv.py [-h] [-f FILE] [-o OUT] [-c] [--force] [--debug]

Parses data of Fireeye Monitor.app and converts it to JSON format. Please note
that strings in JSON data are saved as UTF-8.

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Path to saved data of Monitor.app.
  -o OUT, --out OUT     Path to an output file.
  -c, --console         Output JSON data to stdout.
  --force               Enable to overwrite an output file.
  --debug               Enable debug mode.

Demo

Analyzing AppleJeus.A on macOS 10.15 Catalina with Norimaci. This demo movie was made for the Japan Security Analyst Conference 2020 (JSAC2020).

Installation

git clone https://github.com/mnrkbys/norimaci.git

Future Work

  • YARA scanning
  • VirusTotal scanning

Author

Minoru Kobayashi

License

Apache License, Version 2.0

