REMnux Usage Tips for Malware Analysis on Linux

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs.

Getting Started with REMnux

  • Download REMnux as a virtual appliance or install the distro on an existing compatible system, such as SIFT Workstation.
  • Log into the REMnux virtual appliance as the user “remnux”, default password “malware”.
  • Use apt-get to install additional software packages if your system is connected to the Internet.
  • Run the update-remnux command to upgrade REMnux and update its software.
  • Switch keyboard layout by clicking the keyboard icon in the bottom right corner of the REMnux desktop.
  • On VMware, install VMware Tools using install-vmware-tools to adjust the screen size.

General Commands for Using REMnux

Shut down the system shutdown
Reboot the system reboot
Switch to a root shell sudo -s
Renew DHCP lease renew-dhcp
See current IP address myip
Edit a text file scite file
View an image file feh file
Start web server httpd start
Start SSH server sshd start

Statically Examine Files

Handle Network Interactions

Examine Browser Malware

Examine Document Files

Investigate Linux Malware

Volatility Memory Forensics Commands

Determine profile kdbgscan, imageinfo
Spot hidden processes psxview
List all processes pslist, psscan
Show a registry key printkey -K key
Extract process image procdump
Extract process memory memdump, vaddump
List open handles, files, DLLs and mutant objects handles, filescan, dlllist, mutantscan
List services, drivers and kernel modules svcscan, driverscan, modules, modscan
View network activities connscan, connections,sockets, sockscan, netscan
View activity timeline timeliner, evtlogs
Find and extract malware malfind, apihooks

Additional Resources

This cheat sheet for REMnux is distributed according to the Creative Commons v3 “Attribution” License.


About the Author

Lenny Zeltser is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more