Reverse Engineering with Ghidra
In this lab, you will reverse engineer malware samples using Ghidra to unpack obfuscated code, deobfuscate malicious payloads, and analyze in-memory execution techniques. You will examine real-world evasion methods used by advanced threats to improve detection capabilities.

#### Final Outcome

After completing this lab, you will be able to:

- Unpack and analyze software packing techniques used by advanced malware (T1027.002)
- Deobfuscate malicious code and decode encrypted payloads for analysis (T1140)
- Analyze reflective loading techniques and in-memory malware execution (T1620)
Challenge
Unpack and Analyze Software Packing Techniques
You will use command-line tools to identify the packer type and verify packing signatures. You will then unpack the UPX-packed binary, use Ghidra's headless analyzer to decompile the code, and extract indicators of compromise. You will also examine a custom-packed sample that uses a proprietary format not recognizable by standard tools and compare the two approaches. By the end of this objective, you will have extracted the original malware code and identified embedded indicators of compromise, including C2 server addresses and campaign identifiers.
Challenge
Deobfuscate Malicious Code and Decode Encrypted Payloads
You will open the obfuscated binary in Ghidra's headless analyzer, use the decompiler to locate the XOR decryption function, identify encrypted byte arrays, determine the encryption key, and decode the hidden strings. You will also run a Ghidra script to automate XOR pattern detection and use a command-line decoder to verify your findings. By the end of this objective, you will have extracted the encrypted C2 URLs and configuration data from the sample.
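As an added example (not the lab's own Ghidra script), this is the crib-dragging approach an analyst would script to locate XOR-encoded byte arrays in a binary's data, recover the single-byte key and decode the hidden strings; the buffer, URLs and keys below are constructed for illustration.

```python
import string

# Bytes we accept in a recovered string: printable ASCII minus vertical tab / form feed.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def key_from_crib(window: bytes, crib: bytes):
    """Single-byte key consistent with `crib` at this position, or None if no single key fits."""
    keys = {c ^ p for c, p in zip(window, crib)}
    return keys.pop() if len(keys) == 1 else None

def decode_c_string(data: bytes, offset: int, key: int) -> bytes:
    """Decode from `offset` up to the encrypted NUL terminator, which is the key byte itself."""
    end = data.find(bytes([key]), offset)
    return xor_bytes(data[offset:(len(data) if end == -1 else end)], key)

def find_xor_strings(data: bytes, cribs=(b"http",), min_len=8):
    """Drag each known prefix across the buffer; return sorted (offset, key, plaintext) hits."""
    hits = set()
    for crib in cribs:
        for off in range(len(data) - len(crib) + 1):
            key = key_from_crib(data[off:off + len(crib)], crib)
            if key is None or key == 0:      # key 0 would be an unobfuscated string
                continue
            pt = decode_c_string(data, off, key)
            if len(pt) >= min_len and all(b in PRINTABLE for b in pt):
                hits.add((off, key, pt))
    return sorted(hits)

# Constructed stand-in for a .rodata section: clear strings mixed with two XOR-encoded C2 URLs.
SECRET_URL = b"http://cdn-update.example.net/api/v2/beacon"   # constructed, encoded with 0x5A
BACKUP_URL = b"https://backup.example.org/cfg"                 # constructed, encoded with 0x7F
CONSTRUCTED_RODATA = (
    b"\x00\x10Usage: %s [options]\x00"
    + xor_bytes(SECRET_URL + b"\x00", 0x5A)
    + b"\x00\x00libc.so.6\x00"
    + xor_bytes(BACKUP_URL + b"\x00", 0x7F)
)

if __name__ == "__main__":
    for off, key, pt in find_xor_strings(CONSTRUCTED_RODATA):
        print(f"offset 0x{off:04x} key 0x{key:02x}: {pt.decode()}")
```

The same scan works on bytes read from a section dump, and the crib list can be extended with other expected prefixes (a campaign tag, a user-agent string) when the sample's configuration does not start with a URL.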
Challenge
Analyze Reflective Loading and In-Memory Execution
You will open the reflective loader binary in Ghidra's headless analyzer, identify the key system and library calls used for memory manipulation (mmap, memcpy, munmap), trace the injection and execution flow through the decompiler, and analyze the anti-analysis checks the malware performs. You will also run an automated detection script and a Ghidra script to assess the binary's risk profile. By the end of this objective, you will have a complete understanding of the reflective loading lifecycle.
Challenge
Final Objective
This is your last chance to experiment in the environment. Clicking End Lab will end this little world that flittered into existence just for you.
Real skill practice before real-world application
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Learn by doing
Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.
Follow your guide
All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.
Turn time into mastery
On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.