Intro to Malware Analysis
Overview
In this class, students learn the fundamentals of malware analysis through static and behavioral analysis of real and exemplar malware. This hands-on course walks students through setting up a properly sandboxed environment equipped for malware analysis. Students are introduced to the compilation process that turns human-readable source code into machine-readable executables, and to the many tools used to examine malware samples of widely varying sophistication, from specifically crafted exemplars that exhibit typical malware behaviors up through real-world malware used by Advanced Persistent Threats (APTs).
The course includes many hands-on labs for repeated practice of the skills taught. Each topic is introduced in lecture to establish the core concepts and then exercised in labs. The course concludes with a capstone lab that combines all of the skills and tools covered in the class: students conduct a basic malware analysis, identify binary obfuscation, and report their key findings.
Who Should Take This Course
Prerequisites
- Working knowledge of penetration testing methodology and tools is required
- Basic technical writing skills
- General knowledge of the Windows operating system, including a basic understanding of Windows processes, the registry, and the filesystem
- Familiarity with VMware, setting up VMs, and using VMs
- Exposure to the C programming language is recommended
Course Objectives
On completion of this course, students will be able to:
- Set up a sandboxed environment for static and behavioral analysis of Windows Portable Executables (PE)
- Compile basic C code from source to executable
- Statically analyze suspected malicious Windows binaries (PE)
- Identify behaviors typically exhibited by malicious Windows binaries (PE)
- Identify common packing and obfuscation techniques used by malware authors to disguise a binary's purpose
- Use basic unpackers to restore packed binaries to their original, de-obfuscated form
- Report key findings from their malware analysis efforts
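As an added illustration of the static-analysis, packing-detection and embedded-binary objectives above, the following is example code written for this page, not course material. It parses the DOS, COFF, optional and section headers of a PE file with only the Python standard library, scores a few conventional packing heuristics (section entropy above 7.0 bits per byte, well-known packer section names, writable-and-executable sections, an entry point that falls outside a code section) and scans for a second PE image embedded in the file. The packer section-name list, the entropy threshold and the two sample images assembled by `build_sample_pe` are assumptions made for the example; the samples are constructed header-only images and are not loadable programs.

```python
"""Added example: first-pass static triage of a Windows PE file (stdlib only)."""
import math
import random
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names left behind by common packers (assumption: an illustrative, partial list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1", ".themida", ".vmp0"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (entry_point_rva, [Section, ...]); raise ValueError if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize,
                                rsize, chars, shannon_entropy(data[roff:roff + rsize])))
    return entry, sections


def packing_indicators(data: bytes) -> list:
    """Heuristic packing/obfuscation indicators; an empty list means nothing suspicious was seen."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s.raw_size >= 256 and s.entropy > 7.0:         # compressed/encrypted payload looks random
            findings.append(f"high-entropy section {s.name} ({s.entropy:.2f} bits/byte)")
        if s.name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {s.name}")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable+executable section {s.name}")  # stub unpacks in place
    home = [s for s in sections if s.contains_rva(entry)]
    if not home:
        findings.append(f"entry point {entry:#x} outside every section")
    elif home[0].name not in (".text", "CODE"):
        findings.append(f"entry point in non-code section {home[0].name}")
    return findings


def find_embedded_pe(data: bytes) -> list:
    """Offsets of PE images embedded after the first byte (overlay, resource, dropper payload)."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)                          # MZ stub whose e_lfanew really hits "PE\0\0"
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from (name, bytes, characteristics) tuples. Constructed test data."""
    opt_size, align = 224, 0x200
    headers = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + align - 1) // align * align
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    table, body, raw_off, vaddr = bytearray(), bytearray(), headers, 0x1000
    for name, content, chars in sections:
        rsize = (len(content) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), vaddr, rsize, raw_off, 0, 0, 0, 0, chars)
        body += content.ljust(rsize, b"\0")
        raw_off += rsize
        vaddr += (rsize + 0xFFF) // 0x1000 * 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(headers, b"\0") + bytes(body)


# Constructed samples: a plain binary and a UPX-style packed one carrying random-looking data.
CLEAN = build_sample_pe([(".text", b"\x55\x8b\xec" * 40 + b"\xc3", IMAGE_SCN_MEM_EXECUTE | 0x20),
                         (".data", b"hello\0", IMAGE_SCN_MEM_WRITE | 0x40)], entry_rva=0x1000)
_rng = random.Random(1)
PACKED = build_sample_pe([("UPX0", b"\0" * 16, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
                          ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)),
                           IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)], entry_rva=0x2010)
DROPPER = CLEAN + b"payload:" + PACKED   # second PE carried in the overlay, as a dropper would do

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("packed", PACKED)):
        print(label, packing_indicators(sample) or ["no indicators"])
    print("embedded PE at", [hex(o) for o in find_embedded_pe(DROPPER)])
```

Run against a real sample, `packing_indicators(open(path, "rb").read())` gives a quick first opinion before any unpacking; none of these signals is proof on its own (legitimate installers and .NET binaries also carry high-entropy sections), which is why the lab pairs them with behavioral analysis.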
Course Outline
Intro to Malware Analysis
Day 1
- What is malware?
- Primary types of malware (past and current)
- APT malware
- Setting up a safe environment for analysis
- Labs
  - Setting up a safe environment
  - Tool familiarity
  - Report familiarity
Day 2
- What is a Portable Executable?
- Compilation process
- Static Analysis
- Behavioral Analysis
- Labs
  - Static Analysis
  - Behavioral Analysis
  - Hybrid Analysis
Day 3
- Obfuscated and packed code
- Detecting packed or obfuscated binaries
- Detecting embedded binaries
- Labs
  - Unpacking code
  - Analyzing unpacked binaries
  - Embedded Binaries
Day 4
- Written Test
- APT malware
- Labs
  - APT1 case study
Day 5
- Practical Test (hands-on lab)
- Review of Practical