Practical Malware Analysis & Triage

Arm yourself with knowledge and bring the fight to the bad guys. Learn the state of the art of malware analysis and reverse engineering.

Training for a team or organization? Contact us about group access.

Practical Malware Analysis

Inside the Course

Scroll down to explore the skills you’ll build, the techniques you’ll master, and the requirements to get started.

Start Learning This Course Today

The All-Access Membership gives you unlimited access to this course, hands-on labs, and a complete library of cybersecurity training. Everything you need to build real-world skills is included.

Questions?

If you need clarification on the course or its requirements, simply use the chat button below and our team will assist you.

  • Difficulty: Intermediate
  • Duration: 11h
  • Access: Included in Membership

Overview

Arm yourself with knowledge and bring the fight to the bad guys! Practical Malware Analysis & Triage (PMAT) brings the state of the art of malware analysis to you in engaging instructional videos and custom-made, practical labs.

Welcome to Practical Malware Analysis & Triage. I’m Matt, aka HuskyHacks, and I’m excited to be your instructor for this course. I had a blast putting it together and I hope that you will come along with me and learn the art of splicing, slicing, inspecting, and dissecting malware samples.

Featuring two malware analysis lab build options: local virtual machines and a rapid-deployable cloud malware analysis network! Learn how to spin up a malware analysis network on AWS from anywhere in the world!

Why take this Course?

This course is centered on practical labs that bring malware samples to bear in a safe, controlled environment.

First, you will learn to handle malware safely and construct an isolated lab environment. Then, you will learn the basics of malware analysis on samples designed to teach you the core analysis concepts. As the labs progress, the level of offensive tradecraft employed by these samples grows.

By the end of the course, you’ll be using automated workflows and advanced analysis to extract key facts about real-world specimens.

Finally, and most importantly, you’ll learn the keys to writing detection rules and triage reports to tell the world what you have learned.

What Will I Receive?

  • Access to the student-only channel on Discord to receive support from the instructor and other students.
  • Access to 9+ hours of engaging, instructional video content.
  • Access to the PMAT Lab repository containing dozens of malware samples designed to teach you the fundamentals.
  • Course completion certificate.

Objectives

Safely Handle Malware:

  • Build good habits for handling malware safely and create an analysis lab.

Safe Malware Sourcing:

  • Learn where to source malware samples safely (no need for the dark web!).

Basic Analysis:

  • Learn basic analysis methodology, including interpreting strings, inspecting Windows API calls, identifying packed malware, and discovering host-based signatures. Then, detonate malware to collect network signatures and identify malicious domains and second-stage payloads!

Intro to the x86 Assembly Language:

  • Learn the foundations of x86 Assembly and use it to perform advanced analysis.

Advanced Malware Analysis:

  • Use sophisticated tools like Cutter and x32dbg to discover key insights about malware samples at the lowest possible level. Control the execution flow of a program and manipulate its low-level instructions in a debugger.

Binary Patching & Anti-Analysis:

  • Learn the crafty practice of patching binaries at the ASM level to alter the flow of their programs. Then, learn to identify and defeat anti-analysis techniques.

What the Shell?:

  • Learn to identify and carve out embedded shellcode.

Off Script:

  • Identify scripted, obfuscated malware delivery techniques that use PowerShell and Visual Basic Script.

Reverse Engineering:

  • Decompile and reverse engineer C# assemblies and learn about reverse engineering the .NET Framework! Then, reverse engineer an encrypted malware C2 dropper back to near-perfect original source code with dnSpy!

Go Time:

  • Learn the analysis considerations of malware written in Go.

Get Mobile!:

  • Use MobSF to reverse engineer malicious Android applications.

The Bossfight!:

  • Use everything you have learned to do a full analysis of one of the most infamous malware samples in history.

Automating the Process:

  • Use Jupyter Notebooks and malware sandboxes to automate the analysis process.

Tell the World!:

  • Write YARA rules to aid in the detection of malware samples and learn how to write effective analysis reports to publish findings.

System Requirements

  • For a local lab build, you need:
    • A computer that:
      • Has at least 6GB of available RAM.
      • Has at least 40GB of available storage.
      • Can run Oracle VirtualBox and host two lab virtual machines at the same time (with the option to host a third for additional development).
      • Has an internet connection.
  • For a cloud malware analysis lab, you need:
    • An AWS account and a way to pay for AWS resource utilization.
  • Knowledge of x86 Assembly and other low-level computer programming concepts is not required.

Prerequisites

  • Basic IT knowledge.
  • Knowledge of the general classes of malware (virus, trojan, worm, etc.). Knowledge of how these malware classes function on the technical level is not required.
  • Comfort in the command line of Linux and Windows. All tools and techniques taught in the course are explained step-by-step, but working knowledge of Bash and the Windows command prompt is recommended.

Recommended For

  • IT professionals of all skill levels who are looking to gain foundational knowledge of malware analysis.
  • Network defenders looking to deepen their knowledge of the state of the art of malware analysis.
  • Penetration Testers/Red Teamers looking to pick up the skill of malware analysis to increase tradecraft/provide higher threat emulation fidelity.
  • Anyone who wants to learn an in-demand skill set and bring the fight to the bad guys!

Course Curriculum

  • Course Introduction
    • Hey, thanks!
    • Whoami & Course Overview
    • Course Discord Information
    • Course FAQ
  • Safety Always! Building Your Malware Analysis Lab & Malware Safety
    • Lab Network Options: Local VMs vs. AWS Cloud Lab
    • Downloading VirtualBox
    • Downloading Windows 10
    • Setting Up the Windows 10 VM
    • Downloading REMnux
    • Installing REMnux
    • Installing FLARE-VM
    • Analysis Network Setup
    • INetSim Setup
    • Host-only Safety & Internal Networks
    • Lab VM Repo Link
    • Rapid-deployable Cloud Malware Analysis Lab Setup
    • Course Lab Repo Link
    • Course Lab Repo Download & Lab Orientation
    • Taking a Snapshot Before First Detonation
    • Detonating Our First Sample
    • Tool Troubleshooting
    • Course Tool List & Resources
    • Basic Malware Handling
    • Safe Malware Sourcing & Additional Resources
  • Basic Static Analysis
    • Hashing Malware Samples
    • Malware Repositories: VirusTotal
    • Strings & FLOSS: Static String Analysis
    • Analyzing the Import Address Table
    • Introduction to the Windows API
    • MalAPI.io
    • To Pack Or Not To Pack: Packed Malware Analysis
    • Combining Analysis Methods: PEStudio
    • Identifying Malware Capabilities & Intro to MITRE ATT&CK
    • Note Review
  • Basic Dynamic Analysis
    • Basic Dynamic Analysis Intro: Host and Network Indicators
    • Initial Detonation & Triage: Hunting for Network Signatures
    • Host-Based Indicators: Procmon Part I
    • Host-Based Indicators: Procmon Part II
    • Dynamic Analysis of Unknown Binaries Part I: Analyzing Wireshark
    • Dynamic Analysis of Unknown Binaries Part II: Host-Based Indicators
    • Analyzing a Reverse Shell Part I: Correlating IOCs
    • Analyzing a Reverse Shell Part II: Parent-Child Process Analysis
  • Challenge 1: SillyPutty
    • Challenge 1: SillyPutty Intro
    • Challenge 1: SillyPutty Walkthrough
  • Advanced Static Analysis: Assembly Language, Decompiling, & Disassembling Malware
    • Intro to Advanced Analysis & Assembly Language
    • Disassembling & Decompiling a Malware Dropper: Intro to Cutter
    • x86 CPU Instructions, Memory Registers, & the Stack: A Closer Look
    • Revisiting the Dropper: Assembly Instructions and the Windows API
    • Hello, World! Under a Microscope Part I
    • Advanced Analysis of a Process Injector
  • Advanced Dynamic Analysis: Debugging Malware
    • Getting Comfortable in x32dbg: Flow Control & Breakpoints
    • Debugging the Dropper: Dynamic Analysis of x86 Instructions & API Calls
    • Hello, World! Under a Microscope Part II
    • Unpacking by Debugging
  • Challenge 2: SikoMode
    • Challenge 2: SikoMode Intro
    • Challenge 2: SikoMode Walkthrough
    • Bonus Lecture: Live Analysis of Challenge 2 SikoMode Twitch Stream with Taggart
  • Binary Patching & Anti-analysis
    • Patch it out: Patching x86 Binaries
    • Identifying & Defeating Anti-analysis Techniques
  • Specialty Malware Classes
    • Specialty Malware Classes
  • Gone Phishing: Maldoc Analysis
    • Analyzing Excel Maldocs: OLEdump
    • Analyzing Word Maldocs: Remote Template Macro Injection
  • What The Shell? Shellcode Analysis
    • Analyzing Shellcode: Carving Shellcode & scdbg
    • Carving Shellcode from Memory
  • Off-Script: Scripted Malware Delivery Mechanisms
    • PowerShell: Analyzing Obfuscated Scripts
    • PowerShell Analysis with Script Block Logging & Module Logging
    • VBScript: Analyzing a Multi-Stage MSBuild Dropper
    • HTML Applications (HTA): Wrapped Payloads, Scripted Delivery, & WMI
  • Stay Sharp: Reversing C# Malware
    • Intro to Reversing C# & the .NET Framework
    • Reversing an Encrypted C2 Dropper DLL with dnSpy
  • Go Time: Analyzing Go Malware
    • Programming Language Recognition & Analyzing a Go Service Backdoor
  • Get Mobile! Mobile Malware Analysis
    • Lab Update: Installing MobSF
    • Intro to MobSF
  • The Bossfight! Analyzing Real-World Malware Samples
    • WannaCry.exe Introduction
    • WannaCry.exe Walkthrough
  • Automation: Sandboxes & Pipelines
    • BlueJupyter: Automating Triage with Jupyter Notebooks
    • Any.Run: Malware Sandboxing
    • Advanced Script Analysis with ChatGPT
  • Tell The World: Rule Writing & Report Publishing
    • Writing YARA Rules
    • Detecting Malware with YARA
    • Writing & Publishing a Malware Analysis Report
  • Course Final
    • Course Final
  • Course Conclusion
    • Congrats! Course Outro
    • Learning Objectives
    • A new challenger approaches… PMRP!
    • Feedback Form

This Course Is Included in Your All-Access Membership

One membership gives you ongoing access to Practical Malware Analysis & Triage, every other paid Academy course, and an active community of learners and mentors in Discord.

INSTRUCTORS

Meet Your Instructor

Learn from industry experts with real-world cybersecurity experience.

Matt Kiely

Matt Kiely (HuskyHacks) is a seasoned practitioner with 10 years of experience in IT and cybersecurity. Matt has worked as a Lead Cybersecurity Analyst at the Massachusetts Institute of Technology Lincoln Laboratory Space Research Division, Red Team Operator & Exploit Developer at a large financial institution, Principal Cybersecurity Content Architect & Instructor at SimSpace, and served as a United States Marine.

Matt holds a Bachelor of Science in Information Technology from Northeastern University and a Graduate Certificate in Cybersecurity from the Rochester Institute of Technology. Some of Matt’s professional certifications include OSCP, eCPPT, eCPTX, CRTO, and CRTP.

Prepare for the Practical Malware Research Professional (PMRP) Exam

The PMRP certification will put the student in the shoes of an enterprise-level malware researcher who must identify, report on, and remediate malware.

Pair the Practical Malware Analysis & Triage course with the PMRP exam to validate your skills with a recognized credential.

FAQS

Common Questions

Here are a couple of our most commonly asked questions, contact us if you don’t find an answer!

Can I get a refund if I'm unhappy with my purchase?

Yes. All courses come with a 24-hour money-back guarantee.

Will I receive a certificate of completion when I finish a course?

Yes. All courses come with a certificate of completion.

Do the courses count as Continuing Education Units (CEUs)?

Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.

What is the All-Access Membership?

As of July 1st, 2023, TCM Academy transitioned to a monthly subscription model, under which you receive full access to all of the courses on our platform for as long as your subscription remains active.

What if you already own courses on TCM Academy?

If you already own a course on our platform, you will continue to own that course. Previously owned courses will not be affected by this change.

I can see the course, but it won’t load or play. What should I do?

We use Cloudflare to protect our course platform, and unfortunately it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at support@tcm-sec.com and we will help you out.

This course is included in our All-Access Membership, starting at $29.99/month.

Get full access to this course and our full course catalog when you enroll in our All-Access Membership.

Ready to level up your Cybersecurity Career?

Get unlimited access to every TCM Security Academy course, hands-on lab, and certification pathway with an All-Access Membership. Learn at your own pace, build real-world skills, and take the next step toward a career in cybersecurity.