PMAT-labs – Labs For Practical Malware Analysis And Triage
Read this carefully before proceeding.
This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real world, “caught in the wild” samples. Both categories are dangerous. These samples are to be handled with extreme caution at all times.
- Do not download these samples to a computer you do not own.
- Do not execute any of these samples on a computer you do not own.
- Do not download and/or execute these samples in an environment that you cannot revert to a saved state, i.e. a virtual machine.
- Practice safe malware handling procedures at all times when using these samples.
By downloading the contents of this repository, regardless of if you have purchased the course or not, you are agreeing to the End User License Agreement. Please refer to EULA.md
for more information.
Structure
The structure of this repository maps to the course videos. The top directory contains the name of the section, and the subdirectories are the samples in use during that part of the course. For example:
📦labs
┣ 📂0-1.HandlingAndSafety
┃ ┣ 📜Malware.Calc.exe.7z
┃ ┣ 📜md5sum.txt
┃ ┣ 📜password.txt
┃ ┗ 📜sha256sum.txt
┣ 📂1-1.BasicStaticAnalysis
┃ ┣ 📂Malware.PackedAndNotPacked.exe.malz
┃ ┃ ┣ 📜Malware.PackedAndNotPacked.exe.zip
┃ ┃ ┣ 📜md5sum.txt
┃ ┃ ┣ 📜password.txt
┃ ┃ ┗ 📜sha256sum.txt
┃ ┣ 📂Malware.Unknown.exe.malz
┃ ┃ ┣ 📜Malware.Unknown.exe.7z
┃ ┃ ┣ 📜README.txt
┃ ┃ ┗ 📜password.txt
...[snip]...
In the example above, the 0-1.HandlingAndSafety
directory contains a zipped copy of Malware.Calc.exe.7z
and the other files that sample is provided with. It is used in the Handling and Safety
section in the course.
Underneath the Handling and Safety sample, the 1-1.BasicStaticAnalysis
directory contains two samples that are used in that section. The whole course follows this structure, so check to see which section you’re currently in and then the videos will reference the sample to work on.
Topics
Each section is broken down by topic:
0. Malware Handling and Safety
This section covers basic malware handing and safety, including defanging malware and safe practices for transfer and storage.
1. Basic Static | Basic Dynamic
This section covers initial triage, static analysis, initial detonation, and the primary methodology of basic analysis.
2. Advanced Static | Advanced Dynamic
This section covers advanced malware analysis methodology and introduces Assembly, debugging, decompiling, and inspecting the Windows API at the ASM level.
3. Specialty Class Malware
This section covers different specialty classes of malware like maldocs, C# assemblies, and script-based malware. It also includes a section on mobile platform malware analysis.
4. Bossfights!
The Bossfights pit you against infamous real world samples of malware and require you to do a full analysis.
5. Automation | Rule Writing | Report Writing
This section covers effective report writing, Yara rule writing, and automating the initial stages of triage with Blue-Jupyter.
6. Course Conclusion: Course Final | References | Resources | Further Readings
The course final consists of a capstone in which you will combine all relevant skills in this course to write and publish open-source information about a given sample from the course.
The course conclusion includes further readings, references, and helpful resources for further learning.
Please note:
some samples are used multiple times in different sections. Check to make sure which sample the course videos are referencing and that you have the correct one for a given video.
Challenges
The challenge samples in this course are used as mini-capstones for the different sections. Each sample marked as a Challenge includes a set of questions to answer about the sample as well as an answers/
directory. The README in the answers/
directory contains brief answers to each question in the Challenge. Try to get as far as you can without looking at the answers first!
Password
Each sample is zipped and password protected. The password for all malware samples is infected
.
Report Template
In one of the final sections of the course, I teach how to write a simple Malware Analysis report. The template used in that section is here. Feel free to use this as a template for this course or any other malware reports you want to create.
Cosmo?
You may be wondering, why is there a picture of a handsome cat in the root directory?
cosmo.jpeg
That’s Cosmo, my cat. He’s not very good at malware analysis, so he’s along for the ride to learn things. I don’t have high hopes for him (he is just a cat after all).
cosmo.jpeg
serves two functions.
A Surrogate Data File
The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some don’t touch your data at all.
cosmo.jpeg
is a placeholder for the precious, precious data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. So to accurately represent what data theft or destruction might look like, the custom written malware samples in this course are going to target this file specifically.
It’s a bit of a hefty file (about 1.6MB), unlike Cosmo himself who is not a hefty cat at all. So it should serve well as a data file placeholder.
Environmental Keying
I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intention for doing so, imparts risk. So to help mitigate the possibility that these samples could be used maliciously, I’ve keyed them to this particular file. This is a red team tactic that ensures a payload will only trigger if there are certain identifiers present in the environment. cosmo.jpeg
present on the Desktop of FLARE-VM acts as the key for most of the malware samples in this course.
Instructions
When you are done downloading and extracting this lab repository, take cosmo.jpeg
and copy it to the desktop of the main user account on the Windows FLARE-VM host. That’s all!