I also tweet, blog and . Contact Me|Research

REMnux Usage Tips for Malware Analysis on Linux

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs.

Getting Started with REMnux

Download REMnux from REMnux.org as a Live CD ISO image file or a VMware/VirtualBox virtual appliance.

Operate in REMnux as the user "remnux”. The default password for this account is “malware”.

Run privileged commands on REMnux using “sudo”.

Use “apt-get” to install additional software packages if your system is connected to the Internet.

Use “setxkbmap” to switch keyboard layout. For example, for German layout use “setxkbmap de".

You can switch the screen resolution using “xrandr” followed by the “xrandr -s” command.

If using VMware, you can install VMware Tools to auto-switch screen resolution.

General Commands for Using REMnux

Shut down the system shutdown
Reboot the system reboot
Switch to a root shell sudo –s
Renew DHCP lease renew-dhcp
See current IP address myip
Edit a text file scite file
View an image file feh file
Start web server httpd start
Start SSH server sshd start

Tools for Analyzing Network Malware

For IRC bots, start the IRC daemon (“ircd start”) and the IRC client (“irc”).

Analyze network traffic with “wireshark”, “sudo tcpdump”, “sudo ngrep”, “pdnstool”, “NetworkMiner” and “nc”.

Intercept traffic and emulate some services with Honeyd (“farpd start”, then “honeyd start”).

Emulate common network services using “fakedns”, “fakesmtp” and “inetsim”.

Wrap network traffic with SSL using “stunnel”.

Examining Malicious Websites

Deobfuscate JavaScript with SpiderMonkey (“js”), “d8”, “rhino-debugger” and Firebug.

Define JavaScript objects using /usr/local/etc/def.js.

You can clean up JavaScript with “js-beautify”.

Control web traffic with “burpsuite” and Tamper Data.

Retrieve websites with “wget” and “curl”.

Hide your origin with “tor start”, “usewithtor”.

Examine malicious Flash files with “swfdump -Ddu”, “flare”, RABCDAsm, and “xxxswf.py”.

Inspect malicious websites and traffic captures with “jsunpackn” after “cd ~remnux/jsunpackn”.

Analyzing Malicious Document Files

Examine suspicious Microsoft Office documents with “pyOLEScanner.py” and “hachoir-urwid”.

Navigate through PDFs using “pyew”, “peepdf” and “pdfwalker”.

Extract JavaScript or SWFs from PDFs using “pdfextract”, “pdf.py” and “swf_mastah”.

Examine PDFs using “pdfcop”, “pdf-parser”, “pdfid”, “pdfdecompress” and “pdfxray_lite”.

Emulate shellcode execution using “sctest -Svs”.

Analyzing Executables and Other Files

Scan the executable for suspicious characteristics and packer signatures using “pescanner”.

Check whether the file might be packed using “densityscout” and “bytehist”.

Explore the executable’s internals using “pyew”.

Identify file type using “trid” and “file”.

Scan files for malware signatures using “clamscan” after refreshing signatures with “sudo freshclam”.

Disassemble code using “radare”, “pyew”, “gdb” and “objdump -Mintel -D”.

Extract metadata using “hachoir-metadata”.

Find and extract subfiles using “hachoir-subfile”.

Compare binary files using “vbindiff”.

Find obfuscated or encrypted data with “xorsearch”, “findaes”, "xortool", “aeskeyfind” and “rsakeyfind”.

Decompile Java class files using “jad” and “jd-gui”.

Analyze memory image files using “volatility”.

Volatility Memory Forensics Commands

Spot hidden processes psxview
List all processes pslist, psscan
Show a registry key printkey -K key
Extract process image procexedump
Extract process memory memdump, vaddump
List open handles, files, DLLs and mutant objects handles, filescan, dlllist, mutantscan
List services, drivers and kernel modules svcscan, driverscan, modules, modscan
View network activities connscan, connections,
sockets, sockscan, netscan
View activity timeline timeliner, evtlogs
Find and extract malware malfind, apihooks

Useful Configuration Files on REMnux

Honeyd /etc/honeypot/honeyd.conf
INetSim /etc/inetsim/inetsim.conf
Web server /etc/thttpd/thttpd.conf
IRC server /etc/inspircd/inspircd.conf
SSH server /etc/ssh/sshd_config
Aliases ~remnux/.bash_aliases
Wget ~remnux/.wgetrc

Post-Scriptum

Such malware analysis topics are covered in Lenny Zeltser's Reverse-Engineering Malware (REM) course, which he teaches at SANS Institute.

This cheat sheet for REMnux v3 is distributed according to the Creative Commons v3 “Attribution” License.

Take a look at my other security cheat sheets.


Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and .