Introduction to Malware Binary Triage

  • Dates: May 10, 11 and 12 2025
  • Difficulty: Medium
  • Session Format: On-Site

Description

The Introduction to Malware Binary Triage (IMBT) course provides a comprehensive overview of the malware binary triage process. You will learn to reverse engineer and analyze real-world malware samples, including a nation-state SMB worm, prolific loaders used by cybercriminals and a ransomware variant that has been used to attack critical infrastructure. You will learn to use Binary Ninja, x64dbg and other common open-source tools to achieve your analysis objectives. You will also learn how to analyze advanced malware techniques, including obfuscation, process injection and packing algorithms.

This course consists of eleven modules, each containing lectures and practical labs to apply the knowledge that you have gained as you complete the training course. We provide both practical demonstrations and written materials, so no matter what your learning style is, you can complete the course successfully.

Module 1 - Introduction to Malware Binary Triage

This module provides an introduction to the concept of malware triage and an overview of this training course.

Module 2 - Virtual Machine Setup

This module provides an overview and a step-by-step guide for setting up the virtual machine environment that will be used for malware analysis throughout this course. It also provides an overview of the important safety precautions that will be put in place to keep you safe while handling live samples.

Module 3 - PE File Format

This module provides an in-depth look at the Microsoft Windows Portable Executable (PE) file format and provides practical labs to analyze PE attributes commonly used during the malware triage process.

Module 4 - x86 Assembly Primer

This module provides an overview of the Intel x86 (8086) assembly language, little-endian addressing, ring levels, calling conventions and the stack.

Module 5 - Static Analysis

This module provides an in-depth look at the concept of static analysis and how it applies to malware analysis. This includes practical labs that demonstrate analysis of binaries using Binary Ninja, which is followed by analysis of real-world malware samples using these techniques.

Module 6 - Dynamic Analysis

This module provides an in-depth look at the concept of dynamic analysis and how it applies to malware analysis. This includes passive monitoring of malware samples as they execute and debugging malware with x64dbg. We also look at resolving basic obfuscation and patching binaries in memory as they execute to modify execution flow.

Module 7 - Network Monitoring

This module provides an in-depth overview of monitoring network traffic produced by malware using Wireshark, Inetsim and FakeNet-NG. The first practical exam is also provided within this module that will test your knowledge by having you analyze a real-world malware sample using the knowledge you've gained thus far in the course.

Module 8 - Obfuscation

This module provides an in-depth look at removing obfuscation implemented by malware authors in order to recover its original functionality. This includes resolving dynamic import resolution, identification of encryption algorithms, decryption of data using those algorithms, and code-level obfuscation techniques (string concatenation, garbage strings, etc).

Module 9 - Unpacking and Process Injection

This module provides an in-depth overview of the concept of packing, unpacking and process injection. We look at common unpacking and injection techniques used by malware authors to hinder analysis, and provide generic approaches to dynamically unpacking binaries protected with these techniques.

Module 10 - Comparative Analysis

This module provides an overview of comparing malware at a binary level using the concept of "diffing" in order to compare functionality or confirm overlaps between malware families. We also provide a primer for writing YARA signatures and the techniques used to write effective YARA rules for malware families.

Module 11 - Automating Malware Triage

This module provides an overview of automating many of the tasks that we performed throughout this course using freely available tools.

All students will be provided a non-commercial Binary Ninja license and virtual machine to complete the course objectives successfully.

Key Learning Objectives

  • Gain an introductory understanding of reverse engineering and analysis of malware samples.
  • Acquire key information about analyzed malware variants to deliver to stakeholders.
  • Learn tools and techniques to rapidly triage malware variants in order to understand, detect and contain threats.

Who Should Attend?

This course is for anyone with the personal or professional development goal of understanding malware analysis and reverse engineering. Roles this course applies to include Security Operations Center (SOC) analysts, Digital Forensics and Incident Response (DFIR) analysts, malware analysts and Red Team operators (looking to gain insight into the blue team techniques used to reverse engineer their tooling). Being in one of these roles is not, however, a prerequisite for taking this training course.

Prerequisite Knowledge

  • Microsoft Windows and operating system internals. We will be analyzing malware that targets Microsoft Windows and calls core Microsoft Windows APIs to interact with operating system components. Having a basic understanding of how Microsoft Windows functions will assist you in completing this course.

  • Having a basic understanding of network protocols and OSI layers will assist you in understanding the network protocols that we will be looking at. This includes TCP, HTTP and UDP.

  • Having a basic understanding of C and C++ will assist you with the low-level concepts that we will be referencing throughout the course, including pointers, dereferencing, structures and enums.

  • Having a basic understanding of the Intel x86 assembly language will be beneficial. We will be providing a primer for the x86 assembly language, but we will not be covering every single facet of the language to the point of you being an expert. We will, however, be providing labs and exercises to assist you in learning it.

  • We suggest having a basic understanding of the Windows and Linux command-line interfaces if possible, since we will be using them throughout the course.

  • Some optional prerequisites include having security industry experience and understanding terminology commonly used in the security industry. We will be explaining most terminology used during this course, however, having some prior understanding will assist you.

Hardware Requirements

A machine (Microsoft Windows, macOS or Linux) that can run VMware or QEMU. x86-64 host machine architectures are preferred; however, macOS on Apple M-series chips will also be supported. You should have 5 GB of host memory available for VM allocation and 80 GB of disk space free.

Bio

Joshua Reynolds, Invoke RE

Joshua Reynolds is the founder of Invoke RE. Joshua has over ten years of reverse engineering, malware analysis and security experience working for industry leading companies. He has spoken at major conferences such as REcon, RSA, DEF CON and Virus Bulletin on topics including ransomware, malicious document analysis and automating malware analysis. He has also co-developed a malware analysis course that is taught at SAIT Polytechnic.
