remnux::cheatsheet

tool REMnux malware triage
01 Start Here
What REMnux is for
- Linux toolkit for malware analysis
- static triage of suspicious files
- Office / PDF / script analysis
- IOC extraction
- controlled network observation
- quick analyst workstation with many tools already assembled

Best with:
- isolated lab
- Windows VM for detonation
- Burp / Wireshark / INetSim around it
Always do first
sha256sum sample
file sample
trid sample
exiftool sample
strings -a -n 6 sample | less
strings -el sample | less
binwalk sample
ent sample

Goal:
- identify exact format
- find URLs / PowerShell / suspicious APIs
- detect embedded data / packing
Decision tree
PE / ELF / script?
  → strings / FLOSS / capa / YARA / peframe / readelf

PDF?
  → pdfid.py / pdf-parser.py / peepdf

Office / OOXML / RTF?
  → oleid / olevba / oledump.py / msodde / mraptor

Need network behavior?
  → Burp / Wireshark / tshark / Zeek / Suricata / INetSim

Need runtime behavior?
  → paired Windows VM + snapshot + controlled network
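As an added example, not from the REMnux project or the original cheatsheet: a Python first pass that carries out the "always do first" steps and the decision tree above on a constructed sample: SHA-256, magic-byte format identification, Shannon entropy, ASCII and UTF-16LE string extraction, and a search for URLs, PowerShell and loader APIs, ending with the tool group the tree routes to. The magic table, the indicator regexes and the API list are assumptions, and the sample bytes are constructed.

```python
import hashlib
import math
import re
from collections import Counter
# Magic bytes for the formats the cheatsheet's decision tree branches on (assumed table).
MAGIC = [(b"MZ", "PE"), (b"\x7fELF", "ELF"), (b"%PDF", "PDF"), (b"{\\rtf", "RTF"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE"), (b"PK\x03\x04", "OOXML/ZIP")]
NEXT = {"PE": "strings / FLOSS / capa / YARA / peframe",
        "ELF": "readelf / strings / capa / YARA", "PDF": "pdfid.py / pdf-parser.py / peepdf",
        "OLE": "oleid / olevba / oledump.py / msodde / mraptor",
        "OOXML/ZIP": "oleid / olevba / msodde / mraptor", "RTF": "oleid / msodde / mraptor",
        "script/text": "read it, then strings / YARA", "unknown": "trid / binwalk / ent"}
# Indicator patterns (constructed): URLs, PowerShell invocation, APIs common in loaders.
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./?=&%\-]*)?")
PS_RE = re.compile(r"powershell(?:\.exe)?", re.I)
APIS = ("VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "URLDownloadToFile",
        "WinExec", "ShellExecute", "CreateProcess", "LoadLibrary", "GetProcAddress")

def identify(data: bytes) -> str:
    """Format guess from magic bytes; mostly-printable input is treated as a script."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    head = data[:512]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    return "script/text" if head and printable / len(head) > 0.95 else "unknown"

def entropy(data: bytes) -> float:  # bits per byte; near 8 over a whole file suggests packing
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def strings_ascii(data: bytes, n: int = 6):          # what `strings -a -n 6` finds
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % n, data)]

def strings_utf16le(data: bytes, n: int = 6):        # what `strings -el` finds
    return [m.decode("utf-16-le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % n, data)]

def triage(data: bytes) -> dict:
    found = strings_ascii(data) + strings_utf16le(data)
    fmt = identify(data)
    return {"sha256": hashlib.sha256(data).hexdigest(), "format": fmt, "next": NEXT[fmt],
            "entropy": round(entropy(data), 2),
            "urls": sorted({u for s in found for u in URL_RE.findall(s)}),
            "powershell": sorted({s for s in found if PS_RE.search(s)}),
            "apis": sorted({a for s in found for a in APIS if a in s})}

# Constructed sample: fake MZ header plus ASCII and UTF-16LE strings an analyst would flag.
SAMPLE = (b"MZ" + b"\x90" * 64 + b"kernel32.dll\x00VirtualAlloc\x00\x00"
          + "powershell.exe".encode("utf-16-le") + b"\x00\x00"
          + b"http://example.invalid/stage2.bin\x00" + b"\x00" * 32)
```

Call `triage(SAMPLE)` to get one dict per sample; the real tools above go deeper, but this is enough to route a file down the tree and keep its hash and IOCs with the case notes.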
02 Best Tools by Use Case
File ID / metadata
file        # quick type guess
trid        # signature-based file identification
exiftool    # metadata / creator info / timestamps
xxd         # magic bytes, quick hex view
binwalk     # embedded archives / blobs / payloads
ent         # entropy signal for packing/encryption
Static malware triage
strings -a   # ASCII strings
strings -el  # UTF-16LE strings
floss        # decoded / stack strings
capa         # capability inference from code patterns
yara         # family / IOC / config rules
peframe      # PE triage
readelf      # ELF metadata / sections
radare2      # deeper reversing
Documents
pdfid.py       # suspicious PDF features
pdf-parser.py  # objects / streams / JS / attachments
peepdf         # richer PDF workflow
oleid          # OLE risk indicators
olevba         # decode and extract VBA
oledump.py     # inspect OLE streams / embedded objects
msodde         # DDE checks
mraptor        # macro suspicion
03 Network and Fake Services
Observe malware traffic
wireshark / tshark  # packet analysis
zeek                 # structured protocol logs
suricata             # signatures + EVE JSON
burpsuite            # HTTP/S interception
mitmproxy            # scriptable HTTP/S interception
Fake Internet / sinkholes
INetSim   # fake HTTP / DNS / FTP / SMTP and more
dnschef   # fake DNS answers / redirect domains to local IP

Use when:
- sample calls home
- you need to keep egress local
- you want repeatable malware behavior
- you want to catch second-stage downloads
Practical lab notes
- disable direct Internet if possible
- snapshot before detonation
- separate analyst VM and victim VM
- log all callbacks and DNS
- keep hashes and extracted artifacts organized
- save string dumps, YARA hits, and capa output
04 Practical Recipes
PE / EXE triage
file sample.exe
strings -a sample.exe | tee strings.txt
strings -a -el sample.exe | tee strings-utf16.txt
floss sample.exe | tee floss.txt
capa sample.exe | tee capa.txt
peframe sample.exe | tee peframe.txt
yara rules.yar sample.exe
Document triage
oleid sample.doc
olevba --decode sample.doc
oledump.py sample.doc
msodde sample.doc
mraptor sample.doc

Then extract the suspicious macro or embedded blob and rerun the main workflow on it.
PDF triage
pdfid.py sample.pdf
pdf-parser.py -a sample.pdf
pdf-parser.py --search javascript sample.pdf
pdf-parser.py -o <objid> -f -d dumped.bin sample.pdf