AAA of Modern Malware Analysis: Attack, Automate and Analyse

Next edition of this course will be taught at DEF CON — Bellevue, WA (USA)
13–14 April 2023

This 90% practical, lab-based, 2-day course covers the three phases of Modern Malware Analysis:
Attack phase: learn what goes into creating malware, author malicious code and build (code) the techniques that real-world malware developers use to evade detection.
Automate phase: learn how to automate parts of the analysis process for speed and scaling.
Analysis phase: finally, learn how to analyse malware using all the knowledge gained in the first two phases.

This course aims to look at malware analysis from a new angle.
Instead of just looking at analysing malware, we learn what goes into creating malware before we analyse it. Because of this novel approach, we get to see the development of malware and how to use this knowledge to reverse engineer it.
From malicious scripts to executables, we look at the code behind the application, build the binaries and take it all the way to execution in order to understand all steps involved in creating most of the common types of malware we see in the real-world.
We also look at how parts of the analysis process can be automated to facilitate faster analysis on a bigger scale, building on basic code frameworks and on the open-source tools available.
We cover both Windows and Linux malware and look at the tools, techniques and tricks that can be used to practise this approach to malware analysis. The result is very speedy malware analysis and a very deep understanding of basic malware concepts that you can build upon. We also analyse a bunch of real-world malware on both days and put the knowledge gained from this course to the test!

Technical difficulty of the class:
Beginner

Suggested prerequisites for the class:
+ Students need to have a basic understanding of how code works. Any experience with coding is a plus.
+ Familiarity with how to set up a virtual machine is required to get started with the course.
+ Students will be required to have the Community edition of Microsoft Visual Studio and also a functional virtual machine running Ubuntu. Detailed instructions on how to set up the environment will be provided to all students prior to course commencement, and all the required tools will be provided.

Items students will need to provide:
+ Students are required to bring a laptop that is capable of easily running at least 2 virtual machines (8 GB of free RAM and at least 50 GB of hard drive space)
+ VMware Workstation or VMware Fusion (trial versions are fine)
+ Windows (Windows 10 64-bit preferred) on one of the VMs
+ Ubuntu on the other VM
+ Host system should be internet-ready
+ Full Admin rights preferred on host system if possible
+ Full Admin rights on the VMs
+ USB port in case course material needs to be transferred using a USB

A detailed list of these requirements will be provided to enrolled students before course commencement.

Course Syllabus/Outline

Day 1

Lab 1.0 — A basic DevOps Environment

Create a DevOps Environment for the course
Basics (practical hands-on)
Create a repository (practical hands-on)
Create your first code project (practical hands-on)
Commit to your first repository (practical hands-on)

Lab 1.1 — Functions in C++, JavaScript and VBS

Writing Functions - basics (practical hands-on)
Writing Functions for malicious purposes (practical hands-on)

Lab 1.2 — Malicious Code: Scripting

Writing Malicious Scripts - basics (practical hands-on)
Code Obfuscation
Why Obfuscation? (lecture)
Obfuscation Tools (practical hands-on)
Write an Obfuscator (practical hands-on)
Obscure techniques (e.g. in-sheet macros with no scripting) (practical hands-on)

Lab 1.3 — Encryption

Build Encrypted Payloads (e.g. AES) (practical hands-on)
Write an Encryptor (practical hands-on)
Write a Decryptor (practical hands-on)

Lab 1.4

Write malicious scripts (practical hands-on)
Encrypt the payloads (practical hands-on)
Obfuscate the malicious scripts (practical hands-on)
Deliver and execute (practical hands-on)

Lab 1.5 — Assembly Language

Basics of Assembly Language (lecture)
Memory Allocation and Stack Instructions (lecture)
String Instructions and Logical Operations (lecture)
Writing Assembly Code (practical hands-on)
Reading Assembly Code (practical hands-on)

Bonus workshop (Optional, will take place after the class)

YARA Signatures
What is a YARA signature
YARA rules
Writing YARA rules

Lab — YARA Rules

Write YARA rules for sample malware - Windows
Test YARA signature - Windows
Write YARA rules for sample malware - Linux
Test YARA signature - Linux

Day 2

Lab 2.0 — Malware Analysis Environment Setup

Tools setup and familiarity - Windows [Ghidra, x64dbg, OllyDbg, WinDbg etc.] (practical hands-on)
Tools setup and familiarity - Linux (practical hands-on)

Lab 2.1 — Analysing Script-based malware

Tools, techniques and tricks (practical hands-on)
Analyse code written on Day 1 (practical hands-on)
Analyse real-world malicious scripts (practical hands-on)

Lab 2.3 — Malware Code

Packing - how to pack code (practical hands-on)
Encryption - how to use encryption for malicious purposes (practical hands-on)
Registry - interact with the Windows Registry (practical hands-on)
Network - perform network operations such as downloading secondary payloads (practical hands-on)

Lab 2.4 — Analysing Windows Malware (Executable Binaries)

Static Analysis
Analyse code written on Day 1 (practical hands-on)
Analyse real-world malware (practical hands-on)
Dynamic Analysis
Analyse code written on Day 1 (practical hands-on)
Analyse real-world malware (practical hands-on)
Automate analysis by building debugger extensions (practical hands-on)

Lab 2.5 — Analysing Linux Malware

Static Analysis
Analyse real-world malware (practical hands-on)
Write a report based on analysis (practical hands-on)
Dynamic Analysis
Analyse real-world malware (practical hands-on)
Write a report based on analysis (practical hands-on)

A certificate of completion and test results will be provided at the end of the course.

Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.