Malware Dynamic Analysis with REMnux

REMnux is a Linux toolkit for reverse engineering and analyzing malicious software.

Upgrade REMnux

Before starting analysis, upgrade the REMnux machine by running the following command.

remnux upgrade

Add Execute Permission

To analyze an executable, modify the permission to execute the file then run it.

chmod +x example.exe
./example.exe

Sniff C2 Server Packets

If the executable starts C2 server when dynamic analysis, we might be able to sniff packets using Wireshark. In Wireshark, filter by http for sniffing HTTP packets.

Using Process Monitor (Windows)

If our environment is Windows, start Process Monitor before dynamic analysis.
Process Monitor (ProcMon) is a Windows tool that analyze the behavior (real-time registry, file system, and process/threat activity) while analyzing malware.

In ProcMon, set "Process Name" "is" "executable.exe" then "Include" in the Process Monitor Filter, and click Add → OK.
After executing, we should see results appear in the ProcMon.
The first step is to unset all filters on the right of the tool bar, then set again a filter one by one.

• Show Registry Activity

  This filter allows us to determine if any significant Registry Modifications are executed by the binary. To focus on Registry Key Creations and Modifications, exclude RegOpenKey, RegQueryValue, RegQueryKey, RegCloseKey by right-clicking on the row of results.

• Show File System Activity

  This filter allows us to determint if the malware executes File Creations. To focus only on File Write events, exclude CreateFile, CreateFileMapping, QuerySecurityFile, QueryNameInformationFile, QueryBasicInformationFile, CloseFile, ReadFile.

• Show Network Activity

  This filter allows us to confirm if the malware attempts to make a network connection.