RSA Malware Analysis

Document created by Craig Hansen Employee on Feb 5, 2016Last modified by Elizabeth Maloney on May 1, 2017
Version 9

In order to register for a class, you need to first create an EMC account
If you need further assistance, contact us

The RSA Malware Analysis course provides security analysts with tools and techniques for analyzing malware and extracting indicators of compromise.

The RSA Malware Analysis classroom-based learning provides students with the knowledge and skills to identify and act on actionable intelligence gathered through the process of malware analysis. Students are introduced to the threat landscape and common malware vectors. They learn to select and apply the tools and techniques required to reverse, monitor, and detect a malware threat. Students develop a workflow to gather intelligence and apply it to their security environment.

Security analysts, computer forensic investigators, and incident responders who have basic knowledge of malware analysis and want to know more about the tools and techniques associated with gathering and responding to actionable intelligence.

Delivery Type

4 days

Prerequisite Knowledge/Skills

Familiarity with computer architecture principles, operating system theory, networking principles (including protocols and communication channels), and fundamental principles of computer security. Experience with programming and scripting concepts is also required. Knowledge of Python is beneficial.

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe the RSA Cyber Defense recommended workflow for reverse engineering current malware threats.
  • Assess the presence of malware on a system.
  • Examine behavior of malware and its interaction with its environment using dynamic analysis tools and techniques.
  • Analyze command and control (C2) communication methods to establish the intention and functionality of the malware.
  • Deduce the program instructions of a malware executable through the use of static analysis tools.
  • Combine static and dynamic analysis methods to investigate more complex features of malware using disassembly and debugging tools.
  • Collect and report actionable intelligence gained from reverse engineering malware.
  • Recommend changes to a security program based upon actionable intelligence.


Industry tools used in this course include:
  • Process Monitor
  • Regshot
  • CFF Explorer
  • Volatility
  • JSBeautifier
  • Process Explorer
  • Wireshark
  • IDA Pro (free version)
  • Yara
  • JD-GUI
  • Process Hacker
  • HBGary Flypaper
  • Immunity Debugger
  • Malzilla
  • Peepdf


Course Outline

  • Introduction to Malware Analysis
    • Define the components of malware and how they work together to compromise a system.
    • Identify common malware vectors.
    • Describe the phases of the intrusion kill chain.
    • Outline the tasks involved in malware analysis.
    • Create a safe environment for investigating malware code and behavior.
  • Assessing the Existence and Persistence of Malware
    • Establish indicators of compromise.
    • Identify host-based artifacts.
    • Identify network-based artifacts.
    • Locate indicators of compromise.
    • Determine malware's method of persistence.
    • Outline the procedure for assessing the presence of malware on a system.
  • Dynamic Analysis of Malware
    • Outline the process of dynamic analysis.
    • Apply dynamic analysis techniques in order to investigate malware's behavior in a virtual environment.
    • Examine malware execution using a debugger.
    • Identify anti-analysis techniques.
    • Defend against anti-analysis techniques.
    • Analyze commonly exploited file formats.
  • Investigating Command and Control Communications
    • Define command and control communication as used by malware.
    • List the types of activities an attacker engages in using C2.
    • Describe C2 techniques.
    • Outline the procedure to capture and analyze C2 traffic.
    • Describe how to set up an environment to investigate C2.
    • Identify the tools critical to C2 investigation.
    • Intercept SSL.
    • Address the issue of C2 not responding.
  • Static Analysis of Malware
    • Explain the process of static analysis.
    • List the outcomes of the static analysis process.
    • Classify sources of data viable for analysis.
    • Identify packing and obfuscation methods used by malware.
    • Describe how compressed files are able to avoid detection.
    • Disassemble malware executable code using IDA Pro.
    • Organize information and data gained from static analysis.
  • Advanced Malware Techniques
    • Multiple layers of obfuscation
    • Botnets
    • Backdoors
    • Debugging using OllyDbg
    • Analyze memory for the presence of rootkits using Volatility.
  • Making Recommendations Based upon Actionable Intelligence
  • Collecting Actionable Intelligence Gained from Malware Analysis
    • Identify trends and problems to solve.
    • Communicate actionable intelligence.
    • Formulate recommendations.
    • Develop Yara rules to classify malware.