Tactical Malware Analysis (TMA)

Introducing our unique malware training class

Tactical Malware Analysis - Course Objectives

After completing this course, students will be able to independently solve the following problems:

  • Frame the analysis objectives.
  • Use a combination of static and dynamic analysis to achieve those objectives.
  • Automate the analysis process.
  • Deliver a complete intelligence product.

Introduction

Welcome to the Tactical Malware Analysis (TMA) course!

This unique Tactical Malware Analysis course covers all aspects of the kill chain of an intermediate or advanced adversary. It will enable attendees to hunt, collect, analyze, detect, and track malware.

By taking this course, attendees will gain all the necessary skills to analyze and document complex malware in an efficient way. This course will go over all aspects of modern malware analysis:

  • Static
  • Dynamic
  • Emulation
  • Unpacking
  • Instrumentation
  • Deobfuscation
  • Memory Forensics

Attendees will be able to write detailed technical malware reports with actionable intelligence suitable for all levels of audience: threat intel analysts, blue team, and executives.

Within each section of this training, students will be taught how to analyze malware related to every tactic and technique defined in the MITRE Enterprise ATT&CK framework.

While learning how to analyze malware, attendees will be taught how to configure and set up their own automated analysis infrastructure in the AWS cloud. We will also provide preconfigured virtual machine infrastructure to build a virtual analysis lab.

The authors have distilled their unique experience in tracking and analyzing APTs to teach the most efficient analysis techniques. All hands-on exercises are based on real-world malware examples to closely match the challenges students will face during the course of their careers.

Techniques will be taught for tracking malware developers, malware attribution, identification of repurposed malware, and recognizing malware authors' coding styles and evasion techniques.

Below is the course coverage vs MITRE ATT&CK Matrix for Enterprise:

[Figure: TMA course coverage vs. MITRE ATT&CK Matrix for Enterprise]

Course Syllabus

Malware Analysis Infrastructure

In this section we will outline the course and set the stage for the rest of the class. Before diving into specific topics, we will discuss different strategies for setting up a malware analysis laboratory and outline our automated setup for building and managing virtual machines, along with package management and tool configuration. The goal of this section is to get everyone comfortable with the course setup and to improve your malware analysis setup by introducing the infrastructure-as-code methodology.

Static Analysis

This section will present modern techniques for an improved static analysis experience. We start with a deep dive into IDA and Ghidra as the main disassemblers and decompilers and explain various ways to annotate code in these tools to get the best disassembly and decompiler output from their type propagation and analysis engines. Next, we will discuss various approaches to automatic code deobfuscation using the IDA, Ghidra, and MIASM APIs. To wrap up, we will go through our first hands-on exercise by trying to deobfuscate an APT malware sample. To successfully pass this exercise you will have to put to use the tools and scripts discussed in this section. Finally, we will go over solutions and discuss various approaches to note-taking during analysis as well as automation of the steps performed during the exercise. The goal of this section is to get everyone confident in static analysis of large and complex malware by efficiently using tools and automating tedious tasks.

Dynamic Analysis

This section will present common challenges when debugging malware and the most efficient ways to deal with them. We start with different ways to debug malware at different stages of execution on different platforms (Windows, Linux, macOS), and discuss different anti-debugging checks and how to bypass them. Next, we discuss different persistence mechanisms and ways to collect changes to the operating system environment. For this task we will use sandbox, memory forensics, and endpoint visibility and collection tools. We will complete this section by exploring different emulation and symbolic execution concepts for cases where debugging is not feasible or desired. To wrap up, we will go through a hands-on exercise by trying to debug an APT malware sample that employs anti-debugging checks. The goal of this section is to get everyone experienced in deciding between different dynamic approaches and to show optimal techniques for switching between static and dynamic analysis.

Unpacking Malware

This section will present different types of packers, crypters, and protectors and ways to differentiate between them. Next, we will look at the structure of one of the most commonly abused and modified packers (UPX) to dive deeper into common packer internals. We will then discuss static and dynamic approaches to writing unpackers, as well as ways to cheat and quickly dump process memory in a form suitable for static analysis. To wrap up, we will go through a hands-on exercise by trying to unpack a packed APT malware sample. The goal of this section is to get everyone experienced in efficient ways to both quickly unpack malware to support time-sensitive analysis and write unpackers to support automated analysis systems.

Malware Memory Forensics

This section will present memory forensics concepts and apply them to the detection, analysis, and extraction of malware from a collected memory dump. We will discuss different approaches to memory-resident malware analysis, including process injection, hooking, and persistence. Next, we go over data sources that can support memory forensics by providing contextual information and answering questions that cannot be answered from the memory image. These include reconstructing evidence from network traces, disk images, and event logs. We will wrap up this section by going through anti-forensics techniques, malware hiding techniques, and timelining approaches. We finish with a practical hands-on exercise in Windows memory analysis to identify, extract, and analyze memory-only malware. The goal of this section is to get everyone experienced in techniques used to efficiently identify, extract, and analyze memory images on Windows.

Variant Malware Analysis

This section covers the foundations of reverse engineering malware written in different programming languages. Every programming language compiles to, or is interpreted as, code with its own forms of disassembly and low-level concepts, which need to be understood to reconstruct the high-level functionality. Attendees will be exposed to different types of malware and effective analysis methods. We will start with basic shellcode analysis and move on to malware written in high-level object-oriented programming languages. Students will be taught how to write helper scripts and disassembler plugins for effective and time-efficient analysis.

Documenting Analysis

This section covers a topic possibly as important as the actual reverse engineering: documenting analysis and writing reports. We discuss all important aspects of writing a good report: defining clear objectives, documenting work during reverse engineering, structuring the report, and documenting malware capabilities. We end this section with a discussion on structured analytic techniques to reduce analysis bias and improve confidence in the final product. To wrap up, we will go through a hands-on exercise by reverse engineering an APT malware sample and writing an analysis report.

Detailed Course Syllabus

  • Section 1 - Building automated malware analysis infrastructure

    • Summary: This section addresses the problem of building and maintaining a virtualization infrastructure of different types of operating systems and tooling to perform static and dynamic analysis. Using Packer, Vagrant, Ansible and cloud service providers we will present an efficient way to build and maintain analysis infrastructure.

    • Goals: Build and maintain malware analysis infrastructure.

    • Subsections:

      • Section 1.1 - Introduction to AWS
      • Section 1.2 - Build a cloud automated analysis infrastructure for various OS’s
      • Section 1.3 - Automating installation of analysis tools
      • Section 1.4 - Malware analysis tooling overview
        • Section 1.4.1 - Disassemblers
          • IDA Pro
          • Ghidra
        • Section 1.4.2 - Debuggers
          • GDB/LLDB
          • X64dbg
          • WinDbg
        • Section 1.4.3 - Memory Forensics
          • Volatility
          • Velociraptor
        • Section 1.4.4 - File format parsers
          • Hex editors
  • Section 2 - Static analysis

    • Summary: This section will present modern techniques for successful static analysis. We start with an introduction to the x86/x64 assembly language and then dive into IDA and Ghidra as the main disassemblers/decompilers. Throughout this course we cover several advanced features of IDA and Ghidra. Most static analysis concepts will be addressed here: unpacking, resolving APIs, deobfuscating control flow graphs, and analyzing virtual machines. The section will conclude with practical hands-on exercises to gain experience in the described concepts.

    • Goals: Ability to uncover all malware features using only static analysis.

    • Subsections:

      • Section 2.1 - Introduction to x86/x64 Assembly language
        • Assembly language
        • Overview of calling conventions
      • Section 2.2 - Executable File formats
      • Section 2.3 - Overview of native OS API calls
      • Section 2.4 - Analysis with IDA Pro disassembler:
        • Navigating and annotating IDA databases
        • Introduction to IDA Python scripting engine
      • Section 2.5 - Analysis with Ghidra:
        • Navigating and annotating Ghidra projects
        • Introduction to Ghidra Jython
        • Ghidra decompiler annotation and scripting
      • Section 2.6 - Obfuscated code analysis
      • Section 2.7 - Malware techniques identification
      • Section 2.8 - Practical hands-on exercises
  • Section 3 - Dynamic analysis

    • Summary: This section presents modern dynamic analysis techniques. We start with an introduction to debuggers: ways to attach to a process, debugging process hollowing, getting past anti-debugging checks, and patching a binary. Next, we tackle tracing function calls, understanding persistence mechanisms, and finally using sandboxing for a more contained analysis. We will complete this section with emulation and symbolic execution concepts and hands-on exercises to deobfuscate and analyse malware dynamically.

    • Goals: Efficiently use dynamic analysis techniques to complement static analysis of complex code.

    • Subsections:

      • Section 3.1 - Introduction to Debuggers
        • How a debugger works
        • When debugging is needed
        • Introduction to debuggers (gdb, LLDB, WinDBG)
        • Time travel debugging
      • Section 3.2 - Anti-debugging checks
      • Section 3.3 - I/O and syscall/tracing
      • Section 3.4 - Malware Sandboxing
      • Section 3.5 - Debugging tips & tricks
      • Section 3.6 - Malware emulation
        • Introduction to emulation tools
        • Unpacking malware using an emulator
        • Deobfuscation using Symbolic execution
      • Section 3.7 - Practical hands-on exercises
  • Section 4 - Unpacking Malware

    • Summary: This section will present the concept of malware packers and how they work on PE files. The section will start by analyzing and unpacking UPX-packed malware and then move on to more advanced packers. The unpacking techniques taught in the section will help students use static or dynamic analysis to automatically unpack malware and then rebuild the original executable for further analysis.

    • Goals: Gain experience in efficient ways to both quickly unpack malware to support time-sensitive analysis and write unpackers to support automated analysis systems.

    • Subsections:

      • Section 4.1 - Introduction to Packers, Crypters, and Protectors
      • Section 4.2 - Structure of UPX
      • Section 4.3 - Static unpacking
      • Section 4.4 - Dynamic unpacking
      • Section 4.5 - Rebuilding unpacked PE
      • Section 4.6 - Hands-on exercises
  • Section 5 - Malware Memory Forensics

    • Summary: This section of the course will present memory forensics concepts needed for analysing malware resident in memory. We will discuss different aspects related to malware analysis and provide techniques to detect, analyse and extract malware samples from memory. All in-memory malware related activity will be studied, including process injections, process hollowing, hooking and persistence. This section will also teach how to provide additional contextual information by collecting artifacts such as network, disk and Windows Event logs.

    • Goals: Ability to detect malicious activity in system memory, extract and reconstruct malware from memory for further static/dynamic analysis.

    • Subsections:

      • Section 5.1 - Introduction to memory acquisition concepts
      • Section 5.2 - Windows Objects overview
      • Section 5.3 - Hunting for memory resident malware
      • Section 5.4 - Collecting artifacts
      • Section 5.5 - Anti-forensics techniques
      • Section 5.6 - Hands-on exercises
  • Section 6 - Variant Malware Analysis

    • Summary: This section will teach the foundations of reverse engineering malware written in a variety of programming languages. Attendees will be exposed to different types of malware and effective analysis methods. Each subsection teaches specific concepts for a different language.

    • Goals: Ability to analyze malware written in any language by identifying specific high-level concepts and constructs.

    • Subsections:

      • Section 6.1 - Shellcode
      • Section 6.2 - C++
      • Section 6.3 - Objective-C/Swift
      • Section 6.4 - .NET
      • Section 6.5 - Java
      • Section 6.6 - Python
      • Section 6.8 - Golang
  • Section 7 - Malware Analysis reports

    • Summary: This is the final section of Tactical Malware Analysis, where the attendees will be taught how to write tactical malware reports step by step. It covers all the important aspects of writing a good report. From defining clear objectives, documenting work during reverse engineering, structuring the report, and. We end this section and the course with a discussion on structured analytic techniques and attribution.

    • Goals: Attendees will be able to produce high-quality malware analysis reports.

    • Subsections:

      • Section 7.1 - Defining clear objectives
      • Section 7.2 - Documenting during analysis
      • Section 7.3 - Report structure
      • Section 7.4 - IOCs and TTPs guidelines
      • Section 7.5 - Structured analytic techniques and attribution

Tactical Malware Analysis - Class requirements

Students will be expected to have:

  • Basic understanding of the C language, Python, and x86 assembly.
  • Desire to improve malware analysis.

NOTE: Students who don’t have previous programming experience can still attend the training, as all accompanying code will be provided. However, getting the most value out of the training will require some extra effort during class to keep up with the hands-on exercises that require programming.

We will provide all students with VMware (compatible with VMware Fusion and VMware Workstation) and VirtualBox virtual machine images that will be shared ahead of the course. Students are encouraged to bring a laptop with VMware/VirtualBox installed and with sufficient RAM and disk space to run up to two Windows 10 virtual machines at the same time.

Tactical Malware Analysis - Authors

  • Branko Spasojevic: Branko started his career in penetration testing and consulting. From there he moved to Symantec as a reverse engineer and spent all his time doing malware analysis and tracking APT groups. After that he joined Google’s detection team and realized there is more to a good malware report than IDA screenshots. Currently Branko is a senior security engineer at Google’s Threat Analysis Group (TAG), where he does malware analysis and threat hunting. Branko is one of the authors of the Gray Hat Hacking books.

  • Taha ‘lordx64’ Karim: Taha is the founder and CEO of tephracore, where he is globally in charge of making APTs’ lives harder. Taha is a passionate malware analysis expert with over a decade of technical experience who has held several senior technical malware analysis positions. Taha worked at DarkMatter, where he was the head of Malware Research Labs; during that time, he uncovered the WINDSHIFT APT and reverse engineered and tracked different Iranian APTs targeting the Middle East. Before that, Taha was a senior Malware Researcher at FireEye Labs, where he specialized in tracking and analyzing cyber espionage APTs. Before that, Taha worked at Symantec, where he met Branko; together they won the prestigious Symantec CyberWar Game challenge, ranking in first position.

Tactical Malware Analysis - Contact us

  • To discuss your organization’s training needs, please drop us a line by email

  • Please follow us on twitter @tephracore for the next available training session announcements.
