Participants ‘learn by doing’ using the hands-on virtual lab to practice on malware samples used in the wild by powerful APT actors.
Contact us
Ask a question?
If you want to know anything about the course, we’re here to help.
Advanced Malware Analysis Techniques
Course overview
Kaspersky opens a treasure-box: our legendary training program on Advanced Malware Analysis Techniques. It helps established reverse engineers, incident responders & digital forensics specialists level-up their work on cybersecurity incidents and become unique experts.
The main focus of the course is advanced static analysis because for cybersecurity incidents involving previously unseen malicious code, this is the most reliable way to determine functionality of the code and find actionable artefacts. It allows organizations affected by APTs to define adequate damage assessment and incident response.
The course also heavily features our exclusive know-hows on the automation of decryption, decoding and other processing of the samples which helps not only optimize routine tasks, but preserves your work in the code. You will be introduced to a custom static analysis framework (available for download), proven to be very efficient during decades of Kaspersky APT research.
Igor Kuznetsov, the course author, has participated in Kaspersky research on the most notorious APT campaigns. He has cherry-picked exercises from his own work to cover generic approaches to analysis in IDA Pro, using all important features and also to demonstrate unique cornerstone cases that require special treatment, which will super- charge your skills for the future.
Welcome to the elite club of malware researchers!
100% practical and real-life
Advance your static malware analysis
Strengthen your skills with advanced static analysis techniques, get to know decrypting frameworks to automate your tasks to make your reversing skills unique!
Learn with the best
Igor Kuznetsov is a Chief Security Researcher at Kaspersky. He participated in Kaspersky research on the most notorious APT campaigns and he’s packed the course full of his expertise and exclusive techniques.
Training objectives:
By the end of this training you will be better able to:
- Analyze modern complicated code samples, from receiving the initial artefact, all the way to producing a technical description of the attacker’s TTPs with IOCs
- Produce static decryptors for real-life scenarios and then continuing with in-depth analysis of the malicious code
- Analyze malicious documents that are typically used to deliver initial payloads and know how to extract them
- Ensure damage assessment and incident response efforts are accurate and effective
Key topic areas:
- In-depth analysis of disassembled code
- Identification of common cryptographic algorithms
- Developing own decryptors for common scenarios
- Automating common reverse engineering tasks
- Analyzing exploit payloads
- Recognizing typical code constructs
- Class and structure reconstruction
- Analyzing decompiled bytecode
- Dynamic unpacking, decryption
Your course leader
Igor Kuznetsov,
Chief Security Researcher
Who it's for
InfoSec professionals
The course is intended for established reverse engineers, incident responders and digital forensics practitioners seeking to level up their work with cybersecurity incidents.
Enterprises
After completing this training your cybersecurity or SOC team will be able to implement full dynamic and static analysis of malware efficiently, automate routine tasks and find detailed actionable items for protection of your organization & incident response.
Cybersecurity consultancies
Specialist consultancies who need to train their team on relevant practical skills will also benefit from this course: their personnel will level up and will be able to create more effective cybersecurity products and malware analysis services for clients.
How you'll learn
Guided video lectures
Learn from Igor Kuznetsov, Chief Security Researcher and member of Kaspersky’s revered Global Research and Analysis Team.
Hands-on virtual lab
Practice in our fully configured virtual lab on real targeted malware cases like Lazarus, Sofacy, Regin, Equation, RedOctober, Miniduke and Carbanak.
Iterative learning
The course is structured around progressive learning with a consistent module framework based on specialist overviews of each task, practical work in the virtual lab and detailed solution walk-throughs.
Syllabus
Introduction
Introduction into IDA work flow and shellcode analysis. Main features of IDA required to reverse engineer: code, functions, structures, structure offsets. Reconstructing the metasploit’s API hashing algorithm.
Shell
Practicing shellcode analysis: extracting the C&C from the Metasploit shell, code and data flow analysis, manual reconstruction of a structure, stack layout.
Msfvenom
Unpacking a real-life sample found at a bank and analyzing the shellcode. Proceeding through all the layers of an msvfenom-wrapped Metasploit shellcode to extract the network IOC.
Bangladesh GPCA
Introduction into static decryption, decrypting files using a static analysis framework. Practice on the Bangladesh CB heist case (Lazarus).
Regin driver
Introduction into decryption of malicious Windows PE files (a Regin driver). Dealing with malicious samples with blocks of encrypted data and RVA/RAW offsets.
Decrypt strings
Static analysis of a Sofacy OSX sample. Dealing with separate strings decrypted with a dedicated function. Reconstructing the decryption routine.
Driver
Full-scale reverse engineering of a single PE file (a driver from Equation). Using knowledge from tracks 1-6 to preprocess all encrypted data and then walk through all the code, reconstructing the business logic of the driver in IDA.
Miniduke
DIY disassembly and API hashing. Creating your own tiny disassembler to extract the API hashes from hand-written assembly code and then reconstructing an API hashing algorithm to revert all the hashes to API names. Using IDC files to transfer results to IDA.
Rocra
Introduction to document-based exploit payloads: analysis of a malicious RTF example (RedOctober dropper) where you need to locate the exploit code, unpack several layers till you get to the final payload. Generic approach to dealing with weaponized RTF documents and embedded shellcode.
Cobalt
Exploit analysis of a malicious Word document (Office Equation exploit). Generic approach to analyzing OLE2 objects.
Cloud Atlas
Practice: analysis of a weaponized OLE2 file embedded in an RTF container (CloudAtlas). Extracting several layers till the final payload.
Miniduke PDF
Static analysis of a ROP chain from a PDF document (with Miniduke from). Generic mechanics of a ROP chain, reconstructing the business logic from code snippets.
Ragua Py2exe
Introduction to bytecode-compiled Python samples. Practice using a decompiler to extract the source code.
Cridex
Generic approach to dynamic decryption/unpacking. Extracting the payloads from Cridex samples using the debugger.
Carbanak
Decompiling and analyzing .NET bytecode. Dynamic extraction of the payload.
Snake
Introduction to the Golang binaries. Static analysis, built-in structures, strings. Extracting and decrypting string constants.
What you will reverse:
- Real-life malware from APT cases
- x86/64 Intel code
- Windows PE (including Go), Mac OS X Mach-O files, raw shellcode for Windows
- RTF, OLE2, PDF documents
- .NET and Python bytecode
How you will reverse:
- Static analysis mostly, dynamic analysis exercises are present as well
- Primary tool: IDA Pro
- Automation using Python 3
- Most tracks include code templates that need to be filled in / modified to solve the exercises
- The scripts are written in Python 3 and most are standalone, but several IDAPython scripts are also included in the exercises
Benefits for you
While samples cannot be downloaded, you can download static analysis framework, scripts from the exercises and the training materials.
 |
6 months to complete your course from activation of your access code |  |
 |
Courses delivered in English with subtitles | |
 |
Self-guided learning that fits around your life | |
 |
100 hours of virtual lab time for hands-on learning | |
 |
Static analysis framework, scripts from exercises and training materials are available for download | |
 |
Browser-based via desktop, mobile & tablet | |
 |
Igor Kuznetsov, Chief Security Researcher at Kaspersky GReAT | |
 |
About 60 videos to guide you through the course | |
 |
Platform support and help from our subject matter experts is available by email 0900 - 1730 UK time on standard business days via help.kasperskyxtraining.com | |
 |
If you’re already an xTraining learner then contact us at help.kaspersky.com for a special discount | |
 |
PDF document on a Kaspersky letterhead certifying the completion of the course, signed by the course leader(s) | |
$2,700 inc. tax per learner