<html xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<!-- Head of a worksheet exported by Excel's "Publish as Web Page" wizard
     (see the ProgId/Generator metas below). Everything in here is generator
     output; the hand-maintained content is the tools table in the body. -->
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<!-- The page declares the legacy windows-1252 encoding, not UTF-8. If the
     file is ever re-saved as UTF-8 (e.g. after editing cell text that
     contains non-ASCII characters), this meta must be updated as well or
     browsers will mis-decode that text. -->
<meta name=ProgId content=Excel.Sheet>
<meta name=Generator content="Microsoft Excel 15">
<!-- Sidecar file list written by the export; presumably lives next to this
     page in remnux-tools-sheet_files/ and is not part of this file. -->
<link rel=File-List href="remnux-tools-sheet_files/filelist.xml">
<!-- One .xlNN24838 class per distinct cell format in the sheet. The 24838
     suffix is the same sheet id used on the <style> id here and on the
     publish <div> in the body. Vendor-specific mso-* declarations are not
     recognised by browsers and are dropped by the CSS parser; they are
     presumably kept so Excel can re-import the sheet. -->
<style id="remnux-tools-sheet_24838_Styles">
<!--table
{mso-displayed-decimal-separator:"\.";
mso-displayed-thousand-separator:"\,";}
/* Bold, centred, vertically middle: the class set on the header <tr>. */
.xl6524838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:windowtext;
font-size:10.0pt;
font-weight:700;
font-style:normal;
text-decoration:none;
font-family:Arial, sans-serif;
mso-font-charset:0;
mso-number-format:General;
text-align:center;
vertical-align:middle;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
/* Normal weight, general alignment: set on the <table> itself as the
   default cell format. */
.xl6624838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:windowtext;
font-size:10.0pt;
font-weight:400;
font-style:normal;
text-decoration:none;
font-family:Arial, sans-serif;
mso-font-charset:0;
mso-number-format:General;
text-align:general;
vertical-align:top;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
/* Italic variant of the default format: set on a few data <tr>s. */
.xl6724838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:windowtext;
font-size:10.0pt;
font-weight:400;
font-style:italic;
text-decoration:none;
font-family:Arial, sans-serif;
mso-font-charset:0;
mso-number-format:General;
text-align:general;
vertical-align:top;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
/* Centred, normal weight: not referenced by the rows visible in this
   excerpt of the sheet. */
.xl6824838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:windowtext;
font-size:10.0pt;
font-weight:400;
font-style:normal;
text-decoration:none;
font-family:Arial, sans-serif;
mso-font-charset:0;
mso-number-format:General;
text-align:center;
vertical-align:top;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
/* Left-aligned, normal weight: the <col> elements and the data cells. */
.xl6924838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:windowtext;
font-size:10.0pt;
font-weight:400;
font-style:normal;
text-decoration:none;
font-family:Arial, sans-serif;
mso-font-charset:0;
mso-number-format:General;
text-align:left;
vertical-align:top;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
/* Bold, left-aligned, vertically middle: the column-heading cells of the
   first row. */
.xl7024838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:windowtext;
font-size:10.0pt;
font-weight:700;
font-style:normal;
text-decoration:none;
font-family:Arial, sans-serif;
mso-font-charset:0;
mso-number-format:General;
text-align:left;
vertical-align:middle;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
/* Hyperlink cell format (#0563C1, underlined): the "Tool Source/Info"
   column cells that wrap the <a> links. */
.xl7124838
{padding-top:1px;
padding-right:1px;
padding-left:1px;
mso-ignore:padding;
color:#0563C1;
font-size:10.0pt;
font-weight:400;
font-style:normal;
text-decoration:underline;
text-underline-style:single;
font-family:Arial;
mso-generic-font-family:auto;
mso-font-charset:0;
mso-number-format:General;
text-align:left;
vertical-align:top;
mso-background-source:auto;
mso-pattern:auto;
white-space:normal;}
-->
</style>
<title>REMnux Tools</title>
</head>
<body>
<!--[if !excel]>&nbsp;&nbsp;<![endif]-->
<!--The following information was generated by Microsoft Excel's Publish as Web
Page wizard.-->
<!--If the same item is republished from Excel, all information between the DIV
tags will be replaced.-->
<!----------------------------->
<!--START OF OUTPUT FROM EXCEL PUBLISH AS WEB PAGE WIZARD -->
<!----------------------------->
<div id="remnux-tools-sheet_24838" align=center x:publishsource="Excel">
<h1 style='color:black;font-family:Arial;font-size:14.0pt;font-weight:800;
font-style:normal'>REMnux Tools</h1>
<table border=0 cellpadding=0 cellspacing=0 width=2144 class=xl6624838
style='border-collapse:collapse;table-layout:fixed;width:1607pt'>
<col class=xl6924838 width=307 style='mso-width-source:userset;mso-width-alt:
10461;width:230pt'>
<col class=xl6924838 width=129 style='width:96pt'>
<col class=xl6924838 width=406 style='mso-width-source:userset;mso-width-alt:
13858;width:305pt'>
<col class=xl6924838 width=367 style='mso-width-source:userset;mso-width-alt:
12509;width:275pt'>
<col class=xl6924838 width=202 style='mso-width-source:userset;mso-width-alt:
6877;width:151pt'>
<col class=xl6924838 width=733 style='mso-width-source:userset;mso-width-alt:
25019;width:550pt'>
<tr class=xl6524838 height=30 style='mso-height-source:userset;height:22.5pt'>
<td height=30 class=xl7024838 width=307 style='height:22.5pt;width:230pt'>Category</td>
<td class=xl7024838 width=129 style='width:96pt'>Tool Name</td>
<td class=xl7024838 width=406 style='width:305pt'>How to Invoke (Basic
Command)</td>
<td class=xl7024838 width=367 style='width:275pt'>Description</td>
<td class=xl7024838 width=202 style='width:151pt'>Package</td>
<td class=xl7024838 width=733 style='width:550pt'>Tool Source/Info</td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Edit
and View Files: Binary</td>
<td class=xl6924838 width=129 style='width:96pt'>VBinDiff</td>
<td class=xl6924838 width=406 style='width:305pt'>vbindiff</td>
<td class=xl6924838 width=367 style='width:275pt'>Compare binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>vbindiff (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.cjmweb.net/vbindiff/">http://www.cjmweb.net/vbindiff/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Edit
and View Files: Binary</td>
<td class=xl6924838 width=129 style='width:96pt'>wxHexEditor</td>
<td class=xl6924838 width=406 style='width:305pt'>wxHexEditor</td>
<td class=xl6924838 width=367 style='width:275pt'>Graphical hex editor</td>
<td class=xl6924838 width=202 style='width:151pt'>wxhexeditor (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://sourceforge.net/projects/wxhexeditor/">http://sourceforge.net/projects/wxhexeditor/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Edit
and View Files: Documents</td>
<td class=xl6924838 width=129 style='width:96pt'>Xpdf</td>
<td class=xl6924838 width=406 style='width:305pt'>xpdf</td>
<td class=xl6924838 width=367 style='width:275pt'>PDF viewer</td>
<td class=xl6924838 width=202 style='width:151pt'>xpdf (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.foolabs.com/xpdf/">http://www.foolabs.com/xpdf/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Edit
and View Files: Images</td>
<td class=xl6924838 width=129 style='width:96pt'>feh</td>
<td class=xl6924838 width=406 style='width:305pt'>feh</td>
<td class=xl6924838 width=367 style='width:275pt'>Image viewer</td>
<td class=xl6924838 width=202 style='width:151pt'>feh (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://feh.finalrewind.org/">http://feh.finalrewind.org/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Edit
and View Files: Images</td>
<td class=xl6924838 width=129 style='width:96pt'>ImageMagick</td>
<td class=xl6924838 width=406 style='width:305pt'>display</td>
<td class=xl6924838 width=367 style='width:275pt'>Image viewer</td>
<td class=xl6924838 width=202 style='width:151pt'>imagemagick (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.imagemagick.org/">http://www.imagemagick.org/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Edit
and View Files: Text</td>
<td class=xl6924838 width=129 style='width:96pt'>Geany</td>
<td class=xl6924838 width=406 style='width:305pt'>geany</td>
<td class=xl6924838 width=367 style='width:275pt'>Powerful text editor with
an integrated developer environment</td>
<td class=xl6924838 width=202 style='width:151pt'>geany (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.geany.org/">http://www.geany.org/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Edit
and View Files: Text</td>
<td class=xl6924838 width=129 style='width:96pt'>SciTE</td>
<td class=xl6924838 width=406 style='width:305pt'>scite</td>
<td class=xl6924838 width=367 style='width:275pt'>Simple, yet powerful text
editor</td>
<td class=xl6924838 width=202 style='width:151pt'>scite (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.scintilla.org/SciTE.html">http://www.scintilla.org/SciTE.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Flash</td>
<td class=xl6924838 width=129 style='width:96pt'>extract_swf</td>
<td class=xl6924838 width=406 style='width:305pt'>extract_swf.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract Flash object from
files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://gist.github.com/noonat/821548">https://gist.github.com/noonat/821548</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Flash</td>
<td class=xl6924838 width=129 style='width:96pt'>flare</td>
<td class=xl6924838 width=406 style='width:305pt'>flare</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract and decompile
ActionScript from SWF files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-flare (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.nowrap.de/flare.html">http://www.nowrap.de/flare.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Flash</td>
<td class=xl6924838 width=129 style='width:96pt'>RABCDAsm</td>
<td class=xl6924838 width=406 style='width:305pt'>rabcdasm, abcexport</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine ActionScript from
Flash files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-rabcdasm (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/CyberShadow/RABCDAsm">https://github.com/CyberShadow/RABCDAsm</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Flash</td>
<td class=xl6924838 width=129 style='width:96pt'>SWF Tools</td>
<td class=xl6924838 width=406 style='width:305pt'>swfdump, swfextract,
swfstrings, etc.</td>
<td class=xl6924838 width=367 style='width:275pt'>A toolkit for examining,
creating and modifying Flash files</td>
<td class=xl6924838 width=202 style='width:151pt'>swftools (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.swftools.org/">http://www.swftools.org/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Flash</td>
<td class=xl6924838 width=129 style='width:96pt'>xxxswf</td>
<td class=xl6924838 width=406 style='width:305pt'>xxxswf.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract Flash objects from
other files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://bitbucket.org/Alexander_Hanel/xxxswf">https://bitbucket.org/Alexander_Hanel/xxxswf</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Java</td>
<td class=xl6924838 width=129 style='width:96pt'>CFR</td>
<td class=xl6924838 width=406 style='width:305pt'>cfr</td>
<td class=xl6924838 width=367 style='width:275pt'>Decompile Java class files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-cfr (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.benf.org/other/cfr/">http://www.benf.org/other/cfr/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Java</td>
<td class=xl6924838 width=129 style='width:96pt'>Jad</td>
<td class=xl6924838 width=406 style='width:305pt'>jad</td>
<td class=xl6924838 width=367 style='width:275pt'>Java Decompiler</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-jad (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://varaneckas.com/jad">http://varaneckas.com/jad</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: Java</td>
<td class=xl6924838 width=129 style='width:96pt'>Java Cache IDX Parser</td>
<td class=xl6924838 width=406 style='width:305pt'>idx_parser.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine Java IDX files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/Rurik/Java_IDX_Parser/">https://github.com/Rurik/Java_IDX_Parser/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Java</td>
<td class=xl6924838 width=129 style='width:96pt'>Java Decompiler</td>
<td class=xl6924838 width=406 style='width:305pt'>jd-gui</td>
<td class=xl6924838 width=367 style='width:275pt'>Decompile Java class files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-jd-gui (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://jd.benow.ca/">http://jd.benow.ca/</a></td>
</tr>
<tr class=xl6724838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>ExtractScripts</td>
<td class=xl6924838 width=406 style='width:305pt'>extractscripts.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract JavaScript scripts
from an HTML file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/extractscripts/">http://blog.didierstevens.com/programs/extractscripts/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>JS Beautifier</td>
<td class=xl6924838 width=406 style='width:305pt'>js-beautify</td>
<td class=xl6924838 width=367 style='width:275pt'>Reformat JavaScript scripts
to improve their readability</td>
<td class=xl6924838 width=202 style='width:151pt'>jsbeautifier (PIP)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/einars/js-beautify">https://github.com/einars/js-beautify</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>JSDetox</td>
<td class=xl6924838 width=406 style='width:305pt'>jsdetox</td>
<td class=xl6924838 width=367 style='width:275pt'>Decode obfuscated
JavaScript</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux/jsdetox (Docker)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.relentless-coding.com/projects/jsdetox/">http://www.relentless-coding.com/projects/jsdetox/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>objects.js</td>
<td class=xl6924838 width=406 style='width:305pt'>js -f
/usr/share/remnux/objects.js -f malware.js</td>
<td class=xl6924838 width=367 style='width:275pt'>Library of JavaScript
objects commonly defined by a browser or a PDF reader</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-config (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>Rhino Debugger</td>
<td class=xl6924838 width=406 style='width:305pt'>rhino-debugger</td>
<td class=xl6924838 width=367 style='width:275pt'>Standalone JavaScript
debugger</td>
<td class=xl6924838 width=202 style='width:151pt'>rhino (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Debugger">https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Debugger</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>SpiderMonkey</td>
<td class=xl6924838 width=406 style='width:305pt'>js, js-didier</td>
<td class=xl6924838 width=367 style='width:275pt'>JavaScript engine from
Mozilla</td>
<td class=xl6924838 width=202 style='width:151pt'>libmozjs-24-bin (APT),
<br>
remnux-js-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey">https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: JavaScript</td>
<td class=xl6924838 width=129 style='width:96pt'>V8</td>
<td class=xl6924838 width=406 style='width:305pt'>d8</td>
<td class=xl6924838 width=367 style='width:275pt'>Command-line shell (d8) for
the JavaScript engine from Google (V8)</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-v8 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/v8/">https://code.google.com/p/v8/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Automater</td>
<td class=xl6924838 width=406 style='width:305pt'>cd /opt/remnux-automater
&amp;&amp; ./Automater.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Look up URL/Domain, IP and
MD5 hash details</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-automater (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.tekdefense.com/automater/">http://www.tekdefense.com/automater/</a></td>
</tr>
<tr class=xl6724838 height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Burp Proxy Free Edition</td>
<td class=xl6924838 width=406 style='width:305pt'>burpsuite</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze and interact with
websites in a controlled manner</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-burpsuite-free (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://portswigger.net/burp/">http://portswigger.net/burp/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>CapTipper</td>
<td class=xl6924838 width=406 style='width:305pt'>cd /opt/remnux-captipper
&amp;&amp; sudo ./CapTipper.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine network traffic and
carve PCAP capture files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-captipper (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/omriher/CapTipper">https://github.com/omriher/CapTipper</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>YaraPcap</td>
<td class=xl6924838 width=406 style='width:305pt'>yaraPcap.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Scan and carve PCAP files
for contents that match your Yara signatures</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/kevthehermit/YaraPcap">https://github.com/kevthehermit/YaraPcap</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>curl</td>
<td class=xl6924838 width=406 style='width:305pt'>curl</td>
<td class=xl6924838 width=367 style='width:275pt'>Command-line tool for
retrieving website contents</td>
<td class=xl6924838 width=202 style='width:151pt'>curl (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://curl.haxx.se/">http://curl.haxx.se/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Firefox</td>
<td class=xl6924838 width=406 style='width:305pt'>firefox</td>
<td class=xl6924838 width=367 style='width:275pt'>Web browser</td>
<td class=xl6924838 width=202 style='width:151pt'>firefox (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.mozilla.org/firefox">http://www.mozilla.org/firefox</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>mitmproxy</td>
<td class=xl6924838 width=406 style='width:305pt'>mitmproxy, mitmdump</td>
<td class=xl6924838 width=367 style='width:275pt'>Intercept, modify, replay
and save HTTP and HTTPS traffic</td>
<td class=xl6924838 width=202 style='width:151pt'>mitmproxy (PIP)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://mitmproxy.org/">http://mitmproxy.org/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Network Miner Free Edition</td>
<td class=xl6924838 width=406 style='width:305pt'>NetworkMiner</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine network traffic and
carve PCAP capture files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-network-miner (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.netresec.com/?page=NetworkMiner">http://www.netresec.com/?page=NetworkMiner</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>pdns</td>
<td class=xl6924838 width=406 style='width:305pt'>passive.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Perform passive DNS lookups</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-python-pdns (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/REMnux/distro/blob/v6/passive.py">https://github.com/REMnux/distro/blob/v6/passive.py</a></td>
</tr>
<tr class=xl6724838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>pdnstool</td>
<td class=xl6924838 width=406 style='width:305pt'>pdnstool</td>
<td class=xl6924838 width=367 style='width:275pt'>Perform passive DNS lookups</td>
<td class=xl6924838 width=202 style='width:151pt'>passivedns-client (Gem)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/chrislee35/passivedns-client">https://github.com/chrislee35/passivedns-client</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>tcpflow</td>
<td class=xl6924838 width=406 style='width:305pt'>tcpflow</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine network traffic and
carve PCAP capture files</td>
<td class=xl6924838 width=202 style='width:151pt'>tcpflow (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/simsong/tcpflow">https://github.com/simsong/tcpflow</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>tcpxtract</td>
<td class=xl6924838 width=406 style='width:305pt'>tcpxtract</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract files from network
traffic</td>
<td class=xl6924838 width=202 style='width:151pt'>tcpxtract (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://tcpxtract.sourceforge.net/">http://tcpxtract.sourceforge.net/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Thug</td>
<td class=xl6924838 width=406 style='width:305pt'>thug.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Honeyclient for
investigating suspicious websites</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux/thug (Docker)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/buffer/thug">https://github.com/buffer/thug</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Tor</td>
<td class=xl6924838 width=406 style='width:305pt'>tor start</td>
<td class=xl6924838 width=367 style='width:275pt'>Tools for directing network
traffic through anonymizing proxies</td>
<td class=xl6924838 width=202 style='width:151pt'>tor (APT)<br>
torsocks (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://www.torproject.org/">https://www.torproject.org/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Browser Malware: Websites</td>
<td class=xl6924838 width=129 style='width:96pt'>Wget</td>
<td class=xl6924838 width=406 style='width:305pt'>wget</td>
<td class=xl6924838 width=367 style='width:275pt'>Command-line tool for
retrieving website contents</td>
<td class=xl6924838 width=202 style='width:151pt'>wget (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://www.gnu.org/software/wget/">https://www.gnu.org/software/wget/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>emldump</td>
<td class=xl6924838 width=406 style='width:305pt'>emldump.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine suspicious MIME
files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://isc.sans.edu/diary/Malicious+Word+Document+This+Time+The+Maldoc+Is+A+MIME+File/19673/">https://isc.sans.edu/diary/Malicious+Word+Document+This+Time+The+Maldoc+Is+A+MIME+File/19673/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>MSGConvert</td>
<td class=xl6924838 width=406 style='width:305pt'>msgconvert</td>
<td class=xl6924838 width=367 style='width:275pt'>Convert Microsoft email
clients' .MSG files to mime/mbox (RFC822) .EML file format</td>
<td class=xl6924838 width=202 style='width:151pt'>package
libemail-outlook-message-perl (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.matijs.net/software/msgconv/">http://www.matijs.net/software/msgconv/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>libolecf</td>
<td class=xl6924838 width=406 style='width:305pt'>olecfexport, olecfinfo,
olecfmount</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze OLE2 files</td>
<td class=xl6924838 width=202 style='width:151pt'>libolecf-tools (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/libyal/libolecf">https://github.com/libyal/libolecf</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>officeparser</td>
<td class=xl6924838 width=406 style='width:305pt'>officeparser.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract embedded files and
macros from office documents</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/unixfreak0037/officeparser">https://github.com/unixfreak0037/officeparser</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>oledump</td>
<td class=xl6924838 width=406 style='width:305pt'>oledump.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine suspicious
Microsoft Office files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/oledump-py/">http://blog.didierstevens.com/programs/oledump-py/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>oletools</td>
<td class=xl6924838 width=406 style='width:305pt'>olevba, olebrowse,
oletimes, rtfobj, pyxswf, etc.</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze OLE2 files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-oletools (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Microsoft Office</td>
<td class=xl6924838 width=129 style='width:96pt'>pyOLEScanner.py</td>
<td class=xl6924838 width=406 style='width:305pt'>pyOLEScanner.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine suspicious
Microsoft Office files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/Evilcry/PythonScripts/blob/master/pyOLEScanner.py">https://github.com/Evilcry/PythonScripts/blob/master/pyOLEScanner.py</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>AnalyzePDF</td>
<td class=xl6924838 width=406 style='width:305pt'>AnalyzePDF.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine a malicious PDF
file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/hiddenillusion/AnalyzePDF">https://github.com/hiddenillusion/AnalyzePDF</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>Origami</td>
<td class=xl6924838 width=406 style='width:305pt'>pdfwalker, pdfextract,
pdfcop, etc.</td>
<td class=xl6924838 width=367 style='width:275pt'>Framework for examining,
creating and modifying PDF files</td>
<td class=xl6924838 width=202 style='width:151pt'>origami (Gem)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/origami-pdf/">https://code.google.com/p/origami-pdf/</a></td>
</tr>
<tr class=xl6724838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>PDF X-RAY Lite</td>
<td class=xl6924838 width=406 style='width:305pt'>pdfxray_lite.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine the PDF document
structure and contents</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pdfxray-lite (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/9b/pdfxray_lite">https://github.com/9b/pdfxray_lite</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>pdfid</td>
<td class=xl6924838 width=406 style='width:305pt'>pdfid</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate common suspicious
artifacts in a PDF file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/pdf-tools/">http://blog.didierstevens.com/programs/pdf-tools/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>Pdfobjflow</td>
<td class=xl6924838 width=406 style='width:305pt'>pdf-parser.py |
pdfobjflow.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Visualizes the output from
pdf-parser</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.aldeid.com/wiki/Pdfobjflow">http://www.aldeid.com/wiki/Pdfobjflow</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>pdf-parser</td>
<td class=xl6924838 width=406 style='width:305pt'>pdf-parser.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine a suspicious PDF
file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/pdf-tools/">http://blog.didierstevens.com/programs/pdf-tools/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>PDFtk</td>
<td class=xl6924838 width=406 style='width:305pt'>pdftk</td>
<td class=xl6924838 width=367 style='width:275pt'>Edit PDF files</td>
<td class=xl6924838 width=202 style='width:151pt'>pdftk (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/">http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>peepdf</td>
<td class=xl6924838 width=406 style='width:305pt'>peepdf</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze suspicious PDF
files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-peepdf (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases">http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>swf_mastah</td>
<td class=xl6924838 width=406 style='width:305pt'>swf_mastah</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract Flash SWF objects
from PDF files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pdfxray-lite (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.9bplus.com/snatching-swf-from-pdfs-made-easier/">http://blog.9bplus.com/snatching-swf-from-pdfs-made-easier/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>qpdf</td>
<td class=xl6924838 width=406 style='width:305pt'>qpdf</td>
<td class=xl6924838 width=367 style='width:275pt'>Perform structural,
content-preserving transformations on PDF files.</td>
<td class=xl6924838 width=202 style='width:151pt'>qpdf (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://qpdf.sourceforge.net/">http://qpdf.sourceforge.net/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Document Files: PDF</td>
<td class=xl6924838 width=129 style='width:96pt'>pdfresurrect</td>
<td class=xl6924838 width=406 style='width:305pt'>pdfresurrect</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze and help extract
older &quot;hidden&quot; versions of the PDF file's contents from the PDF
file.</td>
<td class=xl6924838 width=202 style='width:151pt'>pdfresurrect (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/enferex/pdfresurrect">https://github.com/enferex/pdfresurrect</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Shellcode</td>
<td class=xl6924838 width=129 style='width:96pt'>dism-this</td>
<td class=xl6924838 width=406 style='width:305pt'>dism-this.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze disassembled data
within file objects</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://hooked-on-mnemonics.blogspot.com/2012/10/dism-thispy.html">http://hooked-on-mnemonics.blogspot.com/2012/10/dism-thispy.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Shellcode</td>
<td class=xl6924838 width=129 style='width:96pt'>sctest</td>
<td class=xl6924838 width=406 style='width:305pt'>sctest</td>
<td class=xl6924838 width=367 style='width:275pt'>Emulate shellcode execution</td>
<td class=xl6924838 width=202 style='width:151pt'>libemu2 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://libemu.carnivore.it/">http://libemu.carnivore.it/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Shellcode</td>
<td class=xl6924838 width=129 style='width:96pt'>shellcode2exe.py</td>
<td class=xl6924838 width=406 style='width:305pt'>shellcode2exe.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Create a Windows executable
file out of shellcode</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/MarioVilas/shellcode_tools/blob/master/shellcode2exe.py">https://github.com/MarioVilas/shellcode_tools/blob/master/shellcode2exe.py</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
Document Files: Shellcode</td>
<td class=xl6924838 width=129 style='width:96pt'>unicode2hex-escaped</td>
<td class=xl6924838 width=406 style='width:305pt'>unicode2hex-escaped</td>
<td class=xl6924838 width=367 style='width:275pt'>Clean up and convert
Unicode to hex</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-config (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Document Files: Shellcode</td>
<td class=xl6924838 width=129 style='width:96pt'>unicode2raw</td>
<td class=xl6924838 width=406 style='width:305pt'>unicode2raw</td>
<td class=xl6924838 width=367 style='width:275pt'>Clean up and convert
Unicode to raw</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-config (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Define</td>
<td class=xl6924838 width=129 style='width:96pt'>Autorule</td>
<td class=xl6924838 width=406 style='width:305pt'>autorule.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Automatically define Yara
signatures for a set of files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/">http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Define</td>
<td class=xl6924838 width=129 style='width:96pt'>IOCextractor</td>
<td class=xl6924838 width=406 style='width:305pt'>IOCextractor.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract IOCs from a text
report file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/stephenbrannon/IOCextractor">https://github.com/stephenbrannon/IOCextractor</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Define</td>
<td class=xl6924838 width=129 style='width:96pt'>Rule Editor</td>
<td class=xl6924838 width=406 style='width:305pt'>rule-editor</td>
<td class=xl6924838 width=367 style='width:275pt'>Edit IOC Yara, Snort and
OpenIOC rules</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-rule-editor (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/ifontarensky/RuleEditor">https://github.com/ifontarensky/RuleEditor</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
File Properties and Contents: Define</td>
<td class=xl6924838 width=129 style='width:96pt'>ioc-parser</td>
<td class=xl6924838 width=406 style='width:305pt'>iocp</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract indicators of
compromise from security reports in PDF format</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-ioc-parser (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/armbues/ioc_parser">https://github.com/armbues/ioc_parser</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Define</td>
<td class=xl6924838 width=129 style='width:96pt'>YaraGenerator</td>
<td class=xl6924838 width=406 style='width:305pt'>yaraGenerator.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Generate Yara rules for
designated files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/Xen0ph0n/YaraGenerator">https://github.com/Xen0ph0n/YaraGenerator</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
File Properties and Contents: Hashes</td>
<td class=xl6924838 width=129 style='width:96pt'>Hash Identifier</td>
<td class=xl6924838 width=406 style='width:305pt'>hash_id</td>
<td class=xl6924838 width=367 style='width:275pt'>Identify the different
types of hashes used to protect data, especially passwords</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/hash-identifier/">https://code.google.com/p/hash-identifier/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Hashes</td>
<td class=xl6924838 width=129 style='width:96pt'>nsrllookup</td>
<td class=xl6924838 width=406 style='width:305pt'>nsrllookup</td>
<td class=xl6924838 width=367 style='width:275pt'>Look up file hashes on an
NSRL database server</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-nsrllookup (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/rjhansen/nsrllookup">https://github.com/rjhansen/nsrllookup</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Hashes</td>
<td class=xl6924838 width=129 style='width:96pt'>ssdeep</td>
<td class=xl6924838 width=406 style='width:305pt'>ssdeep</td>
<td class=xl6924838 width=367 style='width:275pt'>Define and scan for a
&quot;fuzzy&quot; signature of a file</td>
<td class=xl6924838 width=202 style='width:151pt'>ssdeep (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://ssdeep.sourceforge.net/">http://ssdeep.sourceforge.net/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
File Properties and Contents: Hashes</td>
<td class=xl6924838 width=129 style='width:96pt'>totalhash</td>
<td class=xl6924838 width=406 style='width:305pt'>totalhash.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Look up a suspicious file
hash in the totalhash.com database</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://gist.github.com/malc0de/10270150">https://gist.github.com/malc0de/10270150</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Examine
File Properties and Contents: Hashes</td>
<td class=xl6924838 width=129 style='width:96pt'>virustotal-search</td>
<td class=xl6924838 width=406 style='width:305pt'>virustotal-search.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Look up a suspicious file
hash in the virustotal.com database</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/virustotal-tools/">http://blog.didierstevens.com/programs/virustotal-tools/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Hashes</td>
<td class=xl6924838 width=129 style='width:96pt'>VirusTotalApi</td>
<td class=xl6924838 width=406 style='width:305pt'>vt</td>
<td class=xl6924838 width=367 style='width:275pt'>Interact with VirusTotal
from the command-line</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-virustotalapi (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/doomedraven/VirusTotalApi">https://github.com/doomedraven/VirusTotalApi</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Scan</td>
<td class=xl6924838 width=129 style='width:96pt'>ClamAV</td>
<td class=xl6924838 width=406 style='width:305pt'>clamscan</td>
<td class=xl6924838 width=367 style='width:275pt'>Clam antivirus engine</td>
<td class=xl6924838 width=202 style='width:151pt'>clamav-daemon (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.clamav.net/">http://www.clamav.net/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Scan</td>
<td class=xl6924838 width=129 style='width:96pt'>Disitool</td>
<td class=xl6924838 width=406 style='width:305pt'>disitool.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Manipulate digital
signatures of Windows executables</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/disitool/">http://blog.didierstevens.com/programs/disitool/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Scan</td>
<td class=xl6924838 width=129 style='width:96pt'>ExifTool</td>
<td class=xl6924838 width=406 style='width:305pt'>exiftool</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract file properties</td>
<td class=xl6924838 width=202 style='width:151pt'>libimage-exiftool-perl
(APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.sno.phy.queensu.ca/~phil/exiftool/">http://www.sno.phy.queensu.ca/~phil/exiftool/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Scan</td>
<td class=xl6924838 width=129 style='width:96pt'>TrID</td>
<td class=xl6924838 width=406 style='width:305pt'>trid, tridupdate</td>
<td class=xl6924838 width=367 style='width:275pt'>Identify file types</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-trid (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://mark0.net/soft-trid-e.html">http://mark0.net/soft-trid-e.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Scan</td>
<td class=xl6924838 width=129 style='width:96pt'>virustotal-submit</td>
<td class=xl6924838 width=406 style='width:305pt'>virustotal-submit.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Submit samples to
VirusTotal</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/virustotal-tools/">http://blog.didierstevens.com/programs/virustotal-tools/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
File Properties and Contents: Scan</td>
<td class=xl6924838 width=129 style='width:96pt'>Yara</td>
<td class=xl6924838 width=406 style='width:305pt'>yara</td>
<td class=xl6924838 width=367 style='width:275pt'>Identify and classify
malware samples</td>
<td class=xl6924838 width=202 style='width:151pt'>yara (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://plusvic.github.io/yara/">http://plusvic.github.io/yara/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>AESKeyFinder</td>
<td class=xl6924838 width=406 style='width:305pt'>aeskeyfind</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate embedded AES keys</td>
<td class=xl6924838 width=202 style='width:151pt'>aeskeyfind (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>findaes</td>
<td class=xl6924838 width=406 style='width:305pt'>findaes</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate embedded AES keys</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-findaes (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://jessekornblum.livejournal.com/269749.html">http://jessekornblum.livejournal.com/269749.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>Rekall</td>
<td class=xl6924838 width=406 style='width:305pt'>rekall</td>
<td class=xl6924838 width=367 style='width:275pt'>Memory forensics tool and
framework</td>
<td class=xl6924838 width=202 style='width:151pt'>rekall (PIP)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.rekall-forensic.com/">http://www.rekall-forensic.com/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>RSAKeyFinder</td>
<td class=xl6924838 width=406 style='width:305pt'>rsakeyfind</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate embedded RSA keys</td>
<td class=xl6924838 width=202 style='width:151pt'>rsakeyfind (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>Volatility Framework</td>
<td class=xl6924838 width=406 style='width:305pt'>vol.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Memory forensics tool and
framework</td>
<td class=xl6924838 width=202 style='width:151pt'>python-volatility (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/volatilityfoundation/volatility">https://github.com/volatilityfoundation/volatility</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>VolDiff</td>
<td class=xl6924838 width=406 style='width:305pt'>VolDiff.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Spot changes in memory
images using Volatility</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/aim4r/VolDiff">https://github.com/aim4r/VolDiff</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Examine
Memory Snapshots</td>
<td class=xl6924838 width=129 style='width:96pt'>linux_mem_diff_tool</td>
<td class=xl6924838 width=406 style='width:305pt'>linux_mem_diff.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Spot changes in memory
images using Volatility</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/monnappa22/linux_mem_diff_tool">https://github.com/monnappa22/linux_mem_diff_tool</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Extract
and Decode Artifacts: Carving</td>
<td class=xl6924838 width=129 style='width:96pt'>bulk_extractor</td>
<td class=xl6924838 width=406 style='width:305pt'>bulk_extractor, then
BBViewer</td>
<td class=xl6924838 width=367 style='width:275pt'>Scan a disk image, a file,
or a directory of files and extract useful information</td>
<td class=xl6924838 width=202 style='width:151pt'>bulk-extractor (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/simsong/bulk_extractor/">https://github.com/simsong/bulk_extractor/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Carving</td>
<td class=xl6924838 width=129 style='width:96pt'>Foremost</td>
<td class=xl6924838 width=406 style='width:305pt'>foremost</td>
<td class=xl6924838 width=367 style='width:275pt'>Carve contents of files</td>
<td class=xl6924838 width=202 style='width:151pt'>foremost (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://foremost.sourceforge.net/">http://foremost.sourceforge.net/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Carving</td>
<td class=xl6924838 width=129 style='width:96pt'>Hachoir</td>
<td class=xl6924838 width=406 style='width:305pt'>hachoir-subfile,
hachoir-metadata, hachoir-urwid</td>
<td class=xl6924838 width=367 style='width:275pt'>View, edit and carve
contents of various binary file types</td>
<td class=xl6924838 width=202 style='width:151pt'>python-hachoir-* (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://bitbucket.org/haypo/hachoir">https://bitbucket.org/haypo/hachoir</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Carving</td>
<td class=xl6924838 width=129 style='width:96pt'>pe-carv.py</td>
<td class=xl6924838 width=406 style='width:305pt'>pe-carv.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Carve out PE files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://hooked-on-mnemonics.blogspot.com/2013/03/pe-carvpy-ascii-hex-and-overlays.html">http://hooked-on-mnemonics.blogspot.com/2013/03/pe-carvpy-ascii-hex-and-overlays.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Carving</td>
<td class=xl6924838 width=129 style='width:96pt'>Scalpel</td>
<td class=xl6924838 width=406 style='width:305pt'>scalpel</td>
<td class=xl6924838 width=367 style='width:275pt'>Carve contents of files</td>
<td class=xl6924838 width=202 style='width:151pt'>scalpel (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.forensicswiki.org/wiki/Scalpel">http://www.forensicswiki.org/wiki/Scalpel</a></td>
</tr>
<tr height=68 style='height:51.0pt'>
<td height=68 class=xl6924838 width=307 style='height:51.0pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>Balbuzard</td>
<td class=xl6924838 width=406 style='width:305pt'>balbuzard.py<br>
bbcrack.py<br>
bbharvest.py<br>
bbtrans.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract and decode
suspicious patterns from malicious files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-balbuzard (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://bitbucket.org/decalage/balbuzard/wiki/Home">https://bitbucket.org/decalage/balbuzard/wiki/Home</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>brxor.py</td>
<td class=xl6924838 width=406 style='width:305pt'>brxor.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Bruteforce all possible
1-byte XOR keys and show the resulting strings that include an English word.</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/REMnux/distro/blob/v6/brxor.py">https://github.com/REMnux/distro/blob/v6/brxor.py</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>FLOSS</td>
<td class=xl6924838 width=406 style='width:305pt'>floss</td>
<td class=xl6924838 width=367 style='width:275pt'>Automatically extract
obfuscated strings from malware</td>
<td class=xl6924838 width=202 style='width:151pt'>flare-floss (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/fireeye/flare-floss">https://github.com/fireeye/flare-floss</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>ex_pe_xor</td>
<td class=xl6924838 width=406 style='width:305pt'>ex_pe_xor.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Carve out single-byte
XOR-encoded executables from files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html">http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>NoMoreXOR</td>
<td class=xl6924838 width=406 style='width:305pt'>NoMoreXOR.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Guess 256-byte XOR keys by
using frequency analysis</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/hiddenillusion/NoMoreXOR">https://github.com/hiddenillusion/NoMoreXOR</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>unXOR</td>
<td class=xl6924838 width=406 style='width:305pt'>unxor.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Guess an XOR key via a
known-plaintext attack</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/tomchop/unxor/">https://github.com/tomchop/unxor/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>XORBruteForcer</td>
<td class=xl6924838 width=406 style='width:305pt'>xorBruteForcer.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Brute-force XOR keys
against a given file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://eternal-todo.com/category/bruteforce">http://eternal-todo.com/category/bruteforce</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>XORSearch</td>
<td class=xl6924838 width=406 style='width:305pt'>xorsearch</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate and decode strings
obfuscated using common techniques</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/programs/xorsearch/">http://blog.didierstevens.com/programs/xorsearch/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>XORStrings</td>
<td class=xl6924838 width=406 style='width:305pt'>xorstrings</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate and decode
XOR-obfuscated strings</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/">http://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Extract
and Decode Artifacts: Deobfuscate</td>
<td class=xl6924838 width=129 style='width:96pt'>xortool</td>
<td class=xl6924838 width=406 style='width:305pt'>xortool<br>
xortool-xor</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate and deobfuscate
contents encoded using a multi-byte XOR cipher</td>
<td class=xl6924838 width=202 style='width:151pt'>xortool (PIP)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/hellman/xortool">https://github.com/hellman/xortool</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Extract Strings</td>
<td class=xl6924838 width=129 style='width:96pt'>pestr</td>
<td class=xl6924838 width=406 style='width:305pt'>pestr</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract strings from a PE
file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pev (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://pev.sourceforge.net/">http://pev.sourceforge.net/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Extract Strings</td>
<td class=xl6924838 width=129 style='width:96pt'>unicode</td>
<td class=xl6924838 width=406 style='width:305pt'>unicode</td>
<td class=xl6924838 width=367 style='width:275pt'>Display character
properties for Unicode characters</td>
<td class=xl6924838 width=202 style='width:151pt'>unicode (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/garabik/unicode">https://github.com/garabik/unicode</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Extract Strings</td>
<td class=xl6924838 width=129 style='width:96pt'>base64dump.py</td>
<td class=xl6924838 width=406 style='width:305pt'>base64dump.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract base64 strings from
file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-didier (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://blog.didierstevens.com/2015/07/05/base64dump-py-version-0-0-1/">http://blog.didierstevens.com/2015/07/05/base64dump-py-version-0-0-1/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Extract
and Decode Artifacts: Extract Strings</td>
<td class=xl6924838 width=129 style='width:96pt'>strdeobj</td>
<td class=xl6924838 width=406 style='width:305pt'>strdeobj.pl</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract and decode strings
defined as arrays</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://totalhash.com/download/strdeob.pl.txt">http://totalhash.com/download/strdeob.pl.txt</a></td>
</tr>
<tr class=xl6724838 height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Investigate
Linux Malware: Debug</td>
<td class=xl6924838 width=129 style='width:96pt'>Evan's Debugger (EDB)</td>
<td class=xl6924838 width=406 style='width:305pt'>edb</td>
<td class=xl6924838 width=367 style='width:275pt'>Debug ELF binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-edb-debugger (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://codef00.com/projects#debugger">http://codef00.com/projects#debugger</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Linux Malware: Debug</td>
<td class=xl6924838 width=129 style='width:96pt'>GDB</td>
<td class=xl6924838 width=406 style='width:305pt'>gdb</td>
<td class=xl6924838 width=367 style='width:275pt'>A powerful debugger</td>
<td class=xl6924838 width=202 style='width:151pt'>gdb-minimal (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.sourceware.org/gdb/">http://www.sourceware.org/gdb/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Linux Malware: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>m2elf</td>
<td class=xl6924838 width=406 style='width:305pt'>m2elf.pl</td>
<td class=xl6924838 width=367 style='width:275pt'>Create an ELF binary file
out of shellcode</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/XlogicX/m2elf">https://github.com/XlogicX/m2elf</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Linux Malware: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>ELF Parser</td>
<td class=xl6924838 width=406 style='width:305pt'>elfparser</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically analyze
suspicious ELF binaries</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://elfparser.com/">http://elfparser.com/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Investigate
Linux Malware: System</td>
<td class=xl6924838 width=129 style='width:96pt'>Sysdig</td>
<td class=xl6924838 width=406 style='width:305pt'>sysdig</td>
<td class=xl6924838 width=367 style='width:275pt'>Track and examine local
system activities on a Linux system</td>
<td class=xl6924838 width=202 style='width:151pt'>sysdig (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.sysdig.org/">http://www.sysdig.org/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Investigate
Linux Malware: System</td>
<td class=xl6924838 width=129 style='width:96pt'>Unhide</td>
<td class=xl6924838 width=406 style='width:305pt'>unhide</td>
<td class=xl6924838 width=367 style='width:275pt'>Find local hidden processes
or connections on a Linux system</td>
<td class=xl6924838 width=202 style='width:151pt'>unhide (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.unhide-forensics.info/">http://www.unhide-forensics.info/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Linux Malware: Trace</td>
<td class=xl6924838 width=129 style='width:96pt'>ltrace</td>
<td class=xl6924838 width=406 style='width:305pt'>ltrace</td>
<td class=xl6924838 width=367 style='width:275pt'>Trace library calls</td>
<td class=xl6924838 width=202 style='width:151pt'>ltrace (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a href="http://ltrace.org/">http://ltrace.org/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Linux Malware: Trace</td>
<td class=xl6924838 width=129 style='width:96pt'>strace</td>
<td class=xl6924838 width=406 style='width:305pt'>strace</td>
<td class=xl6924838 width=367 style='width:275pt'>Trace system calls and
signals</td>
<td class=xl6924838 width=202 style='width:151pt'>strace (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://sourceforge.net/projects/strace/">http://sourceforge.net/projects/strace/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Mobile Malware</td>
<td class=xl6924838 width=129 style='width:96pt'>AndroGuard</td>
<td class=xl6924838 width=406 style='width:305pt'>androlyze.py, androdiff.py,
androrisk.py, apkviewer.py, etc.</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze Android
applications</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-androguard (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/androguard/androguard">https://github.com/androguard/androguard</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Investigate
Mobile Malware</td>
<td class=xl6924838 width=129 style='width:96pt'>Androwarn</td>
<td class=xl6924838 width=406 style='width:305pt'>cd /opt/remnux-androwarn
&amp;&amp; ./androwarn.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Android static code
analyzer</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-androwarn (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/maaaaz/androwarn">https://github.com/maaaaz/androwarn</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>Capstone</td>
<td class=xl6924838 width=406 style='width:305pt'>from capstone import *</td>
<td class=xl6924838 width=367 style='width:275pt'>Multi-architecture
disassembly framework</td>
<td class=xl6924838 width=202 style='width:151pt'>python-capstone (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.capstone-engine.org/">http://www.capstone-engine.org/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>Cybox</td>
<td class=xl6924838 width=406 style='width:305pt'>import cybox</td>
<td class=xl6924838 width=367 style='width:275pt'>Python library for parsing,
manipulating, and generating CybOX content</td>
<td class=xl6924838 width=202 style='width:151pt'>cybox (PIP)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/CybOXProject/python-cybox">https://github.com/CybOXProject/python-cybox</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>Disass</td>
<td class=xl6924838 width=406 style='width:305pt'>from disass.Disass32 import
Disass32</td>
<td class=xl6924838 width=367 style='width:275pt'>Binary analysis library for
Python</td>
<td class=xl6924838 width=202 style='width:151pt'></td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://bitbucket.org/cybertools/disass">https://bitbucket.org/cybertools/disass</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>diStorm3</td>
<td class=xl6924838 width=406 style='width:305pt'>import distorm3</td>
<td class=xl6924838 width=367 style='width:275pt'>Library for disassembling
binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>distorm3 (PIP), <br>
libdistorm64-1 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/distorm/">https://code.google.com/p/distorm/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>IOC Writer</td>
<td class=xl6924838 width=406 style='width:305pt'>from ioc_writer import…</td>
<td class=xl6924838 width=367 style='width:275pt'>Python library for creating
and editing OpenIOC objects</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-ioc-writer</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/mandiant/ioc_writer">https://github.com/mandiant/ioc_writer</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>Javassist</td>
<td class=xl6924838 width=406 style='width:305pt'>Import
/usr/share/java/javassist.jar</td>
<td class=xl6924838 width=367 style='width:275pt'>Analyze Java bytecode</td>
<td class=xl6924838 width=202 style='width:151pt'>libjavassist-java (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.javassist.org/">http://www.javassist.org</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>OfficeDissector</td>
<td class=xl6924838 width=406 style='width:305pt'>import officedissector</td>
<td class=xl6924838 width=367 style='width:275pt'>Examine suspicious
Microsoft Office XML-based files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-officedissector
(APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/grierforensics/officedissector">https://github.com/grierforensics/officedissector</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>olefile</td>
<td class=xl6924838 width=406 style='width:305pt'>import olefile</td>
<td class=xl6924838 width=367 style='width:275pt'>Python library to
read/write MS OLE2 files</td>
<td class=xl6924838 width=202 style='width:151pt'>olefile (PIP)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.decalage.info/olefile">http://www.decalage.info/olefile</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>pefile</td>
<td class=xl6924838 width=406 style='width:305pt'>import pefile</td>
<td class=xl6924838 width=367 style='width:275pt'>A library for examining PE
file contents</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pefile (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/pefile/">https://code.google.com/p/pefile/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>pyexiftool</td>
<td class=xl6924838 width=406 style='width:305pt'>import exiftool</td>
<td class=xl6924838 width=367 style='width:275pt'>Python wrapper library for
the ExifTool</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pyexiftool (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://smarnach.github.io/pyexiftool/">http://smarnach.github.io/pyexiftool/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>pylibemu</td>
<td class=xl6924838 width=406 style='width:305pt'>import pylibemu</td>
<td class=xl6924838 width=367 style='width:275pt'>Library for accessing
Libemu functionality</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pylibemu (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/buffer/pylibemu">https://github.com/buffer/pylibemu</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>pyssdeep</td>
<td class=xl6924838 width=406 style='width:305pt'>from ssdeep import ssdeep</td>
<td class=xl6924838 width=367 style='width:275pt'>Python wrapper library for
the ssdeep tool</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-python-ssdeep (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/pyssdeep/">https://code.google.com/p/pyssdeep/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>PyV8</td>
<td class=xl6924838 width=406 style='width:305pt'>import PyV8</td>
<td class=xl6924838 width=367 style='width:275pt'>Python wrapper library for
the Google V8 engine</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pyv8 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/pyv8/">https://code.google.com/p/pyv8/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>xortools</td>
<td class=xl6924838 width=406 style='width:305pt'>from xortools import
rolling_xor</td>
<td class=xl6924838 width=367 style='width:275pt'>Library for decoding
XOR-obfuscated contents</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/hiddenillusion/yara-goodies/blob/master/xortools.py">https://github.com/hiddenillusion/yara-goodies/blob/master/xortools.py</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>Yara Library</td>
<td class=xl6924838 width=406 style='width:305pt'>import yara</td>
<td class=xl6924838 width=367 style='width:275pt'>Python library to identify
and classify malware samples</td>
<td class=xl6924838 width=202 style='width:151pt'>libyara3, python-yara,
libyara-dev (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://plusvic.github.io/yara/">http://plusvic.github.io/yara/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Library</td>
<td class=xl6924838 width=129 style='width:96pt'>Yara Rules</td>
<td class=xl6924838 width=406 style='width:305pt'>yara /opt/remnux-rules/ …</td>
<td class=xl6924838 width=367 style='width:275pt'>Rules/signatures for
spotting malicious characteristics in files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-rules (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/Yara-Rules/rules">https://github.com/Yara-Rules/rules</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Misc.</td>
<td class=xl6924838 width=129 style='width:96pt'>EPIC IRC Client</td>
<td class=xl6924838 width=406 style='width:305pt'>irc</td>
<td class=xl6924838 width=367 style='width:275pt'>IRC client</td>
<td class=xl6924838 width=202 style='width:151pt'>epic5 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.epicsol.org/">http://www.epicsol.org/</a></td>
</tr>
<tr class=xl6724838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Misc.</td>
<td class=xl6924838 width=129 style='width:96pt'>Netcat</td>
<td class=xl6924838 width=406 style='width:305pt'>nc</td>
<td class=xl6924838 width=367 style='width:275pt'>Flexible network client and
server</td>
<td class=xl6924838 width=202 style='width:151pt'>netcat (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://netcat.sourceforge.net/">http://netcat.sourceforge.net/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Misc.</td>
<td class=xl6924838 width=129 style='width:96pt'>prettyping.sh</td>
<td class=xl6924838 width=406 style='width:305pt'>pping</td>
<td class=xl6924838 width=367 style='width:275pt'>Ping a host while looking
pretty</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://bitbucket.org/denilsonsa/small_scripts/src/3ec16014c839ea0852fae492813ad2293bd61155/prettyping.sh">https://bitbucket.org/denilsonsa/small_scripts/src/3ec16014c839ea0852fae492813ad2293bd61155/prettyping.sh</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Misc.</td>
<td class=xl6924838 width=129 style='width:96pt'>set-static-ip</td>
<td class=xl6924838 width=406 style='width:305pt'>set-static-ip</td>
<td class=xl6924838 width=367 style='width:275pt'>Temporarily assign a static
IP</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-config (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Misc.</td>
<td class=xl6924838 width=129 style='width:96pt'>stunnel</td>
<td class=xl6924838 width=406 style='width:305pt'>stunnel</td>
<td class=xl6924838 width=367 style='width:275pt'>SSL/TLS encryption wrapper
for arbitrary TCP connections</td>
<td class=xl6924838 width=202 style='width:151pt'>stunnel (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://www.stunnel.org/">https://www.stunnel.org/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Misc.</td>
<td class=xl6924838 width=129 style='width:96pt'>Just-Metadata</td>
<td class=xl6924838 width=406 style='width:305pt'>cd
/opt/remnux-just-metadata &amp;&amp; ./Just-Metadata.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Gather OSINT about IP
addresses</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-just-metadata (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/ChrisTruncer/Just-Metadata">https://github.com/ChrisTruncer/Just-Metadata</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>accept-all-ips</td>
<td class=xl6924838 width=406 style='width:305pt'>accept-all-ips</td>
<td class=xl6924838 width=367 style='width:275pt'>Redirect network traffic
destined for any IP address to the local host, so the analysis box accepts it</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl6924838 width=733 style='width:550pt'></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>FakeDNS</td>
<td class=xl6924838 width=406 style='width:305pt'>fakedns</td>
<td class=xl6924838 width=367 style='width:275pt'>Respond to DNS queries with
a specified IP address</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://code.activestate.com/recipes/491264-mini-fake-dns-server/">http://code.activestate.com/recipes/491264-mini-fake-dns-server/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>fakeMail</td>
<td class=xl6924838 width=406 style='width:305pt'>fakemail</td>
<td class=xl6924838 width=367 style='width:275pt'>Fake mail server that
captures email messages sent through it without retransmitting them</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://sourceforge.net/projects/fakemail/">http://sourceforge.net/projects/fakemail/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>INetSim</td>
<td class=xl6924838 width=406 style='width:305pt'>inetsim</td>
<td class=xl6924838 width=367 style='width:275pt'>Emulate common network
services</td>
<td class=xl6924838 width=202 style='width:151pt'>inetsim (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.inetsim.org/">http://www.inetsim.org/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>InspIRCd</td>
<td class=xl6924838 width=406 style='width:305pt'>ircd start</td>
<td class=xl6924838 width=367 style='width:275pt'>IRC server</td>
<td class=xl6924838 width=202 style='width:151pt'>inspircd (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.inspircd.org/">http://www.inspircd.org/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>Nginx</td>
<td class=xl6924838 width=406 style='width:305pt'>httpd start</td>
<td class=xl6924838 width=367 style='width:275pt'>A web server</td>
<td class=xl6924838 width=202 style='width:151pt'>nginx (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a href="http://nginx.org/">http://nginx.org/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Services</td>
<td class=xl6924838 width=129 style='width:96pt'>OpenSSH</td>
<td class=xl6924838 width=406 style='width:305pt'>sshd start</td>
<td class=xl6924838 width=367 style='width:275pt'>SSH server</td>
<td class=xl6924838 width=202 style='width:151pt'>openssh-server (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.openssh.com/">http://www.openssh.com/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Network:
Sniffing</td>
<td class=xl6924838 width=129 style='width:96pt'>ngrep</td>
<td class=xl6924838 width=406 style='width:305pt'>ngrep</td>
<td class=xl6924838 width=367 style='width:275pt'>Sniff the network while
looking for patterns that match the specified regular expressions</td>
<td class=xl6924838 width=202 style='width:151pt'>ngrep (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://ngrep.sourceforge.net/">http://ngrep.sourceforge.net/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Sniffing</td>
<td class=xl6924838 width=129 style='width:96pt'>TCPDump</td>
<td class=xl6924838 width=406 style='width:305pt'>tcpdump</td>
<td class=xl6924838 width=367 style='width:275pt'>Command-line network
sniffer</td>
<td class=xl6924838 width=202 style='width:151pt'>tcpdump (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.tcpdump.org/">http://www.tcpdump.org/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Sniffing</td>
<td class=xl6924838 width=129 style='width:96pt'>tcpick</td>
<td class=xl6924838 width=406 style='width:305pt'>tcpick</td>
<td class=xl6924838 width=367 style='width:275pt'>Sniffer that reassembles
TCP streams</td>
<td class=xl6924838 width=202 style='width:151pt'>tcpick (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://tcpick.sourceforge.net/">http://tcpick.sourceforge.net/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Network:
Sniffing</td>
<td class=xl6924838 width=129 style='width:96pt'>Wireshark</td>
<td class=xl6924838 width=406 style='width:305pt'>wireshark</td>
<td class=xl6924838 width=367 style='width:275pt'>Network sniffer</td>
<td class=xl6924838 width=202 style='width:151pt'>wireshark (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.wireshark.org/">http://www.wireshark.org/</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Other
tasks</td>
<td class=xl6924838 width=129 style='width:96pt'>bashacks</td>
<td class=xl6924838 width=406 style='width:305pt'>See &quot;man
bashacks&quot;</td>
<td class=xl6924838 width=367 style='width:275pt'>Useful Bash shell functions</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-bashacks (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/merces/bashacks">https://github.com/merces/bashacks</a></td>
</tr>
<tr class=xl6824838 height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Other
tasks</td>
<td class=xl6924838 width=129 style='width:96pt'>Docker</td>
<td class=xl6924838 width=406 style='width:305pt'>docker,
docker-update-images</td>
<td class=xl6924838 width=367 style='width:275pt'>Run applications as
isolated containers on the local host</td>
<td class=xl6924838 width=202 style='width:151pt'>docker-engine (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.docker.com/">http://www.docker.com/</a></td>
</tr>
<tr class=xl6824838 height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Other
tasks</td>
<td class=xl6924838 width=129 style='width:96pt'>ProcDOT</td>
<td class=xl6924838 width=406 style='width:305pt'>procdot</td>
<td class=xl6924838 width=367 style='width:275pt'>Visualize and examine the
output of Process Monitor and network sniffer logs</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-procdot (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.procdot.com/">http://www.procdot.com/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Other
tasks</td>
<td class=xl6924838 width=129 style='width:96pt'>REMnux Updater</td>
<td class=xl6924838 width=406 style='width:305pt'>update-remnux</td>
<td class=xl6924838 width=367 style='width:275pt'>Update or upgrade the
REMnux distro on the local host</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://remnux.org/">https://REMnux.org</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Other
tasks</td>
<td class=xl6924838 width=129 style='width:96pt'>vtTool</td>
<td class=xl6924838 width=406 style='width:305pt'>vtTool.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Determine malware name by
querying VirusTotal</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-vttool (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/malware-crawler/wiki/vtTool">https://code.google.com/p/malware-crawler/wiki/vtTool</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Other
tasks</td>
<td class=xl6924838 width=129 style='width:96pt'>Decompyle++</td>
<td class=xl6924838 width=406 style='width:305pt'>pycdas, pycdc</td>
<td class=xl6924838 width=367 style='width:275pt'>Python bytecode
disassembler and decompiler</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pycdc (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/zrax/pycdc">https://github.com/zrax/pycdc</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Process
Multiple Samples</td>
<td class=xl6924838 width=129 style='width:96pt'>Maltrieve</td>
<td class=xl6924838 width=406 style='width:305pt'>maltrieve</td>
<td class=xl6924838 width=367 style='width:275pt'>Retrieve malware from
malicious sites</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux/maltrieve (Docker)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/technoskald/maltrieve">https://github.com/technoskald/maltrieve</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Process
Multiple Samples</td>
<td class=xl6924838 width=129 style='width:96pt'>MASTIFF</td>
<td class=xl6924838 width=406 style='width:305pt'>mas</td>
<td class=xl6924838 width=367 style='width:275pt'>Perform static analysis of
suspicious files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-mastiff (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://git.korelogic.com/mastiff.git/">https://git.korelogic.com/mastiff.git/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Process
Multiple Samples</td>
<td class=xl6924838 width=129 style='width:96pt'>Ragpicker</td>
<td class=xl6924838 width=406 style='width:305pt'>cd /opt/remnux-ragpicker
&amp;&amp; ./ragpicker.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Plugin-based malware
crawler and downloader with pre-analysis and reporting functionality</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-ragpicker (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/malware-crawler/">https://code.google.com/p/malware-crawler/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Process
Multiple Samples</td>
<td class=xl6924838 width=129 style='width:96pt'>Viper</td>
<td class=xl6924838 width=406 style='width:305pt'>cd /opt/remnux-viper
&amp;&amp; ./viper.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Store, classify and
investigate suspicious binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-viper (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/botherder/viper">https://github.com/botherder/viper</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Process
Multiple Samples</td>
<td class=xl6924838 width=129 style='width:96pt'>WIPSTER Installer</td>
<td class=xl6924838 width=406 style='width:305pt'>install-wipster</td>
<td class=xl6924838 width=367 style='width:275pt'>Install web interface for
MASTIFF and other tools</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/TheDr1ver/WIPSTER">https://github.com/TheDr1ver/WIPSTER</a></td>
</tr>
<tr height=51 style='height:38.25pt'>
<td height=51 class=xl6924838 width=307 style='height:38.25pt;width:230pt'>Statically
Examine PE files: Disassemble<br>
<br>
Investigate Linux Malware: Disassemble</td>
<td class=xl6924838 width=129 style='width:96pt'>objdump</td>
<td class=xl6924838 width=406 style='width:305pt'>objdump</td>
<td class=xl6924838 width=367 style='width:275pt'>Disassemble binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>binutils (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://en.wikipedia.org/wiki/Objdump">http://en.wikipedia.org/wiki/Objdump</a></td>
</tr>
<tr height=51 style='height:38.25pt'>
<td height=51 class=xl6924838 width=307 style='height:38.25pt;width:230pt'>Statically
Examine PE files: Disassemble<br>
<br>
Investigate Linux Malware: Disassemble</td>
<td class=xl6924838 width=129 style='width:96pt'>BinNavi</td>
<td class=xl6924838 width=406 style='width:305pt'>install-binnavi</td>
<td class=xl6924838 width=367 style='width:275pt'>Install BinNavi, a tool for
statically examining disassembled code</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/google/binnavi">https://github.com/google/binnavi</a></td>
</tr>
<tr height=51 style='height:38.25pt'>
<td height=51 class=xl6924838 width=307 style='height:38.25pt;width:230pt'>Statically
Examine PE files: Disassemble<br>
<br>
Investigate Linux Malware: Disassemble</td>
<td class=xl6924838 width=129 style='width:96pt'>Udis86</td>
<td class=xl6924838 width=406 style='width:305pt'>udcli</td>
<td class=xl6924838 width=367 style='width:275pt'>Disassemble binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-udis86 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://udis86.sourceforge.net/">http://udis86.sourceforge.net/</a></td>
</tr>
<tr height=51 style='height:38.25pt'>
<td height=51 class=xl6924838 width=307 style='height:38.25pt;width:230pt'>Statically
Examine PE files: Disassemble<br>
<br>
Investigate Linux Malware: Disassemble</td>
<td class=xl6924838 width=129 style='width:96pt'>Vivisect</td>
<td class=xl6924838 width=406 style='width:305pt'>vivbin, vdbbin</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically examine and
emulate binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-vivisect (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://visi.kenshoto.com/viki/Vivisect">http://visi.kenshoto.com/viki/Vivisect</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Find Anomalies</td>
<td class=xl6924838 width=129 style='width:96pt'>ExeScan</td>
<td class=xl6924838 width=406 style='width:305pt'>exescan.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically examine a PE
file and detect suspicious characteristics</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://securityxploded.com/exe-scan.php">http://securityxploded.com/exe-scan.php</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Find Anomalies</td>
<td class=xl6924838 width=129 style='width:96pt'>pedump</td>
<td class=xl6924838 width=406 style='width:305pt'>pedump</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically examine a PE
file</td>
<td class=xl6924838 width=202 style='width:151pt'>pedump (Gem)</td>
<td class=xl7124838 width=733 style='width:550pt'><a href="http://pedump.me/">http://pedump.me/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Find Anomalies</td>
<td class=xl6924838 width=129 style='width:96pt'>Peframe</td>
<td class=xl6924838 width=406 style='width:305pt'>peframe</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically examine PE files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-peframe (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/guelfoweb/peframe">https://github.com/guelfoweb/peframe</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Find Anomalies</td>
<td class=xl6924838 width=129 style='width:96pt'>pescanner</td>
<td class=xl6924838 width=406 style='width:305pt'>pescanner</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically examine a PE
file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py">https://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Find Anomalies</td>
<td class=xl6924838 width=129 style='width:96pt'>pev</td>
<td class=xl6924838 width=406 style='width:305pt'>pepack, pescan, pestr,
pehash, readpe, etc.</td>
<td class=xl6924838 width=367 style='width:275pt'>PE file analysis toolkit</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pev (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://pev.sourceforge.net/">http://pev.sourceforge.net/</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Find Anomalies</td>
<td class=xl6924838 width=129 style='width:96pt'>Signsrch</td>
<td class=xl6924838 width=406 style='width:305pt'>signsrch</td>
<td class=xl6924838 width=367 style='width:275pt'>Locate common code patterns</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-signsrch (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://aluigi.altervista.org/mytoolz.htm">http://aluigi.altervista.org/mytoolz.htm</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>RATDecoders</td>
<td class=xl6924838 width=406 style='width:305pt'>See /opt/remnux-ratdecoders</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract and decode
configuration details from common RAT samples</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-ratdecoders (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/kevthehermit/RATDecoders">https://github.com/kevthehermit/RATDecoders</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Investigate<br>
Library</td>
<td class=xl6924838 width=129 style='width:96pt'>DC3-MWCP</td>
<td class=xl6924838 width=406 style='width:305pt'>mwcp-tool.py and
&quot;import malwareconfigreporter&quot;</td>
<td class=xl6924838 width=367 style='width:275pt'>Framework for parsing
configuration information from malware</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-dc3-mwcp (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP">https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>readpe.py</td>
<td class=xl6924838 width=406 style='width:305pt'>readpe.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract contents of PE file
headers</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-pype32 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/crackinglandia/pype32">https://github.com/crackinglandia/pype32</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>PyInstaller Extractor</td>
<td class=xl6924838 width=406 style='width:305pt'>pyinstxtractor.py</td>
<td class=xl6924838 width=367 style='width:275pt'>Extract contents of a
Windows executable file generated using PyInstaller</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://sourceforge.net/projects/pyinstallerextractor/">https://sourceforge.net/projects/pyinstallerextractor/</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Investigate<br>
Investigate Linux Malware: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>Bokken</td>
<td class=xl6924838 width=406 style='width:305pt'>bokken</td>
<td class=xl6924838 width=367 style='width:275pt'>Interactive static malware
analysis tool</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-bokken (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://inguma.eu/projects/bokken">https://inguma.eu/projects/bokken</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Investigate<br>
Investigate Linux Malware: Investigate</td>
<td class=xl6924838 width=129 style='width:96pt'>Pyew</td>
<td class=xl6924838 width=406 style='width:305pt'>pyew</td>
<td class=xl6924838 width=367 style='width:275pt'>Statically examine
suspicious files</td>
<td class=xl6924838 width=202 style='width:151pt'>pyew (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://code.google.com/p/pyew/">https://code.google.com/p/pyew/</a></td>
</tr>
<tr height=51 style='height:38.25pt'>
<td height=51 class=xl6924838 width=307 style='height:38.25pt;width:230pt'>Statically
Examine PE files: Investigate<br>
Investigate Linux Malware: Investigate<br>
Edit and View Files: Binary</td>
<td class=xl6924838 width=129 style='width:96pt'>Radare 2</td>
<td class=xl6924838 width=406 style='width:305pt'>radare2</td>
<td class=xl6924838 width=367 style='width:275pt'>Framework for examining
binary files</td>
<td class=xl6924838 width=202 style='width:151pt'>radare2 (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/radare/radare2">https://github.com/radare/radare2</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Unpacking</td>
<td class=xl6924838 width=129 style='width:96pt'>Bytehist</td>
<td class=xl6924838 width=406 style='width:305pt'>bytehist</td>
<td class=xl6924838 width=367 style='width:275pt'>Generate byte-usage
histograms for all types of files, with a focus on PE files</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-bytehist (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://www.cert.at/downloads/software/bytehist_en.html">https://www.cert.at/downloads/software/bytehist_en.html</a></td>
</tr>
<tr height=34 style='height:25.5pt'>
<td height=34 class=xl6924838 width=307 style='height:25.5pt;width:230pt'>Statically
Examine PE files: Unpacking</td>
<td class=xl6924838 width=129 style='width:96pt'>Density Scout</td>
<td class=xl6924838 width=406 style='width:305pt'>densityscout</td>
<td class=xl6924838 width=367 style='width:275pt'>Calculate the density
(similar to entropy) of files in the specified location; useful for finding
packed programs</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-densityscout (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://www.cert.at/downloads/software/densityscout_en.html">http://www.cert.at/downloads/software/densityscout_en.html</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Unpacking</td>
<td class=xl6924838 width=129 style='width:96pt'>PackerID</td>
<td class=xl6924838 width=406 style='width:305pt'>packerid</td>
<td class=xl6924838 width=367 style='width:275pt'>Help determine which packer
was used to protect a PE file</td>
<td class=xl6924838 width=202 style='width:151pt'>remnux-scripts (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="https://github.com/sooshie/packerid">https://github.com/sooshie/packerid</a></td>
</tr>
<tr height=17 style='height:12.75pt'>
<td height=17 class=xl6924838 width=307 style='height:12.75pt;width:230pt'>Statically
Examine PE files: Unpacking</td>
<td class=xl6924838 width=129 style='width:96pt'>UPX</td>
<td class=xl6924838 width=406 style='width:305pt'>upx</td>
<td class=xl6924838 width=367 style='width:275pt'>A popular tool for packing
and unpacking executable files</td>
<td class=xl6924838 width=202 style='width:151pt'>upx-ucl (APT)</td>
<td class=xl7124838 width=733 style='width:550pt'><a
href="http://upx.sourceforge.net/">http://upx.sourceforge.net/</a></td>
</tr>
<![if supportMisalignedColumns]>
<tr height=0 style='display:none'>
<td width=307 style='width:230pt'></td>
<td width=129 style='width:96pt'></td>
<td width=406 style='width:305pt'></td>
<td width=367 style='width:275pt'></td>
<td width=202 style='width:151pt'></td>
<td width=733 style='width:550pt'></td>
</tr>
<![endif]>
</table>
</div>
<!----------------------------->
<!--END OF OUTPUT FROM EXCEL PUBLISH AS WEB PAGE WIZARD-->
<!----------------------------->
</body>
</html>