πŸ“„
πŸ“„
πŸ“„
πŸ“„
REMnux Documentation
Search…
πŸ“„
πŸ“„
πŸ“„
πŸ“„
REMnux Documentation
REMnux: A Linux Toolkit for Malware Analysis
Install the Distro
Get the Virtual Appliance
Install from Scratch
Add to an Existing System
Run REMnux as a Container
Keep the Distro Up to Date
Discover the Tools
Examine Static Properties
General
PE Files
ELF Files
Deobfuscation
Statically Analyze Code
Dynamically Reverse-Engineer Code
Perform Memory Forensics
Explore Network Interactions
Investigate System Interactions
Analyze Documents
Gather and Analyze Data
View or Edit Files
General Utilities
Run Tools in Containers
Docker Images of Malware Analysis Tools
Behind the Scenes
People
Technologies
License
Tips and More
REMnux Configuration Tips
REMnux Tool Tips
Malware Analysis Training
REMnux Website
Get Involved
Ask and Answer Questions
Write About the Tools
Add or Update Tools
Implement Enhancements
Powered By GitBook
Deobfuscation
Examine Static Properties

CyberChef

Decode and otherwise analyze data using this browser app.
Website: https://github.com/gchq/CyberChef/ Author: GCHQ License: Apache License 2.0: https://github.com/gchq/CyberChef/blob/master/LICENSE Notes: cyberchef State File: remnux.tools.cyberchef​

Malchive

Perform static analysis of various aspects of malicious code.
Website: https://github.com/MITRECND/malchive Author: The MITRE Corporation, https://github.com/MITRECND/malchive/graphs/contributors License: License 2.0: https://github.com/MITRECND/malchive/blob/main/LICENSE Notes: Malchive command-line tools start with the prefix malutil-. See utilities documentation for details. State File: remnux.python3-packages.malchive​

1768.py

Analyze Cobalt Strike beacons.
Website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain Notes: For an overview of this tool, see the Quick Tip article. State File: remnux.scripts.1768​

cs-decrypt-metadata.py

Decrypt Cobalt Strike metadata.

Cobalt Strike Configuration Extractor (CSCE) and Parser

Analyze Cobalt Strike beacons.
Website: https://github.com/strozfriedberg/cobaltstrike-config-extractor Author: Aon / Stroz Friedberg License: Apache License 2.0: https://github.com/strozfriedberg/cobaltstrike-config-extractor/blob/master/LICENSE Notes: csce, list-cs-settings State File: remnux.python3-packages.csce​

sets.py

Perform set operations on lines or bytes in text files.

xortool

Analyze XOR-encoded data.

RATDecoders

Python3 Decoders for Remote Access Trojans

DC3-MWCP

Parsing configuration information from malware.
Website: https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP Author: Defense Cyber Crime Center - United States Government License: Some parts Public Domain, some MIT License: https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP/blob/master/LICENSE.txt Notes: mwcp State File: remnux.python3-packages.dc3-mwcp​

unicode

Display Unicode character properties.
Website: https://github.com/garabik/unicode Author: Radovan Garabik License: GNU General Public License (GPL) v3: https://github.com/garabik/unicode/blob/master/COPYING State File: remnux.python3-packages.unicode​

Chepy

Decode and otherwise analyze data using this command-line tool and Python library.
Website: https://github.com/securisec/chepy Author: Hapsida Securisec: https://twitter.com/securisec License: GNU General Public License (GPL) v3: https://github.com/securisec/chepy/blob/master/LICENSE Notes: chepy State File: remnux.python3-packages.chepy​

Balbuzard

Extract and deobfuscate patterns from suspicious files.
Website: https://github.com/decalage2/balbuzard Author: Philippe Lagadec: https://twitter.com/decalage2 License: Free, custom license: https://github.com/decalage2/balbuzard Notes: balbuzard, bbcrack, bbharvest, bbtrans State File: remnux.python-packages.balbuzard​

base64dump

Locate and decode strings encoded in Base64 and other common encodings.
Website: https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain Notes: base64dump.py State File: remnux.scripts.base64dump​

xor-kpa.py

Implement a XOR known plaintext attack.

NoMoreXOR.py

Help guess a file's 256-byte XOR by using frequency analysis.
Website: https://github.com/hiddenillusion/NoMoreXOR Author: Glenn P. Edwards Jr. License: Free, unknown license State File: remnux.scripts.nomorexor​

unXOR

Deobfuscate XOR'ed files.
Website: https://github.com/tomchop/unxor/ Author: Thomas Chopitea License: Apache License 2.0: https://github.com/tomchop/unxor/blob/master/LICENSE State File: remnux.scripts.unxor​

brxor.py

Bruteforce XOR'ed strings to find those that are English words.
Website: https://github.com/REMnux/distro/blob/master/files/brxor.py Author: Alexander Hanel, Trenton Tait License: Free, unknown license State File: remnux.scripts.brxor​

xorBruteForcer.py

Bruteforce an XOR-encoded file.
Website: https://eternal-todo.com/category/bruteforcer Author: Jose Miguel Esparza License: Free, unknown license State File: remnux.scripts.xorbruteforcer​

strdeob.pl

Locate and decode stack strings in executable files.
Website: https://github.com/REMnux/distro/blob/master/files/strdeob.pl Author: TotalHash License: Free, unknown license State File: remnux.scripts.strdeob​

ex_pe_xor.py

Search an XOR'ed file for indications of executable binaries.
Website: http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html Author: Alexander Hanel License: Free, unknown license State File: remnux.scripts.ex_pe_xor​

cut-bytes.py

Cut out a part of a data stream.
Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain State File: remnux.scripts.cut-bytes​

format-bytes.py

Decompose structured binary data with format strings.

translate.py

Translate bytes according to a Python expression.
Website: https://blog.didierstevens.com/programs/translate/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain State File: remnux.scripts.translate​

XORStrings

Search for XOR encoded strings in a file.
Website: https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/ Author: Didier Stevens License: Free, unknown license State File: remnux.packages.xorstrings​

XORSearch

Locate and decode strings obfuscated using common techniques.
Website: https://blog.didierstevens.com/programs/xorsearch/ Author: Didier Stevens: https://twitter.com/DidierStevens License: Public Domain Notes: xorsearch State File: remnux.packages.xorsearch​

FLOSS

Extract and deobfuscate strings from PE executables.
Website: https://github.com/fireeye/flare-floss Author: FireEye Inc, Willi Ballenthin: https://twitter.com/williballenthin, Moritz Raabe License: Apache License 2.0: https://github.com/fireeye/flare-floss/blob/master/LICENSE.txt Notes: floss State File: remnux.packages.flare-floss​
Previous
ELF Files
Next - Discover the Tools
Statically Analyze Code
Last modified 4mo ago
Copy link
Contents
CyberChef
Malchive
1768.py
cs-decrypt-metadata.py
Cobalt Strike Configuration Extractor (CSCE) and Parser
sets.py
xortool
RATDecoders
DC3-MWCP
unicode
Chepy
Balbuzard
base64dump
xor-kpa.py
NoMoreXOR.py
unXOR
brxor.py
xorBruteForcer.py
strdeob.pl
ex_pe_xor.py
cut-bytes.py
format-bytes.py
translate.py
XORStrings
XORSearch
FLOSS