Malware Analysis Learning Plan

Please check out my post where I discuss the blueprint of my learning plan

Learning Plan Blueprint: Design a Personalized Study Path

Design your personalized learning plan! Set clear milestones and choose the best resources to acquire new skills quickly.

SecurityNguyenNguyen Nguyen

Step 1: Map out the direct application first

I needed to find out what malware analyst do 80% of their time and then the roughly 20% of their time. Then create an learning plan around that 80% so I headed to LinkedIn.

Then, I would check out their profile to see if they actually do have experience with malware analysis. If they do, I would try to sent connect request asking: "Hi Bob, I saw you have experience with malware analysis, I wanted to connect with you because I wanted to know what you do on the daily for that role.".

If you're shy, you can look up on YouTube about malware analyst and see if you can find videos about their day to day.

Other good source of information is reddit but LinkedIn is more honest because it's more personal.

Here's my research on what an professional malware analyst do:

Analyze a large quantity of malware samples.
1. Gather artifacts & IOC quickly
- Locate all infected machines and infected files.
2. Identify what the malware can do
3. Create Host-based/Network-based detections within host/network.

Perform static and dynamic analysis
- Ability to unpack and de-obfuscate highly complex malicious applications.
- Debugging and Debugger experience (Experience identifying and defeating known or custom packers).
- Disassembling/disassemblers experience

Analyze network traffic and detect indicators of command and control C2 activity or data exfiltration
- Create host-based and network-based signatures suited for large-scale hunting, detection, and tracking of threats.
- Example: Sigma Rules, Yara Rules

Analyze and evaluate malicious code
- Create technical reports on IOC and to recommend mitigation and detection actions.

Step 2: Progression System

General Resource:

Malware Samples:

• https://bazaar.abuse.ch/
• https://malshare.com/

Level 1: Perform a Basic static analysis

Goals

• Examining the executable file without viewing the actual code.
• Can confirm whether a file is malicious or not.
• Provide insight on its functionality

Direct Practice:

1. Download "PotentialKeylogger.exe" from Practical Malware Analysis and
2. Conduct a investigation on "PotentialKeylogger.exe" and create an Technical report.
3. Gather the hash of the malware sample
4. Conduct investigation on the malware using Virus Total
5. Locate the strings on the malware sample
   • Identify potential clues that allow us to determine the functionality of the malware.
6. Detect if the malware is Packer or Obfuscated
   • If it is, type of packer used.
7. Analyze the PE file format
   • What Linked Libraries (DLLs) and Functions is it running?

Add a Feedback Loop

Analyze: PotentialKeylogger.exe, write down your finding. At the end of your investigation, compare your findings with findings in section: "Static Analysis in Practice".

• What did you miss? & What did you get right?

Resources for Level 1 Direct Practice:

• Basic Static Analysis:
  • Practical Malware Analysis, pg. 9
  • MAL: Malware Introductory
  • Exercise:
    • https://tryhackme.com/room/malstrings
    • https://tryhackme.com/room/staticanalysis1
    • https://tryhackme.com/room/basicmalwarere
  • Calculating Hashes:
    • https://tryhackme.com/room/malresearching
  • File Types:
    • https://www.udemy.com/course/windows-malware-analysis-for-hedgehogs-beginner-training/learn/lecture/37399904#overview
  • Virus Scan:
    • https://www.udemy.com/course/windows-malware-analysis-for-hedgehogs-beginner-training/learn/lecture/37400154#overview
    • https://tryhackme.com/room/introtoav
  • Creating an Technical Report
    • Mastering Malware Analysis, pg. 37

- Calculating Hashes:
- https://tryhackme.com/room/malresearching

File Types:
- https://www.udemy.com/course/windows-malware-analysis-for-hedgehogs-beginner-training/learn/lecture/37399904#overview

Virus Scan:
- https://www.udemy.com/course/windows-malware-analysis-for-hedgehogs-beginner-training/learn/lecture/37400154#overview
- https://tryhackme.com/room/introtoav

Level 1.5 More Practice on Basic Static Analysis:

Inside practical malware analysis, at page 26, Answer each question in each lab. Then compare your answer with the lab answer at the back of the book.

Level 2: Perform Basic Dynamic Analysis

• Running and observing the application behavior.

Level 3: Perform Advanced Static Analysis

• Reverse-engineering the malware internals -> Loading into disassembler
• Looking at the program code and figuring out the functionality

Resources for Advanced Static Analysis

https://tryhackme.com/room/windowsapi
https://tryhackme.com/room/jvmreverseengineering

Level 4: Perform Advanced Dynamic Analysis

• Using a debugger to examine the internal state of a running malicious executable.

Updates:

As I go up the progression system, I will update the levels with resources I used. Maybe, the time you read this. I will have everything updated.