Malware Analysis Fundamentals

محمدعلی عطایی

• پیشرفته
• مسیر آبی
• ۱۱ درس

دربارۀ این دوره

مخاطبان

• تیم‌های شکار تهدیدها
• متخصصان جرم‌شناسی
• تیم‌های SOC
• متخصصان تیم قرمز

پیش‌نیازها

• درک زبان‌های برنامه‌نویسی C و ++C
• درک مقدماتی از سیستم‌عامل
• درک عمیق از حمله‌های پیشرفته

• Fundamentals
  • Introduction to malware: Define malware, its types, and how it works
  • Malware analysis process: Introduce the malware analysis process, including the different stages of analysis and the tools used in each stage
  • Static analysis: Cover static analysis techniques such as file format analysis, disassembly, and code analysis
  • Dynamic analysis: Cover dynamic analysis techniques such as sandboxing, behavioral analysis, and memory analysis
  • Reverse engineering: Discuss reverse engineering techniques for analyzing malware, including debugging and code decompilation
  • Case studies: Talk about the case studies of real-world malwares in the course and why this course is different from other malware analysis courses
• APT Groups 101
  • Introduction to APT groups: Definition, characteristics, and their importance in malware analysis
  • History of APT groups: Overview of the most well-known APT groups and their history, including their targets, tactics, and techniques
  • Motivations of APT groups: Understanding the motivations behind APT groups, including espionage, Information Operation (IO), and sabotage
  • Target selection: Understanding how APT groups select their targets, including individuals, organizations, and governments
  • Introduction to the infection chain: Definition, understanding the different stages of an infection chain, and how they relate to malware analysis
  • Tactics and techniques: Overview of the different tactics and techniques used by APT groups, such as spear-phishing, watering hole attacks, social engineering, and zero-day exploits
• Programming in the Malwares World!
  • Overview of programming languages used in malware, including compiled and interpreted languages
  • Commonly used languages in malware development, such as C/C++, Python, JS, .Net and PowerShell
  • Advantages and disadvantages of different programming languages for malware development, such as ease of development, stealth, and detection evasion
  • Techniques used by malware authors to obfuscate their code to evade detection
  • Introduction to assembly language and its importance in malware analysis
• Compiled vs. Interpreted Languages
  • Understanding the difference between compiled and interpreted languages
  • Advantages and disadvantages of each approach in malware development
  • Examples of commonly used compiled and interpreted languages in malware
• Program Compilation Process
  • Overview of the stages a program goes through to get compiled, including preprocessing, compiling, assembling, and linking
  • Explanation of each stage and its role in the compilation process
  • Overview of common tools used in the compilation process, such as compilers, assemblers, and linkers
  • Techniques used by malware authors to obfuscate their code during the compilation process
• Structure of PE Files
  • Introduction to Portable Executable (PE) file format
  • Overview of the different sections of a PE file, such as headers, import tables, and resources
  • Touching on the role of each section in a PE file
• Analyzing Malicious Documents and Other File Formats used for Initial Access
  • Introduction to maldocs: Definition, types of maldocs, why they are important in malware analysis
  • Document formats: Understanding the different document formats such as OOXML (docx, pptx, xlsx) and RTF
  • Techniques used in maldocs: Overview of the different techniques used in maldocs such as macros, exploits, embedded objects, etc
  • Static and Dynamic analysis of maldocs: Analyzing the structure of maldocs without executing them, such as analyzing their code, embedded objects, etc. Executing maldocs and observing their behavior
  • Identifying and decoding obfuscated code: Techniques for identifying and decoding obfuscated code in maldocs
  • Malware Analysis Lab: A Fancy look at a Document – APT28’s Malicious Document
  • Malware Analysis Project: My Meeting is Coming – APT37’s Malicious Document
  • Malware Analysis Project: You’ll get paid for your new awesome job – Lazarus’s Malicious Document
  • Introduction to LNK files: Definition, how they work, and their importance in malware analysis
  • Structure of LNK files: Understanding the structure of LNK files, including header information, target path, MAC address
  • Malware Analysis Lab: Think tanks are getting busy again – APT29’s Malicious LNK file
  • Malware Analysis Project: Another mercenary comes into play – DeathStalker’s Malicious LNK file
• Analyzing JavaScript, VBScript, PowerShell malwares
  • Techniques used by malware authors to obfuscate code, such as string encoding, code splitting, and dead code insertion
  • Static analysis techniques such as code review, deobfuscation, and string decoding
  • Unpacking techniques for packed or compressed code
  • String decoding techniques for encoded strings
  • Function and variable renaming techniques used by malware authors
  • Malware Analysis Lab: Craftiness of illegals – APT29’s PowerShell Malware
  • Malware Analysis Project: A well-trained Falcon – StealthFalcon’s PowerShell Malwares
  • Malware Analysis Project: I Love your Secret Documents – Turla’s ComRAT Dropper
  • Malware Analysis Lab: My Instagram is getting really hot – Turla’s JScript Malware
  • Malware Analysis Project: Your Foreign Ministry is mine – Turla’s JScript Malware
  • Malware Analysis Lab: SolarWinds wasn’t the beginning – APT29’s VBscript Malware
  • Malware Analysis Project: My digital actions are physical – Sandworm’s VBscript Malware
  • Malware Analysis Project: Sometimes simple is enough – Turla’s VBscript Malware
• Analyzing .NET malwares
  • Differences between .NET and native malware
  • Touching on the techniques used by malware authors to obfuscate .NET code, such as control flow obfuscation, string encryption, and resource embedding
  • Static analysis techniques for .NET malware, such as code review, disassembly, and decompilation
  • Deobfuscating control flow, such as unflattening loops and resolving jump tables
  • Deobfuscating strings, such as decrypting encrypted strings or decoding base64-encoded strings
  • Deobfuscating resources, such as extracting embedded resources and decoding them
  • Using dnSpy for analyzing .NET binaries
  • Touching on .NET dynamic code generation and reflection
  • Malware Analysis Lab: I like google – APT29’s Malware
  • Malware Analysis Project: Fog of War – APT28’s Malware
  • Malware Analysis Project: My recipe is here – Turla’s Malware
• Analyzing native code Malwares
  • Overview of native code and assembly language, including their differences from high-level languages
  • Basics of x86 and x64 assembly language, including registers, instructions, and memory addressing modes
  • Overview of common techniques used by malware authors to obfuscate native code, such as packing, encryption, and anti-analysis tricks
  • Static analysis techniques for native code, such as disassembly, decompilation, and code review
  • Reverse engineering techniques for native code, such as code patching, code injection, and API hooking
  • Malware Analysis Lab: Straightforward – Lazarus’s Malware
  • Malware Analysis Project: My Second-Choice or Second-Chance : Turla’s Malware
  • Malware Analysis Project: Hitting your Critical Infrastructures like Missiles – Sandworm’s Malware
• Final Project
  • Analyzing a real-world malware sample and creating a report on the infection chain, including an analysis of each stage of the chain and the techniques used in each stage

گواهینامه‌ی دوره