Malware Handbook

Setting Up REMnux Environment

Tools and Software Setup:

  1. REMnux:

    • REMnux is a specialized Linux distribution designed for malware analysis.

    • Version: REMnux v7.

    • The appliance is available for download from the official REMnux website.

  2. Virtual Machine Guest Tools Installation:

    • VirtualBox:

      • Click on Devices in the VirtualBox menu.

      • Select Insert Guest Additions CD Image.

      • Run the installer to install the guest tools.

    • VMware or Other VM Hosting Software:

      • Check the respective documentation to install the guest tools.

    • Credentials:

      • Username: remnux

      • Password: malware

    • Post Installation:

      • Restart the operating system.

      • Enable Drag and Drop and Clipboard Sharing.

      • Test these features by dragging and dropping files (e.g., course archives) into a folder.

  3. Extracting Course Files:

    • Use the 7z command-line tool to extract course files:

      7z e re_nonmalware_samples.7z -oRE_nonmalware_samples

    • Extract the files into the folder RE_nonmalware_samples.

  4. IDA Freeware Installation:

    • Download the Linux version of IDA Freeware from the Hex-Rays website.

    • The installation package is a .run file.

    • Installation Steps:

      • Open a terminal in the folder where the IDA Freeware was downloaded.

      • Grant execute permissions to the installer using chmod:

        chmod +x idafree.run

      • Run the installer to install IDA Free.

    • Shortcut Configuration:

      • A shortcut for IDA Free is stored in the Desktop folder.

      • To make it globally accessible, move the shortcut to the shared applications folder.

  5. Setting Up FakeNet:

    • FakeNet: A network simulation tool that is useful for analyzing how malware interacts with the network.

    • Run FakeNet with root privileges using sudo.

    • Common Issue:

      • If you encounter an error related to DNS port (Port 53) already being used, the systemd-resolved service might be the cause.

    • Solution:

      • Disable the systemd-resolved service:

        sudo systemctl stop systemd-resolved
        sudo systemctl disable systemd-resolved

      • Edit the NetworkManager configuration file (/etc/NetworkManager/NetworkManager.conf):

        • Add the following line under the [main] section:

          dns=default

        • Save and exit the editor.

      • Restart the NetworkManager service:

        sudo systemctl restart NetworkManager

    • Verification:

      • Run the lsof command to ensure that Port 53 is free:

        sudo lsof -i :53

      • FakeNet should now run smoothly.

  6. Final Step:

    • Take a snapshot of the VM state, which includes the configured REMnux environment and the course files, to preserve the setup for future analysis.

These notes cover the essential steps to set up the REMnux environment for ELF analysis, including installing necessary tools and configuring network settings for smooth operation.
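
As an added example that is not part of the handbook, the port-53 fix from step 5 as one script: it reads who holds port 53 from lsof, stops and disables systemd-resolved only when it is the holder, backs up and rewrites NetworkManager.conf so that a single dns=default line sits under [main], restarts NetworkManager and verifies that the port is free. It assumes systemd-resolved is the conflicting listener and that NetworkManager reads the path in NM_CONF; the script name free_port53.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the handbook): automates the port-53 fix from step 5
# so FakeNet can bind its DNS listener. Assumes systemd-resolved holds port 53
# and NetworkManager reads $NM_CONF. Usage: sudo sh free_port53.sh run
set -eu
NM_CONF="${NM_CONF:-/etc/NetworkManager/NetworkManager.conf}"

# Print unique COMMAND names from "lsof -i :53" output read on stdin. lsof
# truncates command names to 9 characters, so systemd-resolved is "systemd-r".
holders_from_lsof() {
  awk 'NR > 1 && NF > 0 { print $1 }' | sort -u
}

port53_listeners() {
  lsof -nP -i :53 2>/dev/null | holders_from_lsof
}

# Ensure exactly one "dns=default" line sits under [main] in the given file.
# Idempotent: rewrites an existing dns= line, inserts one if [main] has none,
# and appends a [main] section if the file lacks one.
nm_set_dns_default() {
  conf="$1"
  awk '
    /^\[/ { if (in_main && !done) { print "dns=default"; done = 1 }
            in_main = ($0 == "[main]") }
    in_main && /^[ \t]*dns[ \t]*=/ {
            if (!done) { print "dns=default"; done = 1 }; next }
    { print }
    END { if (!done) { if (!in_main) print "[main]"; print "dns=default" } }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

free_port53() {
  [ "$(id -u)" -eq 0 ] || { echo "run this as root (sudo)" >&2; return 1; }
  command -v lsof >/dev/null || { echo "lsof is required" >&2; return 1; }
  if port53_listeners | grep -q '^systemd-r'; then
    systemctl stop systemd-resolved
    systemctl disable systemd-resolved
  fi
  cp "$NM_CONF" "$NM_CONF.bak"   # keep the original so the change can be reverted
  nm_set_dns_default "$NM_CONF"
  systemctl restart NetworkManager
  held="$(port53_listeners)"
  if [ -n "$held" ]; then
    echo "port 53 is still held by: $held" >&2; return 1
  fi
  echo "port 53 is free; start FakeNet with sudo"
}

if [ "${1:-}" = "run" ]; then free_port53; fi
```

To undo the change later, restore the .bak copy, re-enable systemd-resolved and restart NetworkManager.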
