REMNUX USAGE TIPS FOR MALWARE Emulate common network services using “fakedns”, Extract metadata using “hachoir-metadata”.

ANALYSIS ON LINUX
This cheat sheet outlines the tools and commands for
analyzing malicious software on REMnux Linux distro.
Getting Started with REMnux
Download REMnux from REMnux.org as a Live CD ISO
image file or a VMware/VirtualBox virtual appliance.
Operate in REMnux as the user “remnux”. The default
password for this account is “malware”.
Run privileged commands on REMnux using “sudo”.
Use “apt-get” to install additional software
packages if your system is connected to the Internet.
Use “setxkbmap” to switch keyboard layout. For
example, for German layout use “setxkbmap de”.
You can switch the screen resolution using “xrandr”
followed by the “xrandr -s” command.
If using VMware, you can install VMware Tools to
automatically adjust the screen size.
“fakesmtp” and “inetsim”. Find and extract subfiles using “hachoir-subfile”.
Wrap network traffic with SSL using “stunnel”. Compare binary files using “vbindiff”.
Examining Malicious Websites Find obfuscated or encrypted data with “xorsearch”,
Deobfuscate JavaScript with SpiderMonkey (“js”), “findaes”, “xortool”, “aeskeyfind”, “rsakeyfind”.
“d8”, “rhino-debugger” and Firebug.
Decompile Java class files using “jad” and “jd-gui”.
Define JavaScript objects using /usr/local/etc/def.js.
Analyze memory image files using “volatility”.
You can clean up JavaScript with “js-beautify”.
Volatility Memory Forensics Commands
Control web traffic with “burpsuite”, Tamper Data. Spot hidden processes psxview
Retrieve websites with “wget” and “curl”. List all processes pslist, psscan
Hide your origin with “tor start”, “usewithtor”.
Show a registry key printkey -K key
Examine malicious Flash files with “swfdump -Ddu”,
Extract process image procexedump
“flare”, RABCDAsm, and “xxxswf.py”.
Extract process memory memdump, vaddump
Inspect malicious websites and traffic captures with
“jsunpackn” after “cd ~remnux/jsunpackn”. List open handles, files, handles, filescan,
DLLs and mutant objects dlllist, mutantscan
Analyzing Malicious Document Files
Examine suspicious Microsoft Office documents with List services, drivers and svcscan, driverscan,
“pyOLEScanner.py” and “hachoir-urwid”. kernel modules modules, modscan

General Commands for Using REMnux
Shut down the system
Reboot the system
Switch to a root shell
Renew DHCP lease
See current IP address
Edit a text file
View an image file
Start web server
Navigate through PDFs using “pyew”, “peepdf” and View network connscan, connections,
“pdfwalker”. activities sockets, sockscan, netscan
shutdown
reboot Extract JavaScript or SWFs from PDFs using View activity timeline timeliner, evtlogs
“pdfextract”, “pdf.py” and “swf_mastah”. Find and extract malware malfind, apihooks
sudo –s
Examine PDFs using “pdfcop”, “pdf-parser”,
renew-dhcp Useful Configuration Files on REMnux
“pdfid”, “pdfdecompress” and “pdfxray_lite”.
myip Honeyd /etc/honeypot/honeyd.conf
Emulate shellcode execution using “sctest -Svs”.
scite file INetSim /etc/inetsim/inetsim.conf
Analyzing Executables and Other Files
feh file Web server /etc/thttpd/thttpd.conf
Scan the executable for suspicious characteristics and
httpd start packer signatures using “pescanner”. IRC server /etc/inspircd/inspircd.conf

Start SSH server sshd start Check whether the file might be packed using SSH server /etc/ssh/sshd_config

Analyzing Network Malware “densityscout” and “bytehist”. Aliases ~remnux/.bash_aliases

For IRC bots, start the IRC daemon (“ircd start”) and
the IRC client (“irc”).
Analyze network traffic with “wireshark”, “ngrep”
“tcpdump”, “pdnstool”, “NetworkMiner” and “nc”.
Intercept traffic and emulate some services with
Honeyd (“farpd start”, then “honeyd start”).
Explore the executable’s internals using “pyew”. Wget ~remnux/.wgetrc
Identify file type using “trid” and “file”. References
Scan files for malware signatures using “clamscan” Reverse-Engineering Malware Cheat Sheet
after refreshing signatures with “sudo freshclam”.
Analyzing Malicious Documents Cheat Sheet
Disassemble code using “radare”, “pyew”, “gdb” and
SANS Reverse-Engineering Malware Course
“objdump -Mintel -D”.

Authored by Lenny Zeltser for REMnux v3. Lenny writes a security blog at blog.zeltser.com and is active on Twitter as @lennyzeltser. Such malware analysis topics are covered in Lenny’s Reverse-
Engineering Malware (REM) course, which he teaches at SANS Institute—for details visit LearnREM.com. This cheat sheet is distributed according to the Creative Commons v3 “Attribution” License.