
Malware Analysis

Analysing an unknown sample — how it spreads, what it creates and what it contacts — gives the organisation a head start on blocking it. A REMnux-based static and dynamic workflow.


REMnux workflow

Inspired by Lenny Zeltser's talks. Download REMnux, update it (the first run takes a while), then transfer the sample over SFTP (start sshd and find the VM's IP with ifconfig). Extract password-protected archives with p7zip.

sudo apt-get update              # on REMnux: refresh package lists before updating
sudo systemctl start ssh         # start sshd so the sample can be pushed over SFTP
ifconfig                         # note the VM's IP address
sftp remnux@<ip-address>         # from the host (user: remnux); or open sftp://<ip-address> in a file manager
7z x filename.zip                # prompts for the archive password
Get the sample onto REMnux and unpack it.

Static analysis

Look at API calls, strings and structure without running the file.

| Command | What it shows |
| --- | --- |
| yara-rules <file> | Match against YARA rules. |
| clamscan <file> | AV scan (update first with freshclam). |
| manalyze <file> | PE analysis: imports, compile date, language hints. |
| peframe <file> | PE overview; can feed YARA. |
| pecheck <file> | Entropy (hints at packing/compression/payload); look for overlay. |
| strings / pestr <file> | Readable strings, and whether the two differ. |
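The entropy and overlay checks that pecheck reports, reimplemented as an added example so the numbers in the table mean something: a minimal PE section-table parser computes Shannon entropy per section and measures any overlay (bytes after the last section). This is not code from the page or from pecheck; the sample PE bytes are constructed in memory (headers plus two sections and an overlay, not runnable code), and the 7.0 bits/byte threshold is an assumed rule of thumb.

```python
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200          # common PE file alignment, used by the sample builder
PACKED_THRESHOLD = 7.0      # assumed rule of thumb: >= 7 bits/byte suggests packing/encryption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return sections


def analyse_pe(pe: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Per-section entropy plus the overlay (data beyond the last section's raw bytes)."""
    report, end = [], 0
    for s in parse_sections(pe):
        chunk = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]   # slicing tolerates truncated files
        ent = round(shannon_entropy(chunk), 2)
        report.append({"name": s["name"], "size": len(chunk), "entropy": ent,
                       "suspicious": ent >= threshold})
        end = max(end, s["raw_ptr"] + s["raw_size"])
    overlay = pe[end:] if end < len(pe) else b""
    return {"sections": report, "overlay_bytes": len(overlay),
            "overlay_entropy": round(shannon_entropy(overlay), 2)}


def _align(n: int) -> int:
    return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN


def build_sample_pe(sections, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 layout in memory (valid headers, inert section bodies)."""
    n, opt_size, e_lfanew = len(sections), 224, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    raw_ptr = _align(e_lfanew + 4 + 20 + opt_size + 40 * n)   # first section after padded headers
    table, bodies = b"", b""
    for name, payload in sections:
        raw_size = _align(len(payload))
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), raw_ptr,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(_align(len(headers)), b"\0") + bodies + overlay


def demo() -> dict:
    """Constructed sample: a text-like section, a uniform-byte section, and a 64-byte overlay."""
    pe = build_sample_pe(
        [(b".text", b"This program cannot be run in DOS mode.\r\n" * 20),
         (b".upx1", bytes(range(256)) * 16)],
        overlay=b"OVERLAY-" * 8)
    return analyse_pe(pe)


if __name__ == "__main__":
    result = demo()
    for s in result["sections"]:
        print(s)
    print("overlay bytes:", result["overlay_bytes"], "entropy:", result["overlay_entropy"])
```

To run it on a real file, call `analyse_pe(open(path, "rb").read())`; a section near 8.0 bits/byte or a sizeable overlay is the cue to look for an unpacking step or an appended payload, exactly what the pecheck row in the table is pointing at.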

Dynamic analysis

Detonate the sample in an isolated VM and observe behaviour — new files and processes, network domains/IPs contacted. Always do this in a disposable, network-isolated environment.

Combine with the Kasm sandbox or a dedicated malware-lab VM on a separate network segment — never on your daily machine.
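The "new files" part of the dynamic observation above, as an added example (not code from the page or from REMnux): a before/after filesystem snapshot keyed on SHA-256, with a diff that reports created, modified and deleted paths. The detonation is simulated inside a temporary directory so the example runs offline; the file names and contents are constructed, and in a real lab the snapshots would be taken of the guest's filesystem around the actual run.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative, '/'-separated path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue   # file vanished or is unreadable between listing and read
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Created, modified and deleted files between two snapshots."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed scenario: a run that drops a file, edits a config and removes a file."""
    with tempfile.TemporaryDirectory() as lab:
        root = Path(lab)
        (root / "config.ini").write_text("[app]\nkey=1\n")
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(lab)
        # simulated behaviour observed during detonation (constructed, inert bytes)
        (root / "AppData").mkdir()
        (root / "AppData" / "dropped.exe").write_bytes(b"MZ" + b"\0" * 62)
        (root / "config.ini").write_text("[app]\nkey=1\nautorun=1\n")
        (root / "readme.txt").unlink()
        after = snapshot(lab)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps catches in-place modifications that keep the mtime, and the relative-path keys make the before/after sets comparable even if the snapshots are taken from a mounted disk image instead of the live guest.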