Read this carefully before proceeding.
This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real world, "caught in the wild" samples. Both categories are dangerous. These samples are to be handled with extreme caution at all times.
- Do not download these samples to a computer you do not own.
- Do not execute any of these samples on a computer you do not own.
- Do not download and/or execute these samples in an environment that you cannot revert to a saved state, i.e. a virtual machine.
- Practice safe malware handling procedures at all times when using these samples.
By downloading the contents of this repository, regardless of if you have purchased the course or not, you are agreeing to the End User License Agreement. Please refer to EULA.md
for more information.
If you're here after purchasing the course, welcome! Thank you for supporting me as a content creator. Read on to the next section to learn how the lab repo works.
If you're here not having purchased the course, welcome! The labs for the course are free (and always will be) and are hosted here on GitHub for anyone who is interested. But if you're don't quite know where to begin and/or are interested in learning malware analysis from 9+ hours of high-quality video content, consider buying the course! The videos were made with love to build you into a capable, knowledgeable malware analyst.
If you want to purchase the course and support me as a content creator, please also consider using my affiliate link!
The structure of this repository maps to the course videos. The top directory contains the name of the section, and the subdirectories are the samples in use during that part of the course. For example:
📦labs
┣ 📂0-1.HandlingAndSafety
┃ ┣ 📜Malware.Calc.exe.7z
┃ ┣ 📜md5sum.txt
┃ ┣ 📜password.txt
┃ ┗ 📜sha256sum.txt
┣ 📂1-1.BasicStaticAnalysis
┃ ┣ 📂Malware.PackedAndNotPacked.exe.malz
┃ ┃ ┣ 📜Malware.PackedAndNotPacked.exe.zip
┃ ┃ ┣ 📜md5sum.txt
┃ ┃ ┣ 📜password.txt
┃ ┃ ┗ 📜sha256sum.txt
┃ ┣ 📂Malware.Unknown.exe.malz
┃ ┃ ┣ 📜Malware.Unknown.exe.7z
┃ ┃ ┣ 📜README.txt
┃ ┃ ┗ 📜password.txt
...[snip]...
In the example above, the 0-1.HandlingAndSafety
directory contains a zipped copy of Malware.Calc.exe.7z
and the other files that sample is provided with. It is used in the Handling and Safety
section in the course.
Underneath the Handling and Safety sample, the 1-1.BasicStaticAnalysis
directory contains two samples that are used in that section. The whole course follows this structure, so check to see which section you're currently in and then the videos will reference the sample to work on.
Each section is broken down by topic:
This section covers basic malware handing and safety, including defanging malware and safe practices for transfer and storage.
This section covers initial triage, static analysis, initial detonation, and the primary methodology of basic analysis.
This section covers advanced malware analysis methodology and introduces Assembly, debugging, decompiling, and inspecting the Windows API at the ASM level.
This section covers different specialty classes of malware like maldocs, C# assemblies, and script-based malware. It also includes a section on mobile platform malware analysis.
The Bossfights pit you against infamous real world samples of malware and require you to do a full analysis.
This section covers effective report writing, Yara rule writing, and automating the initial stages of triage with Blue-Jupyter.
The course final consists of a capstone in which you will combine all relevant skills in this course to write and publish open-source information about a given sample from the course.
The course conclusion includes further readings, references, and helpful resources for further learning.
Please note:
some samples are used multiple times in different sections. Check to make sure which sample the course videos are referencing and that you have the correct one for a given video.
The challenge samples in this course are used as mini-capstones for the different sections. Each sample marked as a Challenge includes a set of questions to answer about the sample as well as an answers/
directory. The README in the answers/
directory contains brief answers to each question in the Challenge. Try to get as far as you can without looking at the answers first!
Each sample is zipped and password protected. The password for all malware samples is infected
.
In one of the final sections of the course, I teach how to write a simple Malware Analysis report. The template used in that section is here. Feel free to use this as a template for this course or any other malware reports you want to create.
You may be wondering, why is there a picture of a handsome cat in the root directory?
cosmo.jpeg
That's Cosmo, my cat. He's not very good at malware analysis, so he's along for the ride to learn things. I don't have high hopes for him (he is just a cat after all).
cosmo.jpeg
serves two functions.
The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some don't touch your data at all.
cosmo.jpeg
is a placeholder for the precious, precious data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. So to accurately represent what data theft or destruction might look like, the custom written malware samples in this course are going to target this file specifically.
It's a bit of a hefty file (about 1.6MB), unlike Cosmo himself who is not a hefty cat at all. So it should serve well as a data file placeholder.
I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intention for doing so, imparts risk. So to help mitigate the possibility that these samples could be used maliciously, I've keyed them to this particular file. This is a red team tactic that ensures a payload will only trigger if there are certain identifiers present in the environment. cosmo.jpeg
present on the Desktop of FLARE-VM acts as the key for most of the malware samples in this course.
When you are done downloading and extracting this lab repository, take cosmo.jpeg
and copy it to the desktop of the main user account on the Windows FLARE-VM host. That's all!