Tools

T1204

REMnux

A practical guide to REMnux for SOC analysts — the Linux distro for malware analysis, pre-installed tools, install and setup guide, common workflows for reverse engineering and triage, and integration with sandbox environments.

View on Graph

What REMnux Is and Why Analysts Use It

  • REMnux is a Ubuntu-based Linux distribution maintained by Lenny Zeltser that bundles hundreds of malware analysis tools into a single VM or Docker image. It is the standard toolkit for SOC malware triage and reverse engineering.
  • MITRE ATT&CK maps malware analysis to supporting T1204 (User Execution) detection — understanding what a file does informs response decisions.
  • The value of REMnux is that it eliminates tool setup time. Instead of spending hours installing Python packages, reverse engineering frameworks, and analysis utilities, an analyst spins up a REMnux VM and has immediate access to everything they need for static analysis, dynamic analysis, memory forensics, and network simulation.
  • It is typically used alongside a Windows analysis sandbox (like FLARE VM) — REMnux handles Linux malware, network analysis, and tools while the Windows VM handles PE analysis.

Installation and Setup

System Requirements

ResourceMinimumRecommended
RAM2 GB8 GB
Disk20 GB60 GB (sample storage)
CPU1 core4 cores
HypervisorVirtualBox, VMware, or Hyper-VVirtualBox (free)

Installation Methods

# Method 1 — Download VM image (recommended)
# Download from: https://docs.remnux.org/install/get-the-appliance
# Import into VirtualBox or VMware

# Method 2 — Install on existing Ubuntu
wget https://remnux.org/install-ubuntu.sh
chmod +x install-ubuntu.sh
sudo ./install-ubuntu.sh

# Method 3 — Docker
docker pull remnux/remnux-docker
docker run -it remnux/remnux-docker

# Method 4 — SaltStack-based install (for customization)
sudo apt update && sudo apt install -y salt-minion
sudo wget -O /tmp/remnux.sls https://remnux.org/remnux.sls
sudo salt-call --local state.apply remnux.sls

First Boot — Post-Installation Tasks

# Update tool packages
sudo remnux update

# Verify installation — list all installed tools
remnux tools

# Set up network simulation tools (for safe malware execution)
sudo remnux netsim-setup

Tool Categories on REMnux

Static Analysis Tools

ToolWhat It DoesHow to Use
fileIdentify file typefile suspicious.exe
stringsExtract printable strings`strings suspicious.exe
exiftoolExtract file metadataexiftool suspicious.exe
pev (readpe, pescan, ispe)PE file analysisreadpe suspicious.exe
peframePE file analysis with heuristic detectionpeframe suspicious.exe
flossFLARE Obfuscated String Solver — extracts obfuscated stringsfloss suspicious.exe
radare2Reverse engineering frameworkr2 suspicious.exe
capaIdentify malware capabilitiescapa suspicious.exe
detect-it-easy (die)Detect packers, compilers, protectorsdiec suspicious.exe
upxUPX pack/unpackupx -d packed.exe

Dynamic Analysis Tools (Safe Execution)

ToolWhat It DoesHow to Use
Fakenet-NGSimulate network services — intercepts malware C2sudo fakenet -c /etc/fakenet/fakenet.ini
INetSimSimulate common internet services (HTTP, DNS, SMTP)sudo inetsim
Dumpcap / tsharkNetwork packet capturesudo tshark -i lo -w capture.pcap
straceTrace system callsstrace -o syscalls.log ./suspicious
ltraceTrace library callsltrace ./suspicious

Memory Forensics Tools

ToolWhat It DoesHow to Use
Volatility 3Memory analysis frameworkvol -f memory.dump windows.pslist
RekallMemory analysis framework (older, but still useful)rekall -f memory.dump pslist
LiMELinux Memory Extractorsudo insmod lime.ko path=mem.lime format=lime
MemProcFSMount memory dump as filesystemmemprocfs.exe -device memory.dump -forensic 1

YARA and Signature Tools

ToolWhat It DoesHow to Use
YARAPattern-matching tool for malware classificationyara -s rules.yar suspicious.exe
yara-pythonPython bindings for YARApython3 -c "import yara"
yarGenGenerate YARA rules from malware samplesyarGen -m /samples/ -o /output/
signsrchSearch for signatures in binariessignsrch suspicious.exe

Network Analysis Tools

ToolWhat It DoesHow to Use
WiresharkNetwork traffic analysis (GUI)wireshark
tsharkNetwork traffic analysis (CLI)tshark -r capture.pcap
ngrepGrep for network trafficngrep -d any "POST" port 80
tcpdumpPacket capturesudo tcpdump -i any -c 100 -w capture.pcap
netcatNetwork connection testingnc -vz 185.220.101.45 443

Common REMnux Workflows

Workflow 1 — Static Triage of a Suspicious PE

# 1. Identify file type
file suspicious.exe

# 2. Compute hashes
sha256sum suspicious.exe
md5sum suspicious.exe

# 3. Extract strings (including obfuscated)
strings suspicious.exe | grep -i "http"
floss suspicious.exe | grep -iE "https?://|C:\\"

# 4. Check for packers
diec suspicious.exe

# 5. Analyze PE structure
readpe suspicious.exe | grep -A 10 "Sections"

# 6. Identify capabilities
capa suspicious.exe

# 7. Check against VirusTotal (requires API key)
curl -s --request GET \
  --url "https://www.virustotal.com/api/v3/files/$(sha256sum suspicious.exe | awk '{print $1}')" \
  --header "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats'

Workflow 2 — Dynamic Analysis with Network Simulation

# 1. Start network simulation
sudo fakenet -c /etc/fakenet/fakenet.ini -d
# Or: sudo inetsim

# 2. Capture all traffic from the analysis
sudo tcpdump -i lo -w analysis.pcap &

# 3. Run the suspicious file in an isolated VM
./suspicious.exe

# 4. After execution, analyze captured traffic
tshark -r analysis.pcap -Y "dns" -T fields -e dns.qry.name | sort -u

# 5. Check what the malware tried to do
cat /var/log/fakenet/protocol/http.log

Workflow 3 — Memory Dump Analysis

# 1. If you have a memory dump from the infected system:
vol -f memory.dump windows.pslist
vol -f memory.dump windows.netscan
vol -f memory.dump windows.cmdline

# 2. Check for suspicious processes
vol -f memory.dump windows.pslist | grep -iE "powershell|rundll|cscript|wscript|svchost"

# 3. Check network connections from the dump
vol -f memory.dump windows.netscan

# 4. Dump a suspicious process for further analysis
vol -f memory.dump windows.memmap.Memmap --pid 1234 --dump

REMnux + FLARE VM — The Standard Analysis Pair

AspectREMnuxFLARE VM
OSLinux (Ubuntu)Windows
Best forStatic analysis, Linux malware, network sim, YARA, memory forensicsPE analysis, debugging (x64dbg), .NET analysis, dynamic execution
Tool focusCLI tools, Python scripts, network simulatorsGUI tools, debuggers, process monitoring
Malware typeELF, cross-platform, network analysisPE (EXE, DLL), .NET, PowerShell, VBA
NetworkCan safely simulate network servicesNeeds network simulation — use REMnux as DNS/HTTP sinkhole

Recommended setup:

  • Run REMnux on a host-only VM network
  • Run FLARE VM on the same host-only network
  • Configure FLARE VM to use REMnux as its DNS and gateway
  • Execute malware in FLARE VM; REMnux catches all outbound traffic

Maintaining REMnux

# Update all tools
sudo remnux update

# Verify all tools are working
remnux check

# Install additional Python packages
sudo remnux python-packages install yara-python

# Reset REMnux to defaults
sudo remnux reset

# View tool documentation
remnux help <toolname>

Sources