Behavioral Malware Analysis (BMA)

Course Overview

Behavioral Malware Analysis teaches the fundamental skills necessary to analyze malicious software from a behavioral perspective. Using system monitoring tools and analytic software, this course teaches how to observe malware in a controlled environment and quickly analyze its malicious effects on the system. From simple keyloggers to massive botnets, this class covers a wide variety of current threats from today's internet, with actual samples being analyzed in the training environment. With the majority of the class being hands-on, each student is issued a computer with a secure environment in which to learn the skills and essential methodologies required to be an effective malware analyst.

5 days

    • How to identify malware and discover its capabilities
    • How to set up a secure lab environment to analyze malicious software
    • How to use free tools to characterize malware samples quickly
    • Obfuscation methods used by attackers to escape detection

    DAY 1:

    Malware Analysis

    • Static Analysis
    • Dynamic/Behavioral Analysis

    Malware Overview

    • Definition of Malware
    • Malware Intentions and Motivations
    • Malware Types
      • Virus
      • Worm
      • Backdoor
      • Trojan
      • Malicious Mobile Code
      • User-Mode Rootkit
      • Kernel-Mode Rootkit
      • Combination Malware
    • Vulnerabilities
    • Malware threats research websites
    • Technologies to fight Malware and their limitations
      • Intrusion Detection Systems
      • Intrusion Prevention Systems
      • Anti-Virus Software

    Windows Internals for Behavioral Analysts

    • Windows API
    • Common Libraries
    • Building An Analysis Environment

    Behavioral Analysis Process (BA)

    • Understanding The Process
    • Knowing Your Goals

    BA Tools of the Trade

    • VMware Workstation
    • Sysinternals Suite
    • Regshot
    • ApateDNS & FakeNet
    • Wireshark
    • PEiD & PackerBreaker
    • Process Hacker

    DAY 2:

    • Why Baseline a System
    • The Windows Registry
    • Baselining Tools

    Document-Embedded Malware

    • How To Embed a Document
    • Hijack Scenario
    • Macro Viruses
    • Melissa Virus Case Study

    Adware, Spyware, and Ransomware

    Botnet Malware

    • Definition of a Bot
    • Botnet Communication Architecture
    • Setting Up and Using IRC For Command and Control

    DAY 3:

    • Purposes
    • Keylogger types
      • Hardware vs Software
    • Remote Access Keyloggers
    • Sniffers

    Malicious Mobile Code (Interactive Web Apps)

    • Definition of Malicious Mobile Code
    • Attack Vectors
    • Reducing Risk of MMC Attacks


    • Common Backdoor Types
    • Propagation Methods
    • Persistence Methods
    • Finding Backdoors

    Trojan Horses

    • Definition of a Trojan Horse
    • Backdoor vs Trojan Horse
    • Trojan Horse Infection Methods

    Advanced Persistent Threat (APT)

    • Definition of APT

    User-Mode Rootkits

    • Definition of a Rootkit
    • Benefit of Rootkits for Attackers
    • Kernel- vs User-Mode Rootkits
    • Detection Methods

    DAY 4:

    Drop and Execute Malware

    • Dropper vs Injector

    VMware Detection

    • Why Malware Performs VMware Detection
    • Honeynets and Honeypots
    • Methods of VM Detection

    Destructive Malware

    CHM Malware

    • Normal CHM File Usage
    • Advantages and Disadvantages of CHM Files

    PDF Malware

    Kernel-Mode Rootkits

    DAY 5:

    Student Practical

    DAY 1:

    • BA Process Lab 1
    • BA Process Lab 2
    • BA Process Lab 3
    • Day 1 Scenario

    DAY 2:

    • Document-Embedded Malware 1
    • Document-Embedded Malware 2
    • Spyware Sample
    • Ransomware Sample
    • IRC Bot Sample
    • Day 2 Scenario

    DAY 3:

    • Keylogger Sample
    • MMC Implant Sample
    • Backdoor Sample
    • Trojan Horse Sample 1
    • Trojan Horse Sample 2
    • Day 3 Scenario

    DAY 4:

    • Drop & Execute Sample
    • Anti-analysis Sample
    • Destructive Sample
    • CHM Sample
    • PDF Sample
    • Day 4 Scenario

    DAY 5:

    • Day 5 Practical

    • Thorough understanding of Microsoft Windows
    • Basic understanding of operating system internals
    • Experience with VMware software would be beneficial, although it is not required
    • Knowledge of networking protocols and Wireshark filtering is recommended but not required

    • Threat operation analysts seeking a better understanding of malware
    • Incident responders who need to quickly address a system security breach
    • Forensic investigators who need to identify malicious software
    • Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies