4-DAY TRAINING 1 – Modern Malware Analysis: Advanced Edition


CAPACITY: 20 pax


EUR3499 (early bird)

EUR4299 (normal)

Early bird registration rate ends on the 31st of January


Malware authors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion and maintain persistence to compromise an organization. To achieve this, malware authors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack. In Modern Malware Analysis Advanced Edition, you will get hands-on with real-world malware and learn how to identify key indicators of compromise/indicators of attack, apply analysis to enhance security products to protect your users and infrastructure and gain a deeper understanding of malware behavior through reverse engineering. Open-source and limited use tools such as Ghidra, IDA Pro Free/Demo, Oledump/OleVBA, PE Studio and Suricata will be utilized to perform deep technical analysis of malware at each phase of an attack, focusing on developing effective strategies to maximize your time spent. By the end of this course you will be able to analyze malicious office documents, dig deep into native and interpreted code through disassembly and decompilation, identify and defeat prevalent obfuscation techniques and generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.

This is a fast-paced course designed to take you deep into all stages of malware operations – from delivery methods to the post-infection payloads! Each day will end with comprehensive analysis activities and exercises to test and reaffirm key learning objectives. This course is designed to not just simply be 4 days of lecture, but an immersive and interactive learning experience.This is an ideal course for security analysts, malware analysts/researchers and blue teams that need to get hands-on diving deep into malicious software.

Key Learning Objectives

  • Understand different attack methods used by malicious actors, how this affects your analysis and effective ways for disrupting the attack.
  • Learn the tools and skills needed to perform exhaustive analysis on malicious office documents, exploit kits, Java and .NET binaries, native code binaries (PE files) and shellcode
  • Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
  • Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behavior
  • Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes
  • Identify key indicators of compromise to update security products such as an IDS/IPS
  • Learn how to leverage network traffic to gain a deeper understanding of malware behavior
  • Learn how to extend tools to fit your analysis needs, such as writing IDA Pro plugins with Python
  • Generate custom threat intelligence for your organization


DAY 1 – Analyzing Delivery Mechanisms
– Basic analysis and leveraging open source intelligence – strings, hashes and threat intelligence sharing platforms such as VirusTotal and AlienVault OTX
– Understanding delivery mechanisms: Office documents, JavaScript attachments and other means of bypassing the perimeter
– Leveraging network traffic to enhance analysis
– A brief look at exploit kits and techniques for unraveling
– Analyzing compromised infrastructure through a server compromise

DAY 2 – Unraveling Malware Payloads
– Performing analysis on native code binaries through reversing engineering
– Understanding binary file formats and key operating system internals
– Determining signs of packing and other native code obfuscation techniques
– Identifying and defeating malware packing
– Detecting malware persistence techniques
– Leveraging network traffic analysis to identify malware families

DAY 3 – Advanced Analysis Techniques
– Identifying and tracing malware use of shellcode
– Analyzing Windows-based shellcode, along with common obfuscation techniques
– Defeating string and API obfuscation techniques in native and interpreted code
– Extending reversing tools through plugins
– Identifying lateral movement
– Extracting malware configuration information
– Automating IOC extraction from malware samples

DAY 4 – Performing Post-Infection Analysis
– Reverse engineering modular payloads
– Identifying evidence of data exfiltration
– Recognizing patterns of command and control communications
– Reversing other file formats such as .NET and Java binaries
– Analyzing malware on other platforms – Mac OS X and Android

Prerequisite Knowledge

The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:

  • Basic malware analysis
  • An understanding of programming languages such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage
  • Ability to read assembly for Intel 32 and 64 bit architectures
  • Proficiency with a Windows-based debugger such as WinDbg, x64dbg or Immunity

To help prepare for this course, it is recommended that students be familiar with information from the following sources:

A brief overview of malicious office documents
– Hack-in-the-Box CommSec Track 2018: https://youtu.be/Ii0ENuigBSM

Assembly and Intel’s 32/64-bit architecture
– Specifically concepts from chapters 1 – 5: https://pacman128.github.io/pcasm/

Getting started with reverse engineering
– YouTube playlist: https://www.youtube.com/playlist?list=PLHJns8WZXCdvaD7-xR7e5FJNW_6H9w-wC

Hardware / Software Requirements for Attendees

  • Linux/Windows/Mac desktop environment
  • A laptop with the ability to run virtualization software such as VMWare or VirtualBox
  • Access to the system BIOS to enable virtualization, if disabled via the chipset
  • Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
  • A laptop that the attendee is comfortable handling live malware on
  • Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used

Location: Training Rooms Date: April 20, 2020 Time: 9:00 am - 6:00 pm Dr. Josh Stroschein