Malware stands for malicious software: scripts or code meant to help an attacker compromise a system, keep control of it, steal information or cause damage. Malware poses a large risk to an organization, and theoretical knowledge on this matter is no longer enough. Hands-on experience in discovering, analysing and fighting malware is required, and that is a difficult task without the right knowledge and experience.
In this training we will cover the following basics:
- What is malware?
- How do victims get infected?
- How do we start our malware analysis?
- How do we modify malware by modifying assembly?
- What does malware actually do on our system?
- What techniques do malware creators use to not be analyzed and how to circumvent these?
- What can we see on the network layer?
- How do we analyze exploits and scripts?
This is a hands-on course. This means that the participants receive a small portion of content, after which they immediately apply this knowledge in a demonstration environment. These challenges start easy and end with a full analysis of WannaCry on day three. To support people who are already familiar with (part of) the topic, we have various additional (more difficult) challenges to distribute.
Target audience
- Incident response employees
- Digital forensic researchers
- IT system & network administrators
- IT professionals interested in malware analysis
The training agenda is structured as follows:
Day 1
- General malware overview and history
- How victims are infected
- Introduction to malware analysis
- Malware identification
- Track 1: Readable text strings
- Track 2: Packers, crypters and protectors
- Track 3: Jumps (assembly)
- Track 4: XOR (exclusive OR)
- Track 5: Malware behavior
Day 2
- Track 6: API calls (assembly)
- Banking malware
- Track 7: Anti-forensics & circumvention
- Track 8: Network analysis
- Track 9: Fake internet
- Track 10: Quarantine files
- Track 11: Exploit analysis
Day 3
- Track 12: WannaCry!
- Track 13: Various other challenges
Extra information
Prerequisites for the course are as follows:
- Participants should understand the basics of computers, VMs and networking.
- Participants should have a laptop with VMware Workstation that supports snapshots. We will distribute a virtual machine, which has to be removed after the training due to copyright. We will provide a binder containing the training material.
- If you have extensive experience with the topics mentioned above, this training is most likely not suitable for you. It is a basic introduction to malware analysis.