Read this carefully before continuing.
This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real-world, "caught in the wild" samples. Both categories are dangerous. These samples are to be handled with extreme caution at all times.
- Do not download these samples to a computer you do not own.
- Do not execute any of these samples on a computer you do not own.
- Do not download and/or execute these samples in an environment that you cannot revert to a saved state, i.e. a virtual machine.
- Follow safe malware handling procedures at all times when using these samples.
By downloading the contents of this repository, regardless of whether you have purchased the course or not, you are agreeing to the End User License Agreement. Please refer to EULA.md for more information.
The structure of this repository maps to the course videos. The top directory carries the name of the section, and the subdirectories are the samples in use during that part of the course. For example:
┣ 📂0-1.HandlingAndSafety
┃ ┣ 📜Malware.Calc.exe.7z
┃ ┣ 📜md5sum.txt
┃ ┣ 📜password.txt
┃ ┗ 📜sha256sum.txt
┣ 📂1-1.BasicStaticAnalysis
┃ ┣ 📂Malware.PackedAndNotPacked.exe.malz
┃ ┃ ┣ 📜Malware.PackedAndNotPacked.exe.zip
┃ ┃ ┣ 📜md5sum.txt
┃ ┃ ┣ 📜password.txt
┃ ┃ ┗ 📜sha256sum.txt
┃ ┣ 📂Malware.Unknown.exe.malz
┃ ┃ ┣ 📜Malware.Unknown.exe.7z
┃ ┃ ┣ 📜README.txt
┃ ┃ ┗ 📜password.txt
In the example above, the 0-1.HandlingAndSafety directory contains a zipped copy of Malware.Calc.exe.7z and the other files that sample is supplied with. It is used in the Handling and Safety section of the course.
Below the Handling and Safety sample, the 1-1.BasicStaticAnalysis directory contains two samples that are used in that section. The entire course follows this structure, so check which section you are currently in, and the videos will reference the sample to work on.
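Each sample directory ships with md5sum.txt and sha256sum.txt beside the archive. The following script, added here as an example and not part of the course repository, shows the check a handler should run before extracting anything: parse both checksum files, hash the listed archive, and refuse extraction on any mismatch or missing file. It assumes the checksum files use the coreutils `<hex digest>  <filename>` layout (an assumption, not stated by the repository), and the sample directory it builds is constructed from placeholder bytes so it can run anywhere without real malware.

```python
"""Verify a sample directory against its md5sum.txt / sha256sum.txt before
extracting the archive.

Assumptions (not from the repository): each sums file uses the coreutils
format ``<hex digest>  <filename>``, one entry per line. The demo directory
built below is constructed for this example and contains no malware.
"""
import hashlib
import os
import tempfile

# Which digest algorithm backs each checksum file found in a sample directory.
SUM_FILES = {"md5sum.txt": "md5", "sha256sum.txt": "sha256"}


def parse_sums(text):
    """Parse coreutils-style checksum lines into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # coreutils writes "<digest>  <name>" or "<digest> *<name>" (binary mode).
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if digest and name:
            expected[name] = digest.lower()
    return expected


def hash_file(path, algorithm):
    """Stream a file through the named hashlib algorithm and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sample_dir(sample_dir):
    """Check every file listed in the directory's checksum files.

    Returns {"ok": [...], "mismatch": [...], "missing": [...]}, each entry
    labelled "<sumfile>:<filename>" so the caller can see which digest failed.
    Raises FileNotFoundError when no checksum file exists at all: an
    unverifiable archive should not be extracted.
    """
    result = {"ok": [], "mismatch": [], "missing": []}
    seen_sums = False
    for sum_name, algorithm in SUM_FILES.items():
        sum_path = os.path.join(sample_dir, sum_name)
        if not os.path.isfile(sum_path):
            continue
        seen_sums = True
        with open(sum_path, encoding="utf-8") as fh:
            expected = parse_sums(fh.read())
        for filename, digest in expected.items():
            target = os.path.join(sample_dir, filename)
            label = f"{sum_name}:{filename}"
            if not os.path.isfile(target):
                result["missing"].append(label)
            elif hash_file(target, algorithm) == digest:
                result["ok"].append(label)
            else:
                result["mismatch"].append(label)
    if not seen_sums:
        raise FileNotFoundError(f"no checksum file in {sample_dir}")
    return result


def safe_to_extract(sample_dir):
    """True only when at least one digest was checked and none failed."""
    r = verify_sample_dir(sample_dir)
    return bool(r["ok"]) and not r["mismatch"] and not r["missing"]


def build_demo_dir(tamper=False):
    """Create a constructed sample directory for the demo (placeholder bytes, no malware)."""
    d = tempfile.mkdtemp(prefix="pmat-demo-")
    # File name taken from the repository tree; the contents are constructed.
    archive = os.path.join(d, "Malware.Calc.exe.7z")
    payload = b"constructed placeholder bytes, not an archive and not malware\n"
    with open(archive, "wb") as fh:
        fh.write(payload)
    for sum_name, algorithm in SUM_FILES.items():
        digest = hashlib.new(algorithm, payload).hexdigest()
        with open(os.path.join(d, sum_name), "w", encoding="utf-8") as fh:
            fh.write(f"{digest}  Malware.Calc.exe.7z\n")
    if tamper:
        # Simulate a corrupted or swapped download made after the sums were written.
        with open(archive, "ab") as fh:
            fh.write(b"!")
    return d


if __name__ == "__main__":
    for tampered in (False, True):
        d = build_demo_dir(tamper=tampered)
        print(d, "safe to extract:", safe_to_extract(d), verify_sample_dir(d))
```

Run it against a real sample directory with `safe_to_extract("labs/0-1.HandlingAndSafety")` before unzipping; both digests are checked independently, so a single edited checksum file is caught as a mismatch on the other one.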
Each section is broken down by topic:
0. Malware Handling and Safety
This section covers basic malware handling and safety, including defanging malware and safe practices for transfer and storage.
1. Basic Static | Basic Dynamic
This section covers initial triage, static analysis, initial detonation, and the primary methodology of basic analysis.
2. Advanced Static | Advanced Dynamic
This section covers advanced malware analysis methodology and introduces Assembly, debugging, decompiling, and analyzing the Windows API at the ASM level.
3. Specialty Class Malware
This section covers different specialty classes of malware like maldocs, C# assemblies, and script-based malware. It also includes a section on mobile platform malware analysis.
4. Bossfights
The Bossfights pit you against infamous real-world malware samples and require you to do a full analysis.
5. Automation | Rule Writing | Report Writing
This section covers effective report writing, Yara rule writing, and automating the initial stages of triage with Blue-Jupyter.
6. Course Conclusion: Course Final | References | Resources | Further Readings
The course final consists of a capstone in which you will combine all relevant skills from this course to write and publish open-source information about a given sample from the course.
The course conclusion includes further readings, references, and helpful resources for further learning.
Please note: some samples are used multiple times in different sections. Check which sample the course videos are referencing and make sure you have the correct one for a given video.
The challenge samples in this course are used as mini-capstones for the different sections. Each sample marked as a Challenge includes a set of questions to answer about the sample as well as an answers/ directory. The README in the answers/ directory contains brief answers to each question in the Challenge. Try to get as far as you can without looking at the answers first!
Each sample is zipped and password protected. The password for all malware samples is
In one of the final sections of the course, I teach how to write a simple Malware Analysis report. The template used in that section is here. Feel free to use it as a template for this course or for any other malware reports you want to create.
You may be wondering: why is there a picture of a handsome cat in the root directory?
This is Cosmo, my cat. He is not very good at malware analysis, so he is along for the ride to learn things. I do not have high hopes for him (he's just a cat, after all).
cosmo.jpeg serves two purposes.
A Surrogate Data File
The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some do not touch your data at all.
cosmo.jpeg is a placeholder for the precious, valuable data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. In order to accurately represent what data theft or destruction might look like, the custom-written malware samples in this course target this file specifically.
It is a bit of a hefty file (about 1.6MB), unlike Cosmo himself, who is not a hefty cat at all. So it should serve well as a data file placeholder.
I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intent for doing so, imparts risk. In order to help mitigate the chance that these samples might be used maliciously, I have keyed them to this specific file. This is a red team tactic that ensures a payload will only trigger if certain identifiers are present in the environment.
cosmo.jpeg present on the Desktop of FLARE-VM acts as the key for most of the malware samples in this course.
When you are done downloading and extracting this lab repository, take cosmo.jpeg and copy it to the desktop of the main user account on the Windows FLARE-VM host. That's all!