Windows Malware Analysis For Hedgehogs - Beginner Training

Posted By: ELK1nG
Published 9/2023
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 6.30 GB | Duration: 11h 16m

Learn what really matters from an actual analyst: malware reversing, clean vs malware, report writing, unpacking

What you'll learn

Triage and reverse engineering of potentially malicious samples

Determine if a file is malicious, clean, potentially unwanted, grayware, corrupt or junk

Write malware reports

Know the common types of malware and how to identify them

Know how and when to use disassemblers, debuggers and metadata viewers

Identify malware families

Windows internals necessary for malware analysis, e.g., the Windows registry

Packer types, identification, basics of unpacking

Analysis of native and .NET executables, installers, wrappers, scripts

Basics of disinfection

Requirements

You know how to program in at least one language (e.g. Python, C, C#, Java, …)

You are able to read x86 assembly

Description

This course teaches more than just reverse engineering, because as a malware analyst you need a variety of other skills. You will learn how to classify samples into malware types, how to identify malware families and how to determine file verdicts like clean, malicious, potentially unwanted program, junk, grayware or corrupt. Additionally, you will learn how malware persists, how to identify malicious autostart entries and how to clean infected systems.

The course aims to dispel common myths such as "trojan in a detection name means the file is a trojan horse" or "antivirus detection names are a malware classification".

As a malware analyst with experience working at an antivirus company since 2015, I have trained many beginners in the field. I understand the usual pitfalls and the concepts that you need to grasp to become proficient. I focus on building strong foundations that make you flexible in the face of new malware advancements, rather than providing shortcuts with step-by-step recipes.

I will teach you how to differentiate between different types of files, including installers, wrappers, packed files, non-packed files, hybrid and native compiled files. You will learn which tools to apply in which situations and how to analyse samples efficiently. To do that I give you example approaches that work for most situations.

This course is ideal for you if you already have some IT background, such as hobby or professional programmers, computer enthusiasts, administrators, computer science students, or gamers with an interest in the inner workings of software or IT security. If you have a strong interest in the topic but lack the necessary IT background, I recommend that you learn programming first. Please refer to the course requirements for more information.

Tools

All the tools and web services that we use during the course are free:

Ghidra and AdoptOpenJDK

x64dbg

VirtualBox

SysInternals Suite

PortexAnalyzer CLI and GUI

VirusTotal (without account)

Speakeasy by Mandiant

API Monitor

CyberChef

EXIFTool

Meld

VBinDiff

AnalyzePESig

DnSpy

C# Online Compiler programwiz

TriD

Detect-it-Easy

ReNamer

7zip

Notepad++

HxD

Malpedia

lnk_parser

Requirements

You should have a strong understanding of at least one programming language, such as Python, C, C++, Java or C#. This is a crucial requirement for the course, not only because we create small scripts during the course but because reverse engineering needs an understanding of software as a foundation. The specific language does not matter, as you cannot learn every language you may encounter during analysis anyway. The concepts of programming must be clear, though. If you are not there yet, you should not buy this course yet; start learning C instead. C is great because it is low-level and integrates well with x86 assembly language.

Additionally, you must be able to read (not write) x86 assembly to understand everything in the course. Without assembly you will only be able to understand two-thirds of the content. So if you consider starting this course right away and learning assembly alongside it, that should work fine.

During this course we look at samples that use the following execution environments:

x86 and x64 assembly

.NET

Batch

PowerShell

Nullsoft scripts

However, you do not need to learn all of these languages. Because an analyst encounters new languages all the time, your skill set lies rather in using the available documentation, manuals and help provided for those environments and languages. I also show you during the course how to use the documentation for, e.g., PowerShell.

Out of scope

Malware analysis is a broad field, so there are inevitably topics that I will not teach during this course because they would rather require their own course. Some of these topics are: assembly language, programming, how computers work, URL and website analysis, networks, analysis of malware for platforms other than Windows, mobile malware, IoT malware.

Overview

Section 1: Introduction to Malware Analysis

Lecture 1 Introduction

Lecture 2 Analysis process

Section 2: Malware lab setup

Lecture 3 Malware Analysis Lab

Lecture 4 Download links

Lecture 5 Installing VirtualBox Windows 10 VM

Lecture 6 Installing VirtualBox Guest Additions

Lecture 7 Enabling hidden files view and removing Windows Defender

Lecture 8 Sample handling: Course samples and password protected archives

Lecture 9 Sample handling: Shared folder setup

Lecture 10 Sample handling: Prevent execution via ACLs (Windows host only)

Lecture 11 Network, snapshots and first sample execution

Lecture 12 Safety rules summary

Section 3: Triage and file type basics

Lecture 13 What is triage

Lecture 14 Download links

Lecture 15 Lab Triage 1: Determine file types of unknown samples

Lecture 16 What is a file type

Lecture 17 Lab Triage 2: Whole file examination

Lecture 18 Antivirus detection names and formats for malware

Lecture 19 Deciphering antivirus detection names for malware

Lecture 20 Lab Triage 3: VirusTotal autoscans and first research

Lecture 21 Lab Triage 4: Final analysis

Lecture 22 Lab: Exercise solution
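The Section 3 labs determine file types from content rather than from the file name. The script below is an added example of that triage step, not material from the course: it classifies a sample by its leading bytes (checking for a real PE signature behind an MZ header rather than trusting "MZ" alone) and flags files whose extension claims a different type. The signature table and the sample inputs are constructed for the example; real triage tools such as TrID and Detect-it-Easy carry far larger databases.

```python
import os
import struct

# Constructed signature table (assumption: a small subset for the example; first match wins).
MAGIC = [
    (b"\x7fELF", "ELF"),
    (b"%PDF-", "PDF"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"MSCF", "CAB"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF8", "GIF"),
    (b"PK\x03\x04", "ZIP"),                           # also DOCX/XLSX/PPTX, JAR, APK
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"),    # legacy Office, MSI
]

# Which content types an extension may legitimately carry. Anything else is a
# mismatch worth a closer look; extensions not listed (.bin, .dat, .txt) are never flagged.
EXT_IMPLIES = {
    ".exe": {"PE", "MZ"}, ".dll": {"PE"}, ".sys": {"PE"}, ".scr": {"PE"}, ".cpl": {"PE"},
    ".pdf": {"PDF"}, ".zip": {"ZIP"}, ".7z": {"7z"}, ".rar": {"RAR"}, ".cab": {"CAB"},
    ".docx": {"ZIP"}, ".xlsx": {"ZIP"}, ".pptx": {"ZIP"}, ".jar": {"ZIP"}, ".apk": {"ZIP"},
    ".doc": {"OLE2"}, ".xls": {"OLE2"}, ".msi": {"OLE2"},
    ".png": {"PNG"}, ".gif": {"GIF"},
    ".bat": {"text"}, ".cmd": {"text"}, ".ps1": {"text"}, ".vbs": {"text"}, ".js": {"text"},
}

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def identify(data: bytes) -> str:
    """Classify by content only; the file name is never consulted."""
    if data[:2] == b"MZ":
        # "MZ" is only the DOS header. A PE image also has "PE\0\0" at e_lfanew
        # (DWORD at offset 0x3C); without it this is a DOS program, a truncated
        # file or junk that merely starts with MZ.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "PE"
        return "MZ"
    for magic, tag in MAGIC:
        if data.startswith(magic):
            return tag
    if data.startswith(b"#!"):
        return "shebang-script"
    if not data:
        return "empty"
    if all(b in TEXT_BYTES for b in data):
        return "text"
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """One triage record: detected type versus what the extension claims."""
    ext = os.path.splitext(name)[1].lower()
    tag = identify(data)
    allowed = EXT_IMPLIES.get(ext)
    return {"name": name, "type": tag, "extension": ext,
            "mismatch": allowed is not None and tag not in allowed}


def build_samples() -> dict:
    """Constructed inputs (not real malware): a PE header skeleton, a ZIP local
    file header, a batch script and an MZ stub whose e_lfanew points nowhere."""
    pe = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
    zip_header = b"PK\x03\x04" + bytes(26)
    batch = b"@echo off\r\nstart calc.exe\r\n"
    dos_stub = b"MZ" + bytes(58) + struct.pack("<I", 0xFFFFFFF0)
    return {
        "invoice.pdf": pe,          # executable behind a document extension
        "report.docx": zip_header,  # OOXML really is a ZIP container: no mismatch
        "update.exe": batch,        # text where a PE was claimed
        "setup.exe": dos_stub,      # MZ is allowed for .exe, but no PE signature
        "sample.bin": pe,           # unknown extension: never flagged
    }


if __name__ == "__main__":
    for sample_name, sample_data in build_samples().items():
        print(triage(sample_name, sample_data))
```

The point of the e_lfanew check is that "starts with MZ" is not the same as "is a PE": a corrupt or truncated sample yields the "MZ" tag, which in the course's verdict scheme is a candidate for corrupt or junk rather than for malware analysis.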

Section 4: Wrapped files and installers

Lecture 23 Finding the malware developer's code

Lecture 24 Wrapped files

Lecture 25 Tools and links

Lecture 26 Lab Wrapped files 1: Triage of a wrapped file

Lecture 27 Lab Wrapped files 2: Obtaining the script with ACLs

Lecture 28 Lab Wrapped files 3: Wrapped file payload analysis

Lecture 29 Lab Wrapped files 4: Obtaining the script with APIMonitor

Lecture 30 Installers

Lecture 31 Lab Installers 1: Layer 1 Unpacking Nullsoft

Lecture 32 Lab Installers 2: Layer 2 Extract 7zip SFX files

Lecture 33 Lab Installers 3: Extract 7zip SFX configuration

Lecture 34 Lab Installers 4: Triage of multiple files

Section 5: Malware Persistence and Disinfection Basics

Lecture 35 Auto Start Extensibility Points (ASEPs)

Lecture 36 The Windows Registry

Lecture 37 Links

Lecture 38 Lab: Services

Lecture 39 Lab Disinfection 1: Autoruns - Run, IFEO

Lecture 40 Lab Disinfection 2: RunOnce, Active Setup, Scheduled Tasks, LNKs

Section 6: Portable Executable format and .NET

Lecture 41 Introduction to Portable Executable files

Lecture 42 Portable Executable format basics

Lecture 43 PortexAnalyzer and DnSpy download

Lecture 44 Lab PE 1: MS DOS stub, COFF file header, timestamps and REPRO builds

Lecture 45 Lab PE 2: Optional header and section table

Lecture 46 Lab PE 3: Resources, icons, debug path, imports

Lecture 47 Lab PE 4: Anomalies and visualization

Lecture 48 Compilation and Interpretation

Lecture 49 Lab .NET 1: .NET basics and triage

Lecture 50 Lab .NET 2: Running the file, DnSpy basics

Lecture 51 Lab .NET 3: Code search in DnSpy

Section 7: File analysis verdicts

Lecture 52 Analysis types

Lecture 53 File analysis verdicts

Lecture 54 Clean vs malicious—approaches for clean file analysis

Lecture 55 Tools for binary diffing and finding hidden certificate data

Lecture 56 Installing the bindiff and certificate tools

Lecture 57 Lab diffing 1: Binary diffing with vbindiff and meld

Lecture 58 Lab diffing 2: Identify certificate manipulation

Lecture 59 How signature verification works

Lecture 60 Lab diffing 3: Force strict signature verification

Lecture 61 Mapping detection names to file verdicts

Section 8: Malware classification and analysis reports

Lecture 62 Writing analysis reports

Lecture 63 Malware Classification

Lecture 64 Malware types by propagation

Lecture 65 Malware types by payload behavior

Lecture 66 Malware family identification

Lecture 67 Tools and links

Lecture 68 Lab report writing 1: Main analysis of a downloader

Lecture 69 Lab report writing 2: ICC profile extraction with exiftool

Lecture 70 Lab report writing 3: Malware decryption with CyberChef

Section 9: Ghidra basics

Lecture 71 Ghidra introduction

Lecture 72 Download link for Ghidra

Lecture 73 Lab preparation: Installing Ghidra

Lecture 74 Lab Ghidra 1: New project, file import and autoanalysis

Lecture 75 Lab Ghidra 2: Windows in the codebrowser part 1

Lecture 76 Lab Ghidra 3: Windows in the codebrowser part 2

Lecture 77 Lab finding main 1: MinGW and VisualStudio C++ applications

Lecture 78 Lab finding main 2: A more difficult application

Section 10: Debugging basics with x64dbg

Lecture 79 x64dbg introduction

Lecture 80 Download links and bookmarks

Lecture 81 Lab x64dbg 1: CPU view windows

Lecture 82 Lab x64dbg 2: Navigation

Lecture 83 Lab x64dbg 3: Software breakpoints

Lecture 84 Lab x64dbg 4: Hardware breakpoints

Lecture 85 Lab x64dbg 5: Memory breakpoints

Lecture 86 Lab ASLR 1: Rebasing and DllCharacteristics in the Optional Header

Lecture 87 Lab ASLR 2: Hex to Bin Conversion, Bitmasks and Disabling Exploit Protection
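The PE labs in Section 6 (DOS stub, COFF file header, timestamp, optional header, section table) and the two ASLR labs above both come down to reading a few fixed-offset fields and decoding a bitmask. The parser below is an added example that is not part of the course: it walks the headers with Python's struct module, decodes DllCharacteristics bit by bit (the hex-to-binary step of Lab ASLR 2), and shows how clearing DYNAMIC_BASE, which is what rebasing in the optional header means, changes the result. The sample image is constructed inline and is only a header skeleton, not a runnable program. Two caveats the labs touch on: an MSVC /Brepro build stores a content hash in TimeDateStamp rather than a time, and system-wide mandatory ASLR in Exploit Protection can still rebase an image whose DYNAMIC_BASE bit is clear.

```python
import struct
from datetime import datetime, timezone

# DllCharacteristics bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR may use the full address space
    0x0040: "DYNAMIC_BASE",      # image may be rebased at load time (ASLR)
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DYNAMIC_BASE = 0x0040
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def _header_offsets(data: bytes):
    """Return (COFF file header offset, optional header offset) after checking both signatures."""
    if data[:2] != b"MZ":
        raise ValueError("MZ signature missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew=0x%x" % e_lfanew)
    return e_lfanew + 4, e_lfanew + 24          # +4 signature, +20 COFF header


def decode_dll_characteristics(value: int) -> list:
    """Name every set bit; unknown bits are kept as hex so nothing is silently dropped."""
    return [DLL_CHARACTERISTICS.get(1 << b, "0x%04x" % (1 << b))
            for b in range(16) if value & (1 << b)]


def parse_pe(data: bytes) -> dict:
    """DOS header -> COFF file header -> optional header -> section table."""
    coff, opt = _header_offsets(data)
    machine, nsections, timestamp, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPT_MAGIC:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # ImageBase is a DWORD at +28 in PE32 but a QWORD at +24 in PE32+ (BaseOfData is
    # gone there); DllCharacteristics sits at +70 in both formats.
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": fields[1], "virtual_address": fields[2],
                         "raw_size": fields[3], "raw_offset": fields[4],
                         "characteristics": fields[9]})
    return {
        "arch": MACHINES.get(machine, "0x%04x" % machine),
        "magic": OPT_MAGIC[magic],
        "file_characteristics": file_chars,
        "timestamp": timestamp,   # caveat: a /Brepro build stores a hash here, not a time
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "image_base": image_base,
        "dll_characteristics": dllchar,
        "dll_characteristics_bin": format(dllchar, "016b"),
        "dll_flags": decode_dll_characteristics(dllchar),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "sections": sections,
    }


def set_dynamic_base(data: bytes, enabled: bool) -> bytes:
    """Copy of the image with DYNAMIC_BASE set or cleared. With the bit clear the loader
    honours ImageBase, so Ghidra and x64dbg addresses agree. The CheckSum field is left
    stale (the user-mode loader does not verify it), and mandatory ASLR can still rebase."""
    _, opt = _header_offsets(data)
    buf = bytearray(data)
    value = struct.unpack_from("<H", buf, opt + 70)[0]
    value = value | DYNAMIC_BASE if enabled else value & (~DYNAMIC_BASE & 0xFFFF)
    struct.pack_into("<H", buf, opt + 70, value)
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32: headers plus one .text section, ASLR and DEP flags set,
    fixed build timestamp 2023-09-01 00:00:00 UTC. Header skeleton only, not a real program."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(0x80 - 64)   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 1693526400, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)    # ImageBase
    struct.pack_into("<H", opt, 70, 0x0140)        # DYNAMIC_BASE | NX_COMPAT
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + bytes(opt) + text
    return image + bytes(0x600 - len(image))


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print(info["arch"], info["magic"], info["timestamp_utc"], info["dll_characteristics_bin"], info["dll_flags"])
    print("ASLR after clearing DYNAMIC_BASE:", parse_pe(set_dynamic_base(sample, False))["aslr"])
```

Offsets here are file offsets, which is all that is needed for headers; section fields such as VirtualAddress are RVAs and require the section table to map back to the file, which is exactly the mapping the Section 6 labs walk through by hand in PortexAnalyzer.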

Section 11: Ransomware analysis with Ghidra and x64dbg

Lecture 88 Legion ransomware intro

Lecture 89 Lab Legion ransomware 1: Triage

Lecture 90 Lab Legion ransomware 2: Finding main

Lecture 91 Lab Legion ransomware 3: Date check markup

Lecture 92 Lab Legion ransomware 4: Finding the encryption function

Lecture 93 Lab Legion ransomware 5: Understanding the encryption

Lecture 94 Lab Legion ransomware 6: Patching with x32dbg

Lecture 95 Lab Legion ransomware 7: Ransomware monitoring and file decryption test

Section 12: Packers and unpacking methods

Lecture 96 How packers work

Lecture 97 Unpacking methods

Lecture 98 Unpacking stub types and how they work

Lecture 99 Download links and documentation

Lecture 100 Installing Python 3 and Speakeasy

Lecture 101 Lab Winupack 1: packing, fix disassembly in x32dbg

Lecture 102 Lab Winupack 2: Find OEP via tracing, dump and fix imports

Lecture 103 Lab Winupack 3: Find OEP via hardware breakpoint on stack

Lecture 104 One generic unpacking approach

Lecture 105 Lab Poison 1: Speakeasy API logging

Lecture 106 Lab Poison 2: Unpacking via RtlDecompressBuffer

Lecture 107 Lab Injector DLL: Unpacking via VirtualAlloc

Who this course is for

People with some IT experience or IT enthusiasts who are beginners in malware analysis and reverse engineering

Entry-level or aspiring malware analysts

Computer science graduates

Software developers

SOC analysts

Hobby programmers