Malware Analysis is the study and close examination of malware to understand its origins, purpose and potential impact on the system. Malware analysts accomplish their task by using various tools and expert-level knowledge to understand not only what a piece of malware can do but also how it does it. This course provides participants with the practical skills and knowledge to be able to analyze malware, and exposes them to a critical set of tools required for their task.

  • Cyber security practitioners
  • Cyber forensics analysts
  • Security engineers/researchers
  • Incident responders
  • Junior malware analysts or reverse engineers
  • Software developers
  • IT security administrators

Malware analysis is an advanced field of study that requires a lot of discipline and strong analytical skills. Applicants to this course should have a solid foundation in the following areas before starting the course:

  • Basic programming concepts.
  • Operating system concepts.
  • Networking fundamentals.
  • A background in network forensics is highly recommended.
  • CF101, CF201 and CF300 provide a solid foundation of the preliminary knowledge required for this training.

80 Hours

Cyber Security

Certificate: No

Price: contact us for more details

Objectives

Participants of this course will build up their skills and knowledge in:

  • Malware analysis using both dynamic and static analysis methods.
  • Assembly language for the purpose of examining malware.
  • Reverse engineering malware using various tools.
  • A first glimpse into Windows internals by studying the Windows kernel.
  • Hands-on exercises for every step and topic covered, to reinforce practical capabilities.

Course Outline

Module 01: Introduction to Malware Analysis – 8 hours

The first module will introduce participants to the world of malware. They will study different types of malware and see how they operate, understand how anti-virus software works, and will eventually develop an idea of how to approach a malicious file and where to find it. Tools for performing malware analysis will also be presented during this module.

  • Different behaviors of malware types
    • Behavioral analysis
    • Code analysis
    • Memory analysis
    • Malware behavior blocking
  • How anti-virus software works
  • PE files
  • Hash and file identification
  • VirusTotal and other sandboxes
  • Windows libraries and processes
  • Windows APIs
  • Setting up a safe environment for inspecting malware:
    • Virtual machine
    • Real systems
    • Malware analysis tools
      • Process Hacker
      • Process Monitor
      • Regshot
      • API Monitor
      • IDA
  • Malware hiding places
    • On live systems
    • On dead systems
  • Malware on the network
    • Identifying malware
    • Carving malware
    • Analyzing malicious PCAP files
  • Lab: Students will be required to identify malware and present a report of the incident.

Module 02: Basic Dynamic Analysis – 8 hours

Basic Dynamic Analysis is the initial method of inspecting and analyzing malware. During this stage, students will execute the malware in a protected sandbox environment and analyze its effects on the system. Various tools for malware analysis will be introduced and used by participants during this module.

  • Checking the Sandbox
  • All about snapshots
  • Events capture
  • Host integrity monitor
  • Process Monitor
  • Registry analysis
  • Monitoring registry changes
  • Analyzing with Autoruns
  • Network traffic monitoring with Wireshark
  • DNS monitoring
  • Simulating internet services
  • Windows Sysinternals suite
  • Challenge: Students will be tasked with analyzing a malware sample: examining its traffic, what information it sends and to whom, which parts of the file system it alters and which files it adds, and finalizing their findings in a full report.

Module 03: Basic Static Analysis – 4 hours

Basic Static Analysis allows the malware researcher to inspect the potential effects of malware on the system without executing it, that is, by examining the file and its code directly. This phase is critical for collecting information about the malware for the more advanced stages of the research.

  • Strings
  • PE file sections
  • Information gathering from PE
  • Database of file hashes
  • Identifying file compilation date

Module 04: Assembly – 20 hours

This module introduces the basics of Assembly language, the human-readable language closest to the computer's binary machine code. Familiarization with Assembly will allow students to gain closer insight into what lies at the base of the malware's code and how it was meant to operate when executed, and is an entry ticket into the world of reverse engineering.

  • Registers
  • Flags
  • Functions
  • Imports
  • Exports
  • Stack
  • Heap
  • Conditions
  • Loops
  • Lab: Students will perform several reverse engineering exercises using Assembly, facing various challenges on different levels.

Module 05: Advanced Static Analysis Using IDA Pro – 16 hours

During this stage, students will practice what they have learnt in previous modules in order to perform a deep analysis of malicious code using Assembly principles. Students will be able to recognize instructions intended to harm or infect the system.

  • Disassembly
  • IDA Pro
  • C in Assembly
  • File signature analysis
  • Analyzing malicious programs
  • Identifying malware passwords
  • Lab: Participants will explore and analyze different types of malware from recent years that demonstrate new and challenging techniques and methods.

Module 06: Advanced Dynamic Analysis Using a Debugger – 12 hours

During this module, students will dive deeper into practicing advanced dynamic analysis methods using debuggers to get more precise findings when analyzing the malware. By injecting code, participants will be able to study the reaction of the malware and learn more about how it functions.

  • Debugging
  • OllyDbg
  • WinDbg
  • Anti-debugging
    • x86
    • x64
    • Breakpoints
    • Timing attacks
    • Windows internals
    • Process exploitation
    • Anti-dumping
  • Lab: Students will perform a full analysis on a malware sample, using all the tools and techniques covered during the course so far.

Module 07: Windows Kernel and Rootkits – 12 hours

The final module takes participants another step ahead, providing a glimpse into the internals of the operating system, namely the kernel, and further familiarization with the advanced injection methods used by rootkits.

  • Windows Kernel
    • Kernel basics
    • Windows API
    • Windows drivers
    • Kernel debugging
  • Rootkit techniques
    • Hooking
    • Patching
    • Object manipulation

Final lab: Students will practice the analysis of malware that affects the kernel. This exercise combines an understanding of the kernel with reverse engineering and Assembly skills.