Thursday, 25 May 2017

Malware Analysis + RemNux

 Malware Analysis Using RemNux

REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software.

This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

After installing REMnux, connect it to the internet and run the “update-remnux full” command.

Alternatively, you can add REMnux software to an existing SIFT Workstation system. To do that, run the following command on SIFT:

wget --quiet -O - | sudo bash

Below are some of the malware analysis tasks you can perform on REMnux. For the full listing of the many command-line tools available in this distro, see

 SIFT (SANS Investigative Forensics Toolkit)

 Statically Examine Files

• Inspect file properties using pescanner, pestr, pyew, readpe, pedump, peframe, signsrch, and
• Investigate binary files in-depth using bokken, vivbin, udcli, RATDecoders, radare2, yara, and wxHexEditor
• Deobfuscate contents with xorsearch,, Balbuzard,,, and xortool
• Examine memory snapshots using Rekall and Volatility
• Assess packed files using densityscout, bytehist, packerid, and upx
• Extract and carve file contents using hachoir-subfile, bulk_extractor, scalpel, and foremost
• Scan files for malware signatures using clamscan after refreshing signatures with freshclam
• Examine and track multiple malware samples with mas, viper, maltrieve, and Ragpicker
• Work with file hashes using nsrllookup, Automater, hash_id, ssdeep, totalhash, virustotalsearch, and vt
• Define signatures with,,, and rule-editor
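Tools such as densityscout and bytehist assess packing by measuring how close a file's byte distribution is to random. The script below is an added illustration of that idea, not code from REMnux or from any of the tools listed above: it computes Shannon entropy per window, flags a file as likely packed when most windows sit near the maximum, and records the SHA-256 so the verdict can be tied to a hash. The 1024-byte window, the 7.0 bits/byte threshold and the majority rule are assumptions chosen for this example, and both sample inputs are constructed in the script.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window in file order (what a bytehist-style plot shows)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def assess_packing(data: bytes, window: int = 1024, threshold: float = 7.0) -> dict:
    """Triage hint: a file is 'likely packed' when more than half of its windows exceed threshold.

    Window size, threshold and the majority rule are assumptions for this example;
    real tools use their own scoring, so treat the flag as a reason to look closer,
    not as a verdict.
    """
    profile = entropy_profile(data, window)
    high = sum(1 for e in profile if e >= threshold)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "overall_entropy": round(shannon_entropy(data), 3),
        "max_window_entropy": round(max(profile), 3) if profile else 0.0,
        "high_entropy_windows": high,
        "total_windows": len(profile),
        "likely_packed": bool(profile) and high / len(profile) > 0.5,
    }


def _constructed_random_bytes(n: int, seed: bytes = b"remnux-entropy-example") -> bytes:
    """Deterministic pseudo-random bytes (a SHA-256 chain) standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a repetitive plain-text body and a high-entropy "packed" body.
SAMPLE_PLAIN = b"This program cannot be run in DOS mode.\r\n" * 200
SAMPLE_PACKED = _constructed_random_bytes(8192)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, assess_packing(blob))
```

Run it against a real sample with `assess_packing(open(path, "rb").read())`; a profile that is low everywhere except one large high-entropy block usually points at a packed or encrypted payload section that upx or a manual unpack should be tried on next.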

 Handle Network Interactions

• Analyze network traffic with wireshark, ngrep, tcpick, tcpxtract, tcpflow, and tcpdump
• Intercept all laboratory traffic destined for IP addresses using accept-all-ips
• Analyze web traffic with burpsuite, mitmproxy, CapTipper, and NetworkMiner
• Implement common network services using fakedns, fakesmtp, inetsim, ircd start, and httpd start
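What fakedns does for the isolated lab is answer every name lookup with the analyst's own address, so the sample's callbacks land on the interception box instead of the real internet. The following is an added example of that exchange written from scratch for this page (it is not fakedns's code): it builds the query a sample would send, crafts the A response that points at an assumed lab sink address, and parses the answer back out so the round trip can be checked. The sink address 192.168.56.10 and the domain name are constructed values.

```python
import struct

# Assumed lab sink address: the analyst's own interception box (constructed for this example).
LAB_SINK_IP = "192.168.56.10"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query, as a sample would send it to its resolver."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def parse_question(packet: bytes):
    """Return (txid, name, qtype, qclass, raw_question) for the single question in a packet."""
    txid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a query")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def fake_dns_response(packet: bytes, answer_ip: str = LAB_SINK_IP, ttl: int = 60) -> bytes:
    """Answer every A/IN query with answer_ip; any other type gets an empty NOERROR reply."""
    txid, _name, qtype, qclass, question = parse_question(packet)
    if qtype != 1 or qclass != 1:
        return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def answered_ip(response: bytes):
    """Extract the IPv4 address from the first A record of a response, or None if there is none."""
    ancount = struct.unpack(">H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, _, question = parse_question(response)
    pos = 12 + len(question) + 2  # skip header, question, and the 2-byte name pointer
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", response[pos:pos + 10])
    rdata = response[pos + 10:pos + 10 + rdlen]
    return ".".join(str(b) for b in rdata) if rtype == 1 else None


if __name__ == "__main__":
    query = build_query("c2.example")  # constructed domain name
    print(answered_ip(fake_dns_response(query)))
```

Serving this from a UDP socket on port 53 of the lab interface is all a fake resolver needs; the important operational detail is the one the original text gives, that the lab is isolated, because a resolver that answers everything must never be reachable from a production network.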

 Examine Browser Malware

• Deobfuscate JavaScript with SpiderMonkey (js), d8, rhino-debugger, and Firebug
• Define JavaScript objects for SpiderMonkey using /usr/share/remnux/objects.js
• Clean up JavaScript with js-beautify
• Retrieve web pages with wget and curl
• Examine malicious Flash files with swfdump, flare, RABCDAsm,, and extract_swf
• Analyze Java malware using, cfr, jad, jd-gui, and Javassist
• Inspect malicious websites and domains using thug, Automater,, and

 Examine Document Files

• Analyze suspicious Microsoft Office documents with, oletools, libolecf, and
• Examine PDFs using pdfid, pdfwalker, pdf-parser, pdfdecompress, pdfxray_lite, pyew, and peepdf
• Extract JavaScript or SWFs from PDFs using pdfextract, pdfwalker, pdf-parser, and swf_mastah
• Examine shellcode using, sctest, dism-this, unicode2hex-escaped, m2elf, and
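pdfid's first pass over a suspicious PDF is a keyword count: how many objects and streams the file declares, and whether names such as /JavaScript, /OpenAction or /Launch appear, including spellings hidden behind PDF's #xx hex escapes (so /J#61vaScript still counts as /JavaScript). The script below is an added example of that triage step written for this page, not pdfid's own code; the watched-name list, the structure keywords and the "needs review" rule are assumptions modeled on what pdfid reports, and the sample document is constructed inline.

```python
import re
from collections import Counter

# Names that mark active or unusual content; modeled on the set pdfid reports (assumption).
SUSPICIOUS_NAMES = (
    "/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/EmbeddedFile",
    "/RichMedia", "/ObjStm", "/AcroForm", "/XFA",
)
STRUCTURE_KEYWORDS = (b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref")


def normalize_name(token: bytes) -> str:
    """Decode #xx hex escapes inside a PDF name, so b'/J#61vaScript' becomes '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def count_pdf_names(data: bytes) -> Counter:
    """Count each watched name, catching hex-escaped spellings as well as plain ones."""
    counts = Counter()
    # A name token is '/' followed by bytes up to a delimiter; '#' escapes stay inside the token.
    for m in re.finditer(rb"/[^\s/\[\]<>(){}%]*", data):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
    return counts


def count_structure(data: bytes) -> dict:
    """Count whole-word structure keywords ('obj' inside 'endobj' is not double counted)."""
    return {
        kw.decode(): len(re.findall(rb"(?<![A-Za-z])" + kw + rb"(?![A-Za-z])", data))
        for kw in STRUCTURE_KEYWORDS
    }


def triage_pdf(data: bytes) -> dict:
    """Summarize the indicators an analyst would read off a pdfid-style report."""
    names = count_pdf_names(data)
    has_js = names["/JS"] + names["/JavaScript"] > 0
    auto = names["/OpenAction"] + names["/AA"] > 0
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "structure": count_structure(data),
        "names": dict(names),
        "has_javascript": has_js,
        "auto_executes": auto,
        "needs_review": has_js or auto or names["/Launch"] > 0 or names["/EmbeddedFile"] > 0,
    }


# Constructed sample: a tiny document whose open action runs a script, with the
# /JavaScript name spelled through a hex escape to exercise normalize_name().
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A hit here is the cue to move to pdf-parser or peepdf and pull the referenced object, and to pdfextract or swf_mastah when the payload is an embedded script or SWF; a document whose scripts sit inside compressed object streams (/ObjStm) will show low counts until the streams are inflated, which is why a clean keyword count alone is not a clean bill of health.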

 Investigate Linux Malware

• Disassemble and debug binaries using bokken, vivbin, edb, gdb, udcli, radare2, and objdump
• Examine the system during behavioral analysis with sysdig, unhide, strace, and ltrace
• Examine memory snapshots using Rekall and Volatility
• Decode Android malware using Androwarn and AndroGuard

 Windows Memory Analysis – Rogue Processes Detection

psxview     Find hidden processes using cross-view
                        # psxview
pstree      Display parent-process relationships
                        # pstree

 Windows Memory Analysis – Code Injection Detection

malfind     Find injected code and dump sections
-p          Show information only for specific PIDs
-o          Provide physical offset of single process to scan
--dump-dir  Directory to save memory sections
                        # malfind --dump-dir ./output_dir
ldrmodules  Detect unlinked DLLs
-p          Show information only for specific PIDs
-v          Verbose: show full paths from three DLL lists
                        # ldrmodules -p 868 -v

 Windows Memory Analysis – Dump Suspicious Processes

dlldump     Extract DLLs from specific processes
-p          Dump DLLs only for specific PIDs
-b          Dump DLLs from process at base offset
-r          Dump DLLs matching REGEX name
--dump-dir  Directory to save extracted files
                        # dlldump --dump-dir=./output -r metsrv

moddump     Extract kernel drivers
-b          Dump driver using base address (from modscan)
-r          Dump drivers matching REGEX name
--dump-dir  Directory to save extracted files
                        # moddump --dump-dir=./output -r gaopdx

procdump    Dump process to executable sample
-p          Dump only specific PIDs
-o          Specify process by physical memory offset
-n          Use REGEX to specify process
--dump-dir  Directory to save extracted files
                        # procdump --dump-dir=./output -p 868

memdump     Dump every memory section into a single file
-p          Dump memory sections from these PIDs
-n          Use REGEX to specify process
--dump-dir  Directory to save extracted files
                        # memdump --dump-dir=./output -p 868

dumpfiles   Dump File_Objects from file cache
-Q          Extract using physical offset
-r          Extract using REGEX (-i for case insensitive)
--dump-dir  Directory to save extracted files
                        # dumpfiles --dump-dir=./output -r \\.exe
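The rogue-process and code-injection plugins above produce text tables, and the actual detection is a rule applied to their columns: psxview reports a process as hidden when psscan finds it but pslist does not and the process has not simply exited, and ldrmodules reports an unlinked DLL when a mapped module is absent from the PEB's InLoad, InInit and InMem lists. The script below is an added example written for this page, not Volatility code, that applies those two rules to pasted plugin output so the dump commands can be pointed at the right PIDs and bases. The sample tables are constructed and only approximate the Volatility 2 column layout; process names containing spaces would need a wider parser.

```python
# Constructed psxview-style output (approximate Volatility 2 layout; not real capture data).
PSXVIEW_SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0a0d3d40 svchost.exe             868 True   True   True     True   True  True    True
0x0a3b5020 hidden.exe             1234 False  True   True     True   True  True    True
0x09ec0020 smss.exe                368 True   True   True     True   False False   False
0x0a1c7020 notepad.exe            2040 False  True   False    False  False False   False    2017-05-25 10:15:02 UTC+0000
"""

# Constructed ldrmodules-style output for PID 868 (approximate layout; not real capture data).
LDRMODULES_SAMPLE = """\
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     868 svchost.exe          0x01000000 True   False  True  \\Windows\\System32\\svchost.exe
     868 svchost.exe          0x7c900000 True   True   True  \\Windows\\System32\\ntdll.dll
     868 svchost.exe          0x00400000 False  False  False \\Windows\\System32\\evil.dll
     868 svchost.exe          0x00a20000 False  False  False
"""


def parse_table(text: str) -> list:
    """Return the data rows of a Volatility text table as token lists, skipping header and rule."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Offset(P)", "Pid"):
            continue
        if set(line.strip()) <= set("- "):  # the dashed rule under the header
            continue
        rows.append(tokens)
    return rows


def find_hidden_processes(psxview_text: str) -> list:
    """Processes seen by psscan but missing from pslist, excluding ones that merely exited."""
    hidden = []
    for parts in parse_table(psxview_text):
        offset, name, pid = parts[0], parts[1], int(parts[2])
        in_pslist, in_psscan = parts[3] == "True", parts[4] == "True"
        exited = len(parts) > 10  # an ExitTime value follows the seven True/False columns
        if in_psscan and not in_pslist and not exited:
            hidden.append((pid, name, offset))
    return hidden


def find_unlinked_modules(ldrmodules_text: str) -> list:
    """Modules absent from all three PEB lists, the classic unlinked/injected-DLL pattern.

    The main executable legitimately shows InInit False, so a single False is not
    enough; only rows with no True in InLoad, InInit and InMem are reported.
    """
    suspicious = []
    for parts in parse_table(ldrmodules_text):
        pid, process, base = int(parts[0]), parts[1], parts[2]
        flags = [p == "True" for p in parts[3:6]]
        path = " ".join(parts[6:])
        if not any(flags):
            suspicious.append((pid, process, base, path or "<no mapped path>"))
    return suspicious


if __name__ == "__main__":
    for pid, name, offset in find_hidden_processes(PSXVIEW_SAMPLE):
        print(f"hidden process {name} pid={pid} at {offset}: try procdump -p {pid}")
    for pid, process, base, path in find_unlinked_modules(LDRMODULES_SAMPLE):
        print(f"unlinked module in {process} pid={pid} base={base} {path}: try dlldump -p {pid} -b {base}")
```

The output maps directly onto the dump commands in this cheat sheet: a hidden PID goes to procdump or memdump with -p, and a flagged base address goes to dlldump with -b, after which the extracted file can be triaged with the static tools listed earlier.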
