{"id":4022,"date":"2024-03-27T20:48:28","date_gmt":"2024-03-28T00:48:28","guid":{"rendered":"https:\/\/dft.wiki\/?p=4022"},"modified":"2026-06-08T10:50:51","modified_gmt":"2026-06-08T14:50:51","slug":"deplying-remnux-for-malware-analysis","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=4022","title":{"rendered":"Deploying REMnux for Malware Analysis"},"content":{"rendered":"<p><strong>REMnux<\/strong> is a Linux distribution based on Ubuntu 20.04 that offers a curated collection of free tools for reverse-engineering malicious software, out of the box [<a href=\"https:\/\/docs.remnux.org\/install-distro\/get-virtual-appliance\">Link<\/a>].<\/p>\n<p>It is distributed in many forms, but the most popular is the Virtual Appliance format: a self-contained system (a Linux distribution) built for a specific purpose.<\/p>\n<ul>\n<li>After deployment, <strong>create a snapshot<\/strong> or template of the base instance (VM).<\/li>\n<li>Before every investigation, <strong>create a fresh clone<\/strong> from the base instance.<\/li>\n<li>After the investigation, destroy the ephemeral clone or <strong>roll back to the snapshot<\/strong>.<\/li>\n<\/ul>\n<p><strong>WARNING:<\/strong> Any malware investigation is risky. Do not attempt it unless you are confident you know what you are doing. 
Network segregation and sandboxing are fundamental but are outside the scope of this post.<\/p>\n<hr \/>\n<p><strong>DEPLOYING ON PROXMOX (PVE 8.1)<\/strong><\/p>\n<p>On the Web UI:<\/p>\n<ul>\n<li><strong>Create<\/strong> a VM:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4026\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-06-45.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-06-45.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-06-45-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4027\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-06-54.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-06-54.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-06-54-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4028\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-07-53.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-07-53.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-07-53-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4029\" 
src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-03.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-03.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-03-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4030\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-34.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-34.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-34-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4031\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-42.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-42.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-42-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4032\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-47.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-47.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-47-300x226.png 300w\" sizes=\"auto, (max-width: 
740px) 100vw, 740px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4033\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-50.png\" alt=\"\" width=\"740\" height=\"557\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-50.png 740w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-08-50-300x226.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<ul>\n<li><strong>Detach<\/strong> and <strong>Remove<\/strong> the Disk:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4034\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-09-46.png\" alt=\"\" width=\"1321\" height=\"400\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-09-46.png 1321w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-09-46-300x91.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-09-46-1024x310.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-09-46-768x233.png 768w\" sizes=\"auto, (max-width: 1321px) 100vw, 1321px\" \/><\/p>\n<p>On a session as <code>root<\/code>:<\/p>\n<pre>cd \/tmp\r\nwget \"https:\/\/gigenet.dl.sourceforge.net\/project\/remnux\/ova-general\/remnux-v7-focal.ova\"\r\ntar -xvf remnux-v7-focal.ova\r\ngunzip remnux-v7-focal-disk1.vmdk.gz\r\nqemu-img convert -f vmdk remnux-v7-focal-disk1.vmdk -O qcow2 remnux-v7-focal-disk1.qcow2\r\nqm importdisk <strong>110<\/strong> remnux-v7-focal-disk1.qcow2 <strong>local-lvm<\/strong>\r\nrm \/tmp\/remnux-*<\/pre>\n<p><strong>Note:<\/strong> Change the VM ID and storage name accordingly.<\/p>\n<p>On the Web 
UI:<\/p>\n<ul>\n<li><strong>Edit<\/strong> and <strong>Add<\/strong> the newly attached Disk:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4035\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-19-05.png\" alt=\"\" width=\"660\" height=\"400\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-19-05.png 660w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-19-05-300x182.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4036\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-19-53.png\" alt=\"\" width=\"609\" height=\"328\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-19-53.png 609w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-19-53-300x162.png 300w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4037\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-09.png\" alt=\"\" width=\"660\" height=\"400\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-09.png 660w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-09-300x182.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p><strong>Note:<\/strong> Mine says <strong>NVMe<\/strong> because that is the label I gave to my secondary storage.<\/p>\n<ul>\n<li>Enable booting from the Disk:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4038\" 
src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-24.png\" alt=\"\" width=\"698\" height=\"524\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-24.png 698w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-24-300x225.png 300w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4039\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-40.png\" alt=\"\" width=\"647\" height=\"275\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-40.png 647w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-40-300x128.png 300w\" sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4040\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-46.png\" alt=\"\" width=\"698\" height=\"524\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-46.png 698w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-20-46-300x225.png 300w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><\/p>\n<ul>\n<li><strong>Start<\/strong> the VM:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4041\" src=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-26-13.png\" alt=\"\" width=\"1441\" height=\"1057\" srcset=\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-26-13.png 1441w, 
https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-26-13-300x220.png 300w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-26-13-1024x751.png 1024w, https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2024\/03\/Screenshot-from-2024-03-28-10-26-13-768x563.png 768w\" sizes=\"auto, (max-width: 1441px) 100vw, 1441px\" \/><\/p>\n<hr \/>\n<p><strong>MANAGING REMNUX<\/strong><\/p>\n<p><strong>Default credentials:<\/strong><\/p>\n<ul>\n<li>Username: <code>remnux<\/code><\/li>\n<li>Password: <code>malware<\/code><\/li>\n<\/ul>\n<p><strong>Note:<\/strong> Consider changing the default password.<\/p>\n<p><strong>System updates:<\/strong><\/p>\n<pre>sudo remnux upgrade\r\nsudo remnux update<\/pre>\n<p>If you run into any issues, try the following:<\/p>\n<pre>sudo apt update &amp;&amp; sudo apt autoremove -y &amp;&amp; sudo apt --fix-broken install<\/pre>\n<p><strong>Network Connectivity<\/strong><\/p>\n<p>Like any recent Ubuntu release, REMnux uses Netplan for network configuration.<\/p>\n<p>Identify the network interface name:<\/p>\n<pre>ip a<\/pre>\n<p>REMnux&#8217;s default configuration may not match the interface names assigned at deployment. 
Update the configuration as needed:<\/p>\n<pre>sudo nano \/etc\/netplan\/01-netcfg.yaml<\/pre>\n<p>Test then apply:<\/p>\n<pre>sudo netplan try\r\nsudo netplan apply<\/pre>\n<p><strong>Disabling Wayland (reverting to X11):<\/strong><\/p>\n<pre>\/etc\/gdm3\/custom.conf<\/pre>\n<pre>WaylandEnable=false<\/pre>\n<pre>sudo reboot<\/pre>\n<p><strong>Running in the Cloud:<\/strong><\/p>\n<pre>sudo nano \/etc\/remnux-config<\/pre>\n<ul>\n<li>Change the mode from <code>dedicated<\/code> to <code>cloud<\/code>.<\/li>\n<\/ul>\n<pre>sudo systemctl enable ssh\r\nsudo reboot<\/pre>\n<p><strong>Note:<\/strong> Avoid exposing it directly to the internet if possible.<\/p>\n<p><strong>Other Useful Commands:<\/strong><\/p>\n<pre>myip\r\ncabextract file.cab<\/pre>\n<hr \/>\n<p><strong>USING REMNUX<\/strong><\/p>\n<p>REMnux comes with a wide range of tools out of the box, including tools for:<\/p>\n<ul>\n<li>Examining <strong>Static Properties<\/strong> and <strong>Deobfuscation<\/strong> of binaries:\n<ul>\n<li>Windows Files\n<ul>\n<li>TrID &#8211; reveals file signature.<\/li>\n<li>Yara Rules &#8211; identifies common malicious capabilities.<\/li>\n<li>ExifTool &#8211; reads and writes metadata.<\/li>\n<li>DroidLysis &#8211; static analysis of APK files.<\/li>\n<li>zipdump.py &#8211; analyzes compressed files.<\/li>\n<li>msitools &#8211; creates, inspects, and extracts .msi files.<\/li>\n<li>re-search.py &#8211; searches files for common suspicious patterns using regular expressions.<\/li>\n<li>disitool &#8211; manipulates embedded digital signatures.<\/li>\n<li>Name-That-Hash &#8211; hash identification tool.<\/li>\n<li>Hash ID &#8211; hash identification tool.<\/li>\n<li>signsrch &#8211; finds patterns of common encryption, compression, or encoding algorithms.<\/li>\n<li>ssdeep &#8211; fuzzy hashing.<\/li>\n<li>wxHexEditor &#8211; hex editor.<\/li>\n<li>ClamAV &#8211; signature-based antivirus.<\/li>\n<li>bulk_extractor &#8211; extracts strings from files.<\/li>\n<li>Hachoir 
&#8211; views and edits binaries.<\/li>\n<li>Sleuth Kit &#8211; recovers files from disk.<\/li>\n<li>binwalk &#8211; extracts and analyzes firmware.<\/li>\n<li>Manalyze &#8211; static analysis of PE files.<\/li>\n<li>StringSifter &#8211; ranks strings by relevance from PE files.<\/li>\n<li>PEframe &#8211; analyzes PE and MS Office files.<\/li>\n<li>dllcharacteristics.py &#8211; reads and sets DLL characteristics of a PE file.<\/li>\n<li>PE Tree &#8211; examines the structure of PE files.<\/li>\n<li>pedump &#8211; extracts PE files.<\/li>\n<li>pecheck &#8211; analyzes properties of PE files.<\/li>\n<li>pev &#8211; analyzes and extracts PE files.<\/li>\n<li>PortEx &#8211; analyzes PE files.<\/li>\n<li>bearparser &#8211; parses PE files.<\/li>\n<li>debloat &#8211; removes junk content from bloated PE files.<\/li>\n<\/ul>\n<\/li>\n<li>Linux Files\n<ul>\n<li>pyelftools &#8211; library for parsing ELF and DWARF files.<\/li>\n<\/ul>\n<\/li>\n<li>.NET\n<ul>\n<li>dnfile &#8211; shows static properties.<\/li>\n<li>dotnetfile &#8211; shows static properties.<\/li>\n<\/ul>\n<\/li>\n<li>Deobfuscation\n<ul>\n<li>Malchive &#8211; static analysis of various aspects of malicious code.<\/li>\n<li>1768.py &#8211; analyzes Cobalt Strike beacons.<\/li>\n<li>cs-decrypt-metadata.py &#8211; decrypts Cobalt Strike metadata.<\/li>\n<li>CSCE &#8211; decrypts Cobalt Strike beacons.<\/li>\n<li>xortool &#8211; analyzes XOR-encoded data.<\/li>\n<li>RATDecoders &#8211; Python 3 decoder library for RATs.<\/li>\n<li>DC3-MWCP &#8211; parses configuration information from malware.<\/li>\n<li>Chepy &#8211; Python library and command-line tool for data transformation.<\/li>\n<li>Balbuzard &#8211; finds and deobfuscates patterns.<\/li>\n<li>xor-kpa.py &#8211; performs XOR known-plaintext attacks.<\/li>\n<li>NoMoreXOR.py &#8211; guesses a file&#8217;s 256-byte XOR key using frequency analysis.<\/li>\n<li>unXOR &#8211; deobfuscates XOR-encoded files.<\/li>\n<li>brxor.py &#8211; brute-forces XOR-encoded 
English word strings.<\/li>\n<li>xorBruteForcer.py &#8211; brute-forces XOR-encoded files.<\/li>\n<li>strdeob.pl &#8211; locates and decodes stack strings.<\/li>\n<li>ex_pe_xor.py &#8211; searches XOR-encoded data for signs of executable binaries.<\/li>\n<li>XORStrings &#8211; searches for XOR-encoded strings in a file.<\/li>\n<li>XORSearch &#8211; finds and decodes strings obfuscated using common techniques.<\/li>\n<li>FLOSS &#8211; extracts and deobfuscates strings from PE executables.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Statically Analyze Code<\/strong> from multiple languages and platforms:\n<ul>\n<li>BinNavi &#8211; IDE for disassembled code.<\/li>\n<li>Ghidra &#8211; reverse engineering suite developed by the NSA.<\/li>\n<li>Cutter &#8211; reverse engineering platform.<\/li>\n<li>Detect-It-Easy &#8211; reveals file properties.<\/li>\n<li>Qiling &#8211; emulates code execution across various OS and hardware platforms.<\/li>\n<li>Vivisect &#8211; examines and emulates binary files.<\/li>\n<li>objdump &#8211; disassembler.<\/li>\n<li>Bytehist &#8211; generates byte-usage histograms.<\/li>\n<li>UPX &#8211; packs and unpacks PE files.<\/li>\n<li>Speakeasy &#8211; emulates code execution.<\/li>\n<li>binee &#8211; analyzes I\/O operations of PE files by emulating execution.<\/li>\n<li>capa &#8211; detects suspicious capabilities in PE files.<\/li>\n<li>PyInstaller Extractor &#8211; extracts PyInstaller-generated PE files.<\/li>\n<li>Decompyle++ &#8211; Python bytecode decompiler.<\/li>\n<li>ExtractScripts &#8211; extracts scripts from HTML files.<\/li>\n<li>decode-vbe.py &#8211; decodes encoded VBS\/VBE scripts.<\/li>\n<li>cfr &#8211; Java decompiler.<\/li>\n<li>JAD Java Decompiler &#8211; Java decompiler.<\/li>\n<li>JD-GUI Java Decompiler &#8211; GUI Java decompiler.<\/li>\n<li>Java IDX Parser &#8211; analyzes Java IDX files.<\/li>\n<li>Javassist &#8211; Java bytecode engineering toolkit.<\/li>\n<li>Procyon &#8211; Java decompiler.<\/li>\n<li>de4dot 
&#8211; deobfuscates and unpacks .NET files.<\/li>\n<li>ILSpy &#8211; examines and decompiles .NET files.<\/li>\n<li>JADX &#8211; generates Java source code from .dex and .apk files.<\/li>\n<li>apktool &#8211; reverse engineering for .apk files.<\/li>\n<li>DroidLysis &#8211; analyzes .apk files.<\/li>\n<li>androguard &#8211; examines .apk files.<\/li>\n<li>AndroidProjectCreator &#8211; converts an .apk back to an Android Studio project.<\/li>\n<li>baksmali &#8211; disassembler for .dex files.<\/li>\n<li>dex2jar &#8211; examines .dex files.<\/li>\n<li>Frida &#8211; traces the execution of a process.<\/li>\n<li>radare2 &#8211; examines binary files.<\/li>\n<li>shcode2exe &#8211; converts 32 and 64-bit shellcode to a PE executable.<\/li>\n<li>shellcode2exe.bat &#8211; converts 32 and 64-bit shellcode to a PE executable.<\/li>\n<li>scdbg &#8211; traces and analyzes shellcode execution.<\/li>\n<li>runsc &#8211; traces and analyzes shellcode execution.<\/li>\n<li>bddisasm &#8211; Bitdefender disassembler.<\/li>\n<li>SpiderMonkey &#8211; Mozilla&#8217;s standalone JavaScript engine for deobfuscating JavaScript.<\/li>\n<li>objects.js &#8211; deobfuscates JavaScript.<\/li>\n<li>STPyV8 &#8211; Python 3 and JavaScript interop engine.<\/li>\n<li>JStillery &#8211; deobfuscates JavaScript.<\/li>\n<li>box-js &#8211; analyzes JavaScript.<\/li>\n<li>Rhino Debugger &#8211; GUI JavaScript debugger.<\/li>\n<li>PowerShell Core &#8211; runs PowerShell on Linux.<\/li>\n<li>GNU Project Debugger &#8211; multi-language debugger.<\/li>\n<li>edb &#8211; AArch32\/x86\/x86-64 debugger.<\/li>\n<li>ltrace &#8211; traces library calls.<\/li>\n<li>strace &#8211; traces system calls.<\/li>\n<\/ul>\n<\/li>\n<li>Performing <strong>Memory Forensics:<\/strong>\n<ul>\n<li>Volatility 3 &#8211; memory forensics framework.<\/li>\n<li>Volatility Framework &#8211; memory forensics framework.<\/li>\n<li>linux_mem_diff_tool &#8211; uses Volatility to compare two memory images.<\/li>\n<li>AESKeyFinder &#8211; 
finds 128-bit and 256-bit AES keys in a memory image.<\/li>\n<li>RSAKeyFinder &#8211; finds BER-encoded RSA private keys in a memory image.<\/li>\n<\/ul>\n<\/li>\n<li>Exploring <strong>Network<\/strong> and <strong>System Interactions:<\/strong>\n<ul>\n<li>Burp Suite CE &#8211; web pentesting suite.<\/li>\n<li>Network Miner Free Edition &#8211; packet sniffer.<\/li>\n<li>PolarProxy &#8211; intercepts and decrypts TLS traffic.<\/li>\n<li>CapTipper &#8211; HTTP sniffer.<\/li>\n<li>mitmproxy &#8211; MITM web proxy.<\/li>\n<li>tshark &#8211; packet sniffer.<\/li>\n<li>Wireshark &#8211; GUI packet sniffer.<\/li>\n<li>tcpdump &#8211; packet sniffer.<\/li>\n<li>ngrep &#8211; finds patterns in network traffic.<\/li>\n<li>tcpxtract &#8211; extracts files from network traffic.<\/li>\n<li>tcpflow &#8211; analyzes network flow.<\/li>\n<li>tcpick &#8211; packet sniffer.<\/li>\n<li>Unfurl &#8211; deconstructs and decodes data from a URL.<\/li>\n<li>thug &#8211; honeyclient for examining websites.<\/li>\n<li>Anomy &#8211; tunnels wget, ssh, sftp, ftp, and telnet through Tor.<\/li>\n<li>EPIC IRC Client &#8211; sniffs IRC traffic.<\/li>\n<li>fakedns &#8211; responds to DNS queries with fake IPs.<\/li>\n<li>dnsresolver.py &#8211; responds to DNS queries.<\/li>\n<li>fakemail &#8211; SMTP sniffer.<\/li>\n<li>accept-all-ips &#8211; intercepts traffic to all IPs.<\/li>\n<li>inspircd 3 &#8211; sniffs IRC traffic.<\/li>\n<li>INetSim &#8211; simulates common network services.<\/li>\n<li>FakeNet-NG &#8211; simulates common network services.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Analyzing Documents<\/strong> in many formats:\n<ul>\n<li>Tesseract OCR &#8211; extracts text from image files using optical character recognition.<\/li>\n<li>peepdf &#8211; analyzes PDF files.<\/li>\n<li>pdftool &#8211; identifies incremental updates to PDF files.<\/li>\n<li>pdf-parser.py &#8211; analyzes elements of PDF files.<\/li>\n<li>pdfid.py &#8211; identifies suspicious elements in PDF files.<\/li>\n<li>SSView 
&#8211; analyzes OLE2 structured storage files.<\/li>\n<li>oletools &#8211; analyzes OLE2 compound files.<\/li>\n<li>emldump &#8211; analyzes OLE2 compound files and EML files.<\/li>\n<li>msoffcrypto-tool &#8211; decrypts Microsoft Office files.<\/li>\n<li>msoffcrypto-crack.py &#8211; cracks passwords from encrypted files.<\/li>\n<li>pcodedmp &#8211; disassembles VBA p-code.<\/li>\n<li>pcode2code &#8211; decompiles VBA macro p-code.<\/li>\n<li>EvilClippy &#8211; modifies MS Office document properties.<\/li>\n<li>XLMMacroDeobfuscator &#8211; deobfuscates XLM macros from MS Office files.<\/li>\n<li>ViperMonkey &#8211; emulates VBA execution for analysis.<\/li>\n<li>rtfdump &#8211; analyzes RTF files.<\/li>\n<li>xmldump.py &#8211; extracts content from OOXML-formatted documents.<\/li>\n<li>msoffice-crypt &#8211; encrypts and decrypts OOXML documents.<\/li>\n<li>msg-extractor &#8211; extracts attachments from MSG files.<\/li>\n<li>msgconvert &#8211; converts MSG to MBOX files.<\/li>\n<li>mail-parser &#8211; parses raw SMTP and MSG files and generates objects.<\/li>\n<\/ul>\n<\/li>\n<li>Others:\n<ul>\n<li>Sysdig &#8211; exposes Linux system activity.<\/li>\n<li>ProcDOT &#8211; visualizes Process Monitor output.<\/li>\n<li>sandfly-processdecloak &#8211; finds hidden processes on Linux.<\/li>\n<li>Unhide &#8211; reveals hidden processes and connections on Linux.<\/li>\n<li>Automater &#8211; gathers OSINT on IPs, domains, hashes, etc.<\/li>\n<li>dissect &#8211; a DFIR framework and toolset.<\/li>\n<li>ioc_parser &#8211; extracts IOC objects from security report PDFs.<\/li>\n<li>ioc_writer &#8211; library for creating and editing OpenIOC objects.<\/li>\n<li>malwoverview &#8211; queries public APIs from malware repositories such as VirusTotal and HybridAnalysis.<\/li>\n<li>VirusTotal API &#8211; command-line tool for interacting with the VirusTotal API.<\/li>\n<li>virustotal-submit &#8211; submits files for analysis by VirusTotal.<\/li>\n<li>virustotal-search &#8211; 
searches for a hash in VirusTotal&#8217;s database.<\/li>\n<li>shodan &#8211; command-line tool for interacting with the Shodan API.<\/li>\n<li>PyPDNS &#8211; library for querying Passive DNS and IP address lookup services.<\/li>\n<li>pdnstool &#8211; queries Passive DNS online databases.<\/li>\n<li>DeXRAY &#8211; extracts and decodes data from antivirus quarantine files.<\/li>\n<li>Scalpel &#8211; carves content from binaries and disk images.<\/li>\n<li>nsrllookup &#8211; looks up file MD5 hashes in the NIST database.<\/li>\n<li>Yara &#8211; identifies and classifies malware samples using YARA rules.<\/li>\n<li>VBinDiff &#8211; compares binary files.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Run all the tools relevant to your investigation. Each one may offer a different perspective. Additional tools may be needed for special cases.<\/p>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<p><strong>REMnux Alternative Installations<\/strong><\/p>\n<ul>\n<li>Docker container:\n<ul>\n<li>\n<pre>sudo docker run --rm -it -u remnux remnux\/remnux-distro:focal bash\r\nsudo docker run --rm -it -u remnux -d -p 22:22 -v \/LOCAL\/PATH:\/home\/remnux\/files remnux\/remnux-distro bash<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>On an existing system:\n<ul>\n<li>\n<pre>wget https:\/\/REMnux.org\/remnux-cli\r\nchmod +x remnux\r\nsudo mv remnux \/usr\/local\/bin\r\nsudo apt install gnupg curl -y\r\nsudo remnux install\r\nsudo reboot<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Or install from scratch (a lot of work).<\/li>\n<li>Or deploy it in the cloud.<\/li>\n<\/ul>\n<p>For those who use Kasm Desktops, it also works well as a disposable desktop workspace.<\/p>\n<p><strong>Malware Analysis on Windows<\/strong><\/p>\n<p>Check out <strong>FlareVM<\/strong> if you need to set up an existing Windows VM for malware analysis [<a href=\"https:\/\/github.com\/mandiant\/flare-vm\">Link<\/a>]. 
It is a collection of software installation scripts created by Mandiant.<\/p>\n<p><strong>Managed Cloud Malware Analysis Platform<\/strong><\/p>\n<p>For a hassle-free malware analysis experience with no infrastructure setup, rich statistics, and open-source intelligence integrations, check out <strong>ANY.RUN<\/strong> [<a href=\"https:\/\/any.run\/\">Link<\/a>].<\/p>\n","protected":false},"excerpt":{"rendered":"<p>REMnux is a Linux distribution based on Ubuntu 20.04 that offers a curated collection of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-4022","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/4022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4022"}],"version-history":[{"count":13,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/4022\/revisions"}],"predecessor-version":[{"id":5628,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/4022\/revisions\/5628"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","te
mplated":true}]}}