Malware Analysis In 5+ Hours - Full Course - Learn Practical Malware Analysis!
Vložit
- čas přidán 15. 06. 2024
- My gift to you all. Thank you 💜 Husky
🔬 Practical Malware Analysis & Triage: 5+ Hours, CZcams Release
This is the first 5+ house of PMAT, which is my course that is available on TCM Security Academy. The full course is 9 hours of high quality videos, practical labs, and challenges to learn the art and science of malware analysis.
📝 FULL COURSE: bit.ly/tcm-pmat-affil
If you use my affiliate link above to purchase the course, I receive more of the revenue for the course. Thanks for supporting me as a content creator!
📡 Course Discord
Head on over to the HuskyPack for access to the course server! Use the link below to join the server. Please read the rules carefully. Once you have joined and accepted the rules, head to the role channel and select the PMAT-student role to get access to the PMAT channels.
Link: / discord
Please note: you will have to wait at least 10 minutes before you can send any messages in the server. This is to guard against bot invasions!
📝MY BLOG: notes.huskyhacks.dev
🐦TWITTER: / huskyhacksmk
👾GITHUB: github.com/HuskyHacks
-------------------- Timestamps
00:00-05:55 - Intro & Whoami
05:55-08:26 - Download VirtualBox
08:26-10:26 - Download Windows 10
10:26-18:44 - Set Up Windows 10 VM
18:44-19:55 - Download REMnux
19:55-23:36 - Import REMnux
23:36-30:55 - Download and Install FLAREVM
30:55-38:22 - Set up the Analysis Network
38:22-51:38 - Set up INetSim
51:38-55:39 - Course Lab Repo & Lab Orientation
55:39-57:07 - Snapshot Before First Detonation
57:07- 1:03:06 - First Detonation
1:03:06-1:08:12 - Tool Troubleshooting
1:08:12-1:22:27 - Safety Always! Malware Handling & Safe Sourcing
1:22:27-2:13:20 - Basic Static Analysis
2:13:20-3:38:53 - Basic Dynamic Analysis
3:38:53-3:40:52 - INTERMISSION!
3:40:52-4:00:58 - Challenge 1 SillyPutty Intro & Walkthrough
4:00:58-4:58:07 - Advanced Static Analysis
4:58:07-5:28:56 - Advanced Dynamic Analysis
5:28:56-5:50:52 - Challenge 2 SikoMode Intro & Walkthrough
5:50:52-5:52:42 - Outro, Thank You!
------------------- Errata & Course Notes
📺 Downloading Windows 10
Update 5/25/22: The Microsoft Eval Center was down for most of the month of May, but it is back! You can find the Windows 10 image for this course here:
www.microsoft.com/en-us/evalc...
The website looks different than how it appears in the course video, but the ISO is now available there. Select the 64-bit image.
📺 Installing REMnux
Around the 21:33 mark of the video, I start issuing commands to install the VirtualBox VM Tools on REMnux. In newer distros of REMnux, the VM Tools are installed automatically! So you may not have to issue the CD-ROM mount commands and run the auto-installer script.
Check if your VM Tools are installed by minimizing and maximizing the screen of the REMnux guest OS. If the screen resolution changes to fit the size of your monitor, the VM Tools are already installed and you can skip the install instructions.
📺 Course Lab Repo Link
The labs for this course are available here: github.com/HuskyHacks/PMAT-labs
This repo has all of the malware needed to complete this course. Please use this link and view the next video, "Course Lab Repo Download & Lab Orientation" for instructions on how to get started with the repo.
📺 Detonating Our First Sample
Please Note: For this detonation, turn off INetSim before detonating. WannaCry will not detonate if INetSim is running.
📺 Strings & FLOSS: Static String Analysis
Tip: FLOSS can be run with the "-n" argument to specify your desired minimum string length. Sometimes, longer strings can be more useful to an analyst than your standard string of len(4).
📺 Combining Analysis Methods: PEStudio
The newer versions of PEStudio do not come installed by default in FLARE-VM anymore. Please use the official Winitor download link to download PEStudio and transfer it to FLARE-VM: www.winitor.com/download2
📺 Advanced Analysis of a Process Injector
During the Advanced Static Analysis section, I made an error regarding different values that are moved in and out of EAX during the set up for the process injection. In short, I say that PID of an injected process is stored in EAX first, then moved into EDI after the call to OpenProcess returns. This is not technically true: what is returned to EAX after the OpenProcess call is not the PID of the process, but the handle to that process.
TL;DR: once a process injector can get a handle to a process, it can use the handle with all of its remaining API calls to perform the injection.
-------------------- Misc
🎵 Jazzy Bossa Nova song: Canal 3 by Quincas Moreina, available for free on the CZcams Audio Library
/ @quincasmoreira - Věda a technologie
Hey everyone, I messed up the editing for this release and two clips are out of order.
The correct order for Parts I and II of Dynamic Analysis of an Unknown Binary should be as follows:
3:00:54 - Part 1 Basic Dynamic Analysis
2:39:37 - Part 2 Basic Dynamic Analysis
I apologize for the confusion!
I recently completed the full 9 hour course on TCM and loved it. Great class!
Great course! I just made it through the tutorial! I was able to solidify my understanding on basic malware analysis. I have taken a course in my graduate studies and it was a great supplement.
I can't wait to watch this all the way through! Thank you!
Im about 60% through your course loving it gotta stalk your youtube for everything i need more.. MOOORE 👁️👄👁️
Would definetly recommend his course for anyone reading :D
This has been such an amazing journey. Much respect to Husky! Heath's crew @ TCM are awesome! 🎉
Excellent intro to malware analysis ! great job ! looking fwd at many more videos ..
Hey fam! I just released a new, free section of PMAT that includes more detail about the security of Host Only networks and how to set up an Internal Network for malware analysis. It fits right in after the video at 51:39:00. Check it out here: notes.huskyhacks.dev/blog/malware-analysis-labs-internal-network-vs-host-only
Excellent resource. Certainly appreciate the effort that went into this! I encountered an issue with the Windows machine where it wouldn't be fed any fake html page after manually setting the DNS on the Windows machine for the Remnux host. The issue was with the LAN Settings Automatically Detect Settings configuration. Unchecking this box within Internet Explorer resolved the matter. Just in case anyone oberves this as well.
Good to see you share this much for free to many people God bless you.
Thank you Matt, we truly appreciate the 🎁
I already have your course, but its good to see it on youtube :)
I don't usually comment on CZcams but you deserve admirations. I will make sure to mention you in every interview I have for Threat Intel position and to everyone who is interested in Threat Intel/Malware analysis career path.
Thank you is not enough.
Thank you! I managed to pick up the full course (as well as others) during the $1-$6 discount event! You guys are awesome! I am halfway through PMAT and I am enjoying it. This is definitely worth the money! TCM Security has high quality and very affordable training.
Hello, i want to ask how can I drag and drop the malware folder from host to FlareVM, not able to perform this action
@@khodorj6581 I am using VMware Workstation and I had to install VMware tools. There is probably a similar process for VMware Player or VirtualBox.
@@khodorj6581 in vm settings set them drag modes to bi directional
Glad I found this video. I'm getting in to malware analysis in my job and I think your course will be a great intro. Do you cover analysis of malicious websites too?
Thank you my friend. Excelent tutorial :) I'm cheering for you to do more. hhaha
i just completed the course , i really want to thank you for sharing that for free
this is why they say that teaching is an art... you can make someone who knows nothing understand things and slowly take them to the next level is spectacular... as soon as I finish these 5 hours I can't wait to go to buy the rest of the course.
Thank you for the awesome course
best malware analysis course. Thanks for this amazing course
Man you are so generous. Now I can tell my Junior to learn from here to know if he's into malware analysis. Btw I already have the full course and I'm halfway done.
In remnux when i mount it said no medium found on dev/sro what i can do for these
Some may have noticed that the part of Basic Dynamic Analysis was not mounted in the proper order.
3:00:54 - Part 1 Basic Dynamic Analysis
2:39:37 - Part 2 Basic Dynamic Analysis
Thank you @huskyhacks531 for a fantastic tutorial
Yep, I just realized this. Thank you for pointing it out. I just looked into the editor to see if I could rearrange the order but it doesn't look like that's the case.
I'll add something to the description and a pinned comment to try to clear up any confusion.
Thank You for this. i actually finished your course,it was really awesome experience lots of good learning, Highly recommended your course. A very good teacher😍😇
Thank you so much for this amazing tutorial
Please release next set of malware analysis video
You earned a sub, my friend 😊
Great Video..Thank you
awesome video, thank you for all the information. I am a cybersecurity student and found this video invaluable.
Brilliant !!!
Good Lecture man!
I can't thank you enough, Matt 🌸💝
Subscribed!!
Thank you so much
You're the best bruh
Appreciate the effort you put in this video.
Amazing content.
What i liked about the video is the way it has been explain which clear and to the point.
Thanks husky.
I cannot thank you enough.
Gonna need to make some time for this.
Thank you so much for all your hard working ,but I do not know why the commands did not work for with me at the beginning?
Im curious, has the FLAREVM installation changed? I went through the process but simply get a folder named Tools instead of FLARE. Also it seems the packages that get installed are different than those seen the video, for example no peview. Is that just necause theyve changed their tool lost in the config file?
Congrats for ur great work and thanks for the content! I wanted to ask u if the host only adapter is safe because somewhere i read that this is not the case since the vm can communicate with the host.
I actually just wrote a new section of PMAT about this specifically! notes.huskyhacks.dev/blog/malware-analysis-labs-internal-network-vs-host-only
Thanks a lot sir. Just what to know for after ransomware detonation which tools I can use for dynamic analysis like you have shown how to use procmon and procexp but when I detonate the ransomware tools get crash.
at the 4.00.31 i don't understand how i find the metasploit module for use the reverse shell?
Just a quick question.. why does my Network setting is not working? I tried everything but the configuration is just not working in my case? Any solution?
floss cmmand not working in my cmd said that it is not recognizeble how to solve this issue
I am still a beginner, how to install the files to my flare vm and I have no connection to the internet ?
Can you show the same lab setup using VMware Workstation Pro? I haven't been able to find a single video on this topic.
Was hoping someone could answer a question regarding downloading file samples directly from an EDR dashboard. For example, 365 Defender from MS allows me to download a password protected zip file with the sample in question. However, as I am signed in with the company admin account used to access the EDR dashboard and subsequently have to download the sample to my work machine, how can this be done safely? Do I create a read only account for the dashboard access and sign in to that account in a lab environment and then download the sample? Do I just download the zipped sample on my work machine and send it elsewhere? I'm trying to limit as much possible risk from downloading a sample during an investigation and unfortunately Microsoft don't make this easier in the 365 defender dashboard.
Hello Sir,
I am facing one issue, whenever I try to arm any binary, win10 defender or firewall removes it, Although all security options are turned off, Via Real Time Protection, Registry entry, group security policy etc. Still whenever any binary is converted to armed mode, windows automatically removes it. Kindly help what to do?
This is phucking fantastic. Very well explained
cutter and PEview are missing on flarevm
i cannot find the flare-vm github repo
How to filter on Procmon:
2:27:00
3:28:42
I bought this and im so happy i did
Did you bought it on TCM Security?
@@todorokiyosukedesu yeah!
@105:10 did you adjust your DNS and just edit that portion out?
Never mind you cleared the air on this about 10 minutes later! :)
Cool :)
Windows Defender is not letting me detonate de virus :(
is malware analysis job generally full time job or are there part time jobs as well?
Hello, I am trying to find a way to contact Matt Kiely to ask him about his training video i just purchased and i am not able to mount the file.
Hello, please check the description of this video for some notes about that issue.
hey husky i tried to download the repo on my physical host but the defender and browser didn't let me download the repo as it was detection viruses into it
can you help me with it please
Same issue. Best I can find, the latest version of Win10 does not allow users to disable MsMpEng.exe. It is owned by the system. That's Microsoft's main AV scanner. Have not found a way around it yet.
@@OldDirtyDragon well bro it is a very simple issue what i did that i cloned the repo using git clone command and further it was downloaded on the pc but i made sure i dont open or unzip the repo, i further enabled the drag n drop from host to machine option temporarily for flarevm after dropping the repo into the flarevm i disabled the drag n drop option from v box and made sure that i have deleted the cloned repo from my physical machine and during all this process i didn't touched or twitch the windows defender
should work for you as well
21:56 I get error "no medium found on /dev/sr0" :(
It means the needed files are already on your distro. Your good to go!
I'm trying to download labs from the URL given in description but it says "Virus detected" and then stopped downloading.
Please solve my query
download it on the vm and not your host, after its down disable nat again
Waiting for Remnux to install 20:58
I’ll be back whenever I remember to continue 24:40
That first malware file from close to an hour in just will not execute.
Hello , I am not able to drag the malware folder from the host to FlareVM, any idea?
Hi ,I am facing same issue,Can you please share if you already resolved the problem.
@@AaryadevVRBLX @khodorj6581
Same here, have you found the way ? do share the idea.
Hello, you need to enable drag and drop in your VM. On running VM, on toolbar, go to devices -> Drag and Drop -> Host to Guest
this course related to TCM security pratical malware analysis
My laptop doesn't support virtualization what to do in this condition?
lolololol
Thank you very much for this video, can I get your mail id so that can discuss which are related to this in details. Am a PhD student and faculty in an organization, my work on this is very interesting.
Hello , I am not able to drag the malware folder from the host to FlareVM, anyone please help
were you able to solve the problem?
@@mahetsiedahi6530 ITS BEEN A YEAR
@@mahetsiedahi6530 Turn on host to guest in the drag-and-drop setting
While mounting th CD-ROM directory It says no media found under /dev/sr0
Just click on Devices -> Insert Guest Additions CD image...
The no media found error should be solved after this
@@angelaguirre9384 Thanks for saving me!
Edit: I found the answer to the below from your later explanation. However I did waste plenty of time trying to figure out myself. Here what took me further in the wrong direction is when I tried to open the malz file with 7zip and it did actually open it and presented a heirarchy of files and even 2 executables inside. So perhaps you need to rearrange the video so the safety part comes before any detonation. This is so others don't waste time like me (or worse, do something harmful) Thanks.
Original post:
Hi. At 57:08 you jumped to the next video and started working with the wanacry exe. However the file from the repository extracted in the previous video is ransomeware.wanacy.exe.malz
So how did we jump from that to that?!?
That question and more are addressed in the course FAQ, which is located on the course Discord (link in description). If you get stuck like that please check the Discord, it's likely another student has asked the question before and we can get you back on track
@@huskyhacks I found another problem in the youtube video. The 2 video parts of basic dynamics with RAT.Unknown are in reverse order. The first video comes 2nd and the 2nd video comes 1st.
@@quasaaaar Do you mind replying with the time stamps of what you think is out of order? I just skimmed that section and it all looks to be in order
@@huskyhacks for Rat.unknown:
Part 2 @ 2:39:35
Part 1 @ 3:00:55
@@quasaaaar The samples in the sections you've timestamped are different samples. The course material includes multiple samples in the Basic Dynamic Analysis section. The times you've mentioned correspond to Part 2 from the first sample and Part 1 from the second sample
When I try to mount the cdrom I get this error message, mount: /media/cdrom: no medium found on /dev/sr0.
Go to devices>insert guest additions cd image... >run
Is this course basic or advanced?
i installed inetsim and configured it like you did but i dont get a page when i try to access any web site
did you fix it?
@@ytriskad3889 yes but dont remember how
@@ytriskad3889 Hey, I had the same issue you had and was able to get it to work. Let me know if you still have this issue and I can tell you how I got mine to work and that might help in oyur case.
@@Crixus0112 yeah that would be nice
man disabling the Defender is a real PIA, I tried everything. Being Denied access, even with Administrator access. Does anyone here have any ideas.😰
I'm trying to get through the course but I'm not able to run the powershell script from flare-vm. I'm stuck trying to disable Windows Defender... Damn, I've even followed all the links provided under the github repository to do this but none seem to work. Hence I'm stuck here trying to run the powershell script ...
Just for anyone that might face the same issue. I just went ahead and installed Windows 11 on my VM. I was finally able to disable windows defender with the help of John Hammond's yt video. Flare VM install script has successfully ran and I will be continuing the course later today.
listening to all the safety spiels as a linux user is funny. I have a habit of just leaving malware .exes lying around my pc because it can't do anything aha
5:02 5:03 5:05
hello
Isn't this a paid course?
Full course covers up to 9 hours, the first 5 hours are completely free.
Malware analysis didn't work anymore.
May I know why?
why i cant open the Malware.Unknown.exe ? if i renamed it from .exe.malz to .exe it wont run at all. it says i have to look in the microsoft store to search an app to run it.
And could anyone tell me how to get the malware on the vm without compromising my main operating system?
Thanks and Great video!
Can anyone get past the "The Installer GUI" where you can select the different packages you want installed? I dont have the option to confirm yes or no and proceed.
Hi @huskyhacks ! Thank you for sharing the video. I am unable to get Fireeye Flare-vm, it it mandiant/Flare-vm ?
Yes, it's now hosted under the Mandiant org on GitHub
Can you please explain how to differentiate between qakbot and emotet
remnux@remnux:~$ sudo mkdir /media/cdrom
remnux@remnux:~$ sudo mount /dev/cdrom
mount: /dev/cdrom: can't find in /etc/fstab.
I cant seem to get past this
📺 Installing REMnux
Around the 21:33 mark of the video, I start issuing commands to install the VirtualBox VM Tools on REMnux. In newer distros of REMnux, the VM Tools are installed automatically! So you may not have to issue the CD-ROM mount commands and run the auto-installer script.
Had the same problem. Thank you
Insert the guest CD-ROM (VirtualBox Guest Additions installation) as you did in Windows to achieve a better screen resolution.
@@huskyhacks Thank you for clarifying, this may be worth pinning for people such as myself who see this in the far future.
Man thank you this has been amazing. Liked and Subbed and going to recommend your channel. 💙💻🦠😎