This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.

REMA units

Unit 5 of REMA

In-Depth Malware Analysis

Packed malware identification, manual unpacking, obfuscated PowerShell, fileless malware, code injection, memory forensics, sandbox analysis, and network signatures.

Topics

5.1

Identifying Packed Malware

How packers work, the four structural indicators of packing, packer identification with Detect-It-Easy, common packer families from UPX to VMProtect, and when high entropy alone is insufficient evidence.

5.2

Unpacking with a Debugger

The OEP concept, the ESP hardware breakpoint technique step-by-step in x32dbg, alternative breakpoint strategies, Scylla IAT rebuild workflow, dump verification, and common unpacking failures with fixes.

5.3

Obfuscated PowerShell Scripts

Six PowerShell obfuscation techniques with decode procedures, AMSI interception and bypass, Script Block Logging for automatic cleartext capture, de-obfuscation tools, and a four-step workflow.

5.4

Fileless and Multi-Technology Malware

Four fileless execution techniques, WMI event subscription persistence, registry-resident payloads, multi-technology attack chain analysis, detection evidence sources, and the Astaroth case study.

5.5

Cryptographic Identification

XOR encoding patterns, single-byte and multi-byte key extraction, standard algorithm identification via constants, FindCrypt2 and signsrch usage, custom Base64 alphabets, and a six-step decryption workflow.

5.6

Memory Forensics with Volatility

RAM acquisition methods, Volatility 3 essential plugins (pslist, psscan, malfind, dlllist, netscan, cmdline), malfind detection criteria, a ten-step analysis workflow, and extracting injected PE files from memory.

5.8

Network Signatures and YARA Rules

YARA rule structure, string modifiers, condition logic, writing effective rules, testing with the yara CLI, Snort/Suricata rule structure with key options, and combining both for defence in depth.

5.9

Unit 5 Knowledge Check

Test your understanding of all Unit 5 topics — identifying packed malware, manual unpacking, obfuscated PowerShell, fileless malware, cryptographic identification, memory forensics with Volatility, sandbox analysis, and network signatures and YARA — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.