Description

In the first module, participants will study different types of malware and see how they operate, understand how the anti-virus works, and will eventually develop an idea of how to approach a malicious file and where to find it.

Technical content

• Introduction to Malware Analysis
  o Malware Analysis Definitions
  o Types of Malware
  o Different Behaviors of Malware Types
  ▪ Behavioral Analysis
  ▪ Code Analysis
  ▪ Memory Analysis
  o Security Mechanisms
  o How the Anti-Virus Works
  o Understanding PE Format
  o Hash and File Identification
  o Windows Libraries and Processes
  o Windows APIs
  o Setting Up a Safe Environment for Inspecting Malware
  ▪ Building and Configuring Virtual Machine
  ▪ Malware Analysis Tools
  o Process Hacker
  o Process Monitor
  o Regshot
  o API Monitor
  o IDA
• Extracting malware from data segments
  o Network PCAP file
  o Volatile Memory (RAM)
  o Basics of Volatile Memory Malicious Activity Research
  ▪ Network Connections
  ▪ Malfind
  ▪ Process
  ▪ DLL
  ▪ Memdump

Description

Basic static analysis allows the malware-researcher to inspect the influences of malware on the system, while it is in a static stage, that is, in code format. This phase is critical for collecting information about the malware for more advanced stages of the research.

Technical content

• Basic Static Analysis
  o Security Concerns
  ▪ Double-Click Prevention
  ▪ Auto-run Prevention
  o First Analysis with Strings
  ▪ Identify Libraries
  ▪ Identify Patterns
  ▪ Identify the Domain
  ▪ Identify Windows Functions
  o PE file Sections
  ▪ Common Sections
  ▪ Anomaly Sections
  o Information Gathering from PE
  ▪ Timestamp
  ▪ GUI or CLI Application
  ▪ Virtual Memory Allocation
  ▪ Entry Point
  o Analyzing Program Dependency Libraries
  ▪ Exports and Imports
  ▪ Function Calls by Ordinal Number
  o Resources Section Anomaly
  o VirusTotal
  o Database of File Hashes
  o Writing Static Analysis Report

Description

Basic Dynamic Analysis is the initial method of inspecting and analyzing malware. During this stage, participants will activate the malware in a protected sandbox environment and analyze its effects on the system. Various tools for malware analysis will be introduced and used by participants during this module.

Technical content

• Basic Dynamic Analysis
  o Organize and Isolate your Environment
  o New Malware System
  ▪ Identifying Virtual Machines
  ▪ Searching for Ports
  ▪ Testing Network Traffic
  o Snapshot System
  o Analyzing Processes
  ▪ Procmon
  ▪ Process Explorer
  o Registry Analysis
  o Monitoring Registry Changes
  o Analyzing Autoruns
  o Network Traffic Monitoring with Wireshark
  o Faking Network Traffic and Configure Proxies
  o DNS Monitoring
  o Simulating Internet Services
  o Analyzing Findings

Description

This module will introduce the basics of Assembly language, which is the closest to computer binary language that can be read by humans. Familiarization with Assembly will allow participants to gain a closer insight into what lies at the base of the malware’s code and how it was meant to operate when activated and is an entry ticket into the world of reverse engineering.

Technical content

• Assembly Language Basics
  o x86 Processor Architecture
  o Understanding Buses and Data Traffic
  o Syscalls Table
  o Number and Character Representation
  o Basic Assembly x86 Programming
  ▪ Standard Output
  ▪ Registers
  ▪ Variables and Reserves
  ▪ Strings in Assembly
  ▪ Working with Numbers
  ▪ Jumps and Flags