onigiri

onigiri - remote malware triage script

Check my blog about the purpose.

Preparation

Install Python

  • You need both Python x86 (for Volatility) and Python x64 (for the F-Response COM DLLs) if the installed F-Response binaries are 64-bit
    • Set the x86 Python path in g_x86_python_path or specify it with the -p option

Install the following Python packages

Install Volatility Framework and openioc_scan

Download FTK Imager CLI version

Open TCP ports

  • examiner: tcp/5681
  • victim: tcp/3260-3261 (Consultant), tcp/445 (Consultant+Covert, Enterprise)
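The port requirements above are easy to get wrong (a host firewall on the victim, or the examiner's License Manager Monitor not yet listening), and F-Response tends to fail late with an opaque COM error when they are. The following preflight check is an added example, not part of onigiri: it takes the port numbers from this README, attempts a plain TCP connect to each one for the chosen edition, and reports which are unreachable before you start the triage run. Host names and the edition-to-port mapping are assumptions drawn from the list above.

```python
"""Preflight TCP reachability check for the F-Response ports listed in this README.

Added example (not part of onigiri): verify the victim-side ports and the examiner-side
port respond before running the triage script. Port numbers come from the README;
host names passed in are whatever the examiner uses for the victim machine.
"""
import socket
from typing import Dict, List, Tuple

# Victim-side ports per edition (from the README): Consultant uses iSCSI on 3260-3261,
# Consultant+Covert and Enterprise use SMB on 445. The examiner side listens on 5681.
VICTIM_PORTS = {
    "Consultant": [3260, 3261],
    "Consultant+Covert": [445],
    "Enterprise": [445],
}
EXAMINER_PORT = 5681


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connect; True on success, False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(victim: str, edition: str, examiner: str = "127.0.0.1",
              timeout: float = 2.0) -> Dict[Tuple[str, int], bool]:
    """Check every port the given F-Response edition needs; result keyed by (host, port).

    The examiner check only confirms the License Manager Monitor is listening locally;
    it cannot tell you whether the victim can reach it through the examiner's firewall.
    """
    if edition not in VICTIM_PORTS:
        raise ValueError(f"unknown edition {edition!r}; choose one of {sorted(VICTIM_PORTS)}")
    results: Dict[Tuple[str, int], bool] = {}
    for port in VICTIM_PORTS[edition]:
        results[(victim, port)] = tcp_port_open(victim, port, timeout)
    results[(examiner, EXAMINER_PORT)] = tcp_port_open(examiner, EXAMINER_PORT, timeout)
    return results


def missing_ports(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs that did not accept a connection, sorted."""
    return sorted(key for key, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys

    # Usage: python preflight.py <victim-host> <Consultant|Consultant+Covert|Enterprise>
    victim_host, edition_name = sys.argv[1], sys.argv[2]
    outcome = preflight(victim_host, edition_name)
    for (host, port), ok in sorted(outcome.items()):
        print(f"{host}:{port} {'open' if ok else 'UNREACHABLE'}")
    sys.exit(1 if missing_ports(outcome) else 0)
```

Run it from the examiner machine with the victim's host name and the edition you licensed; a non-zero exit means at least one required port did not answer, which is the first thing to fix before looking at COM or iSCSI errors.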

Configure F-Response

  • Set examinerIP/username/password for iSCSI authentication and enable PhysicalMemory/FlexdiskAPI
  • Save fresponse.ini on F-Response Consultant Connector (consultant and Consultant+Covert only)

Usage

  1. Run F-Response License Manager Monitor on the examiner machine, then start it
  2. Run the F-Response agent program on the victim machine, then start it using the GUI tools (Consultant and Consultant+Covert only)
  3. Run this script and check the result
    • Type -h for help
      • Specify the folder path including fresponse.ini (Consultant and Consultant+Covert only). fresponse.ini should be generated on Consultant Connector, not Enterprise Management Console
      • Specify credentials of a domain admin or the local built-in Administrator account (Enterprise only)

Troubleshooting

COM Errors

If you get any errors about win32com, try the following:

  • Check the COM DLL (e.g., FCCCTRLx64.dll, FEMCCTRLx64.dll) architecture. You need x64 python and win32com for x64 DLL.

  • Check the COM API CLSIDs in the registry (e.g., search for FCCCTRL or FEMCCTRL). If they are not found, register the COM DLLs using the regsvr32 command. You need the x86 regsvr32 (under C:\Windows\SysWOW64) if your COM DLL is the 32-bit version.

    regsvr32 "C:\Program Files\F-Response\FEMCCTRLx64.dll"
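The first check above, matching the DLL's architecture to the Python you run, can be done without loading the DLL: the PE header's Machine field says whether the image is x86 or x64, and a 64-bit DLL cannot be loaded into a 32-bit interpreter (or vice versa), which is exactly what win32com attempts. The script below is an added example, not part of onigiri or F-Response; it reads the COFF header, compares it with the interpreter's pointer size, and reports a mismatch. The DLL names in the usage line are the ones mentioned above, and make_fake_pe builds constructed headers for self-testing, not real F-Response binaries.

```python
"""Check whether a COM DLL's architecture matches the running Python.

Added example for this README (not part of onigiri): reads the PE header's Machine
field to tell a 32-bit DLL from a 64-bit one without loading it, then compares with
the bitness of the interpreter that win32com would load it into.
"""
import struct
import sys
from typing import Optional

# Machine values from IMAGE_FILE_HEADER.Machine in the PE COFF header.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_BITS = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}


def pe_bitness(data: bytes) -> int:
    """Return 32 or 64 for a PE image given its leading bytes.

    Raises ValueError if the data is not a PE image or uses a machine type other
    than i386/AMD64.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C gives the file offset of the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature; Machine is its first WORD.
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    try:
        return MACHINE_BITS[machine]
    except KeyError:
        raise ValueError(f"unsupported machine type 0x{machine:04x}") from None


def python_bitness() -> int:
    """Bitness of the running interpreter: the process the DLL would be loaded into."""
    return struct.calcsize("P") * 8


def dll_matches_python(data: bytes, interpreter_bits: Optional[int] = None) -> bool:
    """True if a DLL with these header bytes can be loaded in-process by the interpreter."""
    bits = python_bitness() if interpreter_bits is None else interpreter_bits
    return pe_bitness(data) == bits


def check_dll_file(path: str) -> str:
    """Read a DLL from disk and report whether its bitness matches this Python."""
    with open(path, "rb") as fh:
        head = fh.read(4096)  # headers sit at the start; no need to read the whole file
    bits = pe_bitness(head)
    verdict = "OK" if bits == python_bitness() else "MISMATCH"
    return f"{path}: DLL is {bits}-bit, Python is {python_bitness()}-bit -> {verdict}"


def make_fake_pe(machine: int) -> bytes:
    """Construct a minimal MZ/PE header with the given Machine value (constructed test data)."""
    pe_offset = 0x80
    header = bytearray(pe_offset + 24)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    header[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<H", header, pe_offset + 4, machine)
    return bytes(header)


if __name__ == "__main__":
    # Usage: python check_dll.py "C:\Program Files\F-Response\FEMCCTRLx64.dll" ...
    for dll in sys.argv[1:]:
        print(check_dll_file(dll))
```

Run it with each F-Response COM DLL as an argument, using the same Python executable that onigiri will run under; a MISMATCH line means you need the other Python build (or the other DLL), not a reinstall of win32com.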

Memory Acquisition Failure on Win8.1 x64 machines

I found that physical memory acquisition through F-Response didn't work under some conditions:

  • The target OS is Win8.1 x64
  • The RAM size is big (e.g., 8GB or 16GB)

Specifically, process data structures (_EPROCESS) become null. I sent the report to F-Response and I'm waiting for the reply.

If you have the DumpIt commercial version, you can use it combined with PsExec for secure memory acquisition instead (specify the -a option and more).

Exception when getting "Targets"

Unless you start the GUI application (Consultant Connector or Enterprise Management Console), you may encounter the following exception.

    Traceback (most recent call last):
      File "onigiri.py", line 476, in <module>
        main()
      File "onigiri.py", line 463, in main
        fres.acquire(args.ram, file_cats, args.scan, args.alternative)
      File "onigiri.py", line 260, in acquire
        self.acquire_ram(computer, alternative)
      File "onigiri.py", line 53, in acquire_ram
        targets = victim.Targets
      File "C:\Python27_x64\lib\site-packages\win32com\client\dynamic.py", line 511, in __getattr__
        ret = self._oleobj_.Invoke(retEntry.dispid,0,invoke_type,1)
    pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, u'FEMCCTRL.Machine.1', u'iSCSI failed with a non-standard error, please contact support and provide the HRESULT code indicated.', None, 0, -268500930), None)

Please run the GUI app before using onigiri.

What's "Onigiri"?

Onigiri is a Japanese soul food, made with plain rice, wrapped in nori (seaweed), sometimes filled with pickled ume (umeboshi), kombu, tarako, or any other salty or sour ingredient as a natural preservative. Onigiri makes rice portable and easy to eat as well as preserving it. I named this tool after its convenience, inspired by Noriben.

License

GNU GPLv2