Remnux
REMnux VM is a specialised Linux distro which already includes tools like Volatility, YARA, Wireshark, oledump, and INetSim. It also provides a sandbox-like environment for dissecting potentially malicious software without risking your primary system.
- It provides a set-up, ready-to-go lab environment without the hassle of manual installations.
- Website: remnux.org
- Docs: docs.remnux.org
Setup
The REMnux VM is available for download as a virtual appliance file.
- Download the preferred OVA file from remnux.org (a separate OVA file for VirtualBox is available).
- Import the file into your VM manager (e.g. VirtualBox).
- Complete the setup.
Default credentials are as follows:
```plaintext
Username: remnux
Password: malware
```
- To update REMnux run:
```plaintext
remnux install
```
- Consider taking a snapshot of your REMnux virtual machine, so you can return it to a known good state if the need arises.
File analysis
Use oledump.py to conduct static analysis on a potentially malicious Excel document.
Oledump.py is a Python tool that analyzes OLE2 files, commonly called Structured Storage or Compound File Binary Format. OLE stands for Object Linking and Embedding, a proprietary technology developed by Microsoft. OLE2 files are typically used to store multiple data types, such as documents, spreadsheets, and presentations, within a single file. This tool is handy for extracting and examining the contents of OLE2 files, making it a valuable resource for forensic analysis and malware detection.
- https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py
- https://blog.didierstevens.com/programs/oledump-py/
- https://github.com/decalage2/oletools
- https://decalage.info/python/oletools/
Example output:
```plaintext
$ oledump.py agenttesla.xlsm
A: xl/vbaProject.bin
A1: 468 'PROJECT'
A2: 62 'PROJECTwm'
A3: m 169 'VBA/Sheet1'
A4: M 688 'VBA/ThisWorkbook'
A5: 7 'VBA/_VBA_PROJECT'
A6: 209 'VBA/dir'
```
In oledump's file analysis:
- If there is a VBA project embedded in the document, oledump assigns it an index letter (e.g. A) and lists it.
- The index letter followed by a number (A1, A2, ...) identifies a data stream.
- If a data stream is marked with a capital letter M, it contains a macro.
- To look into the data stream of interest, use the parameter -s 4, where -s is short for --select and 4 picks the stream in the fourth place. E.g. oledump.py file.xlsm -s 4 (to focus on A4: M 'VBA/ThisWorkbook'). This prints the stream contents as a hex dump.
- Add the parameter --vbadecompress to the previous command to automatically decompress any compressed VBA macros into a more readable form: oledump.py file.xlsm -s 4 --vbadecompress
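To show what --vbadecompress actually undoes, here is an added example (not part of these notes, nor code from oledump) that implements the MS-OVBA decompression applied to a macro stream, run on a small container constructed by hand:

```python
import struct

def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA container: 0x01 signature, then chunks of
    <2-byte header><token sequences> (flag byte + 8 literal/copy tokens)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(pos + (header & 0x0FFF) + 3, len(data))  # size includes header
        pos += 2
        chunk_start = len(out)           # copy-token bit widths are per chunk
        if not header & 0x8000:          # uncompressed chunk: raw bytes
            out += data[pos:end]
            pos = end
            continue
        while pos < end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:   # flag bit 0 -> literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]  # copy token
                pos += 2
                bits = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bits)) + 3
                src = len(out) - ((token >> (16 - bits)) + 1)
                for i in range(length):      # byte-wise so overlap works
                    out.append(out[src + i])
    return bytes(out)

# Constructed container for "Sub AutoOpen()\r\nEnd Sub\r\n": the second "Sub"
# is a copy token (offset 20, length 3) pointing back at the first one.
SAMPLE = (
    b"\x01"                      # container signature
    b"\x1a\xb0"                  # header: size 29, signature 0b011, compressed
    b"\x00" b"Sub Auto"          # flag 0x00 -> eight literals
    b"\x00" b"Open()\r\n"
    b"\x10" b"End " b"\x00\x98" b"\r\n"  # bit 4 set -> copy token 0x9800
)

if __name__ == "__main__":
    print(decompress_vba(SAMPLE).decode())
```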
Network Activity Analysis
During dynamic analysis, it is essential to observe the behaviour of potentially malicious software—especially its network activities.
There are many approaches to this: we could build a whole infrastructure, a virtual environment with several machines, and so on.
But REMnux includes a tool called INetSim (Internet Services Simulation Suite) which we can use to simulate a real network.
- First we need to change the INetSim configuration at /etc/inetsim/inetsim.conf: look for the line #dns_default_ip 0.0.0.0, uncomment it and change the value to the IP of our REMnux VM.
- Run sudo inetsim to start the tool. Ensure you see the sentence "Simulation running" at the bottom of the output.
- Then open a browser and go to our REMnux's IP address, skip the security warning and you should be redirected to INetSim's homepage.
- Try activities that mimic a malware's behaviour, like reaching out to a server or URL and then downloading a file.
- Go back to your REMnux VM and stop INetSim. By default, it will create a report on its captured connections. This is usually saved in the /var/log/inetsim/report/ directory.