Analyzing Malicious Documents Cheat Sheet (Scribd upload, 8 pages)
Uploaded by Sandro Melo

RMnux Usage Tips for

Malware Analsis on Linux

MOR ON

Information Securit
(https://zeltser.com/information-
securit)

Malicious Software
(https://zeltser.com/malicious-
This cheat sheet outlines the tools and commands for analzing ma-
software)
licious software on the RMnux Linux distriution (https://RM-
nux.org/). To print, use the one-page PDF (/media/docs/remnux-mal-
ware-analsis-tips.pdf) version; ou can also edit the Word
(/media/docs/remnux-malware-analsis-tips.docx) version for ou
You can learn the malware anal-
own needs. sis techniques that make use of
the tools installed and pre-con g-
Getting Started with RMnux ured on RMnux  taking Re-
verse-ngineering Malware train-
Download RMnux (https://remnux.org/docs/distro/get/) as a
ing (https://sans.org/for610) at
virtual appliance or install the distro on an existing compatile SANS Institute.
sstem, such as SIFT Workstation (http://digital-
If ou like this reference, take a
forensics.sans.org/communit/downloads).
look at m other IT and securit
Review RMnux documentation at RMnux.org/docs
cheat sheets (/cheat-sheets/).
(https://remnux.org/docs).
Sta logged into the RMnux virtual appliance as the user SHAR 

“remnux”; the default password “malware”.


Use apt-get to install additional software packages if our
sstem is connected to the Internet.
Run the “update-remnux all” command to upgrade RMnux and
update its software.
Switch the GUI keoard laout  clicking the keoard icon in
the ottom right corner of the RMnux desktop.
Use setxkmap to change the keoard laout in the terminal
window.
On VMware, install VMware Tools using install-vmware-tools to
adjust the screen size.

General Commands for Using REMnux

Shut down the system: shutdown
Reboot the system: reboot
Switch to a root shell: sudo -s
Renew DHCP lease: renew-dhcp
See current IP address: myip
Edit a text file: scite file
View an image file: feh file
Start web server: httpd start
Start SSH server: sshd start

Statically Examine Files

Inspect file properties using pescanner (https://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py), pestr (http://pev.sourceforge.net/), portex (https://katjahahn.github.io/PortEx/), readpe, pedump (http://pedump.me/), peframe (https://github.com/guelfoweb/peframe), signsrch (http://aluigi.altervista.org/mytoolz.htm), readpe.py (https://github.com/crackinglandia/pype32).
Investigate binary files in-depth using bokken (https://inguma.eu/projects/bokken), vivbin (http://visi.kenshoto.com/viki/Vivisect), udcli (http://udis86.sourceforge.net/), RATDecoders (https://github.com/kevthehermit/RATDecoders), radare2 (https://github.com/radare/radare2), yara (http://plusvic.github.io/yara/), wxHexEditor (http://sourceforge.net/projects/wxhexeditor/).
Deobfuscate contents with xorsearch (http://blog.didierstevens.com/programs/xorsearch/), unxor.py (https://github.com/tomchop/unxor/), balbuzard (https://bitbucket.org/decalage/balbuzard/wiki/Home), floss (https://github.com/fireeye/flare-floss), brxor.py, xortool (https://github.com/hellman/xortool).
Examine memory snapshots using Rekall (http://www.rekall-forensic.com/), Volatility (https://github.com/volatilityfoundation/volatility).
Assess packed files using densityscout (https://www.cert.at/downloads/software/densityscout_en.html), bytehist (http://www.cert.at/downloads/software/bytehist_en.html), packerid (https://github.com/sooshie/packerid), upx (http://upx.sourceforge.net/), byte-stats.py (https://blog.didierstevens.com/2015/11/09/byte-stats-py/), diec (http://ntinfo.biz/).
Extract and carve file contents using hachoir-subfile (https://bitbucket.org/haypo/hachoir/wiki/hachoir-subfile), bulk_extractor (https://github.com/simsong/bulk_extractor/), scalpel (http://www.forensicswiki.org/wiki/Scalpel), foremost (http://foremost.sourceforge.net/).
Scan files for malware signatures using clamscan (http://www.clamav.net/) after refreshing signatures with freshclam (https://help.ubuntu.com/community/ClamAV).
Examine and track multiple malware samples with mastiff (https://git.korelogic.com/mastiff.git/), viper (https://github.com/botherder/viper), maltrieve (https://github.com/technoskald/maltrieve), Ragpicker (https://code.google.com/p/malware-crawler/).
Work with file hashes using nsrllookup (https://github.com/rjhansen/nsrllookup), Automater (http://www.tekdefense.com/automater/), hash_id (https://code.google.com/p/hash-identifier/), ssdeep (http://ssdeep.sourceforge.net/), totalhash (https://gist.github.com/malc0de/10270150), virustotal-search (http://blog.didierstevens.com/programs/virustotal-tools/), vt (https://github.com/doomedraven/VirusTotalApi).
Define signatures with yaraGenerator.py (https://github.com/Xen0ph0n/YaraGenerator), autorule.py (http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/), IOCextractor.py (https://github.com/stephenbrannon/IOCextractor), rule-editor (https://github.com/ifontarensky/RuleEditor).

Handle Network Interactions

Analyze network traffic with wireshark (http://www.wireshark.org), ngrep (http://ngrep.sourceforge.net/), tcpick (http://tcpick.sourceforge.net/), tcpxtract (http://tcpxtract.sourceforge.net/), tcpflow (https://github.com/simsong/tcpflow), tcpdump (http://www.tcpdump.org/), dshell (https://github.com/USArmyResearchLab/Dshell).
Intercept all laboratory traffic destined for IP addresses using accept-all-ips.
Analyze web traffic with burpsuite (http://portswigger.net/burp/proxy.html), mitmproxy (https://mitmproxy.org/), CapTipper (https://github.com/omriher/CapTipper), NetworkMiner (http://www.netresec.com/?page=NetworkMiner).
Implement common network services using fakedns (http://code.activestate.com/recipes/491264-mini-fake-dns-server/), fakesmtp, inetsim (http://www.inetsim.org/), fakenet.py (https://github.com/fireeye/flare-fakenet-ng), "httpd start".

xamine rowser Malware


Deofuscate JavaScript with SpiderMonke
(https://developer.mozilla.org/en/SpiderMonke) ( js), d8
(http://code.google.com/p/v8/), rhino-deugger
(http://www.mozilla.org/rhino/deugger.html) and ox-js
(https://githu.com/CapacitorSet/ox-js).
De ne JavaScript ojects for SpiderMonke using
/usr/share/remnux/ojects.js.
Clean up JavaScript with js-eautif (https://githu.com/einars/js-
eautif).
Retrieve we pages with wget and curl.
xamine malicious Flash les with swfdump
(http://www.swftools.org/swfdump.html), are
(http://www.nowrap.de/ are.html), RACDAsm
(https://githu.com/CerShadow/RACDAsm#readme),
xxxswf.p (http://hooked-on-
mnemonics.logspot.com/2011/12/xxxswfp.html), extract_swf
(https://gist.githu.com/noonat/821548).
Analze Java malware using idx_parser.p
(https://githu.com/Rurik/Java_IDX_Parser/), cfr
(http://www.enf.org/other/cfr/), jad (http://varaneckas.com/jad),
jd-gui (http://jd.enow.ca/), Javassist (http://www.javassist.org).
Inspect malicious wesites and domains using thug
(https://githu.com/u er/thug), Automater
(http://www.tekdefense.com/automater/), pdnstool.p
(https://githu.com/chrislee35/passivedns-client), passive.p, pt-
client (https://githu.com/passivetotal/pthon_api).

Examine Document Files

Analyze suspicious Microsoft Office documents with oletools (http://www.decalage.info/python/oletools), libolecf (https://github.com/libyal/libolecf), oledump.py (http://blog.didierstevens.com/programs/oledump-py/), msoffice-crypt (https://github.com/herumi/msoffice).
Examine PDFs using pdfid, pdfwalker, pdf-parser (http://blog.didierstevens.com/programs/pdf-tools/), pdfdecompress, pdfxray_lite (https://github.com/9b/pdfxray_lite#readme), pyew (http://code.google.com/p/pyew/wiki/PDFAnalysis), peepdf (http://blog.zeltser.com/post/6780160077/peepdf-malicious-pdf-analysis).
Extract JavaScript or SWFs from PDFs using pdfextract (http://code.google.com/p/origami-pdf/wiki/GettingStarted), pdfwalker, pdf-parser (http://blog.didierstevens.com/programs/pdf-tools/), swf_mastah (http://blog.zeltser.com/post/12615013257/extracting-swf-from-pdf-using-swf-mastah).
Examine shellcode using shellcode2exe.py (https://zeltser.com/convert-shellcode-to-assembly/), sctest (http://libemu.carnivore.it/), dism-this.py (http://hooked-on-mnemonics.blogspot.com/2012/10/dism-thispy.html), unicode2hex-escaped, base64dump.py (https://blog.didierstevens.com/2017/07/02/update-base64dump-py-version-0-0-7/).

Investigate Linux Malware

Disassemble and debug binaries using bokken (https://inguma.eu/projects/bokken), vivbin (http://visi.kenshoto.com/viki/Vivisect), edb (http://codef00.com/projects#debugger), gdb (http://www.sourceware.org/gdb/), udcli (http://udis86.sourceforge.net/), radare2 (https://github.com/radare/radare2), objdump (http://en.wikipedia.org/wiki/Objdump).
Examine the system during behavioral analysis with sysdig (http://www.sysdig.org/), unhide (http://www.unhide-forensics.info/), strace (https://sourceforge.net/projects/strace/), ltrace (http://ltrace.org/).
Examine memory snapshots using Rekall (http://www.rekall-forensic.com/), Volatility (https://github.com/volatilityfoundation/volatility), VolDiff.py (https://github.com/REMnux/docs/blob/master/tools/VolDiff.md), linux_mem_diff.py (https://github.com/monnappa22/linux_mem_diff_tool).
Decode Android malware using Androwarn (https://github.com/maaaaz/androwarn), AndroGuard (https://github.com/androguard/androguard).
Volatilit Memor Forensics Commands
Determine pro le kdgscan, imageinfo

Set pro le environment export


variale VOLATILITY_PROFIL=pro le

Spot hidden processes psxview

List all processes pslist, psscan, cmdline

Show a registr ke printke -K ke

xtract process image procdump

xtract process memor memdump, vaddump

List open handles, les, DLLs handles, lescan, dlllist,


and mutant ojects mutantscan

List services, drivers and svcscan, driverscan, modules,


kernel modules modscan

View network activities connscan, connections,sockets,


sockscan, netscan

View activit timeline timeliner, evtlogs

Find and extract hidden mal nd, apihooks


malware

This cheat sheet for REMnux is distributed according to the Creative Commons v3 "Attribution" License (http://creativecommons.org/licenses/by/3.0/).

Updated September 1, 2017

Aout the Author


Lenn Zeltser is a seasoned usiness and technolog leader with
extensive information securit experience. He uilds innovative endpoint
defense solutions as VP of Products at Minerva Las
(https://www.minerva-las.com/). He also trains incident response and
digital forensics professionals at SANS Institute (https://sans.org/). Lenn
frequentl speaks at industr events, writes articles and has co-authored
ooks. He has earned the prestigious GIAC Securit xpert designation,
has an MA from MIT Sloan and a Computer Science degree from the
Universit of Pennslvania.

Learn more (https://zeltser.com/aout)

Copright © 1995-2017 Lenn Zeltser. All rights reserved.

You might also like