REMnux Usage Tips for Malware Analysis on Linux

This cheat sheet outlines the tools and commands for analyzing malicious software on the REMnux Linux distribution. To print, use the one-sheet PDF version; you can also edit the Word version for your own needs.

Getting Started with REMnux

  • Download REMnux as a virtual appliance or install the distro on an existing compatible system, such as SIFT Workstation.
  • Log into the REMnux virtual appliance as the user “remnux”, default password “malware”.
  • Use apt-get to install additional software packages if your system is connected to the Internet.
  • Run the update-remnux command to upgrade REMnux and update its software.
  • Switch keyboard layout by clicking the keyboard icon in the bottom right corner of the REMnux desktop.
  • On VMware, install VMware Tools using install-vmware-tools to adjust the screen size.

General Commands for Using REMnux

Shut down the system: shutdown
Reboot the system: reboot
Switch to a root shell: sudo -s
Renew DHCP lease: renew-dhcp
See current IP address: myip
Edit a text file: scite file
View an image file: feh file
Start web server: httpd start
Start SSH server: sshd start

Statically Examine Files

Handle Network Interactions

Examine Browser Malware

Examine Document Files

Investigate Linux Malware

Volatility Memory Forensics Commands

Determine profile: kdbgscan, imageinfo
Spot hidden processes: psxview
List all processes: pslist, psscan
Show a registry key: printkey -K key
Extract process image: procdump
Extract process memory: memdump, vaddump
List open handles, files, DLLs and mutant objects: handles, filescan, dlllist, mutantscan
List services, drivers and kernel modules: svcscan, driverscan, modules, modscan
View network activities: connscan, connections, sockets, sockscan, netscan
View activity timeline: timeliner, evtlogs
Find and extract malware: malfind, apihooks

Additional Resources

This cheat sheet for REMnux is distributed according to the Creative Commons v3 “Attribution” License.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
