Docker Images of Malware Analysis Tools


Last updated 2 years ago

The REMnux toolkit provides Docker images of popular malware analysis tools that you can run on any compatible system even without installing the REMnux distro. These images reside in the REMnux repository on Docker Hub, and are based on the files maintained in the REMnux GitHub repository.

In addition to the Docker images of individual tools, described below, you can run the REMnux distro inside a pre-built Docker container.

Docker is installed as part of the REMnux distro. If you're planning to run REMnux Docker images on another system, you may need to install Docker. The first time you run an image (e.g., using the docker run command), Docker will automatically download the image from Docker Hub and run it locally as an active container. Your system will need to be connected to the internet to retrieve the image; afterwards, Docker will use a locally cached copy. You can use the docker pull command to update the cached version of the image. To update all local images from a Linux-like shell, run:

docker images --format '{{.Repository}}:{{.Tag}}' | grep -v '<none>' | xargs -n1 docker pull

This pulls every cached repository:tag pair (skipping dangling <none> entries), so an image you pulled at a specific tag is refreshed at that tag rather than only at latest.

The following Docker images of malware analysis tools are available as part of REMnux. If you have the expertise, consider adding to this collection by contributing a Dockerfile to the REMnux toolkit.

Thug Low-Interaction Honeyclient

Thug is a low-interaction honeyclient for examining suspicious websites. This tool was created by Angelo Dell'Aera. It's licensed under the GNU General Public License (GPL) v2. In addition to being available as a Docker image, Thug is also installed as part of the REMnux distro.

One way to run Thug as a Docker image is to invoke it using the following command, which opens a shell in the container where you can run thug with the desired parameters (such as -F to enable file logging):

docker run --rm -it --entrypoint "/bin/bash" remnux/thug

Because Thug fetches the suspicious site itself, the container needs outbound network access; launch it from a network you're willing to expose to that site's infrastructure rather than from your everyday workstation. The password for the container's user thug is thug. The remnux/thug image is hosted on its Docker Hub page.

Binary Refinery

The Binary Refinery™ is a collection of Python scripts that implement transformations of binary data such as compression and encryption. You can chain the tools as necessary to achieve your objective. This toolkit is authored by Jesko Hüttenhain and licensed under the 3-Clause BSD License.

To run Binary Refinery tools within the "remnux/binary-refinery" container, create a directory where you'll store your input files, e.g. ~/workdir. Then, use a command like this to launch the container and have your directory mapped as /home/nonroot/workdir inside the container:

docker run -it --rm -v ~/workdir:/home/nonroot/workdir remnux/binary-refinery

The binary-refinery Docker image is hosted in the REMnux Docker Hub repository.

For documentation about this toolkit, including the listing of its tools, see https://binref.github.io and https://github.com/binref/refinery.
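Most of the tool sections on this page follow the same pattern: create a directory, bind-mount it into the container, run the tool. The shell function below is an added example, not part of the REMnux project's own tooling. It composes that docker run line with a few hardening defaults (all capabilities dropped, no network unless you ask for it, no privilege escalation, optional read-only mount) and prints the command so you can review it before running it. The environment variables REMNUX_NET, REMNUX_PTRACE and REMNUX_RO are this example's own invention; the function assumes paths without whitespace and an image that takes the remaining arguments as its command.

```sh
#!/bin/sh
# Added example (not REMnux project code): compose a hardened "docker run"
# line for the volume-mount pattern used throughout this page.
# Knobs (hypothetical names chosen for this example):
#   REMNUX_NET=1     keep network access; off by default so a sample cannot
#                    call home from inside the container (Thug needs it on)
#   REMNUX_PTRACE=1  add only SYS_PTRACE back on top of --cap-drop=ALL, as the
#                    rizin/radare2 sections suggest for debugging and tracing
#   REMNUX_RO=1      mount the evidence directory read-only
# Usage: remnux_cmd IMAGE HOST_DIR CONTAINER_DIR [CMD ARGS...]
remnux_cmd() {
  image=$1; host_dir=$2; ctr_dir=$3
  shift 3

  # Refuse to hand the whole filesystem or the whole home directory to a
  # container that is about to handle hostile input.
  case "$host_dir" in
    /|"$HOME"|"$HOME"/)
      echo "remnux_cmd: refusing to mount $host_dir; use a dedicated work dir" >&2
      return 1 ;;
  esac

  cmd="docker run --rm -it --cap-drop=ALL --security-opt=no-new-privileges"
  if [ "${REMNUX_PTRACE:-0}" = 1 ]; then
    cmd="$cmd --cap-add=SYS_PTRACE"
  fi
  if [ "${REMNUX_NET:-0}" != 1 ]; then
    cmd="$cmd --network=none"
  fi
  mount="$host_dir:$ctr_dir"
  if [ "${REMNUX_RO:-0}" = 1 ]; then
    mount="$mount:ro"
  fi
  cmd="$cmd -v $mount $image"
  for arg in "$@"; do
    cmd="$cmd $arg"
  done
  printf '%s\n' "$cmd"
}

# Print the line first, then run it once you have reviewed it, e.g.:
#   remnux_cmd remnux/ciphey ~/workdir /home/nonroot/workdir -f input.txt
#   eval "$(remnux_cmd remnux/ciphey ~/workdir /home/nonroot/workdir -f input.txt)"
```

The defaults err on the side of isolation: a disassembler or decoder has no business talking to the network, and only the debugging case needs ptrace. Flip the corresponding variable when a tool genuinely needs the capability, as Thug does for network access.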

JSDetox JavaScript Analysis Tool

JSDetox is a browser-based tool for analyzing and deobfuscating JavaScript. It was created by Sven Taute and is licensed under the GNU General Public License (GPL) v2.

You can use the following command to launch the JSDetox Docker image, with the application listening locally on TCP port 3000. You can then connect to http://localhost:3000 using your web browser:

docker run -d --rm --name jsdetox -p 3000:3000 remnux/jsdetox

Note that -p 3000:3000 publishes the port on all of the host's interfaces, so the web UI is reachable from other machines on your network; to keep it local, bind it to loopback with -p 127.0.0.1:3000:3000 instead. To stop JSDetox, use the command docker stop jsdetox. The remnux/jsdetox image is hosted on its Docker Hub page.

de4js JavaScript Deobfuscator and Unpacker

de4js is a browser-based tool for deobfuscating and unpacking JavaScript. It was created by Zzbaivong and is licensed under the MIT License. If you don't want to run de4js locally using the Docker image outlined below, you can use the version hosted on its author's website.

You can use the following command to launch the de4js Docker image, with the application listening locally on TCP port 4000. You can then connect to http://localhost:4000/de4js/ using your web browser:

docker run -d --rm -p 4000:4000 -p 35729:35729 --name de4js remnux/de4js

It's important to remember the trailing slash as part of the de4js URL http://localhost:4000/de4js/. As with JSDetox, bind the published ports to 127.0.0.1 if you don't want the UI exposed beyond your own machine. To stop de4js, use the command docker stop de4js. The remnux/de4js image is hosted on its Docker Hub page.

Rekall Memory Forensic and Incident Response Framework

Rekall is a set of tools for extracting digital artifacts from memory and other aspects of a system when performing incident response. Its components were written by multiple people, and are licensed under the GNU General Public License (GPL) v2.

To run Rekall, create a directory where you'll store the files you plan to examine. Then, use a command like this to open a shell inside the container where you can run rekall and have your evidence directory mapped as /home/nonroot/files inside the container:

docker run --rm -it -v <files_directory>:/home/nonroot/files remnux/rekall bash

Since Rekall only needs to read the evidence, consider appending :ro to the volume mapping so nothing running in the container can alter the memory image you're examining. The password for the container's user nonroot is nonroot. The remnux/rekall image is hosted on its Docker Hub page.

RetDec Retargetable Machine-Code Decompiler

RetDec is a decompiler that supports a variety of file formats, including PE and ELF, and several 32- and 64-bit architectures. It was created by Avast Software, and is licensed under the MIT License with third-party components that are distributed under their own licenses.

To run RetDec, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run RetDec commands and have your local directory mapped as /tmp/files inside the container:

docker run -it --rm -v <files_directory>:/tmp/files remnux/retdec bash

The commands provided by RetDec start with the retdec- prefix and include retdec-decompiler.py, retdec-unpacker, and retdec-fileinfo.

The password for the container's user retdec is retdec. The remnux/retdec image is hosted on its Docker Hub page.

Rizin Reverse-Engineering Framework

Rizin is a reverse-engineering framework that includes a disassembler and analysis capabilities for a variety of executable formats and architectures. It's licensed under the GNU Lesser General Public License (LGPL) v3. This is a fork of the Radare2 project.

To run Rizin, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run Rizin commands (rizin and others that start with rz-) and have your local directory mapped as /home/nonroot/workdir inside the container:

docker run --rm -it -v ~/workdir:/home/nonroot/workdir remnux/rizin

If you're planning to perform kernel-mode debugging, process tracing, or syscall tracing inside the container, then supply the parameters --cap-drop=ALL --cap-add=SYS_PTRACE when launching it, so that ptrace is the only capability the container gains.

The password for the container's user nonroot is nonroot. The remnux/rizin image is hosted on its Docker Hub page.

Radare2 Reverse-Engineering Framework

Radare2 is a reverse-engineering framework that includes a disassembler and analysis capabilities for a variety of executable formats and architectures. It's licensed under the GNU Lesser General Public License (LGPL) v3.

To run Radare2, create a directory where you'll store the files you plan to examine. Then, open a shell inside the container where you can run Radare2 commands and have your local directory mapped as /home/nonroot/workdir inside the container:

docker run --rm -it -v ~/workdir:/home/nonroot/workdir remnux/radare2

If you're planning to perform kernel-mode debugging, process tracing, or syscall tracing inside the container, then supply the parameters --cap-drop=ALL --cap-add=SYS_PTRACE when launching it, so that ptrace is the only capability the container gains.

The password for the container's user nonroot is nonroot. The remnux/radare2 image is hosted on its Docker Hub page.

Viper Binary Analysis and Management Framework

Viper is a framework for analyzing and managing your collection of malware samples. It was created by Claudio Guarnieri and is licensed under the BSD 3-Clause License.

To run Viper, create a directory where you'll store your malware samples. Then, use a command like this to open a shell inside the container where you can run viper and have your samples directory mapped as /home/nonroot/workdir inside the container:

docker run -it --rm -v ~/workdir:/home/nonroot/workdir remnux/viper

To run the "clamav" Viper plugin, the clamav-daemon must be running in the container. You can enable it by running the following command in the container:

sudo service clamav-daemon start

The password for the container's user nonroot is nonroot. The remnux/viper image is hosted on its Docker Hub page.

Ciphey Automatic Decoder and Decrypter

Ciphey is designed to automatically recognize and decode/decrypt common encoding and encryption techniques, as outlined in its documentation. It was created by Brandon Skerritt and is licensed under the MIT License. According to the author, the tool uses "natural language processing & artificial intelligence, along with some common sense."

To run Ciphey using this Docker container, create a directory (e.g. ~/workdir) where you'll store your input file (e.g., input.txt). Then, use a command like this to run Ciphey and have your directory mapped into the container:

docker run -it --rm -v ~/workdir:/home/nonroot/workdir remnux/ciphey -f input.txt

Or for a text input on the command-line run:

docker run -it --rm remnux/ciphey "=MXazlHbh5WQgUmchdHbh1EIy9mZgQXarx2bvRFI4VnbpxEIBBiO4VnbNVkU"

The remnux/ciphey image is hosted on its Docker Hub page.