Malware Dynamic Analysis with REMnux
Last modified: 2023-07-19
REMnux is a Linux toolkit for reverse engineering and analyzing malicious software.
Upgrade REMnux
Before starting analysis, upgrade the REMnux machine by running the following command.
remnux upgrade
Add Execute Permission
To analyze an executable, add execute permission to the file and then run it.
chmod +x example.exe
./example.exe
Sniff C2 Server Packets
If the executable starts a C2 server (or connects to one) during dynamic analysis, we might be able to sniff its packets using Wireshark. In Wireshark, filter by http to see only HTTP packets.
Using Process Monitor (Windows)
If our environment is Windows, start Process Monitor before dynamic analysis.
Process Monitor (ProcMon) is a Windows tool that shows a process's behavior in real time (registry, file system, network, and process/thread activity) while we analyze the malware.
In the Process Monitor Filter dialog, set "Process Name" "is" "executable.exe" then "Include", and click Add → OK.
After executing the binary, its events should appear in ProcMon.
The first step is to turn off all of the activity filters on the right of the toolbar, then turn them back on one at a time.
- Show Registry Activity
This filter allows us to determine whether the binary makes any significant registry modifications. To focus on registry key creations and modifications, exclude RegOpenKey, RegQueryValue, RegQueryKey and RegCloseKey by right-clicking on a result row with that operation and choosing Exclude.
- Show File System Activity
This filter allows us to determine whether the malware creates files. To focus only on file write events, exclude CreateFile, CreateFileMapping, QuerySecurityFile, QueryNameInformationFile, QueryBasicInformationFile, CloseFile and ReadFile in the same way.
- Show Network Activity
This filter allows us to confirm whether the malware attempts to make a network connection.
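The same triage can be done offline on a ProcMon CSV export (File → Save, CSV format), which is handy when the capture was taken on a Windows sandbox and the analysis happens on REMnux. The script below is an added example, not part of the original page or of ProcMon: it applies the "Process Name is example.exe" include filter, then drops the same noisy operations the three activity filters above exclude, so only registry modifications, file writes, network events and process/thread events remain. It assumes ProcMon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the CSV rows, process names, paths and the 203.0.113.10 address are constructed sample data.

```python
"""Bucket a ProcMon CSV export the way the Registry / File System / Network
activity filters do. Added example; assumes ProcMon's default CSV columns."""
import csv
import io
from collections import defaultdict

# Operations excluded so that only registry key creations/modifications remain.
REGISTRY_NOISE = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegCloseKey"}
# Operations excluded so that only file write events remain.
FILE_NOISE = {"CreateFile", "CreateFileMapping", "QuerySecurityFile",
              "QueryNameInformationFile", "QueryBasicInformationFile",
              "CloseFile", "ReadFile"}

# Constructed sample export (not a real capture). 203.0.113.10 is a documentation address.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","example.exe","1234","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write"
"10:00:01.0000010","example.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\Public\updater.exe"
"10:00:01.0000020","example.exe","1234","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"10:00:01.0000030","example.exe","1234","CreateFile","C:\Users\Public\updater.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.0000040","example.exe","1234","WriteFile","C:\Users\Public\updater.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:00:01.0000050","example.exe","1234","CloseFile","C:\Users\Public\updater.exe","SUCCESS",""
"10:00:01.0000060","example.exe","1234","TCP Connect","analysis-vm:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:00:01.0000070","explorer.exe","800","ReadFile","C:\Windows\explorer.exe","SUCCESS","Offset: 0, Length: 512"
"10:00:01.0000080","example.exe","1234","Process Create","C:\Users\Public\updater.exe","SUCCESS","PID: 1300"
'''


def classify(operation):
    """Map a ProcMon operation name to an activity class, or None if it is
    one of the operations the text excludes as noise."""
    if operation.startswith("Reg"):
        return None if operation in REGISTRY_NOISE else "registry"
    if operation.startswith(("TCP ", "UDP ")):
        return "network"
    if operation.startswith(("Process ", "Thread ", "Load Image")):
        return "process"
    # Everything else in ProcMon is a file system operation.
    return None if operation in FILE_NOISE else "filesystem"


def summarize(csv_text, process_name):
    """Keep only rows for process_name (the Include filter), then bucket the
    remaining operations by activity class: {class: [(op, path, result), ...]}."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"] != process_name:
            continue
        kind = classify(row["Operation"])
        if kind is None:
            continue
        buckets[kind].append((row["Operation"], row["Path"], row["Result"]))
    return dict(buckets)


if __name__ == "__main__":
    for kind, events in summarize(SAMPLE_CSV, "example.exe").items():
        print(f"== {kind} ==")
        for op, path, result in events:
            print(f"  {op:<16} {result:<8} {path}")
```

Running it on the constructed export leaves one RegSetValue (a Run-key persistence entry), one WriteFile (the dropped file), one TCP Connect and one Process Create, while the explorer.exe row and the Open/Query/Close noise are gone, which is the same view the three toolbar filters produce in the ProcMon GUI. Point it at a real export with `summarize(open("Logfile.CSV").read(), "example.exe")`.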