This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs.
Operate in REMnux as the user "remnux”. The default password for this account is “malware”.
Run privileged commands on REMnux using “sudo”.
Use “apt-get” to install additional software packages if your system is connected to the Internet.
Use “setxkbmap” to switch keyboard layout. For example, for German layout use “setxkbmap de".
You can switch the screen resolution using “xrandr” followed by the “xrandr -s” command.
If using VMware, you can install VMware Tools to auto-switch screen resolution.
|Shut down the system||shutdown|
|Reboot the system||reboot|
|Switch to a root shell||sudo –s|
|Renew DHCP lease||renew-dhcp|
|See current IP address||myip|
|Edit a text file||scite file|
|View an image file||feh file|
|Start web server||httpd start|
|Start SSH server||sshd start|
Intercept traffic and emulate some services with Honeyd (“farpd start”, then “honeyd start”).
Wrap network traffic with SSL using “stunnel”.
Retrieve websites with “wget” and “curl”.
Inspect malicious websites and traffic captures with “jsunpackn” after “cd ~remnux/jsunpackn”.
Emulate shellcode execution using “sctest -Svs”.
Scan the executable for suspicious characteristics and packer signatures using “pescanner”.
Check whether the file might be packed using “densityscout” and “bytehist”.
Explore the executable’s internals using “pyew”.
Identify file type using “trid” and “file”.
Extract metadata using “hachoir-metadata”.
Find and extract subfiles using “hachoir-subfile”.
Compare binary files using “vbindiff”.
Decompile Java class files using “jad” and “jd-gui”.
Analyze memory image files using “volatility”.
|Spot hidden processes||psxview|
|List all processes||pslist, psscan|
|Show a registry key||printkey -K key|
|Extract process image||procexedump|
|Extract process memory||memdump, vaddump|
|List open handles, files, DLLs and mutant objects||handles, filescan, dlllist, mutantscan|
|List services, drivers and kernel modules||svcscan, driverscan, modules, modscan|
|View network activities||connscan, connections,
sockets, sockscan, netscan
|View activity timeline||timeliner, evtlogs|
|Find and extract malware||malfind, apihooks|
Such malware analysis topics are covered in Lenny Zeltser's Reverse-Engineering Malware (REM) course, which he teaches at SANS Institute.
This cheat sheet for REMnux v3 is distributed according to the Creative Commons v3 “Attribution” License.
Take a look at my other security cheat sheets.
Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2014 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.