Malware Analysis In 5+ Hours - Full Course - Learn Practical Malware Analysis!

My gift to you all. Thank you 💜 Husky

🔬 Practical Malware Analysis & Triage: 5+ Hours, YouTube Release

This is the first 5+ house of PMAT, which is my course that is available on TCM Security Academy. The full course is 9 hours of high quality videos, practical labs, and challenges to learn the art and science of malware analysis.

📝 FULL COURSE: https://bit.ly/tcm-pmat-affil

If you use my affiliate link above to purchase the course, I receive more of the revenue for the course. Thanks for supporting me as a content creator!

📡 Course Discord

Head on over to the HuskyPack for access to the course server! Use the link below to join the server. Please read the rules carefully. Once you have joined and accepted the rules, head to the role channel and select the PMAT-student role to get access to the PMAT channels.

Link:   / discord  

Please note: you will have to wait at least 10 minutes before you can send any messages in the server. This is to guard against bot invasions!

📝MY BLOG: https://notes.huskyhacks.dev
🐦TWITTER:   / huskyhacksmk  
👾GITHUB: https://github.com/HuskyHacks

-------------------- Timestamps

00:00-05:55 - Intro & Whoami
05:55-08:26 - Download VirtualBox
08:26-10:26 - Download Windows 10
10:26-18:44 - Set Up Windows 10 VM
18:44-19:55 - Download REMnux
19:55-23:36 - Import REMnux
23:36-30:55 - Download and Install FLAREVM
30:55-38:22 - Set up the Analysis Network
38:22-51:38 - Set up INetSim
51:38-55:39 - Course Lab Repo & Lab Orientation
55:39-57:07 - Snapshot Before First Detonation
57:07- 1:03:06 - First Detonation
1:03:06-1:08:12 - Tool Troubleshooting
1:08:12-1:22:27 - Safety Always! Malware Handling & Safe Sourcing
1:22:27-2:13:20 - Basic Static Analysis
2:13:20-3:38:53 - Basic Dynamic Analysis
3:38:53-3:40:52 - INTERMISSION!
3:40:52-4:00:58 - Challenge 1 SillyPutty Intro & Walkthrough
4:00:58-4:58:07 - Advanced Static Analysis
4:58:07-5:28:56 - Advanced Dynamic Analysis
5:28:56-5:50:52 - Challenge 2 SikoMode Intro & Walkthrough
5:50:52-5:52:42 - Outro, Thank You!

------------------- Errata & Course Notes

📺 Downloading Windows 10

Update 5/25/22: The Microsoft Eval Center was down for most of the month of May, but it is back! You can find the Windows 10 image for this course here:

https://www.microsoft.com/en-us/evalc...

The website looks different than how it appears in the course video, but the ISO is now available there. Select the 64-bit image.

📺 Installing REMnux

Around the 21:33 mark of the video, I start issuing commands to install the VirtualBox VM Tools on REMnux. In newer distros of REMnux, the VM Tools are installed automatically! So you may not have to issue the CD-ROM mount commands and run the auto-installer script.

Check if your VM Tools are installed by minimizing and maximizing the screen of the REMnux guest OS. If the screen resolution changes to fit the size of your monitor, the VM Tools are already installed and you can skip the install instructions.

📺 Course Lab Repo Link

The labs for this course are available here: https://github.com/HuskyHacks/PMAT-labs

This repo has all of the malware needed to complete this course. Please use this link and view the next video, "Course Lab Repo Download & Lab Orientation" for instructions on how to get started with the repo.

📺 Detonating Our First Sample

Please Note: For this detonation, turn off INetSim before detonating. WannaCry will not detonate if INetSim is running.

📺 Strings & FLOSS: Static String Analysis

Tip: FLOSS can be run with the "-n" argument to specify your desired minimum string length. Sometimes, longer strings can be more useful to an analyst than your standard string of len(4).

📺 Combining Analysis Methods: PEStudio

The newer versions of PEStudio do not come installed by default in FLARE-VM anymore. Please use the official Winitor download link to download PEStudio and transfer it to FLARE-VM: https://www.winitor.com/download2

📺 Advanced Analysis of a Process Injector

During the Advanced Static Analysis section, I made an error regarding different values that are moved in and out of EAX during the set up for the process injection. In short, I say that PID of an injected process is stored in EAX first, then moved into EDI after the call to OpenProcess returns. This is not technically true: what is returned to EAX after the OpenProcess call is not the PID of the process, but the handle to that process.

TL;DR: once a process injector can get a handle to a process, it can use the handle with all of its remaining API calls to perform the injection.

-------------------- Misc

🎵 Jazzy Bossa Nova song: Canal 3 by Quincas Moreina, available for free on the YouTube Audio Library
   / @quincasmoreira