About the course

One secret weapon can turn the tide in any digital forensics investigation or incident response engagement: malware analysis. A specialization in malware analysis is gaining popularity in the cybersecurity community because it teaches specialists to gain insight into a threat actor’s behavior and modus operandi. This ultimately helps forensic teams respond to breaches and prevent future attacks more effectively.

Malware analysis is one aspect of the wider practice of reverse engineering, which is the key to uncovering a threat actor’s closely guarded tactics, techniques, and procedures (TTPs).
Like all Group-IB courses, the Malware Analyst course is made up of practical exercises based on real cases handled by the company’s DFIR team.

Key topics covered:

  • Theory of malware analysis
  • PE format of executable files and Windows API
  • Techniques used by malware
  • Assembly language for malware analysis
  • Reading executable code and WinAPI
  • Introduction to dynamic analysis
  • Malware analysis with sandboxes
  • Malware detonation in virtual machines
  • Debugging and its role in malware analysis
  • Introduction to static analysis
  • Reverse engineering
  • Working with IDA Pro

Skills acquired:

  • Understanding the techniques used by malware
  • Detonating malware in a controlled environment
  • Reverse engineering malware using debuggers and IDA Pro
  • Performing dynamic and static analysis

Target participants:

Requirements:

  • Basic programming skills
  • Basic knowledge of Windows architecture
  • Understanding of how cyberattacks are carried out

Course program

Part 1

Theory
Demonstration

Malware analysis is an important skill for many information security specialists, but what is hidden behind these magic words? What knowledge is needed to start a career as a malware analyst? How in-depth does knowledge of assembly language need to be? What are PE files, and how does the Windows API work? All these questions are answered during the first part of the training.

Part 2

Theory
Demonstration

The second part takes participants through the dynamic analysis of code. Participants are taught what kind of data can be obtained from sandboxes and how to analyze public sandbox reports. Participants then dive deeper and create their own virtual environments for dynamic analysis. The instructors explain what tools and techniques are helpful during this process, how to find anti-VM methods used by malware, and how to overcome them.

The last topic covered in this part is debugging. Participants are told in what situations they need to use debuggers, how to work with them, and how to dump the payload and recover imported Windows API functions for further analysis.

Part 3

Theory
Demonstration

The third part starts with an introduction to tools for static analysis and their main features. Participants are shown how to analyze malicious code at the assembly-language level and how to work with the IDA Pro disassembler. After that, participants switch to analyzing the most popular types of malicious attachments. The final step is an introduction to typical scripting engines and to using them to analyze and de-obfuscate malicious scripts.