Course Description
Course contents
Introduction to Malware Analysis
- What is Malware
- What they do
- Why malware analysis
- Types of malware analysis
- Setting up an isolated lab environment
Static Analysis
- Fingerprinting the malware
- Extracting strings
- Determining File obfuscation
- Pattern matching using YARA
- Fuzzy hashing & comparison
- Understanding PE File characteristics
- Disassembly
- Hands-on lab exercise: analyzing a real malware sample
Dynamic Analysis/Behavioural analysis
- Dynamic Analysis Steps
- Understanding Dynamic Analysis tools
- Simulating services
- Performing Dynamic Analysis
- Monitoring process, filesystem, registry and network activity
- Determining the Indicators of compromise (host and network indicators)
- Demo – Static & dynamic analysis of a real malware sample
- Hands-on lab exercise: analyzing a real malware sample
Automating Malware Analysis (Sandbox)
- Custom Sandbox Overview
- Working of Sandbox
- Sandbox Features
- Demo – Analyzing malware in the custom sandbox
Code Analysis
- Code Analysis Overview
- Disassembler & Debuggers
- Code Analysis Tools
- Basics of IDA Pro
- Basics of Ollydbg/x64dbg
- Understanding the API calls
- Reversing malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
- Hands-on lab exercise: analyzing a real malware sample
Introduction to Memory Forensics
- What is Memory Forensics
- Why Memory Forensics
- Steps in Memory Forensics
- Memory acquisition and tools
- Acquiring memory from a physical machine
- Acquiring memory from a virtual machine
- Hands-on exercise: acquiring memory
Volatility Overview
- Introduction to Volatility Advanced Memory Forensics Framework
- Volatility Installation
- Volatility basic commands
- Determining the profile
- Volatility help options
- Running the plugin
Investigating Process
- Understanding Process Internals
- Process (EPROCESS) structure
- Process organization
- Process enumeration by walking the doubly linked list
- Process relationship (parent-child relationship)
- Understanding DKOM attacks
- Process Enumeration using pool tag scanning
- Volatility plugins to enumerate processes
- Identifying malware process
- Hands-on lab exercise (scenario based): investigating malware-infected memory
Investigating Process handles & Registry
- Objects and handles overview
- Enumerating process handles using Volatility
- Understanding Mutex
- Detecting malware presence using mutex
- Understanding the Registry
- Investigating common registry keys using Volatility
- Detecting malware persistence
- Hands-on lab exercise (scenario based): investigating malware-infected memory
Investigating Network Activities
- Understanding malware network activities
- Volatility Network Plugins
- Investigating Network connections
- Investigating Sockets
- Hands-on lab exercise (scenario based): investigating malware-infected memory
Investigating Process Memory
- Process memory Internals
- Listing DLLs using Volatility
- Identifying hidden DLLs
- Dumping malicious executable from memory
- Dumping DLLs from memory
- Scanning the memory for patterns (yarascan)
- Hands-on lab exercise (scenario based): investigating malware-infected memory
Investigating User-Mode Rootkits & Fileless Malware
- Code Injection
- Types of Code injection
- Remote DLL injection
- Remote Code injection
- Reflective DLL injection
- Hollow process injection
- Demo – Case Study
- Hands-on lab exercise (scenario based): investigating malware-infected memory
Memory Forensics in Sandbox technology
- Sandbox Overview
- Integrating Memory Forensics into a sandbox
- Demo – Using memory forensics in a custom sandbox
Investigating Kernel-Mode Rootkits
- Understanding Rootkits
- Understanding function call traversal in Windows
- Levels of hooking/modification on Windows
- Kernel Volatility plugins
- Hands-on lab exercise (scenario based): investigating malware-infected memory
- Demo – Rootkit Investigation
Memory Forensic Case Studies
- Demo – Hunting APT malware in memory
Target audience
This course is intended for:
- Forensic practitioners, incident responders, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students and curious security professionals who would like to expand their skills
- Anyone interested in learning malware analysis and memory forensics
Requirements
Students should:
- Be familiar with using Windows/Linux
- Have an understanding of basic programming concepts; programming experience is not mandatory
Hardware/Software Requirements
Students should bring:
- Laptop with a minimum of 6GB RAM and 40GB of free hard disk space
- Laptop with USB ports. The lab samples and the custom Linux VM will be shared via USB sticks
- VMware Workstation or VMware Fusion (trial versions can be used)
- A Windows operating system (preferably Windows 7 64-bit; Windows 8 and later versions are also fine) installed inside VMware Workstation/Fusion. You must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.
Note: VMware Player and VirtualBox are not suitable for this training. The lab setup guide will be sent to you after registration.
Trainer Biography
Monnappa K A works with Cisco Systems as an information security investigator, focusing on threat intelligence, the investigation of advanced cyber attacks, and research on cyber espionage and targeted attacks. He is the creator of the Limon Linux sandbox and winner of the Volatility plugin contest 2016. He is the author of the upcoming book “Learning Malware Analysis”. He is a member of the Black Hat review board and co-founder of the cyber-security research community “Cysinfo” (https://www.cysinfo.com).
His fields of interest include malware analysis, reverse engineering, memory forensics and threat intelligence. He has presented at various security conferences around the globe, including Black Hat, FIRST, SEC-T, DSCI and Cysinfo, on topics including memory forensics, malware analysis, reverse engineering and rootkit analysis. He has conducted training sessions at the Black Hat, FIRST (Forum of Incident Response and Security Teams), SEC-T and OPCDE cyber security conferences. He has also authored various articles in eForensics and Hakin9 magazines.
You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and he publishes blog posts at https://cysinfo.com
Twitter: @monnappa22