Deep dive malware analysis is primarily a static approach, reading the assembly instructions to determine functionality.  Debugging is used in a limited manner for targeted purposes.  The approach can provide every last detail or be used to quickly identify IOC’s and Yara rules, but the method is often shrouded in mystery.  It can take years to develop and most analysts don’t have the time to fumble around in the dark trying to build this advanced skill.  Save yourself countless hours and guesswork and get an up-close view of this approach.

This lab based workshop will guide you through the deep dive process using Ghidra to analyze a malicious RAT from start to finish. You’ll learn how to triage a function, judge what to analyze and what to skip, verify the full C2 network protocol using Python, and much more. See the benefits and learn how you can practice this approach in your own job to dramatically elevate your RE skill level. 

This course starts by presenting the deep dive malware analysis approach.  We discuss the different analysis strategies, explain why the deep dive approach is the most efficient, and then provide a series of warnings and insights to optimize the approach.  We end with a number of tips on how to best practice this strategy in the limited time provided by most jobs.

With the academic portion completed, the rest of the course consists of a series of labs where you will perform the complete analysis of a live malicious RAT (Remote Access Tool) found in the wild.  Each lab comes with a written solution and a video where the lab is performed live so that you can see the analysis in action.  The value comes in watching the live analysis.  

Knowing the method is great and is the first step in learning, but there’s a large gap between knowing what you should do, and knowing how to do it.  How accurate does your analysis need to be prior to moving on to the next capability?  What instructions do you highlight for understanding and what do you skip over?  These types of questions are difficult to learn conceptually and are best learned through example.  The experience you witness in the video solutions is the true value of the course.  Watching the video solutions provides an idea of the decision making process.  That key takeaway will let you speed through the trial and error stage of learning and quickly become proficient.

Performing the labs prior to watching the instructor walkthrough makes the learning interactive.  By first attempting analysis on your own and then watching the instructor walkthrough, you can compare your approach to that of a more experienced reverse engineer.

The example malware chosen is a live piece of malware and not a toy instructional example.  The sample was chosen because it is both realistic, and uses a variety of techniques.  There are several unidentified library functions statically linked, encryption, a network authentication protocol, and a full array of C2 commands.