Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/huskyhacks/pmat-labs
Labs for Practical Malware Analysis & Triage
https://github.com/huskyhacks/pmat-labs
Last synced: 30 days ago
JSON representation
Labs for Practical Malware Analysis & Triage
- Host: GitHub
- URL: https://github.com/huskyhacks/pmat-labs
- Owner: HuskyHacks
- Created: 2021-10-19T14:12:39.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-10-22T11:40:34.000Z (3 months ago)
- Last Synced: 2024-12-09T19:52:16.454Z (about 1 month ago)
- Language: HCL
- Homepage:
- Size: 14.8 MB
- Stars: 894
- Watchers: 22
- Forks: 209
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# PMAT-labs ๐ฌ
Welcome to the labs for Practical Malware Analysis & Triage.---
[![Release Version][img-version-badge]][release] [![Course Link][course]][course-link] [![EULA][img-license-badge]][eula] ![student-count]
---
## ๐ด WARNING ๐ด
Read this carefully before proceeding.
This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real-world, "caught in the wild" samples. Both categories are dangerous. These samples are to be handled with extreme caution at all times.
- Do not download these samples to a computer you do not own.
- Do not execute any of these samples on a computer you do not own.
- Do not download and/or execute these samples in an environment where you cannot revert to a saved state, i.e. a virtual machine.
- Practice safe malware handling procedures at all times when using these samples.By downloading the contents of this repository, regardless of whether you have purchased the course or not, you are agreeing to the End User License Agreement. Please refer to `EULA.md` for more information.
---
## About the Course โ๏ธ๐
If you're here after purchasing the course, welcome! Thank you for supporting me as a content creator. Read on to the next section to learn how the lab repo works.
If you're here not having purchased the course, welcome! The labs for the course are free (and always will be) and are hosted here on GitHub for anyone who is interested. But if you don't quite know where to begin and/or are interested in learning malware analysis from 9+ hours of high-quality video content, consider buying the course! The videos were made with love to build you into a capable, knowledgeable malware analyst.
If you want to purchase the course and support me as a content creator, please also consider using my affiliate link!
[![Course Link][course]][course-link]
[![Course Affiliate Link][course-affil]][course-affil-link]---
## ๐งญ Structure ๐บ๏ธ
The structure of this repository maps to the course videos. The top directory contains the name of the section, and the subdirectories are the samples in use during that part of the course. For example:
```
๐ฆlabs
โฃ ๐0-1.HandlingAndSafety
โ โฃ ๐Malware.Calc.exe.7z
โ โฃ ๐md5sum.txt
โ โฃ ๐password.txt
โ โ ๐sha256sum.txt
โฃ ๐1-1.BasicStaticAnalysis
โ โฃ ๐Malware.PackedAndNotPacked.exe.malz
โ โ โฃ ๐Malware.PackedAndNotPacked.exe.zip
โ โ โฃ ๐md5sum.txt
โ โ โฃ ๐password.txt
โ โ โ ๐sha256sum.txt
โ โฃ ๐Malware.Unknown.exe.malz
โ โ โฃ ๐Malware.Unknown.exe.7z
โ โ โฃ ๐README.txt
โ โ โ ๐password.txt
...[snip]...
```In the example above, the `0-1.HandlingAndSafety` directory contains a zipped copy of `Malware.Calc.exe.7z` and the other files that sample is provided with. It is used in the `Handling and Safety` section in the course.
Underneath the Handling and Safety sample, the `1-1.BasicStaticAnalysis` directory contains two samples that are used in that section. The whole course follows this structure, so check to see which section you're currently in and then the videos will reference the sample to work on.
---
## Topics ๐
Each section is broken down by topic:
### 0. Malware Handling and Safety
This section covers basic malware handling and safety, including defanging malware and safe practices for transfer and storage.
### 1. Basic Static | Basic Dynamic
This section covers initial triage, static analysis, initial detonation, and the primary methodology of basic analysis.
### 2. Advanced Static | Advanced Dynamic
This section covers advanced malware analysis methodology and introduces Assembly, debugging, decompiling, and inspecting the Windows API at the ASM level.
### 3. Specialty Class Malware
This section covers different specialty classes of malware like maldocs, C# assemblies, and script-based malware. It also includes a section on mobile platform malware analysis.
### 4. Bossfights!
The Bossfights pit you against infamous real-world samples of malware and require you to do a full analysis.
### 5. Automation | Rule Writing | Report Writing
This section covers effective report writing, Yara rule writing, and automating the initial stages of triage with Blue-Jupyter.
### 6. Course Conclusion: Course Final | References | Resources | Further Readings
The course final consists of a capstone in which you will combine all relevant skills in this course to write and publish open-source information about a given sample from the course.
The course conclusion includes further readings, references, and helpful resources for further learning.
`Please note:` some samples are used multiple times in different sections. Check to make sure which sample the course videos are referencing and that you have the correct one for a given video.
---
## ๐๏ธโโ๏ธ Challenges ๐๏ธ
The challenge samples in this course are used as mini-capstones for the different sections. Each sample marked as a Challenge includes a set of questions to answer about the sample as well as an `answers/` directory. The README in the `answers/` directory contains brief answers to each question in the Challenge. Try to get as far as you can without looking at the answers first!---
## Password ๐
Each sample is zipped and password-protected. The password for all malware samples is `infected`.---
## Report Template โ
In one of the final sections of the course, I teach how to write a simple Malware Analysis report. The template used in that section is [here](https://github.com/HuskyHacks/PMAT-labs/raw/main/labs/5-3.ReportWriting/ReportTemplate.docx). Feel free to use this as a template for this course or any other malware reports you want to create.![image](https://user-images.githubusercontent.com/57866415/137550867-19bc0ce1-5ad7-43ff-94ec-29fbc7719d7a.png)
## Cosmo? ๐
You may be wondering, why is there a picture of a handsome cat in the root directory?
```
cosmo.jpeg
```
That's Cosmo, my cat. He's not very good at malware analysis, so he's along for the ride to learn things. I don't have high hopes for him (he is just a cat after all).`cosmo.jpeg` serves two functions.
### A Surrogate Data File
The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some don't touch your data at all.
`cosmo.jpeg` is a placeholder for the precious, precious data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. So to accurately represent what data theft or destruction might look like, the custom-written malware samples in this course are going to target this file specifically.
It's a bit of a hefty file (about 1.6MB), unlike Cosmo himself who is not a hefty cat at all. So it should serve well as a data file placeholder.
### Environmental Keying
I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intention for doing so, imparts risk. So to help mitigate the possibility that these samples could be used maliciously, I've keyed them to this particular file. This is a red team tactic that ensures a payload will only trigger if there are certain identifiers present in the environment. `cosmo.jpeg` present on the Desktop of FLARE-VM acts as the key for most of the malware samples in this course.
### Instructions
When you are done downloading and extracting this lab repository, take `cosmo.jpeg` and copy it to the desktop of the main user account on the Windows FLARE-VM host. That's all![release]:https://github.com/HuskyHacks/PMAT-labs/releases/
[repo]:https://github.com/HuskyHacks/PMAT-labs/ "PMAT-lab repo โถ"
[eula]:https://github.com/HuskyHacks/PMAT-labs/blob/main/EULA.md "EULA โถ"
[course-link]: https://academy.tcm-sec.com/p/practical-malware-analysis-triage
[course-affil-link]: https://academy.tcm-sec.com/p/practical-malware-analysis-triage/?affcode=770707_llmpidil[students]:https://img.shields.io/github/downloads/HuskyHacks/PMAT-labs/total?label=Students&style=for-the-badge
[course]:https://img.shields.io/badge/Course-Available%20Now!-green?style=for-the-badge
[course-affil]:https://img.shields.io/badge/Course-Affiliate%20Link-orange?style=for-the-badge
[img-version-badge]:https://img.shields.io/badge/Version-1.8%20%7C%20September%202023-blue?style=for-the-badge
[lastcommit]:https://img.shields.io/github/last-commit/HuskyHacks/PMAT-labs?style=for-the-badge
[img-license-badge]:https://img.shields.io/badge/license-eula-367588.svg?style=for-the-badge
[student-count]:https://img.shields.io/badge/Students-38K+-orange?style=for-the-badge