Windows Malware Analysis For Hedgehogs - Beginner Training
Published 9/2023
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 6.30 GB | Duration: 11h 16m
Learn what really matters from an actual analyst: malware reversing, clean vs malware, report writing, unpacking
What you'll learn
Triage and reverse engineering of potentially malicious samples
Determine if a file is malicious, clean, potentially unwanted, grayware, corrupt or junk
Write malware reports
Know the common types of malware and how to identify them
Know how and when to use disassemblers, debuggers and metadata viewers
Identify malware families
Windows internals necessary for malware analysis, e.g., Windows registry
Packer types, identification, basics of unpacking
Analysis of native and .NET executables, installers, wrappers, scripts
Basics of disinfection
Requirements
You know how to program in at least one language (e.g. Python, C, C#, Java, …)
You are able to read x86 assembly
Description
This course teaches more than just reverse engineering, because as a malware analyst you need a variety of other skills. You will learn how to classify samples into malware types, how to identify malware families and how to determine file verdicts like clean, malicious, potentially unwanted programs, junk, grayware, or corrupt. Additionally, you will learn how malware persists, how to identify malicious autostart entries and how to clean infected systems.
The course aims to dispel common myths such as "trojan in a detection name means the file is a trojan horse" or "antivirus detection names are a malware classification".
As a malware analyst with experience working at an antivirus company since 2015, I have trained many beginners in the field. I understand the usual pitfalls and the concepts that you need to grasp to become proficient. I focus on building strong foundations that make you flexible in the face of new malware advancements, rather than providing shortcuts with step-by-step recipes.
I will teach you how to differentiate between different types of files, including installers, wrappers, packed files, non-packed files, hybrid, and native compiled files. You will learn which tools to apply in which situations and how to analyse samples efficiently. To do that I give you example approaches that work for most situations.
This course is ideal for you if you already have some IT background, such as hobby or professional programmers, computer enthusiasts, administrators, computer science students, or gamers with an interest in the inner workings of software or IT security. If you have a strong interest in the topic but lack the necessary IT background, I recommend that you learn programming first. Please refer to the course requirements for more information.
Tools
All the tools and web services that we use during the course are free:
Ghidra and AdoptOpenJDK
x64dbg
VirtualBox
SysInternals Suite
PortexAnalyzer CLI and GUI
VirusTotal (without account)
Speakeasy by Mandiant
API Monitor
CyberChef
EXIFTool
Meld
VBinDiff
AnalyzePESig
DnSpy
C# Online Compiler
programwiz
TriD
Detect-it-Easy
ReNamer
7zip
Notepad++
HxD
Malpedia
lnk_parser
Requirements
You should have a strong understanding of at least one programming language, such as Python, C, C++, Java, or C#. This is a crucial requirement for the course, not only because we create small scripts during the course but because reverse engineering needs an understanding of software as its foundation. The specific language does not matter, as you cannot learn every language you may encounter during analysis anyway. The concepts of programming must be clear, though. If you are not there yet, you should not buy this course and start learning C instead. C is great because it is low-level and will integrate well with x86 assembly language.
Additionally, you must be able to read (not write) x86 assembly to understand everything in the course. Without assembly you will only be able to understand two-thirds of the content. So if you consider starting this course right away and learning assembly alongside it, that should work fine.
During this course we look at samples that use the following execution environments:
x86, x64 assembly
.NET
Batch
PowerShell
Nullsoft scripts
However, you do not need to learn all of these languages. Because an analyst encounters new languages all the time, your skillset lies rather in using the available documentation, manuals and help provided for those environments and languages. I also show you during the course how to use the documentation for, e.g., PowerShell.
Out of scope
Malware analysis is a broad field, so there are inevitably topics that I will not teach during this course because they would rather require their own course. Some of these topics are: assembly language, programming, how computers work, URL and website analysis, networks, analysis of malware for platforms other than Windows, mobile malware, IoT malware.
Overview
Section 1: Introduction to Malware Analysis
Lecture 1 Introduction
Lecture 2 Analysis process
Section 2: Malware lab setup
Lecture 3 Malware Analysis Lab
Lecture 4 Download links
Lecture 5 Installing VirtualBox Windows 10 VM
Lecture 6 Installing VirtualBox Guest Additions
Lecture 7 Enabling hidden files view and removing Windows Defender
Lecture 8 Sample handling: Course samples and password protected archives
Lecture 9 Sample handling: Shared folder setup
Lecture 10 Sample handling: Prevent execution via ACLs (Windows host only)
Lecture 11 Network, snapshots and first sample execution
Lecture 12 Safety rules summary
Section 3: Triage and file type basics
Lecture 13 What is triage
Lecture 14 Download links
Lecture 15 Lab Triage 1: Determine file types of unknown samples
Lecture 16 What is a file type
Lecture 17 Lab Triage 2: Whole file examination
Lecture 18 Antivirus detection names and formats for malware
Lecture 19 Deciphering antivirus detection names for malware
Lecture 20 Lab Triage 3: VirusTotal autoscans and first research
Lecture 21 Lab Triage 4: Final analysis
Lecture 22 Lab: Exercise solution
Section 4: Wrapped files and installers
Lecture 23 Finding the malware developer's code
Lecture 24 Wrapped files
Lecture 25 Tools and links
Lecture 26 Lab Wrapped files 1: Triage of a wrapped file
Lecture 27 Lab Wrapped files 2: Obtaining the script with ACLs
Lecture 28 Lab Wrapped files 3: Wrapped file payload analysis
Lecture 29 Lab Wrapped files 4: Obtaining the script with APIMonitor
Lecture 30 Installers
Lecture 31 Lab Installers 1: Layer 1 Unpacking Nullsoft
Lecture 32 Lab Installers 2: Layer 2 Extract 7zip SFX files
Lecture 33 Lab Installers 3: Extract 7zip SFX configuration
Lecture 34 Lab Installers 4: Triage of multiple files
Section 5: Malware Persistence and Disinfection Basics
Lecture 35 Auto Start Extensibility Points (ASEPs)
Lecture 36 The Windows Registry
Lecture 37 Links
Lecture 38 Lab: Services
Lecture 39 Lab Disinfection 1: Autoruns - Run, IFEO
Lecture 40 Lab Disinfection 2: RunOnce, Active Setup, Scheduled Tasks, LNKs
Section 6: Portable Executable format and .NET
Lecture 41 Introduction to Portable Executable files
Lecture 42 Portable Executable format basics
Lecture 43 PortexAnalyzer and DnSpy download
Lecture 44 Lab PE 1: MS DOS stub, COFF file header, timestamps and REPRO builds
Lecture 45 Lab PE 2: Optional header and section table
Lecture 46 Lab PE 3: Resources, icons, debug path, imports
Lecture 47 Lab PE 4: Anomalies and visualization
Lecture 48 Compilation and Interpretation
Lecture 49 Lab .NET 1: .NET basics and triage
Lecture 50 Lab .NET 2: Running the file, DnSpy basics
Lecture 51 Lab .NET 3: Code search in DnSpy
Section 7: File analysis verdicts
Lecture 52 Analysis types
Lecture 53 File analysis verdicts
Lecture 54 Clean vs malicious—approaches for clean file analysis
Lecture 55 Tools for binary diffing and finding hidden certificate data
Lecture 56 Installing the bindiff and certificate tools
Lecture 57 Lab diffing 1: Binary diffing with vbindiff and meld
Lecture 58 Lab diffing 2: Identify certificate manipulation
Lecture 59 How signature verification works
Lecture 60 Lab diffing 3: Force strict signature verification
Lecture 61 Mapping detection names to file verdicts
Section 8: Malware classification and analysis reports
Lecture 62 Writing analysis reports
Lecture 63 Malware Classification
Lecture 64 Malware types by propagation
Lecture 65 Malware types by payload behavior
Lecture 66 Malware family identification
Lecture 67 Tools and links
Lecture 68 Lab report writing 1: Main analysis of a downloader
Lecture 69 Lab report writing 2: ICC profile extraction with exiftool
Lecture 70 Lab report writing 3: Malware decryption with CyberChef
Section 9: Ghidra basics
Lecture 71 Ghidra introduction
Lecture 72 Download link for Ghidra
Lecture 73 Lab preparation: Installing Ghidra
Lecture 74 Lab Ghidra 1: New project, file import and autoanalysis
Lecture 75 Lab Ghidra 2: Windows in the codebrowser part 1
Lecture 76 Lab Ghidra 3: Windows in the codebrowser part 2
Lecture 77 Lab finding main 1: MinGW and VisualStudio C++ applications
Lecture 78 Lab finding main 2: A more difficult application
Section 10: Debugging basics with x64dbg
Lecture 79 x64dbg introduction
Lecture 80 Download links and bookmarks
Lecture 81 Lab x64dbg 1: CPU view windows
Lecture 82 Lab x64dbg 2: Navigation
Lecture 83 Lab x64dbg 3: Software breakpoints
Lecture 84 Lab x64dbg 4: Hardware breakpoints
Lecture 85 Lab x64dbg 5: Memory breakpoints
Lecture 86 Lab ASLR 1: Rebasing and DllCharacteristics in the Optional Header
Lecture 87 Lab ASLR 2: Hex to Bin Conversion, Bitmasks and Disabling Exploit Protection
Section 11: Ransomware analysis with Ghidra and x64dbg
Lecture 88 Legion ransomware intro
Lecture 89 Lab Legion ransomware 1: Triage
Lecture 90 Lab Legion ransomware 2: Finding main
Lecture 91 Lab Legion ransomware 3: Date check markup
Lecture 92 Lab Legion ransomware 4: Finding the encryption function
Lecture 93 Lab Legion ransomware 5: Understanding the encryption
Lecture 94 Lab Legion ransomware 6: Patching with x32dbg
Lecture 95 Lab Legion ransomware 7: Ransomware monitoring and file decryption test
Section 12: Packers and unpacking methods
Lecture 96 How packers work
Lecture 97 Unpacking methods
Lecture 98 Unpacking stub types and how they work
Lecture 99 Download links and documentation
Lecture 100 Installing Python 3 and Speakeasy
Lecture 101 Lab Winupack 1: packing, fix disassembly in x32dbg
Lecture 102 Lab Winupack 2: Find OEP via tracing, dump and fix imports
Lecture 103 Lab Winupack 3: Find OEP via hardware breakpoint on stack
Lecture 104 One generic unpacking approach
Lecture 105 Lab Poison 1: Speakeasy API logging
Lecture 106 Lab Poison 2: Unpacking via RtlDecompressBuffer
Lecture 107 Lab Injector DLL: Unpacking via VirtualAlloc
Ideal for people with some IT experience or IT enthusiasts who are beginners in malware analysis and reverse engineering, entry-level or aspiring malware analysts, computer science graduates, software developers, SOC analysts, and hobby programmers.