Unpacking Malware Samples | Chapter 0x02: Initial Stagers | Zero 2 Automated | Products | Zero2Automated

Unpacking Malware Samples

Unpacking Malware Samples

For the first video this week, we look at unpacking 4 different malware samples: Dridex, Ramnit, Remcos (.NET), and ZLoader! Unpacking is the first stage in most situations, so knowing how to unpack samples effectively will save you a lot of time!

Zero 2 Automated

Buy nowLearn more

Chapter 0x00: Course Introduction

Course Introduction and Structure

Presentation Access

Discord Invite

IDA Pro & Hex-Rays Training Discount

Chapter 0x01: Algorithms

Delayed 0 days

Looking at Algorithms inside of Malware

Recognizing Common Cryptographic Algorithms - Encryption

"Recognizing Common Cryptographic Algorithms - Encryption" Samples

Chapter 0x02: Initial Stagers

Delayed 0 days

Unpacking Malware Samples

Diving into 1st Stage Loaders

Reversing Second Stage Loaders - IcedID

Reversing Second Stage Loaders - Zloader

Writing Automated Config Extractors and Emulators

Equation Editor Theory PDF: Exploit Analysis

"Unpacking Malware Samples" Samples

"Diving into 1st Stage Loaders" Macro Infected Documents

"Diving into 1st Stage Loaders" Equation Editor Exploiting Documents

"Reversing Second Stage Loaders" Samples

Chapter 0x03: Evasion

Delayed 3 days

Reverse Engineering Process Injection - Reflective, DLL, PE, Hollowing

Reverse Engineering Process Injection - Doppelganging, APC, EarlyBird

Reverse Engineering Process Injection - API Hooking

Reverse Engineering Process Injection - PROPagate Injection

Analyzing Anti-Analysis Mechanisms in Malware

Analyzing Persistence Mechanisms in Malware

Process Injection Theory PDF: PROPagate Injection

Process Injection Theory PDF: Process Doppelganging

Process Injection Theory PDF: Reflective DLL Injection

"Reverse Engineering Process Injection" Samples - Part 1

"Reverse Engineering Process Injection" Samples - Part 2

"Reverse Engineering Process Injection" Samples - Part 3

"Analyzing Anti-Analysis Mechanisms in Malware" Samples

"Analyzing Persistence Mechanisms in Malware" Samples

Practical Analysis

Delayed 5 days

Custom Sample README

Custom Sample 1

Chapter 0x04: Malware Internals

Delayed 7 days

Malware Internals: Qakbot Web Inject Loader (Part 1)

Malware Internals: Qakbot Web Inject Loader (Part 2)

Malware Internals: Worms & Spyware

Malware Internals: Ransomware, POS, Wipers, SpamBots, and RATs

"Malware Internals: Qakbot Web Inject Loader" Sample

"Malware Internals: Worms & Spyware" Samples

"Malware Internals: Ransomware, POS, Wipers, SpamBots, and RATs" Samples

Chapter 0x05: In-Depth Analysis

Delayed 10 days

Theory - Trickbot & Active Directory: In-Depth Analysis

Practical - Trickbot & Active Directory: In-Depth Analysis

Trickbot & Active Directory: Prototype Source Code (CPP)

Qakbot Deep Dive - First Stage Analysis

Qakbot Deep Dive - Second Stage Analysis

Qakbot Deep Dive - Communications Analysis

"Qakbot Deep Dive - First Stage Analysis" Sample

Compiled BriefLZ DLL

Qakbot Scripts

Chapter 0x06: Exploitation

Delayed 12 days

Trickbot Case Study: EternalBlue & EternalRomance - Theory

Trickbot Case Study: EternalBlue & EternalRomance - Practical

Analysing a Kernel Level Priv. Esc. Exploit: CVE-2014-4113

Kernel Level Priv. Esc. Exploit Samples

Analysing a Vulnerable Driver Exploitation Technique for Disabling DSE

Vulnerable Driver Exploitation Samples

Analyzing a UAC Bypass

Chapter 0x07: Decompilable2Src Malware

Delayed 14 days

Analyzing Uncompiled & Decompilable Malware

"Analyzing Uncompiled & Decompilable Malware" Samples

Chapter 0x08: Threat Intelligence

Delayed 15 days

Hunting for Automated Signature Development - YARA

Threat Intelligence - Part 1

Threat Intelligence - Part 2

Chapter 0x09: Shellcode Analysis

Delayed 17 days

Analysing Shellcode Statically and Dynamically

"Analysing Shellcode Statically and Dynamically" Samples

Chapter 0x0A: Rootkits & Bootkits

Delayed 20 days

TrickBoot Theory PDF: Technical Details

Analyzing Trickbot's Bootkit Vulnerability Reconnaissance Tool: Trickboot

permaDll32.zip

Final Examination

Delayed 21 days

Examination Brief

Zero2Automated Exam: Theory

Biweekly Malware Challenges

Challenge #1: Gozi String Decryption

Challenge #2: IcedID Configuration Extraction

Challenge #3: Oski Stealer String Decryption

Challenge #4: Operation DreamJob

Zero2Hero

Zero2Hero: Algorithms - RC4

Zero2Hero: How Attackers Gain Footholds

Zero2Hero: Persistence

Zero2Hero: Privilege Escalation

Zero2Hero: Analysis Of ASUS SHADOWHAMMER Attack

Zero2Hero: Basic Injection Techniques

Zero2Hero: RigEK - Theory

Zero2Hero: RigEK - Practice Part 1

Zero2Hero: RigEK - Practice Part 2

Zero2Hero: POS - Theory

Zero2Hero: POS - Practice

Zero2Hero: FIN7 Insights - Theory

Zero2Hero: FIN7 Insights - Practice Part 1

Zero2Hero: FIN7 Insights - Practice Part 2

Zero2Hero: Trickbot Hooking Engine - Theory

Zero2Hero: Trickbot Hooking Engine - Practice

Zero2Hero: Golang Usage in Malware - Theory

Zero2Hero: Golang Usage in Malware - Practice

Zero2Hero: YARA Hunting for Code Reuse - Theory

Zero2Hero: YARA Hunting for Code Reuse - Practice

Zero2Hero: Malware Samples

Zero2Automated: Malware Walkthroughs E-Book

Zero2Automated Malware Walkthroughs

Zero2Automated Malware Walkthroughs - EPUB (Test)

Blog Posts

Netwalker - From static RE to automatic extraction

Resources

Link to Windows 7 VM