norimaci: simple and lightweight malware analysis sandbox for macOS

Norimaci

“Norimaci” is a simple and lightweight malware analysis sandbox for macOS. This tool was inspired by “Noriben“. Norimaci uses the features of OpenBSM or Monitor.app to monitor macOS system activity instead of Sysinternals Process Monitor (procmon).

Norimaci consists of 3 Python scripts.

• norimaci.py : Main script
• openbsmconv.py : OpenBSM audit log converter
• monitorappconv.py : Monitor.app data converter

OpenBSM is a framework to audit activities on macOS. Please see their web site for details.

Monitor.app is a free tool which is made by FireEye. Please see their web site for details.

Install

git clone https://github.com/mnrkbys/norimaci.git

Usage

Basic usage with OpenBSM (most standard usage)

1. Run norimaci.py with sudo.
2. Run a sample of malware (You can run any type of malware. For example, DMG, PKG, Mach-O binary, and so on).
3. Wait for a while (Until, the malware can get their goal).
4. Press “Ctrl + C ” at the appropriate time in the terminal where Norimaci runs in.
5. 2 kind of reports are generated (Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv).
6. Confirm reports with your favorite tools (e.g. text editors, grep, less, etc).

   $ sudo python3 ./norimaci.py -m openbsm -o ./out/
   
   Password:
   
   
   
   --===[ Norimaci v0.1.0
   
   --===[ Minoru Kobayashi [@unkn0wnbit]
   
   [*] Launching OpenBSM agent...
   
   [*] When runtime is complete, press CTRL+C to stop logging.
   
   ^C
   
   [*] Termination of OpenBSM agent commencing... please wait
   
   [*] Converting OpenBSM data ...
   
   [*] Loading converted macOS activity data ...
   
   [*] Saving report to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219.txt
   
   [*] Saving timeline to: /Users/macforensics/tools/norimaci/out/Norimaci_14_Jan_20__15_55_093219_timeline.csv

Basic usage with Monitor.app

Note: Monitor.app can not run on macOS 10.15. But, it works fine on macOS 10.14 or earlier.

1. Run norimaci.py with sudo.
2. Enter a password after Norimaci launches Monitor.app (Monitor.app needs a password to install its kext).
3. Run a sample of malware (You can run any type of malware. For example, DMG, PKG, Mach-O binary, and so on).
4. Wait for a while (Until, the malware can get their goal).
5. Press “Ctrl + C ” at the appropriate time in the terminal where Norimaci runs in.
6. 2 kinds of reports are generated (Norimaci_dd_Mon_yy__hh_mm_ffffff.txt and Norimaci_dd_Mon_yy__hh_mm_ffffff_timeline.csv).
7. Confirm reports with your favorite tools (e.g. text editors, grep, less, etc).

Demo

Tutorial

Copyright (C) 2020 Minoru Kobayashi

Source: https://github.com/mnrkbys/