Malware Analysis

Take it apart. Understand it. Build a detection.

A five-day, sample-driven track on dissecting real-world malware - static and dynamic analysis, unpacking, anti-debug evasion, and basic reverse engineering with Ghidra. We end every analysis with a detection your SOC could ship.

Duration: 5 days
Cohort size: ≤ 12
Level: Advanced
Certificate: Verifiable

What you'll walk away with

  • Set up an isolated, instrumented malware lab
  • Triage a binary with static + dynamic indicators in under an hour
  • Unpack common packers (UPX, custom XOR / RC4) safely
  • Read x86/x64 assembly enough to follow a malicious flow
  • Author a Sigma + YARA rule from a fresh sample
  • Write an IR-ready malware analysis report

Who this is for

Designed for the prerequisites below - but motivated learners outside the profile are welcome with a short pre-call.

  • Comfortable with Windows internals (processes, registry, services)
  • Networking + TCP/IP / DNS understanding
  • Basic Python (or any scripting) for automation
  • Curiosity about how things actually work under the hood

Curriculum

Day-by-day breakdown

Day 1

Lab setup + static analysis

  • Isolated VM lab (FlareVM + REMnux)
  • PE / ELF anatomy
  • Strings, imports, entropy
  • Capa + PEStudio walkthrough

Day 2

Dynamic analysis

  • Process Monitor (Procmon) + filter techniques
  • Network capture + INetSim
  • Behavioural sandboxing
  • API call tracing patterns

Day 3

Unpacking + anti-analysis

  • UPX + custom packers
  • Anti-debug + anti-VM tricks
  • Bypassing sleep-based and environment-check evasion
  • Memory dumping with Process Hacker / x64dbg

Day 4

Reverse engineering basics

  • x86/x64 assembly survival kit
  • Ghidra workflow + scripting
  • Recognising malicious flow control
  • Recovering config from packed binaries

Day 5

From sample to detection

  • Authoring YARA rules
  • Authoring Sigma + host detections
  • IOC extraction + sharing (MISP)
  • Final exercise - full report on a fresh sample

Hands-on labs

Realistic, isolated environments - you break things safely and rebuild them harder.

  • Pre-configured FlareVM + REMnux pair
  • Curated commodity + APT-style samples
  • Step-by-step exercises with checkpoints
  • Network-isolated sandbox for live execution
  • Day-5 'analyse a fresh sample' assessment

Tools you'll use

No proprietary kit - everything is industry-standard.

  • Ghidra
  • IDA Free
  • x64dbg
  • PE-bear
  • PEStudio
  • Capa
  • FLOSS
  • ProcMon
  • INetSim
  • YARA
  • Sigma
  • MISP

Your instructor

Senior Malware Researcher

DFIR / malware-analysis practitioner with experience across commodity and targeted intrusions. Teaches the boring parts (setup, triage discipline, report writing) alongside the exciting parts - because incident response without discipline is just guessing.

  • Practitioner first
  • Lab-driven
  • Office hours after class

Reserve your seat

Cohorts are small on purpose. Email us to confirm dates, request a corporate cohort, or ask anything about the curriculum.

Next cohort: On request - quarterly cohorts