The ability to analyze malware has become a necessary skill for anyone performing incident response. This course will teach the skills required to properly, quickly, and safely analyze malware by examining both its characteristics and behavior.
Since finding malware is a common occurrence for anyone that performs incident response, knowing how to properly analyze that malware is an essential skill. In this course, Malware Analysis Fundamentals, you'll gain the ability to analyze malware. First, you'll explore how to keep yourself and your systems safe when analyzing malware. Next, you'll discover how to get information on the malware by examining its characteristics. Finally, you'll learn how to execute malware and watch how it interacts with your system. When you're finished with this course, you'll have the skills and knowledge of malware analysis needed to safely and successfully determine what a malware sample does and the risk it presents.
Tyler Hudak has more than 15 years of experience performing malware analysis, computer forensics, and incident response for multiple organizations. He loves sharing the knowledge he has gained on these topics in his presentations and classes!
Course Overview Hi there. My name is Tyler Hudak, and welcome to my course, Malware Analysis Fundamentals. I'm an incident responder that has taught malware analysis to hundreds of people for many years now. I love what I do, and am passionate when it comes to malware analysis. In almost every incident that I've worked, malware has been a part of it in some form or fashion, and having the ability to analyze that malware has made my job a ton easier. A lot of people think that malware analysis is hard to learn, but I put together this course to show you it's not. Anyone can do it, and I'm going to prove it to you. In this course, we're going to learn how to safely analyze malware so we can figure out what it does. Some of the major topics that we'll cover include how to set up a safe environment to analyze malware in, what clues can be obtained from examining the malware's characteristics, and how to watch the malware's behavior, to see what it does when it runs. By the end of this course, you'll know the common tools and techniques that are used by incident responders everywhere to analyze malware. Before beginning this course, you should be familiar with the basics of Windows and setting up a virtual machine. I hope you'll join me on this journey to learn malware analysis with the Malware Analysis Fundamentals course, here at Pluralsight.
Introduction and Setting up Your Malware Analysis Lab Hey there. This is Tyler Hudak, and I'm here to teach Malware Analysis Fundamentals. If you've ever had to respond to any type of security incident, you know that some type of malware is going to be involved. It's used everywhere by attackers, from the phishing attachments used to gain access to a system, to the hacker tools used to maintain that access. This course is designed to teach you the tools and techniques you need to know in order to quickly and safely analyze the malware you find and get the information you need. This course is designed to take you from knowing nothing about malware analysis to being able to take a sample and figure out exactly what you need to know. We'll start off by quickly going over some fundamental concepts of malware analysis, just to make sure we're all on the same page. After that, we're going to talk about how to set up a Windows Sandbox in order to safely analyze malware without compromising any other systems. There are lots of techniques that can be used to analyze malware, but in this course we're only going to focus on those that will get you the information you want the fastest. We'll start off by talking about various techniques that examine the characteristics of malware. Specifically, we'll talk about how you can identify the type of malware you're dealing with, how to extract and analyze the embedded strings within a file, and how to analyze the Windows PE executable header. We're also going to talk about how we can monitor the malware's behavior as it executes to find out exactly what it does. Throughout this course, we'll be using real malware samples that you'll have access to so you can follow along and analyze on your own. One last thing. While we're going to focus on examining Windows malware, most of the techniques we learn can be applied to other types of malware with little to no effort. So let's get started.
Static Analysis: Identifying Malware Hey there. This is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. If you're like me, as soon as you get some malware you want to jump right in and tear it apart and get at the information using the techniques we're going to talk about later in this course. However, there are a few things you want to make sure you do before any other analysis, as these will help speed and guide everything else you do. We're going to talk about one of these techniques in this module, File Identification. Malware authors are constantly trying to trick users into opening up their malware, and one of the ways they do this is by disguising a file to look like it's safe. So, as malware analysts, one of the first things we have to do is figure out what type of file we're dealing with. In this module, we're going to talk about some techniques that will help us identify exactly what we're examining. This will allow us to determine the best way to proceed as we move forward. It's also rare that we come across malware that no one has ever seen before, especially in the case of commodity malware that's sent out in phishing attacks. The fact that someone has probably already seen the malware we have means the analysis of the malware may already be done and on the internet. We'll talk about how we can find that information using cryptographic hashing.
Static Analysis: Analyzing Embedded Strings Hey there. This is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. In this module, we're going to talk about one of my favorite malware analysis techniques, one that can give you a goldmine of information on how the malware behaves. This technique is embedded strings analysis. There are lots of ways we can extract and analyze strings from a file. I'm going to talk about a few of those ways, and give you a few tools to get this information out. Attackers, they aren't stupid. They know we're analyzing their malware, and that strings analysis is one of the easiest and most powerful ways to get at the information. So, attackers have started to hide their strings inside their files. We'll talk about a few of the common ways that this is done, and how we can defeat them.
Static Analysis: Understanding the PE Header Hey all, this is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. What if I told you there was something in Windows executables you could look at that could tell you how the malware interacted with the computer, when it was created, and possibly where it came from? Sound too good to be true? Well, it's not. I'm talking about the Windows PE header. The Windows PE header provides the operating system information it needs to run the program. We'll pull out key pieces of this information to help us with our analysis. Since the header tells the OS how to run the program, we'll find a lot of information down to a very low level, that will tell us how the malware interacts with the computer. Additionally, there are some places in the PE header which record timestamps and locations that can help us determine when and where the malware was created. This is extremely helpful if we are trying to determine attribution.
Lab 1: Static Analysis Hey there, this is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. We're going to use all of the knowledge that you've gained so far about static analysis and put it to use analyzing a new piece of malware, so here we go. For the last couple of modules, we've been looking at how you can look at the characteristics of malware without executing it to figure out what it does, what it can do, who it may contact, and so on. In this module, you're going to use all those skills to analyze a piece of malware and figure all that out on your own. After you do that, we'll go over everything to see if you got the same results that I do. An incident responder's work is never done, and that can definitely be said for our incident responder from Example Inc. , Kevin. Kevin has been hard at work analyzing the malware found on the computer of his CEO, Carla. However, Carla has given Kevin a call, and wants him to look at another file she just got in an email. It looks suspicious to her, and she wants him to analyze it before she opens it. So we're going to help Kevin analyze the malware as our static analysis lab. The malware can be found at this URL, and will be in a password-protected zip file with the password of infected. Remember, this is real malware. Take all the precautions we've talked about to ensure you are analyzing the malware safely. Go ahead and pause the video here. When you've done your analysis, unpause the video and you can watch how I analyze it and compare your results.
Dynamic Analysis Considerations Hey there. This is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. You're about to start the part of malware analysis that everyone looks forward to, actually executing the malware and watching what it does. Before we start, though, there are a few concepts you should know about which makes your analysis a lot easier. A lot can happen when you execute malware, and when you start to look at your tools data, you're going to have a lot to sift through. So like with static analysis, you'll want to focus on what you look for and have certain questions in mind to answer. We'll talk about what those questions are in this module. The operating system and malware sometimes do weird things, so it's good to know about these things before you start to examine a system's behavior. We'll also talk about some of the things you'll come across. Remember, the malware analysis process is composed of two phases, static analysis and dynamic analysis. Up until now, we've discussed static analysis techniques that have given us hints as to what the malware might do. In dynamic analysis, where we actually run the malware, we'll see exactly what it does. You may also find that during dynamic analysis the malware drops new files that you'll recover. This means that you'll go back and do static analysis on these new files before you run them. Don't worry if this happens. Malware analysis is very much a cyclical process where you get as much information as you can.
Dynamic Analysis: Detecting Malware System Changes Hey there, this is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. This is it. In this module we are jumping into the dynamic analysis phase, executing malware, and watching how it interacts with the system. Let's go. There are many ways you can monitor how malware interacts with your Sandbox, each with their own advantages and disadvantages. In this module, we'll use a technique which detects changes over a period of time and allows us to quickly see file and registry modifications on the Sandbox. this technique is known as system integrity monitoring and has a very simple process. To perform this technique, you'll take an initial snapshot on the Sandbox, recording the state of the system. Then the malware will run, and you'll wait for some time. After however long you wait, a second snapshot is taken, and then the two snapshots are compared. This then shows the changes to the file system and registry that occurred between the two snapshots when the malware was running.
Lab 2: Dynamic Analysis Hey there, this is Tyler Hudak, and welcome back to Malware Analysis Fundamentals. Kevin is still waiting for us to help him analyze the second piece of malware he found, so let's jump in and not keep him waiting anymore. We've learned a lot about dynamic analysis in this course so far, but we've only been applying it piecemeal. In this module, we'll use all of the techniques that we've learned to analyze Kevin's second malware. After we're done analyzing it, we'll summarize everything we found and you can compare it to what you did to see if you got the same results. If you recall, Kevin is our incident responder, and Carla is his CEO. We've already looked at one piece of malware Kevin found on Carla's computer, but there's still one more we need to look at. First, let's quickly review what we'll be looking for based on our previous analysis. On the network side, we saw strings related to download. bravesentry. com and the IP address 69. 50. 175. 181. We'll watch to see if our malware connects out to these places. On the file side, we saw strings of BraveSentry. exe in the Program Files directory, and C:\windows\xpupdate. exe. We'll want to see if the malware places itself there. Since it's likely the malware will try to, let's also give it elevated privileges to see what it can do. For the Registry, we saw mention of the common persistence key, SOFTWARE\Microsoft\Windows\CurrentVersion\Run. We'll see if the malware utilizes that. Finally, we saw a lot of strings mentioning Your computer is in Danger. We'll want to see what the malware does with this.
Progressing Your Malware Analysis Skills Hey there. This is Tyler Hudak, and welcome back to Malware Analysis Fundamentals, and congratulations on making it through the entire Malware Analysis course. We've covered a lot of material in this course, but there is still so much more that you can do and learn on malware analysis. We're going to talk about that in this module. In this module, we'll do a quick recap of the malware analysis techniques that you learned throughout the entire course. We'll also talk about where you go from here to keep increasing your malware analysis knowledge.