KrakoX/remnux-malware-analysis

REMnux Malware Analysis

Static malware analysis inside an ephemeral REMnux Docker container. The sample is never executed — all tooling runs in an isolated, network-disabled container. Results are scored, IOCs extracted, and a Markdown report written automatically.

Quick start

docker pull remnux/remnux-distro
git clone https://github.com/KrakoX/remnux-malware-analysis
cd remnux-malware-analysis
python analyze.py /path/to/sample.exe

No Python dependencies — stdlib only. YARA rules download automatically on first run.

How it works

  1. Detect — spin up a fresh REMnux container, stage the sample, collect hashes and file type
  2. Preprocess — decompress or decrypt if needed (PDF, encrypted Office documents)
  3. Run — execute tools matched to the file category and chosen depth
  4. Unpack — for archives, extract inner files and analyse each independently
  5. Report — score findings, extract IOCs, query VirusTotal (optional), write a Markdown report

Container flags: --network none, --cap-drop ALL, --memory 2g, --pids-limit 256.
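The container launch in steps 1 and 3, written out as an added example (this is not the project's own analyze.py): it builds the docker argv with the four flags listed above and refuses to start if any of them is missing, so a refactor cannot silently drop the isolation. The image name and the remnux-analysis container prefix come from this README; the /sample bind-mount layout, the no-new-privileges option and the start_container/build_exec_argv names are assumptions.

```python
import subprocess
import uuid
from pathlib import Path

IMAGE = "remnux/remnux-distro"        # image from the quick start above
CONTAINER_PREFIX = "remnux-analysis"  # prefix the cleanup filter under Development matches on

# The (flag, value) pairs the README lists; every launch is checked against them.
REQUIRED_FLAGS = {
    ("--network", "none"),
    ("--cap-drop", "ALL"),
    ("--memory", "2g"),
    ("--pids-limit", "256"),
}


def container_name() -> str:
    """Unique per run, so a container left behind by a crash is identifiable."""
    return f"{CONTAINER_PREFIX}-{uuid.uuid4().hex[:12]}"


def build_run_argv(sample, name: str, image: str = IMAGE) -> list:
    """docker argv for a throwaway container with the sample bind-mounted
    read-only under /sample. No network, no capabilities, bounded memory and
    process count: a tool that mishandles the sample cannot reach the internet
    or exhaust the host. The mount path and no-new-privileges are assumptions."""
    sample = Path(sample).resolve()
    return [
        "docker", "run", "--detach", "--rm",
        "--name", name,
        "--network", "none",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",  # assumption, not in the README
        "--memory", "2g",
        "--pids-limit", "256",
        "--mount", f"type=bind,src={sample},dst=/sample/{sample.name},readonly",
        image, "sleep", "infinity",
    ]


def build_exec_argv(name: str, tool_argv: list) -> list:
    """Run one analysis tool inside the already-started container."""
    return ["docker", "exec", name, *tool_argv]


def missing_isolation_flags(argv: list) -> list:
    """Return the required 'flag value' pairs absent from argv, sorted."""
    present = set(zip(argv, argv[1:]))
    return sorted(f"{flag} {value}" for flag, value in REQUIRED_FLAGS
                  if (flag, value) not in present)


def start_container(sample: str, dry_run: bool = False):
    """Refuse to launch unless every isolation flag is present. With dry_run
    the command is only built, which is what the usage below exercises."""
    name = container_name()
    argv = build_run_argv(sample, name)
    missing = missing_isolation_flags(argv)
    if missing:
        raise RuntimeError("refusing to start container, missing: " + ", ".join(missing))
    if not dry_run:
        subprocess.run(argv, check=True, capture_output=True)
    return name, argv


if __name__ == "__main__":
    import shlex
    name, argv = start_container("/path/to/sample.exe", dry_run=True)
    print(shlex.join(argv))  # inspect the exact command before running it for real
    print(shlex.join(build_exec_argv(name, ["file", "/sample/sample.exe"])))
```

The check in missing_isolation_flags is deliberately a positive list of flag/value pairs rather than a search for flag names alone, because --network bridge or --memory 16g would pass a name-only check while defeating the point of the sandbox.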

Usage

python analyze.py sample.exe                       # standard depth
python analyze.py sample.exe --depth deep          # full tool suite
python analyze.py sample.exe --output-dir ./reports

Depth

Depth                Tools
quick                hashes, file type, entropy, packer detection
standard (default)   + strings, YARA, format-specific tools (olevba, pdf-parser, etc.)
deep                 + capa, manalyze, deobfuscators

Supported file types

pe · elf · pdf · ole2 · ooxml · rtf · archive · script · pyc · onenote · email · shellcode · unknown
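The "quick" tier (hashes, file type, entropy) for the categories listed above, as an added stdlib-only example rather than the project's own detection code. The category names follow this README; the magic-byte rules, the ooxml-vs-archive split on a zip's [Content_Types].xml entry, and the script/email heuristics are my own assumptions. pyc, onenote and shellcode are not recognised here and fall through to "unknown", which is what a caller should treat as "ask the operator" rather than guess.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ARCHIVE_MAGICS = (b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c", b"Rar!\x1a\x07")  # gzip, 7z, rar
MAIL_HEADERS = (b"Received:", b"Return-Path:", b"Delivered-To:", b"From:")  # heuristic


def hashes(data: bytes) -> dict:
    """The three digests a report (and a VirusTotal hash lookup) needs."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one. A high
    value over the whole file is the usual cue for packing or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _zip_category(data: bytes) -> str:
    """A PK header alone is not enough: a truncated zip is reported as unknown,
    and only a real Office container carries [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    return "ooxml" if "[Content_Types].xml" in names else "archive"


def categorize(data: bytes) -> str:
    head = data[:512]
    if head.startswith(b"MZ"):          # DOS/PE stub; PE-ness is confirmed later by the PE tools
        return "pe"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(OLE2_MAGIC):     # legacy .doc/.xls/.msi compound file
        return "ole2"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head.startswith(b"PK\x03\x04"):
        return _zip_category(data)
    if head.startswith(ARCHIVE_MAGICS):
        return "archive"
    if head.startswith(b"#!"):          # shebang: assumption for "script"
        return "script"
    if head.lstrip().startswith(MAIL_HEADERS):
        return "email"
    return "unknown"


def quick_triage(data: bytes) -> dict:
    return {"category": categorize(data),
            "entropy": round(shannon_entropy(data), 3),
            **hashes(data)}


def build_constructed_zip(members: dict) -> bytes:
    """Build a small in-memory zip from {name: bytes}; used only to construct
    sample inputs for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed samples, not real malware
    docx = build_constructed_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
    for blob in (b"MZ\x90\x00" + b"\x00" * 60, docx, b"%PDF-1.7\n", bytes(range(256))):
        print(quick_triage(blob))
```

Entropy is computed over the whole buffer here; on a real PE the more useful number is per-section, since a packed .text section next to a large uncompressed resource can average out to an unremarkable value.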

YARA rules

Downloaded automatically on first run, cached at ~/.local/share/yara-rules/, refreshed every 7 days:

VirusTotal (optional)

Set VIRUSTOTAL_API_KEY in your environment:

export VIRUSTOTAL_API_KEY=your_key_here

Or create a config file at the project root (gitignored):

[virustotal]
api_key = YOUR_KEY_HERE

Get a free key at virustotal.com. Adds detection count, threat label, first-seen date, and community YARA matches to the report.
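The key resolution described above, as an added example that is not the project's own code: the environment variable wins, otherwise the [virustotal] section of the INI file is read, and the lookup request is built by file hash so the sample itself is never uploaded. The env-over-file precedence, the config.ini file name, the use of VirusTotal's v3 files/{hash} endpoint and all function names here are assumptions.

```python
import configparser
import os
import re
import urllib.request
from pathlib import Path
from typing import Optional

CONFIG_PATH = "config.ini"  # assumption: the README does not name the file
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def key_from_config_text(text: str) -> Optional[str]:
    """Parse the INI fragment shown above; None when section or key is absent."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    key = parser.get("virustotal", "api_key", fallback="").strip()
    return key or None


def resolve_api_key(env=None, config_path=CONFIG_PATH) -> Optional[str]:
    """VIRUSTOTAL_API_KEY from the environment first, then the config file.
    Returning None lets the caller skip the lookup instead of failing the run."""
    env = os.environ if env is None else env
    key = (env.get("VIRUSTOTAL_API_KEY") or "").strip()
    if key:
        return key
    path = Path(config_path)
    if path.is_file():
        return key_from_config_text(path.read_text(encoding="utf-8"))
    return None


def looks_like_digest(value: str) -> bool:
    return bool(HEX_DIGEST.match(value))


def build_lookup_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """GET by hash only: the report is enriched without the sample leaving the host."""
    if not looks_like_digest(file_hash):
        raise ValueError("expected an md5, sha1 or sha256 hex digest")
    return urllib.request.Request(
        VT_FILES_URL + file_hash.lower(),
        headers={"x-apikey": api_key, "accept": "application/json"},
        method="GET",
    )


def redact(key: Optional[str]) -> str:
    """Safe form of the key for logs and the report header."""
    if not key:
        return "<none>"
    return key[:4] + "*" * (len(key) - 4)


if __name__ == "__main__":
    key = resolve_api_key()
    print("VirusTotal key:", redact(key))
    if key:
        req = build_lookup_request("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", key)
        print(req.get_method(), req.full_url)  # not sent here; urllib.request.urlopen(req) would
```

Keep the key out of the report and out of any shell history: read it from the environment or the gitignored config file, and log only the redacted form.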

Development

See CONTRIBUTING.md for setup, testing, and PR guidelines.

To clean up containers left over after a failed run:

docker ps -a --filter "name=remnux-analysis" --format "{{.ID}}" | xargs docker rm -f

See ARCHITECTURE.md for internals.

License

MIT
