Ok, ok, more final

Noriben.config

@@ -36,13 +36,14 @@ guest_malware_path = C:\Malware\malware_
 error_tolerance = 5
 dontrun = False
 #vm_snapshot = YourVMSnapshotNameHere
-#vm_snapshot = 1 Mar 21
-vm_snapshot = test_malware
 
 # VMware Settings:
-# vmrun = C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe    # For Windows
-vmrun = /Applications/VMware Fusion.app/Contents/Library/vmrun
+# Windows
+# vmrun = C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe
 # vmx = E:\VMs\Windows.vmwarevm\Windows.vmx
+
+# macOS
+vmrun = /Applications/VMware Fusion.app/Contents/Library/vmrun
 vmx = ~/VMs/Win10\ Malware.vmwarevm/Win10\ Malware.vmx
 
 # VirtualBox Settings:
@@ -61,7 +62,7 @@ vbox_uuid = c9a4e740-ed5f-42ae-ae31-e753319e3cc2  # Run: VBoxManage list vms
 
 # These entries are applied to all approvelists
 # If these entries appear in any context, then ignore that entry
-# TODO: Rewrite these to include their actual paths
+# TODO: Rewrite these to include their actual paths. Sometimes this isn't captured
 global_approvelist =
         VMwareUser.exe,      # VMware User Tools
         CaptureBAT.exe,      # CaptureBAT Malware Tool
@@ -114,7 +115,7 @@ file_approvelist =
         %%AllUsersProfile%%\Microsoft\Windows\AppRepository\StateRepository,
         %%AppData%%\Microsoft\Proof\*,
         %%AppData%%\Microsoft\Templates\*,
-        %%AppData%%\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms,
+        %%AppData%%\Microsoft\Windows\Recent\AutomaticDestinations\*,
         %%LocalAppData%%\Google\Drive\sync_config.db*,
         %%LocalAppData%%\GDIPFONTCACHEV1.DAT,
         %%LocalAppData%%\Microsoft\OneDrive\StandaloneUpdater\*,
@@ -142,6 +143,7 @@ file_approvelist =
         %%WinDir%%\System32\catroot2\edb....,
         %%WinDir%%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*,
         %%WinDir%%\System32\spool\drivers\*,
+        %%WinDir%%\System32\sru\SRU,
         %%WinDir%%\Temp\fwtsqmfile00.sqm,  # Software Quality Metrics (SQM) from iphlpsvc
 
         # Filter on requested access. Note, hard commas are not supported.

NoribenSandbox.py

@@ -1,7 +1,10 @@
 # Noriben Sandbox Automation Script
+# Brian Baskin
+# Part of the Noriben analysis repo
+# Source: github.com/rurik/Noriben
 #
 # Changelog:
-# V 2.0   - January 2023
+# V 2.0   - August 2023
 #       Placed all editable data into Noriben.config file.
 #       Cleaned up some logic and bugs
 #       Added basic support for VirtualBox... still TODO
@@ -541,7 +544,6 @@ def copy_file_to_zip(cmd_base, filename):
     Results:
          integer value of command line execution return code
     """
-
     global error_count
 
     cmd = '"{}" -gu {} -gp {} fileExistsInGuest {} "{}"'.format(config['vmrun'], config['vm_user'], config['vm_pass'],
@@ -570,6 +572,7 @@ def copy_file_to_zip(cmd_base, filename):
         return return_code
     return 0
 
+
 def main():
     """
     Primary code. This parses command line arguments, sets configuration options,
@@ -580,16 +583,19 @@ def main():
     Result:
         none
     """
-    global debug
-    global dontrun
     global config
     global error_count
+    global debug
+    global dontrun
+    global script_cwd
     global vm_hypervisor
 
     # Error count is a soft trigger used for mass-execution to track when there was an abnormal
     # number of issues that execution should just stop
     error_count = 0
 
+    script_cwd = os.path.dirname(os.path.abspath(__file__))
+
     parser = argparse.ArgumentParser()
     parser.add_argument('-f', '--file', help='filename', required=False)
     parser.add_argument('-d', '--debug', dest='debug', action='store_true', help='Show all commands for debugging',
@@ -624,15 +630,21 @@ def main():
 
     # Load config file first, then use additional args to override those values if necessary
     if args.config:
-        if file_exists(args.config):
+        config_cwd = os.path.join(script_cwd, 'Noriben.config')
+
+        if file_exists(args.config):  # Check arg path for current folder
             read_config(args.config)
+
+        elif file_exists(config_cwd):
+            read_config(config_cwd)
         else:
             print('[!] Config file {} not found!'.format(args.config))
             sys.exit(14)
 
 
     if not args.file and not args.dir:
-        print('[!] A filename or directory name are required. Run with --help for more options')
+        print(parser.print_help())
+        print('[!] A filename or directory name are required!')
         sys.exit(13)
 
     if args.recursive and not args.dir:

postexec.txt

@@ -1,6 +1,13 @@
-# exec launches the specified command line
-# execwait launches the specific command line and pauses until execution has completed (not guaranteed depending on program)
-# All commands require an absolute path to the executable 
+# Example post-execution script for Noriben
+#
+# All commands are run in the order specified here
+# All commands require an absolute path to the executable
+#
+# Valid commands:
+# exec <cmdline> will launch the specified command line
+# execwait <cmdline> will launch the specific command line and pauses until execution has completed (not guaranteed depending on program)
+# collect <file> will attempt to include specified file in the report ZIP
+# sleep <N> will sleep N number of seconds. Useful to let background processes catch up
 #
 exec C:\windows\system32\calc.exe
 execwait C:\windows\notepad.exe c:\test.txt