Malware Dynamic Analysis with REMnux

REMnux is a Linux toolkit for reverse engineering and analyzing malicious software.

Upgrade REMnux

Before starting analysis, upgrade the REMnux machine by running the following command.

remnux upgrade


Add Execute Permission

To analyze an executable, add execute permission to the file, then run it.

chmod +x example.exe
./example.exe


Sniff C2 Server Packets

If the executable contacts a C2 server during dynamic analysis, we may be able to capture the traffic with Wireshark. In Wireshark, apply the display filter http to show only HTTP packets.


Using Process Monitor (Windows)

If our environment is Windows, start Process Monitor before dynamic analysis.
Process Monitor (ProcMon) is a Windows tool that records behavior (real-time registry, file system, and process/thread activity) while the malware runs.

In the Process Monitor Filter dialog, set "Process Name" "is" "executable.exe" then "Include", and click Add → OK.
After executing the sample, its events should appear in ProcMon.
To narrow the output, first unset all of the filter buttons on the right of the toolbar, then enable them again one by one.
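To reduce the filtered ProcMon output to the events that matter, here is an added Python example (not part of the original page) that applies the same "Process Name is executable.exe" filter to a ProcMon CSV export and summarises the dropped files, Run-key persistence and network connections it recorded. The CSV rows are constructed for this example, and the column names are assumed to match ProcMon's default CSV export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a ProcMon CSV export (File > Save > CSV).
# Column names are assumed to match ProcMon's defaults; the rows are made up.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,explorer.exe,1234,RegQueryValue,HKCU\\Software\\Classes,SUCCESS,Type: REG_SZ
10:01:03.2,executable.exe,4321,Process Start,,SUCCESS,Parent PID: 1234
10:01:03.5,executable.exe,4321,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\svc.exe,SUCCESS,Desired Access: Generic Write
10:01:03.6,executable.exe,4321,WriteFile,C:\\Users\\lab\\AppData\\Roaming\\svc.exe,SUCCESS,"Offset: 0, Length: 4096"
10:01:04.0,executable.exe,4321,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc,SUCCESS,Type: REG_SZ
10:01:04.3,executable.exe,4321,TCP Connect,lab-vm:49152 -> 203.0.113.10:80,SUCCESS,Length: 0
10:01:04.4,executable.exe,4321,RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid,SUCCESS,Type: REG_SZ
10:01:05.0,svchost.exe,800,ReadFile,C:\\Windows\\System32\\kernel32.dll,SUCCESS,"Offset: 0, Length: 512"
"""

# Operations that point at dropped files, persistence or network activity.
INTERESTING = {"Process Start", "Process Create", "CreateFile", "WriteFile",
               "RegSetValue", "TCP Connect", "UDP Send"}

def filter_events(csv_text, process_name):
    """Keep only rows for one process, like ProcMon's
    'Process Name is <name> then Include' filter."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["Process Name"].lower() == process_name.lower()]

def summarize(events):
    """Count interesting operations and collect the unique paths they touched."""
    hits = [e for e in events if e["Operation"] in INTERESTING]
    counts = Counter(e["Operation"] for e in hits)
    paths = sorted({e["Path"] for e in hits if e["Path"]})
    return counts, paths

def persistence_hits(paths):
    """Return registry paths under a CurrentVersion\\Run key (autostart persistence)."""
    return [p for p in paths if "\\CurrentVersion\\Run" in p]

if __name__ == "__main__":
    events = filter_events(SAMPLE_CSV, "executable.exe")
    counts, paths = summarize(events)
    for op, n in counts.most_common():
        print(f"{op:15} {n}")
    for p in paths:
        print("   ", p)
    print("persistence:", persistence_hits(paths))
```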