Malware Analysis & Reverse Engineering Lab

Overview

In this lab, students will conduct static and dynamic analysis on malware samples to dissect their functionality, extract indicators of compromise (IOCs), and understand how cyber threats operate. The objective is to apply reverse engineering techniques to analyze malicious binaries and scripts.

Lab Instructions

1. Setting Up Your Environment

You will need:

A dedicated malware analysis VM (FlareVM, REMnux, or a sandboxed Windows/Linux VM)
Installed tools:
- Ghidra or IDA Free for static analysis
- Wireshark & ProcMon for system and network monitoring
- Cuckoo Sandbox or Any.Run for dynamic analysis
- YARA for signature-based malware detection

Step 1: Isolate the Analysis Environment

vmrun start /path/to/malware_vm.vmx

Ensure the machine is not connected to the internet and use snapshotting before running any malware.

2. Static Malware Analysis

Static analysis involves examining malware without executing it.

Step 1: Extracting File Metadata

file malware_sample.exe
strings malware_sample.exe | less
sha256sum malware_sample.exe

Identify whether it’s a PE (Portable Executable) file
Extract embedded strings to look for URLs, commands, or API calls
Compute hash values for comparison in malware databases

Step 2: Disassemble with Ghidra

Open Ghidra and import malware_sample.exe
Analyze function calls and entry points
Identify potential obfuscation or packing mechanisms

📝 Proof of Completion: Submit screenshots of extracted metadata and Ghidra function analysis.

3. Dynamic Malware Analysis

Dynamic analysis involves running the malware in an isolated environment to observe its behavior.

Step 1: Monitor System Changes

Use ProcMon to track registry changes, file access, and process injection attempts.

procmon /Run /Minimized

Look for newly created files, processes, or registry keys
Identify attempts to modify startup settings (persistence mechanisms)

Step 2: Capture Network Traffic with Wireshark

wireshark -i eth0 -k

Observe outbound connections to command-and-control (C2) servers
Identify data exfiltration attempts

📝 Proof of Completion: Submit log screenshots highlighting system and network behavior.

4. Reverse Engineering & Code Deobfuscation

Many malware samples use obfuscation to evade detection. This step involves deobfuscating and reversing the malicious code.

Step 1: Identifying Obfuscation Techniques

Use Detect-It-Easy to check if the file is packed.

die malware_sample.exe

If packed, unpack it with UPX:

upx -d malware_sample.exe

Step 2: Writing a YARA Rule

Create a YARA rule to detect malware variants:

rule Malware_Example {
    strings:
        $a = "malicious_string"
        $b = { E8 ?? ?? ?? ?? 68 }
    condition:
        any of them
}

Save as malware.yara and scan:

yara malware.yara malware_sample.exe

📝 Proof of Completion: Submit screenshots of unpacking, code analysis, and YARA results.

Final Submission

Submit a Google Doc with:
- Screenshots of static and dynamic analysis results
- A YARA rule detecting the malware sample
- A short write-up summarizing findings and mitigation steps

🚀 Congratulations! You’ve completed the Malware Analysis & Reverse Engineering Lab! 🚀

Malware Analysis & Reverse Engineering Lab#

Overview#

Lab Instructions#

1. Setting Up Your Environment#

Step 1: Isolate the Analysis Environment#

2. Static Malware Analysis#

Step 1: Extracting File Metadata#

Step 2: Disassemble with Ghidra#

3. Dynamic Malware Analysis#

Step 1: Monitor System Changes#

Step 2: Capture Network Traffic with Wireshark#

4. Reverse Engineering & Code Deobfuscation#

Step 1: Identifying Obfuscation Techniques#

Step 2: Writing a YARA Rule#

Final Submission#