This course is a continuation of the stages of malware analysis (the advanced dynamic analysis stage) for all types of malicious files on Windows,
using many tools such as x64dbg, IDA remote debugging, dnSpy, oletools, the Didier Stevens Suite, Python uncompyle6, and much more.
-
Download and set up the x64dbg/x32dbg debugger for Windows.
-
Load an executable, a DLL, or raw shellcode into x64dbg.
-
Attach to an existing process in x64dbg.
-
Set x64dbg as the Just-In-Time (JIT) debugger.
-
Use all x64dbg windows (Disassembly and Registers, Dump, Stack, Comments, Memory Map, Threads and Call Stack, Graph, Log View and Command Bar).
-
Navigate easily in x64dbg using Step Into, Step Over, Step Out, Run, Reload, Run to User Code, Undo Last Instruction, Go To, software and hardware breakpoints, and setting a comment, label or bookmark.
-
Trace execution.
-
Patch binaries in x64dbg.
-
Use x64dbg plugins and scripts (xAnalyzer, ScyllaHide, OllyDumpEx, Scylla).
-
Reach the entry points of executables.
-
Use the IDA debugger and its remote debugging feature.
-
Use the MITRE ATT&CK website to learn about the tactics and techniques used by attackers.
-
Differentiate between attack techniques (credential stealing, persistence, privilege escalation, malware launchers, fileless malware, process injection, APC injection, user-mode rootkits, anti-virtual-machine checks, ransomware).
-
Analyze a malware sample that performs privilege escalation (acquiring SeDebugPrivilege, UAC bypass).
-
Analyze a malware sample that performs process injection.
-
Analyze malware samples that use anti-debugging techniques.
-
Differentiate between anti-debugging checks (IsDebuggerPresent, CheckRemoteDebuggerPresent, the PEB BeingDebugged flag, timing checks, detecting debugger behavior, and INT3 / INT 2D traps).
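The checks listed above leave recognisable traces in the binary: either an imported API name or, when the check is inlined, a fixed x86 opcode idiom. The following Python scanner is an added example for this page, not course material; it finds those traces in a raw byte blob (a dumped section or unpacked region) so you know which check to expect before you single-step into it. The byte patterns are the standard x86 encodings; the sample blob is constructed for the demo, and a hit on a legitimate API such as GetTickCount is a lead, not a verdict.

```python
"""Triage scanner for anti-debugging indicators in a raw byte blob.

Added example, not course material. Scans for the API names the common
checks import or resolve at runtime, and for the x86 opcode idioms that
inlined checks compile down to. The sample blob is constructed.
"""
import re
from typing import Dict, List, Tuple

# API-based checks: names found in the import table or in GetProcAddress strings.
ANTI_DEBUG_APIS = [
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"NtQueryInformationProcess",   # ProcessDebugPort / ProcessDebugFlags
    b"OutputDebugStringA",
    b"QueryPerformanceCounter",     # timing checks
    b"GetTickCount",
]

# Opcode-level idioms (x86/x64). These survive import hiding because the
# check is inlined rather than called.
OPCODE_IDIOMS = {
    # mov eax, fs:[30h] ; movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged
    "PEB.BeingDebugged (x86)": re.compile(rb"\x64\xa1\x30\x00\x00\x00\x0f\xb6\x40\x02"),
    # mov eax, fs:[30h] ; mov eax, [eax+68h]           -> PEB.NtGlobalFlag
    "PEB.NtGlobalFlag (x86)": re.compile(rb"\x64\xa1\x30\x00\x00\x00\x8b\x40\x68"),
    # mov rax, gs:[60h]                                -> PEB on x64
    "PEB read (x64)": re.compile(rb"\x65\x48\x8b\x04\x25\x60\x00\x00\x00"),
    # rdtsc: noisy alone, meaningful when two occur close together (delta timing)
    "rdtsc": re.compile(rb"\x0f\x31"),
    # int 2Dh: kernel debug service trap, behaves differently under a debugger
    "INT 2D": re.compile(rb"\xcd\x2d"),
    # two-byte int 3 (CD 03): compilers emit CC, so CD 03 is hand-written
    "INT3 (CD 03)": re.compile(rb"\xcd\x03"),
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {indicator: [offsets]} for every indicator present in blob."""
    hits: Dict[str, List[int]] = {}
    for api in ANTI_DEBUG_APIS:
        offs = [m.start() for m in re.finditer(re.escape(api), blob)]
        if offs:
            hits[api.decode()] = offs
    for name, pat in OPCODE_IDIOMS.items():
        offs = [m.start() for m in pat.finditer(blob)]
        if offs:
            hits[name] = offs
    return hits


def timing_pairs(blob: bytes, window: int = 64) -> List[Tuple[int, int]]:
    """Two rdtsc within `window` bytes is the classic delta-timing check."""
    offs = [m.start() for m in OPCODE_IDIOMS["rdtsc"].finditer(blob)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


# Constructed blob: a fake header, an inlined BeingDebugged check, a
# two-rdtsc timing check, an int 2Dh, and two API name strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test al,al; jnz +0x10
    + b"\x64\xa1\x30\x00\x00\x00\x0f\xb6\x40\x02\x84\xc0\x75\x10"
    # rdtsc; mov esi,eax; nop; nop; rdtsc; sub eax,esi
    + b"\x0f\x31\x89\xc6\x90\x90\x0f\x31\x29\xf0"
    # int 2Dh; nop
    + b"\xcd\x2d\x90"
    + b"\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print("%-28s at %s" % (name, [hex(o) for o in offs]))
    print("rdtsc timing pairs:", timing_pairs(SAMPLE))
```

Run it over a memory dump from x64dbg or the unpacked image from Scylla rather than the packed file on disk; the opcode idioms only appear once the real code is in memory.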
-
Analyze malware that exploits debugger vulnerabilities.
-
Differentiate between data encoding and encryption.
-
Detect many encoding and encryption schemes (ASCII, Unicode, URL encoding, Base64, substitution/rotation ciphers, XOR cipher).
-
Decode Unicode and Base64 using CyberChef.
-
Recognize encrypted data (high entropy, string analysis, known crypto constants, manual inspection).
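The scheme-detection and entropy objectives above come down to a few checks that are easy to script. The block below is an added example for this page, not course material: it computes Shannon entropy, pulls out Base64 tokens that really decode, and brute-forces the single-byte XOR and alphabet-rotation keyspaces, ranking candidates with a crude English-likeness score. The plaintext, key and blob are constructed for the demo.

```python
"""Triage helpers for telling encoding from encryption.

Added example for this course page, not course material. Shannon entropy
is near 8 bits per byte for encrypted or compressed data and 4-5 for
text; Base64 is detected and verified by decoding; single-byte XOR and
ROT-n are brute-forced and ranked. Every sample input is constructed.
"""
import base64
import binascii
import math
import re
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# A Base64 run of 16+ characters with optional padding, not glued to more Base64.
_B64_RE = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def find_base64(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, decoded bytes) for each token that really decodes."""
    found = []
    for m in _B64_RE.finditer(blob):
        tok = m.group(0)
        if len(tok) % 4:          # padded Base64 is always a multiple of 4 chars
            continue
        try:
            found.append((m.start(), base64.b64decode(tok, validate=True)))
        except binascii.Error:
            continue
    return found


_COMMON = frozenset(b"etaoin shrdlu")   # most frequent English letters plus space


def english_score(text: bytes) -> int:
    """Crude plaintext score: common letters 3, other letters 2, other
    printable 1, control/high bytes -10. Enough to rank brute-force output."""
    score = 0
    for b in text:
        if b in _COMMON:
            score += 3
        elif 65 <= b <= 90 or 97 <= b <= 122:
            score += 2
        elif 32 <= b < 127 or b in (9, 10, 13):
            score += 1
        else:
            score -= 10
    return score


def brute_xor(data: bytes, top: int = 3) -> List[Tuple[int, int, bytes]]:
    """Try every single-byte key; return (score, key, plaintext), best first."""
    cands = []
    for key in range(256):
        pt = bytes(b ^ key for b in data)
        cands.append((english_score(pt), key, pt))
    cands.sort(key=lambda c: c[0], reverse=True)
    return cands[:top]


def rotate(text: bytes, n: int) -> bytes:
    """Caesar/ROT-n over ASCII letters; everything else passes through."""
    out = bytearray()
    for b in text:
        if 65 <= b <= 90:
            out.append((b - 65 + n) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + n) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def brute_rotation(text: bytes) -> Tuple[int, bytes]:
    """Return (shift, plaintext) for the best-scoring of the 25 non-zero shifts."""
    best = max(range(1, 26), key=lambda n: english_score(rotate(text, n)))
    return best, rotate(text, best)


# Constructed samples (not taken from any real malware).
PLAIN = b"the agent connects to c2 at example.invalid every 60 seconds"
XOR_KEY = 0x5A
XOR_CT = bytes(b ^ XOR_KEY for b in PLAIN)
ROT_CT = rotate(PLAIN, 13)
B64_BLOB = b"\x00\x00config:" + base64.b64encode(PLAIN) + b"\x00\x00"

if __name__ == "__main__":
    print("entropy text/xor/random: %.2f %.2f %.2f" % (
        shannon_entropy(PLAIN), shannon_entropy(XOR_CT), shannon_entropy(bytes(range(256)))))
    print("base64:", find_base64(B64_BLOB))
    print("xor best key: 0x%02x" % brute_xor(XOR_CT)[0][1])
    print("rotation:", brute_rotation(ROT_CT))
```

One caveat the numbers make obvious: single-byte XOR is a bijection on byte values, so it leaves the entropy of the text unchanged. The high-entropy heuristic flags real ciphers and compression, not XOR or rotation obfuscation; for those you need the brute force.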
-
Instrument the debugger to make the malware self-decode its encrypted data.
-
Solve a Flare-On 7 challenge by decrypting RC4-encrypted data.
-
Decrypt RC4 using two methods: instrumentation of the debugger, and manual decryption using Python or Java.
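For the "manual decryption" method above, this is the Python an analyst reimplements once the key has been read out of the debugger. It is an added example for this page, not the course's solution or any Flare-On material. The implementation is checked against the public "Key"/"Plaintext" RC4 test vector; the encrypted config string, the key and the decoy strings are constructed for the demo.

```python
"""RC4 reimplemented for offline decryption of a sample's data.

Added example, not course material. rc4_ksa returns the 256-byte state S
you would see in the dump window after the key-setup loop; rc4_keystream
yields the bytes the sample XORs in, which you can compare against what
the debugger shows at the XOR instruction. Sample key/config are constructed.
"""
from typing import List, Optional


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permutation of 0..255 derived from the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Pseudo-random generation algorithm: first n keystream bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream. RC4 is symmetric: same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def looks_decrypted(buf: bytes) -> bool:
    """Plausibility check for candidate keys: a PE header or almost all
    printable ASCII. Tune the threshold for the sample at hand."""
    if buf[:2] == b"MZ":
        return True
    printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return len(buf) > 0 and printable / len(buf) > 0.95


def try_keys(ciphertext: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose output passes looks_decrypted."""
    for key in candidates:
        if looks_decrypted(rc4_crypt(key, ciphertext)):
            return key
    return None


# Public RC4 test vector: key "Key", plaintext "Plaintext".
TEST_KEY = b"Key"
TEST_CT = bytes.fromhex("bbf316e8d940af0ad3")

# Constructed scenario: a config string encrypted with the key the debugger
# revealed, plus decoy strings pulled from the same data section.
SAMPLE_KEY = b"d3bugg3r_r3v34l3d"
SAMPLE_PLAIN = b"c2=https://example.invalid/gate.php;sleep=60;id=AGENT-0001"
SAMPLE_CT = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAIN)
DECOYS = [b"kernel32.dll", b"GetProcAddress", b"%s\\%s.exe"]

if __name__ == "__main__":
    print(rc4_crypt(TEST_KEY, TEST_CT))
    print("recovered key:", try_keys(SAMPLE_CT, DECOYS + [SAMPLE_KEY]))
    print(rc4_crypt(SAMPLE_KEY, SAMPLE_CT))
```

When the debugger route and the manual route disagree, compare rc4_ksa(key) against the 256 bytes in the dump after the setup loop: a mismatch there means the sample's key is not the bytes you assumed (a length or null-terminator slip), and a match there but not in the output means the sample is running a modified PRGA.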
-
Analyze malware samples using advanced dynamic analysis (an IcedID sample and a DarkSide ransomware sample).
-
Install Python 3, Python 2, oletools, the Didier Stevens Suite, CMD Watcher and the .NET Framework.
-
Analyze MS Office files using oleid, olevba, oledump and CMD Watcher.
-
Differentiate between the legacy Office binary format and the OOXML format.
-
Analyze VBA macro, XLM macro and template injection samples.
-
Analyze RTF files using rtfobj and rtfdump.
-
Detect encoded strings in RTF files using XORSearch.
-
Install peepdf and other PDF analysis tools.
-
Analyze malicious PDF samples (a sample containing JavaScript code, a phishing sample, a DRM sample, and a NOBELIUM decoy sample).
-
Analyze malicious JavaScript, PowerShell and VBScript.
-
Describe browser fingerprinting.
-
Run JS/JScript on Windows (cscript.exe vs. wscript.exe).
-
Analyze and deobfuscate malicious JS code.
-
Use the Visual Studio debugger and PowerShell ISE.
-
Decompile, debug and deobfuscate a .NET code sample (using dnSpy and de4dot).
-
Decompile and deobfuscate a JAR file (using JD-GUI, Recaf and java-deobfuscator).
-
Decompile and analyze an AutoIt sample (using Exe2Aut, SciTE and the AutoIt debugger).
-
Compile an AutoIt script into an EXE and decompile it back.
-
Extract the Python script from an EXE created by PyInstaller (using pyinstxtractor, uncompyle6 and decompyle3).
-
Decompile and analyze a Python malware sample that fails to decompile properly.
-
Analyze a malicious Android APK (ADB and Logcat).
-
Decode the Android manifest file using axmldec.
-
Disassemble and decompile an Android sample using apktool, dex2jar and JD-GUI.
-
Differentiate between Android virtualization and emulation (using QEMU and AVD Manager).
-
Download Android system images and use AVD Manager.
-
Use ADB push and pull commands and Logcat.
-
Install (sideload) and uninstall an APK using ADB commands.