REMnux Usage Tips for Malware Analysis on Linux

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-page PDF version; you can also edit the Word version for you own needs.

Getting Started with REMnux

  • Download REMnux as a virtual appliance or install the distro on an existing compatible system, such as SIFT Workstation.
  • Review REMnux documentation at REMnux.org/docs.
  • Stay logged into the REMnux virtual appliance as the user “remnux”; the default password “malware”.
  • Use apt-get to install additional software packages if your system is connected to the Internet.
  • Run the “update-remnux all” command to upgrade REMnux and update its software.
  • Switch the GUI keyboard layout by clicking the keyboard icon in the bottom right corner of the REMnux desktop.
  • Use setxkbmap to change the keyboard layout in the terminal window.
  • On VMware, install VMware Tools using install-vmware-tools to adjust the screen size.

General Commands for Using REMnux

Shut down the systemshutdown
Reboot the systemreboot
Switch to a root shellsudo -s
Renew DHCP leaserenew-dhcp
See current IP addressmyip
Edit a text filescite file
View an image filefeh file
Start web serverhttpd start
Start SSH serversshd start

Statically Examine Files

Handle Network Interactions

Examine Browser Malware

Examine Document Files

Investigate Linux Malware

Volatility Memory Forensics Commands

Determine profilekdbgscan, imageinfo
Set profile environment variableexport VOLATILITY_PROFILE=profile
Spot hidden processespsxview
List all processespslist, psscan, cmdline
Show a registry keyprintkey -K key
Extract process imageprocdump
Extract process memorymemdump, vaddump
List open handles, files, DLLs and mutant objectshandles, filescan, dlllist, mutantscan
List services, drivers and kernel modulessvcscan, driverscan, modules, modscan
View network activitiesconnscan, connections,sockets, sockscan, netscan
View activity timelinetimeliner, evtlogs
Find and extract hidden malwaremalfind, apihooks

This cheat sheet for REMnux is distributed according to the Creative Commons v3 “Attribution” License.

Updated

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more