REMnux Usage Tips for Malware Analysis on Linux

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-page PDF version; you can also edit the Word version for you own needs.

Getting Started with REMnux

  • Download REMnux as a virtual appliance or install the distro on an existing compatible system, such as SIFT Workstation.
  • Review REMnux documentation at REMnux.org/docs.
  • Stay logged into the REMnux virtual appliance as the user “remnux”; the default password “malware”.
  • Use apt-get to install additional software packages if your system is connected to the Internet.
  • Run the “update-remnux all” command to upgrade REMnux and update its software.
  • Switch the GUI keyboard layout by clicking the keyboard icon in the bottom right corner of the REMnux desktop.
  • Use setxkbmap to change the keyboard layout in the terminal window.
  • On VMware, install VMware Tools using install-vmware-tools to adjust the screen size.

General Commands for Using REMnux

Shut down the systemshutdown
Reboot the systemreboot
Switch to a root shellsudo -s
Renew DHCP leaserenew-dhcp
See current IP addressmyip
Edit a text filescite file
View an image filefeh file
Start web serverhttpd start
Start SSH serversshd start

Statically Examine Files

Handle Network Interactions

Examine Browser Malware

Examine Document Files

Investigate Linux Malware

Volatility Memory Forensics Commands

Determine profilekdbgscan, imageinfo
Set profile environment variableexport VOLATILITY_PROFILE=profile
Spot hidden processespsxview
List all processespslist, psscan, cmdline
Show a registry keyprintkey -K key
Extract process imageprocdump
Extract process memorymemdump, vaddump
List open handles, files, DLLs and mutant objectshandles, filescan, dlllist, mutantscan
List services, drivers and kernel modulessvcscan, driverscan, modules, modscan
View network activitiesconnscan, connections,sockets, sockscan, netscan
View activity timelinetimeliner, evtlogs
Find and extract hidden malwaremalfind, apihooks

This cheat sheet for REMnux is distributed according to the Creative Commons v3 “Attribution” License.

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more