REMnux Usage Tips for Malware Analysis on Linux

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs.

Getting Started with REMnux

  • Download REMnux as a virtual appliance or install the distro on an existing compatible system, such as SIFT Workstation.
  • Log into the REMnux virtual appliance as the user “remnux”, default password “malware”.
  • Use apt-get to install additional software packages if your system is connected to the Internet.
  • Run the update-remnux command to upgrade REMnux and update its software.
  • Switch keyboard layout by clicking the keyboard icon in the bottom right corner of the REMnux desktop.
  • On VMware, install VMware Tools using install-vmware-tools to adjust the screen size.

General Commands for Using REMnux

Shut down the systemshutdown
Reboot the systemreboot
Switch to a root shellsudo -s
Renew DHCP leaserenew-dhcp
See current IP addressmyip
Edit a text filescite file
View an image filefeh file
Start web serverhttpd start
Start SSH serversshd start

Statically Examine Files

Handle Network Interactions

Examine Browser Malware

Examine Document Files

Investigate Linux Malware

Volatility Memory Forensics Commands

Determine profilekdbgscan, imageinfo
Spot hidden processespsxview
List all processespslist, psscan
Show a registry keyprintkey -K key
Extract process imageprocdump
Extract process memorymemdump, vaddump
List open handles, files, DLLs and mutant objectshandles, filescan, dlllist, mutantscan
List services, drivers and kernel modulessvcscan, driverscan, modules, modscan
View network activitiesconnscan, connections,sockets, sockscan, netscan
View activity timelinetimeliner, evtlogs
Find and extract malwaremalfind, apihooks

Additional Resources

This cheat sheet for REMnux is distributed according to the Creative Commons v3 “Attribution” License.


About the Author

Lenny Zeltser is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. The perspectives expressed by Lenny on this site don't necessarily reflect the views of NCR or SANS.

Learn more