REMnux Usage Tips for Malware Analysis on Linux - Cheat Sheet



Authored by Lenny Zeltser for REMnux v7. Lenny writes a security blog and is active on Twitter as @lennyzeltser. Many REMnux tools and techniques are discussed in the Reverse-Engineering Malware course at SANS Institute, which Lenny co-authored. This cheat sheet is distributed according to the Creative Commons v3 "Attribution" License.

This cheat sheet outlines some of the commands and tools for analyzing malware using the REMnux distro.

Get Started with REMnux

- Get REMnux as a virtual appliance, install the distro on a dedicated system, or add it to an existing one.
- Review REMnux documentation at docs.
- Keep your system up to date by periodically running "remnux upgrade" and "remnux update".
- Become familiar with REMnux malware analysis tools available as Docker images.
- Know the default logon credentials: remnux/malware

Operate Your REMnux System

Shut down the system: shutdown
Reboot the system: reboot
Switch to a root shell: sudo -s
Renew DHCP lease: renew-dhcp
See current IP address: myip
Edit a text file: code file
View an image file: feh file
Start web server: httpd start
Start SSH server: sshd start

Analyze Windows Executables

Static Properties: manalyze, peframe, pefile, exiftool, clamscan, pescan, portex, bearcommander, pecheck
Strings and Deobfuscation: pestr, bbcrack, brxor.py, base64dump, xorsearch, flarestrings, floss, cyberchef
Code Emulation: binee, capa, vivbin
Disassemble/Decompile: ghidra, cutter, objdump, r2
Unpacking: bytehist, de4dot, upx

Reverse-Engineer Linux Binaries

Static Properties: trid, exiftool, pyew, readelf.py
Disassemble/Decompile: ghidra, cutter, objdump, r2
Debugging: edb, gdb
Behavior Analysis: ltrace, strace, frida, sysdig, unhide

Investigate Other Forms of Malicious Code

Android: apktool, droidlysis, androgui.py, baksmali, dex2jar
Java: cfr, procyon, jad, jd-gui, idx_parser.py
Python: pyinstxtractor.py, pycdc
JavaScript: js, js-file, objects.js, box-js
Shellcode: shellcode2exe.bat, scdbg, xorsearch
PowerShell: pwsh, base64dump
Flash: swfdump, flare, flasm, swf_mastah.py, xxxswf

Examine Suspicious Documents

Microsoft Office Files: vmonkey, pcodedmp, olevba, xlmdeobfuscator, oledump.py, msoffice-crypt, ssview
RTF Files: rtfobj, rtfdump
Email Messages: emldump, msgconvert
PDF Files: pdfid, pdfparser, pdfextract, pdfdecrypt, peepdf, pdftk, pdfresurrect, qpdf, pdfobjflow
General: base64dump, tesseract, exiftool

Explore Network Interactions

Monitoring: burpsuite, networkminer, polarproxy, mitmproxy, wireshark, tshark, ngrep, tcpxtract
Connecting: thug, nc, tor, wget, curl, irc, ssh, unfurl
Services: fakedns, fakemail, accept-all-ips, nc, httpd, inetsim, fakenet, sshd, myip

Gather and Analyze Data

Network: Automater.py, shodan, ipwhois_cli.py, pdnstool
Hashes: malwoverview.py, nsrllookup, Automater.py, vt, virustotal-search.py
Files: yara, scalpel, bulk_extractor, ioc_writer
Other: dexray, viper, time-decode.py

Other Analysis Tasks

Memory Forensics: vol.py, vol3, linux_mem_diff.py, aeskeyfind, rsakeyfind, bulk_extractor
File Editing: wxHexEditor, scite, code, xpdf, convert
File Extraction: 7z, unzip, unrar, cabextract

Use Docker Containers for Analysis

Thug Honeyclient: remnux/thug
JSDetox JavaScript Analysis: remnux/jsdetox
Rekall Memory Forensics: remnux/rekall
RetDec Decompiler: remnux/retdec
Radare2 Reversing Framework: remnux/radare2
Ciphey Automatic Decrypter: remnux/ciphey
Viper Binary Analysis Framework: remnux/viper
REMnux in a Container: remnux/remnux-distro

Interact with Docker Images

List local images: docker images
Update local image: docker pull image
Delete local image: docker rmi imageid
Delete unused resources: docker system prune
Open a shell inside a transient container: docker run --rm -it image bash
Map a local TCP port 80 to the container's port 80: docker run --rm -it -p 80:80 image bash
Map your current directory into the container: docker run --rm -it -v .:dir image bash