This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Unit 5 of REMA
In-Depth Malware Analysis
Packed malware identification, manual unpacking, obfuscated PowerShell, fileless malware, code injection, memory forensics, sandbox analysis, and network signatures.
Topics
Identifying Packed Malware
How packers work, the four structural indicators of packing, packer identification with Detect-It-Easy, common packer families from UPX to VMProtect, and when high entropy alone is insufficient evidence.
Unpacking with a Debugger
The OEP concept, the ESP hardware breakpoint technique step-by-step in x32dbg, alternative breakpoint strategies, Scylla IAT rebuild workflow, dump verification, and common unpacking failures with fixes.
Obfuscated PowerShell Scripts
Six PowerShell obfuscation techniques with decode procedures, AMSI interception and bypass, Script Block Logging for automatic cleartext capture, de-obfuscation tools, and a four-step workflow.
Fileless and Multi-Technology Malware
Four fileless execution techniques, WMI event subscription persistence, registry-resident payloads, multi-technology attack chain analysis, detection evidence sources, and the Astaroth case study.
Cryptographic Identification
XOR encoding patterns, single-byte and multi-byte key extraction, standard algorithm identification via constants, FindCrypt2 and signsrch usage, custom Base64 alphabets, and a six-step decryption workflow.
Memory Forensics with Volatility
RAM acquisition methods, Volatility 3 essential plugins (pslist, psscan, malfind, dlllist, netscan, cmdline), malfind detection criteria, a ten-step analysis workflow, and extracting injected PE files from memory.
Network Signatures and YARA Rules
YARA rule structure, string modifiers, condition logic, writing effective rules, testing with the yara CLI, Snort/Suricata rule structure with key options, and combining both for defence in depth.
Unit 5 Knowledge Check
Test your understanding of all Unit 5 topics — identifying packed malware, manual unpacking, obfuscated PowerShell, fileless malware, cryptographic identification, memory forensics with Volatility, sandbox analysis, and network signatures and YARA — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.