Course Code: 19023
Class Dates: 5 Days
Class Time: Instructor-Led Training, Virtual Instructor-Led Training

Course Overview

This Behavioral Malware Analysis course teaches students the fundamental skills necessary to analyze malicious software from a behavioral perspective. From simple keyloggers to massive botnets, the class covers a wide variety of current threats. Using system monitoring tools and analytic software, students analyze real-world malware samples in a training environment, gaining hands-on experience building secure lab environments, classifying malware, analyzing behavioral characteristics and their effects on systems, and documenting findings.

Audience

The primary audience for this course is:

  • Threat operation analysts seeking a better understanding of malware
  • Incident responders who need to quickly address a system security breach
  • Forensic investigators who need to identify malicious software
  • Individuals who have experimented with malware analysis and want to expand their malware analysis techniques and methodologies

Course Objectives:

  • How to identify malware and discover its capabilities
  • How to set up a secure lab environment to analyze malicious software
  • How to use free tools to characterize malware samples quickly
  • Obfuscation methods used by attackers to escape detection

Prerequisites:

Before taking this course, students should have a comprehensive understanding of Windows, including its major internal components, and a basic understanding of TCP/IP networking.

Course Details

Day 1:

  • Malware Analysis
    • Static Analysis
    • Dynamic/Behavioral Analysis
  • Malware Overview
    • Definition of Malware
    • Malware Intentions and Motivations
  • Malware Types
    • Virus, Worm, Backdoor, Trojan
    • Malicious Mobile Code
    • User-Mode Rootkit, Kernel-Mode Rootkit
    • Combination Malware, Vulnerabilities
  • Malware Threat Research Websites
  • Technologies to Fight Malware and Their Limitations
    • Intrusion Detection Systems and Intrusion Prevention Systems
    • Anti-Virus Software
  • Windows Internals for Behavioral Analysts
    • Windows API
    • Common Libraries
  • Building an Analysis Environment
  • Behavioral Analysis (BA) Process
    • Understanding the Process
    • Knowing Your Goals
  • BA Tools of the Trade
    • VMware Workstation
    • Sysinternals Suite, Regshot
    • ApateDNS & FakeNet
    • Wireshark
    • PEiD & PackerBreaker
    • Process Hacker

Day 2:

  • Baselining
    • Why Baseline a System
    • The Windows Registry
    • Baselining Tools
  • Document-Embedded Malware
    • How to Embed a Document
    • Hijack Scenario, Macro Viruses
    • Melissa Virus Case Study
  • Adware, Spyware, and Ransomware
  • Botnet Malware
    • Definition of a Bot
    • Botnet Communication Architecture
    • Setting Up and Using IRC for Command and Control

Day 3:

  • Keyloggers
    • Purposes
    • Keylogger Types: Hardware vs. Software
    • Remote Access Keyloggers, Sniffers
  • Malicious Mobile Code (Interactive Web Apps)
    • Definition of Malicious Mobile Code
    • Attack Vectors, Reducing Risk of MMC Attacks
  • Backdoors
    • Common Backdoor Types
    • Propagation Methods, Persistence Methods
    • Finding Backdoors
  • Trojan Horses
    • Definition of a Trojan Horse, Backdoor vs. Trojan Horse
    • Trojan Horse Infection Methods
  • Advanced Persistent Threat (APT)
    • Definition of APT
  • User-Mode Rootkits
    • Definition of a Rootkit
    • Benefit of Rootkits for Attackers
    • Kernel- vs. User-Mode Rootkits
    • Detection Methods

Day 4:

  • Drop and Execute Malware
    • Dropper vs. Injector
  • VMware Detection
    • Why Malware Does VMware Detection
    • Honeynets and Honeypots
    • Methods of VM Detection
  • Destructive Malware
  • CHM Malware
    • Normal CHM File Usage
    • Advantages and Disadvantages of CHM Files
  • PDF Malware
  • Kernel-Mode Rootkits

Day 5:

Using the tools, skills, and methodologies taught in Days 1 through 4 of the class, students will derive the answers to questions regarding one final real-world malware specimen. Each student will have to reverse engineer the malware to discover its capabilities and persistence level as well as the threat level of the malware.

What you will learn:

  • Create an isolated and controlled environment for analyzing malware
  • Disassemble malicious software
  • Run malicious software in a debugger to understand its behavior
  • Use system-level and code-level reversing tools
  • Assess stack overflow vulnerabilities and exploits
  • Understand malware obfuscation tactics
  • Recognize malware tactics and behavior