https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system
Malware Analysis Using RemNux
REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software.
This lightweight distro incorporates many tools for analyzing Windows and Linux malware,
examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.
After installing REMnux, connect it to the internet and run the “update-remnux full” command to bring the toolkit up to date.
Alternatively, you can add REMnux software to an existing SIFT Workstation system. To do that, run the following command on SIFT:
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
SIFT (SANS Investigative Forensics Toolkit): http://sift.readthedocs.io/en/latest/
Below are some of the malware analysis tasks you can perform on REMnux. For the full listing of the many command-line tools available in this distro, see remnux.org.
https://remnux.org/docs/
https://www.decalage.info/en/security
https://www.digitalmunition.me/2015/06/remnux-v6-a-linux-toolkit-for-reverse-engineering-and-analyzing-malware/
Statically Examine Files
• Inspect file properties using pescanner, pestr, pyew, readpe, pedump, peframe, signsrch, and readpe.py
• Investigate binary files in-depth using bokken, vivbin, udcli, RATDecoders, radare2, yara, and wxHexEditor
• Deobfuscate contents with xorsearch, unxor.py, Balbuzard, NoMoreXOR.py, brxor.py, and xortool
• Examine memory snapshots using Rekall and Volatility
• Assess packed files using densityscout, bytehist, packerid, and upx
• Extract and carve file contents using hachoir-subfile, bulk_extractor, scalpel, and foremost
• Scan files for malware signatures using clamscan after refreshing signatures with freshclam
• Examine and track multiple malware samples with mas, viper, maltrieve, and Ragpicker
• Work with file hashes using nsrllookup, Automater, hash_id, ssdeep, totalhash, virustotalsearch, and vt
• Define signatures with yaraGenerator.py, autorule.py, IOCextractor.py, and rule-editor
Handle Network Interactions
• Analyze network traffic with wireshark, ngrep, tcpick, tcpxtract, tcpflow, and tcpdump
• Intercept all laboratory traffic destined for IP addresses using accept-all-ips
• Analyze web traffic with burpsuite, mitmproxy, CapTipper, and NetworkMiner
• Implement common network services using fakedns, fakesmtp, inetsim, ircd start, and httpd start
Examine Browser Malware
• Deobfuscate JavaScript with SpiderMonkey (js), d8, rhino-debugger, and Firebug
• Define JavaScript objects for SpiderMonkey using /usr/share/remnux/objects.js
• Clean up JavaScript with js-beautify
• Retrieve web pages with wget and curl
• Examine malicious Flash files with swfdump, flare, RABCDAsm, xxxswf.py, and extract_swf
• Analyze Java malware using idx_parser.py, cfr, jad, jd-gui, and Javassist
• Inspect malicious websites and domains using thug, Automater, pdnstool.py, and passive.py
Examine Document Files
• Analyze suspicious Microsoft Office documents with officeparser.py, oletools, libolecf, and oledump.py
• Examine PDFs using pdfid, pdfwalker, pdf-parser, pdfdecompress, pdfxray_lite, pyew, and peepdf
• Extract JavaScript or SWFs from PDFs using pdfextract, pdfwalker, pdf-parser, and swf_mastah
• Examine shellcode using shellcode2exe.py, sctest, dism-this, unicode2hex-escaped, m2elf, and dism-this.py
Investigate Linux Malware
• Disassemble and debug binaries using bokken, vivbin, edb, gdb, udcli, radare2, and objdump
• Examine the system during behavioral analysis with sysdig, unhide, strace, and ltrace
• Examine memory snapshots using Rekall and Volatility
• Decode Android malware using Androwarn and AndroGuard
Windows Memory Analysis – Rogue Processes Detection
psxview Find hidden processes using cross-view
# vol.py psxview
pstree Display parent-process relationships
# vol.py pstree
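The cross-view idea behind psxview is that a process hidden by unlinking it from the kernel's process list still shows up in sources that do not depend on that list, such as pool scanning. As an added example (not from the original post or from Volatility), here is a small parser for psxview output, run over a constructed sample, that separates rows missing from pslist into likely-hidden processes and ordinary terminated ones, the latter recognised by their ExitTime column:

```python
from typing import Dict, List, Tuple

# Constructed sample of "vol.py psxview" output (Volatility 2 column layout); not from a real image.
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e8f0030 svchost.exe             876 True   True   True     True   True  True    True
0x000000003f0a1d40 explorer.exe           1324 True   True   True     True   True  True    True
0x000000003d2c0820 notepad.exe            2208 False  True   False    False  False False   False    2015-06-13 10:22:41 UTC+0000
0x000000003e7715a0 svchosts.exe           1892 False  True   True     True   True  True    True
"""

# The seven process-listing sources psxview compares, in the order the plugin prints them.
VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


def parse_psxview(text: str) -> List[Dict[str, object]]:
    """Turn psxview table rows into dicts with name, pid, per-view booleans and exit_time."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # skip the header and the dashed separator line
        parts = line.split()
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = parts[3:3 + len(VIEWS)]
        exit_time = " ".join(parts[3 + len(VIEWS):]) or None  # empty when still running
        rows.append({"offset": offset, "name": name, "pid": pid,
                     "views": dict(zip(VIEWS, (f == "True" for f in flags))),
                     "exit_time": exit_time})
    return rows


def find_hidden(rows: List[Dict[str, object]]) -> Tuple[list, list]:
    """Flag processes found by pool scanning (psscan) but absent from the linked list (pslist).

    A row that also carries an ExitTime is most likely a terminated process whose pool
    block has not been reused yet, not DKOM hiding, so it is reported separately.
    Returns (hidden, terminated); each entry is (name, pid, list of views it is missing from).
    """
    hidden, terminated = [], []
    for r in rows:
        v = r["views"]
        if v["psscan"] and not v["pslist"]:
            missing = [view for view, seen in v.items() if not seen]
            (terminated if r["exit_time"] else hidden).append((r["name"], r["pid"], missing))
    return hidden, terminated
```

Anything reported as hidden is worth following up with pstree and malfind on that PID before dumping it.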
Windows Memory Analysis – Code Injection Detection
malfind Find injected code and dump sections
-p Show information only for specific PIDs
-o Provide physical offset of single process to scan
--dump-dir Directory to save memory sections
# vol.py malfind --dump-dir ./output_dir
ldrmodules Detect unlinked DLLs
-p Show information only for specific PIDs
-v Verbose: show full paths from three DLL lists
# vol.py ldrmodules -p 868 -v
Windows Memory Analysis – Dump Suspicious Processes
dlldump Extract DLLs from specific processes
-p Dump DLLs only for specific PIDs
-b Dump DLLs from process at base offset
-r Dump DLLs matching REGEX name
--dump-dir Directory to save extracted files
# vol.py dlldump --dump-dir=./output -r metsrv
moddump Extract kernel drivers
-b Dump driver using base address (from modscan)
-r Dump drivers matching REGEX name
--dump-dir Directory to save extracted files
# vol.py moddump --dump-dir=./output -r gaopdx
procdump Dump process to executable sample
-p Dump only specific PIDs
-o Specify process by physical memory offset
-n Use REGEX to specify process
--dump-dir Directory to save extracted files
# vol.py procdump --dump-dir=./output -p 868
memdump Dump every memory section into a single file
-p Dump memory sections from these PIDs
-n Use REGEX to specify process
--dump-dir Directory to save extracted files
# vol.py memdump --dump-dir=./output -p 868
dumpfiles Dump File_Objects from file cache
-Q Extract using physical offset
-r Extract using REGEX (-i for case insensitive)
--dump-dir Directory to save extracted files
# vol.py dumpfiles --dump-dir=./output -r \\.exe