Deep dive malware analysis is primarily a static approach: reading the assembly instructions to determine functionality, with debugging used only in a limited, targeted way. The approach can recover every last detail or be used to quickly identify IOCs and write YARA rules, but the method is often shrouded in mystery. It can take years to develop, and most analysts don’t have the time to fumble around in the dark trying to build this advanced skill. Save yourself countless hours of guesswork and get an up-close view of this approach.
This lab based workshop will guide you through the deep dive process using Ghidra to analyze a malicious RAT from start to finish. You’ll learn how to triage a function, judge what to analyze and what to skip, verify the full C2 network protocol using Python, and much more. See the benefits and learn how you can practice this approach in your own job to dramatically elevate your RE skill level.
This course starts by presenting the deep dive malware analysis approach. We discuss the different analysis strategies, explain why the deep dive approach is the most efficient, and then provide a series of warnings and insights to optimize the approach. We end with a number of tips on how to best practice this strategy in the limited time provided by most jobs.
With the academic portion completed, the rest of the course consists of a series of labs where you will perform the complete analysis of a live malicious RAT (Remote Access Tool) found in the wild. Each lab comes with a written solution and a video where the lab is performed live so that you can see the analysis in action. The value comes in watching the live analysis.
Knowing the method is great and is the first step in learning, but there’s a large gap between knowing what you should do, and knowing how to do it. How accurate does your analysis need to be prior to moving on to the next capability? What instructions do you highlight for understanding and what do you skip over? These types of questions are difficult to learn conceptually and are best learned through example. The experience you witness in the video solutions is the true value of the course. Watching the video solutions provides an idea of the decision making process. That key takeaway will let you speed through the trial and error stage of learning and quickly become proficient.
Performing the labs prior to watching the instructor walkthrough makes the learning interactive. By first attempting analysis on your own and then watching the instructor walkthrough, you can compare your approach to that of a more experienced reverse engineer.
The sample is live malware found in the wild, not a toy instructional example. It was chosen because it is realistic and uses a variety of techniques: several statically linked, unidentified library functions, encryption, a network authentication protocol, and a full array of C2 commands.
What You’ll Learn
Upon completion of the course, students will have learned:
- An advanced method for analyzing malware to identify Indicators of Compromise (IOC) in the shortest time frame
- The decision making process used by an experienced analyst when analyzing malware
- How to identify key focus areas when statically reviewing assembly code
- Insights on how to optimize your analysis approach
- Tips for practicing the deep dive analysis approach with limited time available
- How to build a Command and Control (C2) server to exercise C2 commands for dynamic analysis
This is an advanced class intended to improve students’ analysis methods. It is not a class to teach the basics of reading assembly or analyzing malware.
Students need to be proficient in reading and debugging x86 assembly code and should have some general experience manually analyzing malware outside of a sandbox. Additionally, a basic understanding of Python programming is required for one part of a single lab, where a Command and Control (C2) simulator is built in Python from a provided template.
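To give a concrete picture of what that lab's C2 simulator does, here is a minimal one as an added example. It is not the course's template and does not implement the protocol of the RAT studied in the course: the length-prefixed framing, repeating-key XOR obfuscation, static key, nonce/hash authentication and command IDs are all assumptions standing in for what you would recover from the sample's own code. A fake implant is included so the simulator can be exercised offline; against a real sample you would drop the fake implant, redirect the sample's C2 address to the listener, and compare what arrives on the wire with the protocol you reversed.

```python
"""Minimal C2 simulator skeleton for exercising a reversed protocol.

Added example. The wire format below is hypothetical and is NOT the
protocol of the RAT analyzed in the course; substitute the framing, key,
authentication scheme and command IDs recovered from your own analysis.
"""
import hashlib
import os
import socket
import struct
import threading

KEY = b"example-key"                  # assumed static key "recovered" from the sample
CMD_PING, CMD_HOSTNAME = 0x01, 0x02   # hypothetical command IDs
MAX_FRAME = 0x10000                   # refuse absurd lengths from a misbehaving peer


def obfuscate(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR: a placeholder for the sample's real cipher (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def send_frame(sock: socket.socket, payload: bytes) -> None:
    """Frame = 4-byte big-endian length + obfuscated payload (assumed format)."""
    body = obfuscate(payload)
    sock.sendall(struct.pack(">I", len(body)) + body)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-frame")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError(f"oversized frame: {length}")
    return obfuscate(recv_exact(sock, length))


def auth_response(nonce: bytes) -> bytes:
    """Assumed challenge/response: first 16 bytes of SHA-256(key || nonce)."""
    return hashlib.sha256(KEY + nonce).digest()[:16]


class C2Simulator:
    """Listens on localhost, authenticates one implant, then issues a scripted command list."""

    def __init__(self, commands):
        self.commands = commands          # list of (cmd_id, argument bytes)
        self.results = []                 # ("auth", ok) followed by (cmd_id, reply)
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        conn, _ = self.srv.accept()
        with conn:
            nonce = os.urandom(8)
            send_frame(conn, b"AUTH" + nonce)
            if recv_frame(conn) != auth_response(nonce):
                self.results.append(("auth", False))
                return
            self.results.append(("auth", True))
            for cmd_id, arg in self.commands:
                send_frame(conn, struct.pack(">B", cmd_id) + arg)
                self.results.append((cmd_id, recv_frame(conn)))
            send_frame(conn, b"")         # empty frame = end of session


def fake_implant(port: int) -> None:
    """Stand-in for the real sample so the simulator can be tested offline."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        hello = recv_frame(s)
        if not hello.startswith(b"AUTH"):
            raise ValueError("unexpected greeting")
        send_frame(s, auth_response(hello[4:]))
        while True:
            frame = recv_frame(s)
            if not frame:
                break
            cmd, arg = frame[0], frame[1:]
            if cmd == CMD_PING:
                send_frame(s, b"PONG" + arg)
            elif cmd == CMD_HOSTNAME:
                send_frame(s, b"FAKE-HOST")
            else:
                send_frame(s, b"ERR")


def run_session(commands):
    """Drive one full simulator/implant session and return the simulator's log."""
    sim = C2Simulator(commands)
    fake_implant(sim.port)
    sim.thread.join(timeout=5)
    sim.srv.close()
    return sim.results


if __name__ == "__main__":
    for entry in run_session([(CMD_PING, b"abc"), (CMD_HOSTNAME, b""), (0x7F, b"")]):
        print(entry)
```

The point of the exercise is the comparison step: once each command's wire format is known, the simulator lets you send exactly that command to the real sample under the debugger and confirm, from the bytes it sends back, that your reading of the assembly was right.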
Students will need a 64-bit computer with:
- A virtualization program installed (VirtualBox, VMware, VMware Player, etc.)
- One 64-bit Windows virtual machine with the following free tools installed:
  - The latest version of Ghidra (available from https://ghidra-sre.org)
  - The latest version of x64dbg (available from https://x64dbg.com)
  - A PDF reader such as Acrobat Reader (available from https://get.adobe.com/reader/)
  - An unzipping utility such as 7-Zip (available from https://www.7-zip.org/download.html)
- One REMnux Linux virtual machine (available from https://remnux.org)
- 12 GB of RAM
- One USB port
- Internet connectivity
If needed, a free 64-bit Windows VM for testing can be downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
- Briefing: The Deep Dive Malware Analysis Methodology
- Briefing: Getting Started
- Briefing: Introduction To Ghidra
- Lab 1: Identifying The Main Capabilities Function
- Lab 2: Identifying How APIs Are Resolved
- Lab 3: Building An Outline Of The Main Program Flow
- Lab 4: Determining General C2 Commands
- Lab 5: Fully Reverse Engineer And Verify The Network Protocol For One C2 Command
- Lab 6: Additional Take-Home Exercises