PMAT-labs - Labs For Practical Malware Analysis And Triage

Read this carefully before proceeding.

This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real world, "caught in the wild" samples. Both categories are dangerous. These samples are to be handled with extreme caution at all times.

By downloading the contents of this repository, regardless of if you have purchased the course or not, you are agreeing to the End User License Agreement. Please refer to EULA.md for more information.

Structure

The structure of this repository maps to the course videos. The top directory contains the name of the section, and the subdirectories are the samples in use during that part of the course. For example:

In the example above, the 0-1.HandlingAndSafety directory contains a zipped copy of Malware.Calc.exe.7z and the other files that sample is provided with. It is used in the Handling and Safety section in the course.

Underneath the Handling and Safety sample, the 1-1.BasicStaticAnalysis directory contains two samples that are used in that section. The whole course follows this structure, so check to see which section you're currently in and then the videos will reference the sample to work on.

Topics

Each section is broken down by topic:

0. Malware Handling and Safety

This section covers basic malware handing and safety, including defanging malware and safe practices for transfer and storage.

1. Basic Static | Basic Dynamic

This section covers initial triage, static analysis, initial detonation, and the primary methodology of basic analysis.

2. Advanced Static | Advanced Dynamic

This section covers advanced malware analysis methodology and introduces Assembly, debugging, decompiling, and inspecting the Windows API at the ASM level.

3. Specialty Class Malware

This section covers different specialty classes of malware like maldocs, C# assemblies, and script-based malware. It also includes a section on mobile platform malware analysis.

4. Bossfights!

The Bossfights pit you against infamous real world samples of malware and require you to do a full analysis.

5. Automation | Rule Writing | Report Writing

This section covers effective report writing, Yara rule writing, and automating the initial stages of triage with Blue-Jupyter.

6. Course Conclusion: Course Final | References | Resources | Further Readings

The course final consists of a capstone in which you will combine all relevant skills in this course to write and publish open-source information about a given sample from the course.

The course conclusion includes further readings, references, and helpful resources for further learning.

Please note: some samples are used multiple times in different sections. Check to make sure which sample the course videos are referencing and that you have the correct one for a given video.

Challenges

The challenge samples in this course are used as mini-capstones for the different sections. Each sample marked as a Challenge includes a set of questions to answer about the sample as well as an answers/ directory. The README in the answers/ directory contains brief answers to each question in the Challenge. Try to get as far as you can without looking at the answers first!

Password

Each sample is zipped and password protected. The password for all malware samples is infected.

Report Template

In one of the final sections of the course, I teach how to write a simple Malware Analysis report. The template used in that section is here. Feel free to use this as a template for this course or any other malware reports you want to create.

Cosmo?

You may be wondering, why is there a picture of a handsome cat in the root directory?

That's Cosmo, my cat. He's not very good at malware analysis, so he's along for the ride to learn things. I don't have high hopes for him (he is just a cat after all).

cosmo.jpeg serves two functions.

A Surrogate Data File

The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some don't touch your data at all.

cosmo.jpeg is a placeholder for the precious, precious data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. So to accurately represent what data theft or destruction might look like, the custom written malware samples in this course are going to target this file specifically.

It's a bit of a hefty file (about 1.6MB), unlike Cosmo himself who is not a hefty cat at all. So it should serve well as a data file placeholder.

Environmental Keying

I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intention for doing so, imparts risk. So to help mitigate the possibility that these samples could be used maliciously, I've keyed them to this particular file. This is a red team tactic that ensures a payload will only trigger if there are certain identifiers present in the environment. cosmo.jpeg present on the Desktop of FLARE-VM acts as the key for most of the malware samples in this course.

Instructions

When you are done downloading and extracting this lab repository, take cosmo.jpeg and copy it to the desktop of the main user account on the Windows FLARE-VM host. That's all!