Release of REMnux 7.0, distribution for malware analysis

Five years after the publication of the last issue formed new release of a specialized Linux distribution REM nux 7.0, designed to study and reverse engineer malware code. During the analysis, REMnux allows you to provide an isolated laboratory environment in which you can emulate the operation of a specific attacked network service in order to study the behavior of malware in conditions close to real. Another area of ​​application for REMnux is to study the properties of malicious inserts on websites implemented in JavaScript.

The distribution is built on the Ubuntu 18.04 package base and uses the LXDE user environment. The web browser comes with Firefox with the NoScript add-on. The distribution kit includes a fairly complete collection of tools for analyzing malware, utilities for reverse engineering code, programs for studying PDF and office documents modified by cybercriminals, and tools for monitoring system activity. Size boot image REMnux, built for launch inside virtualization systems is 5.2 GB. In the new release, all offered tools have been updated, the composition of the distribution kit has been significantly expanded (the size of the virtual machine image has doubled). The list of proposed utilities is divided into categories.

The kit includes the following Tools:

• Website analysis: Thug, mitmproxy, Network Miner Free Edition, curl, Wget, Burp Proxy Free Edition, Kiosks, pdnstool, Tor, tcpextract, tcpflow, passive.py, CapTipper, yaraPcap.py;
• Analysis of malicious Flash videos: xxxswf, SWF Tools, RABCDAsm, extract_swf, Flare;
• Java analysis: Java Cache IDX Parser, JD-GUI Java Decompiler, JAD Java Decompiler, javasis, CFR;
• JavaScript parsing: Rhino Debugger, ExtractScripts, Spider Monkey, V8, js beautifier;
• PDF parsing: AnalyzePDF, Pdfobjflow, pdfid, pdf parser, peepdf, Origami, PDF X-RAY Lite, pdftk, swf_mastah, qpdf, pdfresurrect;
• Analysis of Microsoft Office documents: office parser, pyOLEScanner.py, oletools, libolecf, oledump, emldump, MSGConvert, base64dump.py, unicode;
• Shellcode analysis: sctest, unicode2hex-escaped, unicode2raw, dism-this, shellcode2exe;
• Bringing confusing code into a readable form (deobfuscation): unXOR, XORStrings, ex_pe_xor, XORSearch, brxor.py, xortool, NoMoreXOR, XORBruteForcer, Osprey, FLOSS
• Extracting string data: strdeobj, pestr, strings;
• File recovery: Foremost, Scalpel, bulk_extractor, Chopper;
• Monitoring of network activity: Wireshark, ngrep, TCP Dump, tcpick;
• Network Services: FakeDNS, Nginx, fakeMail, Honeyd, INetSim, Inspire IRCd, OpenSSH, accept-all-ips;
• Network Utilities: prettyping.sh, set-static-ip, renew-dhcp, Netcat, EPIC IRC Client, stunnel, Just-Metadata;
• Working with a collection of malware examples: Maltrieve, Ragpicker, Viper, MASTIFFF, Density Scout;
• Definition of signatures: YaraGenerator, IOCextractor, autorule, Rule Editor, ioc-parser;
• Scanning: Yara, ClamAV, TRIDEM, Exif Tool, virustotal-submit, Disitool;
• Working with hashes: nsrllookup, Kiosks, Hash Identifier, totalhash, ssdeep, virustotal-search, VirusTotalApi;
• Malware analysis for Linux: sysdig, unhide
• Disassemblers: vivisect, Udis86, objdump;
• Debuggers: Evan's Debugger (EDB), GNU Project Debugger (GDB);
• Tracing systems: strace, ltrace
• Investigate: Radar 2, Pyew, Bucks, m2elf, ELF Parser;
• Working with text data: SciTE, geany, Vim;
• Working with images: feh, Imagemagick;
• Working with binary files: wxHexEditor, VBinDiff;
• Memory dump analysis: Volatility Framework, findaes, AESKeyFinder, RSAKeyFinder, VolDiff, Recall, linux_mem_diff_tool;
• Analysis of executable PE files UPX, Bytehist, Density Scout, PackerID, objdump, Udis86, vivisect, Signsrch, pescanner, ExeScan, pev, Peframe, pedump, Bucks, RATDecoders, Pyew, readpe.py, PyInstaller Extractor, DC3-MWCP;
• Mobile Malware Analysis: Androwarn, AndroGuard.

Source: opennet.ru