Malware Analysis


Table of Contents


Malware Analysis is the study and close examination of malware to understand its origins, purpose, and potential impact on the system. Malware analysts accomplish their tasks by using various tools and expert-level knowledge to understand not only what a piece of malware can do but also how it does it.

This course provides participants with the practical skills and knowledge to be able to analyze malware and exposes them to a critical set of tools required for their tasks.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

The course targets participants with a foundation understanding of the internet, who wish to gain advanced capabilities in open-source intelligence.

  • Cybersecurity practitioners
  • Cyber forensics analysts
  • Security engineers/researchers
  • Incident responders
  • Junior malware analysts
  • Software developers
  • IT security administrators


  • Malware analysis using both Dynamic and Static analysis methods
  • Assembly language to examine malware
  • Reverse engineering malware using various tools
  • The first glimpse into Windows kernel


  • ThinkCyber Level-1 courses



In the first module, participants will study different types of malware and see how they operate, understand how the anti-virus works, and will eventually develop an idea of how to approach a malicious file and where to find it.

Technical content

  • Introduction to Malware Analysis
    o Malware Analysis Definitions
    o Types of Malware
    o Different Behaviors of Malware Types
    ▪ Behavioral Analysis
    ▪ Code Analysis
    ▪ Memory Analysis
    o Security Mechanisms
    o How the Anti-Virus Works
    o Understanding PE Format
    o Hash and File Identification
    o Windows Libraries and Processes
    o Windows APIs
    o Setting Up a Safe Environment for Inspecting Malware
    ▪ Building and Configuring Virtual Machine
    ▪ Malware Analysis Tools
    o Process Hacker
    o Process Monitor
    o Regshot
    o API Monitor
    o IDA
  • Extracting malware from data segments
    o Network PCAP file
    o Volatile Memory (RAM)
    o Basics of Volatile Memory Malicious Activity Research
    ▪ Network Connections
    ▪ Malfind
    ▪ Process
    ▪ DLL
    ▪ Memdump


Basic static analysis allows the malware-researcher to inspect the influences of malware on the system, while it is in a static stage, that is, in code format. This phase is critical for collecting information about the malware for more advanced stages of the research.

Technical content

  • Basic Static Analysis
    o Security Concerns
    ▪ Double-Click Prevention
    ▪ Auto-run Prevention
    o First Analysis with Strings
    ▪ Identify Libraries
    ▪ Identify Patterns
    ▪ Identify the Domain
    ▪ Identify Windows Functions
    o PE file Sections
    ▪ Common Sections
    ▪ Anomaly Sections
    o Information Gathering from PE
    ▪ Timestamp
    ▪ GUI or CLI Application
    ▪ Virtual Memory Allocation
    ▪ Entry Point
    o Analyzing Program Dependency Libraries
    ▪ Exports and Imports
    ▪ Function Calls by Ordinal Number
    o Resources Section Anomaly
    o VirusTotal
    o Database of File Hashes
    o Writing Static Analysis Report


Basic Dynamic Analysis is the initial method of inspecting and analyzing malware. During this stage, participants will activate the malware in a protected sandbox environment and analyze its effects on the system. Various tools for malware analysis will be introduced and used by participants during this module.

Technical content

  • Basic Dynamic Analysis
    o Organize and Isolate your Environment
    o New Malware System
    ▪ Identifying Virtual Machines
    ▪ Searching for Ports
    ▪ Testing Network Traffic
    o Snapshot System
    o Analyzing Processes
    ▪ Procmon
    ▪ Process Explorer
    o Registry Analysis
    o Monitoring Registry Changes
    o Analyzing Autoruns
    o Network Traffic Monitoring with Wireshark
    o Faking Network Traffic and Configure Proxies
    o DNS Monitoring
    o Simulating Internet Services
    o Analyzing Findings


This module will introduce the basics of Assembly language, which is the closest to computer binary language that can be read by humans. Familiarization with Assembly will allow participants to gain a closer insight into what lies at the base of the malware’s code and how it was meant to operate when activated and is an entry ticket into the world of reverse engineering.

Technical content

  • Assembly Language Basics
    o x86 Processor Architecture
    o Understanding Buses and Data Traffic
    o Syscalls Table
    o Number and Character Representation
    o Basic Assembly x86 Programming
    ▪ Standard Output
    ▪ Registers
    ▪ Variables and Reserves
    ▪ Strings in Assembly
    ▪ Working with Numbers
    ▪ Jumps and Flags


The following labs are part of the actual BT220 course:
  • Lab 1 Introduction to Malware Analysis
  • Lab 2 Advanced DNS Monitoring
  • Lab 3 Extracting Malware from Data Segments
  • Lab 4 Analyzing Processes
  • Lab 5 Basic Static Analysis
  • Lab 6 Basic Dynamic Analysis
  • Lab 7 Network Traffic Monitoring with Wireshark
  • Lab 8 Registry Analysis
  • Lab 9 Assembly Basics
  • Lab 10 Assembly x86 Programming

Real cases studies

Case study #1 (MA001)
A power company named City Power was attacked by ransomware that caused South Africa's financial capital Johannesburg to be left without power. The ransomware encrypted all of the company's database. As the malware analysis expert of the company, you have been assigned to analyze the malware.
Case study #2 (MA002)
A group of security researchers discovered a new super-advanced malware that infected a European energy company. One of the malware's abilities is to dismantle anti-virus processes. It also contains anti-analysis features. You have been assigned to initiate an analysis of the malware.

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group:


 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

1 %
Case Studies


This course prepares the participant to the following certification:


Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, the attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details