Containers for Malware Analysis
Tools make the job
Having the right tools at hand can make any job a breeze, and it also helps to have a good working knowledge of the tools you use. In my case, container runtimes like Docker or Podman are easy to deploy in my work environment, so I decided to leverage the fact that REMnux offers Docker containers.
This makes running powerful tools for small jobs extremely easy. I have been using this approach recently with much success for analyzing malicious links. Let’s take a look at how I set up my containers for this task.
Setup REMnux in a Container
REMnux offers several container images as well as the full REMnux distro in a container. The container technology they chose is Docker, but I have chosen to use Podman. Podman seems to have better support on Windows as well as Linux, so I can have Podman running on both the Malware Analysis station and on my Windows machine. This gives me the flexibility to test on either machine or platform.
Install REMnux container
podman pull docker.io/remnux/remnux-distro:focal
Run REMnux as a Transient container
podman run --rm -it -u remnux remnux/remnux-distro:focal bash
--rm Remove the container after it exits (the image stays)
-it Keep stdin open and allocate a terminal so you get an interactive shell
-u remnux Run as the remnux user instead of root
remnux/remnux-distro:focal Container image to use, in this case the copy pulled above
bash Login shell
Investigating a malicious link
To investigate a link, REMnux offers many awesome tools. I will cover THUG, which is a “honeyclient”. A honeyclient is a tool that mimics the behavior of a web browser, which makes it useful for analyzing what a link does when a user clicks on it.
thug -u winchrome49 "[LINKGOESHERE]"
Once it begins to “load” the suspicious site it executes any code that may be on the site. Once it is done running/loading the page it dumps a report. The report contains a summary of what occurred, plus you get any malicious artifacts that the page may have downloaded.
In one exercise I did, a suspicious page downloaded an executable, and I was able to run the file command from the container to find it was indeed a malicious executable.
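The transient container above is convenient, but --rm also throws away THUG's report and any dropped files when the shell exits. The script below is an added example (not code from the original post or from the REMnux project) that ties the container setup and the THUG run together: it bind-mounts a host directory for THUG's logs, refuses anything that is not an http(s) link, and hashes whatever the page dropped so it can be checked the way the post checked its executable with file. It assumes podman is installed, the image from the post has been pulled, and the thug in that image accepts the -F/--file-logging and -n/--logdir options (confirm with thug --help inside the container); the mount point /home/remnux/thug-logs is an assumed path.

```shell
#!/bin/sh
# Added example, not code from the original post or the REMnux project.
# Wraps the transient REMnux container so THUG's report and any files the
# page dropped survive "--rm" on the host.
# Assumptions: podman is installed, the image from the post is pulled, and
# the thug in that image accepts -F/--file-logging and -n/--logdir.

IMAGE="${REMNUX_IMAGE:-remnux/remnux-distro:focal}"   # image name from the post
UA="${THUG_UA:-winchrome49}"                           # user agent from the post
CONTAINER_LOGDIR=/home/remnux/thug-logs                # mount point in the container (assumed)

# Accept only http(s) URLs so a stray argument cannot point thug at a local
# path or at something that is not a link at all. Returns 0 when acceptable.
valid_url() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run THUG against one URL inside a throw-away container, writing its report
# into the host directory given as $2. With DRY_RUN=1 the command is printed
# one argument per line instead of executed.
run_thug() {
    url="$1"
    logdir="$2"
    if ! valid_url "$url"; then
        echo "refusing non-http(s) input: $url" >&2
        return 2
    fi
    mkdir -p "$logdir"
    # Build the argument vector; the URL is passed as its own argument and is
    # never interpolated into a shell string. The -it flags from the post are
    # not needed for a one-shot run. ":Z" relabels the bind mount on SELinux
    # hosts and is ignored elsewhere.
    set -- podman run --rm -u remnux \
        -v "$logdir:$CONTAINER_LOGDIR:Z" \
        "$IMAGE" \
        thug -u "$UA" -F -n "$CONTAINER_LOGDIR" "$url"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    "$@"
}

# Hash and type everything THUG left behind so a dropped executable can be
# matched against threat intel, the way the post ran "file" on one by hand.
summarize_logs() {
    find "$1" -type f -exec sha256sum {} +
    if command -v file >/dev/null 2>&1; then
        find "$1" -type f -exec file {} +
    fi
}

# Usage: ./thug-run.sh "https://example.invalid/landing" [logdir]
if [ $# -gt 0 ]; then
    dir="${2:-$PWD/thug-logs/$(date +%Y%m%d-%H%M%S)}"
    run_thug "$1" "$dir" && summarize_logs "$dir"
fi
```

Two things to keep in mind when using it: the container still has full outbound network access by default, since THUG has to fetch the page, so run it from the isolated Malware Analysis station rather than a daily-use machine; and under rootless Podman the remnux user inside the container may not map to your host user, so if THUG cannot write to the mounted directory, loosen the host directory's permissions or look at podman's --userns options.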
Take time to learn and experiment
Working in cybersecurity can be overwhelming, especially when you are staring at a new issue and get stuck on where to start. Just remember that there is a great number of tools that can help when you get stuck. Sometimes it just helps to start with the basics, like seeing what a suspicious link does. Then you can move on to finding solutions to fix the issue.