In this short course we covered the main stages of malware analysis: static analysis (hash and string analysis, the portable executable (PE) header, packed samples, online scanners and YARA rules), dynamic analysis with Process Explorer, and finally reverse engineering a sample with Ghidra.
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Course Contents
- Intro to static malware analysis
- String and hash analysis
- Portable executable analysis
- Analyzing packers
- Malware analysis with YARA rules
- Intro to dynamic malware analysis
- Dynamic malware analysis with process explorer
- Reverse engineering with Ghidra
Intro to malware analysis
Whether you are learning or actually conducting malware analysis, the lab needs one capability above all: saving the state of a machine (a snapshot) and reverting to that state whenever required. You prepare the machine with every required tool installed and save its state; after analyzing a sample you restore the machine to that clean, tool-equipped state. Each sample is therefore examined in an otherwise clean environment, and nothing it did survives the revert. Two further precautions belong in the same setup: keep the VM's network isolated (host-only or no adapter) so the sample cannot reach the internet or your LAN, and disable shared folders and the shared clipboard, which are channels from the guest back to the host.
Following these steps keeps the VM free of remnants of earlier samples when you analyze a new one, and saves you from reinstalling your tools for every analysis. Remember that reverting discards everything written since the snapshot, so copy out any notes, logs or memory dumps before the final step.
1. Create a fresh Virtual Machine with a new OS install
2. Set up the machine by installing all the required analysis tools in it
3. Take a snapshot of the machine
4. Copy or download the malware sample into the VM and analyze it
5. Revert the machine to the snapshot after the analysis completes
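The five steps above, driven from the host through VirtualBox's `VBoxManage` CLI, as an added example that is not part of the original course. It assumes VirtualBox 6.1 or later, a VM named `malware-lab` that already has the tools installed (step 2 done by hand), and a hypothetical guest account `analyst` for `guestcontrol`; the sample bytes are constructed and are not a real malware sample. With `dry_run=True` nothing is executed and the commands are only recorded, so the workflow can be inspected offline.

```python
"""Snapshot-driven malware lab automated with VirtualBox's VBoxManage CLI.

Added example, not code from the original course. Assumptions: VirtualBox 6.1+
on the host, a VM named VM_NAME with the analysis tools already installed, and
a guest account usable by `VBoxManage guestcontrol`. With dry_run=True no
command is run; they are only collected in Lab.commands.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

VM_NAME = "malware-lab"                 # assumed VM name
SNAPSHOT = "clean-tools-installed"      # assumed snapshot name
GUEST_USER = "analyst"                  # hypothetical guest account
GUEST_PASS = "analyst"                  # hypothetical password
GUEST_DIR = r"C:\samples"               # assumed drop directory inside the guest

# Constructed stand-in for a sample: an "MZ" prefix and filler, not a real PE.
CONSTRUCTED_SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed test bytes, not malware"


def sha256_hex(data: bytes) -> str:
    """Reference hash of the sample, recorded before it ever enters the VM."""
    return hashlib.sha256(data).hexdigest()


def stage_sample(data: bytes) -> Path:
    """Write the sample to a fresh host-side staging directory and return its path."""
    staging = Path(tempfile.mkdtemp(prefix="sample-"))
    path = staging / "sample.bin"
    path.write_bytes(data)
    return path


class Lab:
    def __init__(self, vm: str = VM_NAME, snapshot: str = SNAPSHOT, dry_run: bool = False):
        self.vm = vm
        self.snapshot = snapshot
        self.dry_run = dry_run
        self.commands: list[list[str]] = []   # every VBoxManage call, in order

    def _vbox(self, *args: str) -> None:
        cmd = ["VBoxManage", *args]
        self.commands.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def prepare(self) -> None:
        """Step 3: isolate the VM, then freeze the clean, tools-installed state."""
        # Host-only NIC: the sample can reach other lab VMs but not the internet.
        # Shared clipboard and drag-and-drop are channels back to the host; disable them.
        self._vbox("modifyvm", self.vm, "--nic1", "hostonly",
                   "--clipboard-mode", "disabled", "--draganddrop", "disabled")
        self._vbox("snapshot", self.vm, "take", self.snapshot,
                   "--description", "tools installed, no samples yet")

    def analyze(self, sample: Path) -> dict:
        """Step 4: hash the sample on the host, boot the VM and push the sample in."""
        digest = sha256_hex(sample.read_bytes())
        self._vbox("startvm", self.vm, "--type", "headless")
        self._vbox("guestcontrol", self.vm, "copyto",
                   "--username", GUEST_USER, "--password", GUEST_PASS,
                   "--target-directory", GUEST_DIR, str(sample))
        return {"sample": sample.name, "sha256": digest, "snapshot": self.snapshot}

    def revert(self) -> None:
        """Step 5: discard everything the sample did and return to the snapshot."""
        self._vbox("controlvm", self.vm, "poweroff")
        self._vbox("snapshot", self.vm, "restore", self.snapshot)


def run_session(lab: Lab, sample: Path) -> dict:
    """Steps 3 to 5 end to end; returns the analysis record for your notes."""
    lab.prepare()
    record = lab.analyze(sample)
    lab.revert()
    return record


if __name__ == "__main__":
    lab = Lab(dry_run=True)   # dry_run=False on a host with VirtualBox to really run it
    record = run_session(lab, stage_sample(CONSTRUCTED_SAMPLE))
    print(record)
    for cmd in lab.commands:
        print(" ".join(cmd))
```

On a real host `prepare()` is run once, before any sample touches the VM; every later session needs only `analyze()` and `revert()`. The hash is taken on the host rather than inside the guest because the guest is untrusted once the sample has run.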
Full Video Course