Docker Images of Malware Analysis Tools

The REMnux toolkit provides Docker images of popular malware analysis tools that you can run on any compatible system even without installing the REMnux distro. These images reside in the REMnux repository on Docker Hub, and are based on the files maintained in the REMnux Github repository.

In addition to the Docker images of individual tools, described below, you can run the REMnux distro inside a pre-built Docker container.

Docker is installed as part of the REMnux distro. If you're planning to run REMnux Docker images on another system, you may need to install Docker. The first time you run an image (e.g., using the docker run command), Docker will automatically download the image from Docker Hub, run it locally as an active container. Your system will need to be connected to the internet to retrieve the image; afterwards, Docker will use a locally cached copy. You can use the docker pull command to update the cached version of the image. To update all local images from a Linux-like shell, run:

docker images |cut -d' ' -f1 | grep -v REPOSITORY | xargs -I %s docker pull %s

The following Docker images of malware analysis tools are available as part of REMnux. If you have the expertise, consider adding to this collection by contributing a Dockerfile to the REMnux toolkit.

Thug Low-Interaction Honeyclient

Thug is a low-interaction honeyclient for examining suspicious websites. This tool was created by Angelo Dell'Aera. It's licensed under GNU General Public License (GPL) v2. In addition to being available as a Docker image, Thug is also installed as part of the REMnux distro.

One way to run Thug as a Docker image is to invoke it using the following command to open a shel in the container where you can run thug with the desired parameters, such as -F to enable file logging).

docker run --rm -it --entrypoint "/bin/bash" remnux/thug

The password for the container's user thug is thug. The remnux/thug image is hosted on its Docker Hub page.

JSDetox JavaScript Analysis Tool

JSDetox is a web-based tool for analyzing and deobfuscating JavaScript. It was created by Sven Taute and is licensed under GNU General Public License (GPL) v2.

You can use the following command to launch the JSDetox Docker image, with the application listening localy on TCP port 3000. You can then connect to http://localhost:3000 using your web browser:

docker run -d --rm --name jsdetox -p 3000:3000 remnux/jsdetox

To stop JSDetox, use the command docker stop jsdetox. The remnux/jsdetox image is hosted on its Docker Hub page.

Rekall Memory Forensic and Incident Response Framework

Rekall is a set of tools for extracting digital artifacts from memory and other aspects of a system when performing incident response. Its components were written by multiple people, and are licensed under GNU General Public License (GPL) v2.

To run Rekall, create a directory where you'll store the files you plan to examine. Then, use a command like this to open a shell inside the container where you can run rekall and have your evidence directry mapped as /home/nonroot/files inside the container:

docker run --rm -it -v <files_directory>:/home/nonroot/files remnux/rekall bash

The password for the container's user nonroot is nonroot. The remnux/rekall image is hosted on its Docker Hub page.

RetDec Retargetable Machine-Code Decompiler

RetDec is a decompiler that supports a variety of file formats, include PE and ELF, and several 32 and 64-bit architectures. It was created by Avast Software, and is licensed under MIT License with third-party components that are distributed under their own licenses.

To run RetDec, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run RetDec commands and have your local directory mapped as /tmp/files inside the container:

docker run -it --rm -v <files_directory>:/tmp/files remnux/retdec bash

The password for the container's user retdec is retdec. The remnux/retdec image is hosted on its its Docker Hub page.

The commands provided by RetDec include start with the retdec- prefix and include retdec-decompiler.py, retdec-unpacker, and retdec-fileinfo.

Radare2 Reverse-Engineering Framework

Radare2 is a reverse-engineering framework that includes a disassembler and analysis capabilities for a variety of executable formats and architectures. It's licensed under GNU Lesser General Public License (LGPL) v3.

To run Radare2, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run Radare2 commands and have your local directory mapped as /home/nonroot/workdir inside the container:

docker run --rm -it -v ~/workdir:/home/nonroot/workdir remnux/radare2

If you're planning to peform kernel-mode debugging, process tracing, or syscall tracing inside the container, then supply the parameters --cap-drop=ALL --cap-add=SYS_PTRACE when launching it.

The password for the container's user nonroot is nonroot. The remnux/radare2 image is hosted on its its Docker Hub page.

Viper Binary Analysis and Management Framework

Viper is a framework for analyzing and managing your collection of malware samples. It was created by Claudio Guarnieri and is licensed under BSD 3-Clause License.

To run Viper, create a directory where you'll store your malware samples. Then, use a command like this to open a shell inside the container where you can run viper and have your samples directory mapped as /home/nonroot/workdir inside the container:

docker run -it --rm -v ~/workdir:/home/nonroot/workdir remnux/viper

To run the "clamav" Viper plugin, the clamav-daemon must be running in the container. You can enable it by running the following command in the container:

sudo service clamav-daemon start

The password for the container's user nonroot is nonroot. The remnux/viper image is hosted on its its Docker Hub page.

Ciphey Automatic Decoder and Decrypter

Ciphey is designed to automatically recognize and decode/decrypt common encoding and encryption techniques, as outlined in its documentation. It was created by Brandon Skerritt and is licensed under MIT License. According the author, the tool uses "natural language processing & artifical intelligence, along with some common sense."

To run Ciphey using this Docker container, create a directory (e.g. ~/workdir) where you'll store your input file (e.g., input.txt). Then, use a command like this to run Ciphey and have your directory mapped into the container:

docker run -it --rm -v ~/workdir:/home/nonroot/workdir remnux/ciphey -f input.txt

Or for a text input on the command-line run:

docker run -it --rm remnux/ciphey "=MXazlHbh5WQgUmchdHbh1EIy9mZgQXarx2bvRFI4VnbpxEIBBiO4VnbNVkU"

The remnux/ciphey image is hosted on its Docker Hub page.