academy$ objdump -d /lessons/static-analysis/samples.bin | head

00001040: 48 89 e5 mov %rsp,%rbp

00001043: bf 04 20 40 mov $0x402004,%edi

[LESSON_04][INTERMEDIATE]

[🔍 STATIC ANALYSIS TECHNIQUES]

// Master the art of analyzing binaries without execution. Learn disassembly, control flow analysis, string extraction, and function identification to understand malware behavior before it runs.

academy$ cat learning_objectives.md

[🎯 LEARNING_OBJECTIVES]

> mastery_goals.list

[✓]Master disassembler tools (Ghidra, IDA, Binary Ninja)
[✓]Perform comprehensive string and metadata analysis
[✓]Analyze control flow graphs and identify code patterns
[✓]Recognize function signatures and calling conventions
[✓]Extract IOCs and create detection signatures

> prerequisites.cfg

- Completed Lesson 3: File Formats
- Assembly language fundamentals
- Hexadecimal and binary understanding
- Command line proficiency

# Estimated completion time: 5 hours

academy$ man static_analysis

[📚 STATIC_ANALYSIS_FUNDAMENTALS]

🔍 What is Static Analysis?

Static analysis is the examination of software without executing it. Think of it as performing an autopsy on code - dissecting every component to understand structure, behavior, and purpose before the program ever runs.

✅ Advantages

• Safe - malware can't execute
• Complete coverage - analyze all code paths
• Fast - no need for sandboxes
• Deterministic - same results every time

⚠️ Limitations

• Can't analyze runtime behavior
• Defeated by obfuscation/packing
• May miss dynamic code generation
• Requires significant expertise

🛠️ Static Analysis Workflow

1. Initial Triage

file, entropy, DIE, PEiD

File type, size, entropy, packing detection

2. Metadata Analysis

exiftool, sigcheck, pescan

Headers, timestamps, digital signatures

3. String Extraction

strings, FLOSS, StringSifter

Readable strings, URLs, registry keys

4. Disassembly

Ghidra, IDA, Binary Ninja

Convert machine code to assembly

5. Code Analysis

Manual analysis, CFG viewers

Control flow, function identification, algorithms

🎯 Key Analysis Areas

Import/Export Analysis

Reveals capabilities and dependencies

# Windows PE imports

CreateFileW - File operations

RegSetValueW - Registry manipulation

InternetOpenW - Network activity

Entropy Analysis

Detect packed/encrypted sections

# Entropy ranges

0.0-3.0: Low (text/code)

3.0-6.0: Medium (compressed)

6.0-8.0: High (encrypted/random)

Cross-References

Track data and function usage

XREF to sub_401000: 5 locations

XREF from "malware.exe": 12 strings

XREF to API CreateProcess: 3 calls

academy$ which ghidra ida binja && echo "Disassembler arsenal loaded"

[⚙️ DISASSEMBLER_MASTERY]

Ghidra

NSA's Free Powerhouse

🏆 Strengths

• Completely free and open source
• Excellent decompiler output
• Multi-architecture support
• Collaborative analysis features
• Scriptable with Python/Java

💡 Best For

• Beginners learning reverse engineering
• Large-scale malware analysis
• Academic and research projects
• Cross-platform binary analysis

# Quick start

analyzeHeadless /tmp proj -import file.exe -postScript analyze.py

IDA Pro

Industry Standard

🏆 Strengths

• Most mature analysis engine
• Extensive plugin ecosystem
• Superior debugging integration
• Advanced signature matching
• Professional support

💰 Considerations

• Very expensive licensing
• Complex learning curve
• IDA Free has limitations
• Proprietary/closed source

# IDAPython scripting

ida_auto.auto_wait(); print("Analysis complete")

🥷

Binary Ninja

Modern UI Leader

🏆 Strengths

• Beautiful, modern interface
• Excellent API for automation
• Strong community support
• Innovative analysis techniques
• Regular feature updates

🎯 Best For

• Modern malware analysis
• Custom analysis workflows
• UI-focused analysts
• Educational environments

# Binary Ninja Python

bv.get_functions_containing(addr)

🔧 Advanced Disassembly Techniques

Function Identification

Modern disassemblers use multiple techniques to identify function boundaries:

Signature-Based Recognition

# Common function prologs

55 push ebp ; x86

48 89 e5 mov rbp, rsp ; x64

55 8b ec mov ebp, esp ; MSVC

Control Flow Analysis

• CALL instruction targets

• Exception handler entries

• Virtual function table entries

• Switch statement jump tables

Data Type Recovery

Inferring data structures from assembly code patterns:

Structure Field Access

# Detecting struct members

mov eax, [ebp+8] ; struct.field1

mov edx, [ebp+12] ; struct.field2

; Indicates 8-byte and 12-byte offsets

Array Access Patterns

mov eax, [esi+ecx*4] ; int array[index]

mov al, [edi+ebx] ; char array[index]

academy$ strings --help && echo "String analysis toolkit ready"

[🔤 STRING_ANALYSIS_MASTERY]

🎯 Why String Analysis is Critical

Strings are the DNA of malware - they reveal capabilities, targets, and intentions before execution. A single string can identify malware families, C&C servers, or attack vectors.

🔍 Intelligence Goldmine

• C&C server URLs and IP addresses
• Cryptocurrency wallet addresses
• Registry keys for persistence
• File paths and mutex names
• Error messages and debug info

⚠️ Evasion Challenges

• String encryption and obfuscation
• Stack string construction
• Unicode and encoding variations
• Base64 and custom encoding
• Runtime string deobfuscation

🛠️ String Extraction Tools

GNU strings (Basic)

# Extract ASCII strings (min 4 chars)

strings -a malware.exe

# Include Unicode strings

strings -a -e l malware.exe

# Print offsets

strings -a -t x malware.exe

Fast but limited - misses encoded/encrypted strings

FLOSS (Advanced)

# FireEye Labs Obfuscated String Solver

floss malware.exe

# Emulate string deobfuscation

floss --no-static-strings malware.exe

# Save deobfuscated strings

floss -q malware.exe > deobfuscated.txt

Can reverse string obfuscation through emulation

Custom Regex Hunting

# Hunt for specific patterns

strings malware.exe | grep -E "(http|ftp)://.*"

strings malware.exe | grep -E ".*\\.(exe|dll|bat)$"

strings malware.exe | grep -E "^[A-Z]:\\\\.*"

Targeted hunting for IOCs and file paths

🏷️ String Classification & Analysis

🚨 High-Value Strings

Network IOCs

• http://malware-c2.example.com/gate.php
• 192.168.1.100:4444
• evil.dyndns.org

File System

• C:\\Windows\\System32\\evil.exe
• %TEMP%\\payload.dll
• ~/.bashrc

Registry Keys

• SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
• SYSTEM\\CurrentControlSet\\Services

🔧 Analysis Techniques

Encoding Detection

Base64: "aHR0cDovL2V2aWwuY29t"

Hex: "687474703a2f2f6576696c2e636f6d"

ROT13: "uggc://rivy.pbz"

String Entropy

Low entropy: "Hello World" (readable)

High entropy: "xK9#mP$vL2@" (encrypted/random)

Cross-Reference Analysis

Find where strings are used in the disassembled code

academy$ objdump -M intel -d malware.exe | grep -E "(jmp|call|ret)" | head

[🌐 CONTROL_FLOW_ANALYSIS]

🧠 Understanding Program Logic

Control Flow Graphs (CFGs) reveal how malware thinks and behaves. By mapping the flow of execution, you can identify algorithms, understand decision logic, and predict program behavior.

📊 CFG Benefits

• Visualize program structure
• Identify unreachable code
• Find algorithm patterns
• Detect anti-analysis tricks
• Guide dynamic analysis

🔍 Analysis Focus

• Basic block identification
• Loop structure recognition
• Conditional branch analysis
• Dead code detection
• Code complexity metrics

🧩 Basic Block Analysis

What is a Basic Block?

A basic block is a maximal sequence of instructions with:

• Single entry point - Only one way in
• Single exit point - Only one way out
• Sequential execution - No branches inside
• Atomic unit - Either all instructions execute or none

# Example basic block

loc_401000: ; Entry point

mov eax, [ebp+8] ; Sequential

add eax, 1 ; Sequential

mov [ebp-4], eax ; Sequential

jmp loc_401020 ; Exit point

Block Boundary Detection

Block Starts

• Function entry points
• Jump/call targets
• Instructions after branches
• Exception handler entries

Block Ends

• Jump instructions (JMP, JNZ, etc.)
• Call instructions
• Return instructions
• Last instruction before target

🔄 Common Control Flow Patterns

🔀 Conditional Branches

# If-else pattern

cmp eax, 0

jz else_block

; if body

jmp end_if

else_block:

; else body

end_if:

Analysis tip: Look for CMP/TEST followed by conditional jumps

🔄 Loop Structures

# For/while loop

mov ecx, 10

loop_start:

; loop body

dec ecx

jnz loop_start

Pattern: Backward jumps typically indicate loops

🎯 Switch Statements

# Jump table

cmp eax, 4

ja default_case

jmp [jump_table+eax*4]

jump_table:

dd case_0, case_1...

Indicator: Indirect jumps with address tables

🎯 Advanced CFG Analysis Techniques

Complexity Metrics

Cyclomatic Complexity

Measures the number of independent paths through code

CC = E - N + 2P
E = edges, N = nodes, P = programs

Interpretation

1-10: Simple, easy to understand

11-20: Moderately complex

21-50: Complex, hard to test

>50: Very complex, likely obfuscated

Anti-Analysis Detection

Obfuscation Patterns

• Excessive conditional jumps
• Dead code insertion
• Opaque predicates (always true/false)
• Control flow flattening
• Indirect jumps through calculations

Detection Heuristics

# Suspicious patterns

jmp $+5 ; Jump to next instruction

xor eax, eax; Followed by

jz label ; Always taken

academy$ nm -D malware.elf | head && echo "Analyzing symbol table..."

[🎯 FUNCTION_IDENTIFICATION]

📝 Function Signature Analysis

Standard Library Functions

Many functions can be identified by their unique patterns and constants:

# memcpy signature

push edi

push esi

mov esi, [ebp+src]

mov edi, [ebp+dst]

mov ecx, [ebp+len]

rep movsb ; Distinctive pattern

Tools: FLAIR signatures, Zynamics BinDiff, Diaphora

Cryptographic Functions

Crypto algorithms have distinctive constants and operations:

AES:

0x63636363, S-box tables, ShiftRows operations

SHA-256:

0x428a2f98, 0x71374491, 0xb5c0fbcf...

MD5:

0x67452301, 0xefcdab89, 0x98badcfe

📞 Calling Convention Analysis

Windows x86 Conventions

stdcall (__stdcall)

• Parameters pushed right-to-left

• Callee cleans stack (ret 0x10)

• Used by Win32 API

cdecl (__cdecl)

• Parameters pushed right-to-left

• Caller cleans stack (add esp, 0x10)

• C/C++ default

fastcall (__fastcall)

• First 2 params in ECX, EDX

• Remaining on stack

• Callee cleans stack

x64 Conventions

Microsoft x64 ABI

• RCX, RDX, R8, R9 for first 4 parameters

• XMM0-XMM3 for floating point

• Caller allocates 32-byte shadow space

• 16-byte stack alignment required

# Typical x64 function call

mov rcx, param1

mov rdx, param2

call function

academy$ cd /workshop/static_analysis && ls -la samples/

[🔬 STATIC_ANALYSIS_WORKSHOP]

Apply your static analysis skills on real-world samples! Each exercise builds on the previous, teaching you to systematically dissect malware without ever executing it.

1Comprehensive Static Analysis: Banking Trojan

🏦 Real Binary Banking Trojan Sample

Analyze a compiled binary with realistic banking trojan patterns. This is a real Mach-O executable with actual functions you can decompile in Ghidra and Binary Ninja. Completely safe for analysis.

📥 Download Real Binary 📄 View Source Code

Phase 1: Initial Triage

Command Line Assessment

$ file samples/banking_trojan_real.exe

Mach-O 64-bit executable arm64

$ ls -la samples/banking_trojan_real.exe

-rwxr-xr-x 50,520 bytes

$ strings samples/banking_trojan_real.exe | wc -l

127 strings found (analyzable with Ghidra)

Entropy Analysis

$ python entropy_analyzer.py banking_trojan.exe

.text: 4.2 (normal code)

.data: 6.8 (compressed/encrypted)

.rsrc: 7.1 (likely packed resources)

Phase 2Ghidra Deep Dive

1. Initial Import and Auto-Analysis

File → Import File → banking_trojan.exe

Analysis → Auto Analyze 'banking_trojan.exe'

✓ Decompiler Parameter ID: ON

✓ Windows PE x86 Propagate External Parameters: ON

Key findings: 247 functions identified, 15 external references, 3 suspicious string clusters

2. Import Analysis in Ghidra

Window → Symbol Tree → Imports

Navigate to KERNEL32.dll:

→ CreateFileW

→ WriteFile

→ CreateMutexW

Navigate to WININET.dll:

→ InternetOpenW

→ HttpOpenRequestW

→ InternetReadFile

Analysis: High-risk combination of file I/O, networking, and synchronization APIs

3. String Analysis in Ghidra

Search → For Strings...

Min Length: 4, Null Terminated: ✓

Filter results:

"http://secure-bank-update.com/form.php" @ 0x402080

"BankingCredentials.dat" @ 0x402120

"SecureBankHelper" @ 0x402150

Cross-reference: Right-click string → References → Show References to see usage

4. Function Analysis and Decompilation

Navigate to entry function (usually FUN_00401000)

Window → Decompile

Look for suspicious patterns:

if (CreateMutexW(..., "BankTrojanMutex2024", ...)) {

// Main malware logic

}

Pro tip: Rename functions (press 'L') for better analysis: FUN_00401230 → "download_payload"

Phase 3: Binary Ninja Analysis

1. Load and Initial Analysis

File → Open → banking_trojan.exe

Wait for automatic analysis to complete

View → Strings (Ctrl+Shift+S)

Binary Ninja advantage: Real-time analysis with immediate cross-references

2. Control Flow Graph Analysis

Navigate to main function (entry point)

View → Graph View

Identify key decision points:

→ Mutex check (anti-reinfection)

→ Internet connectivity test

→ Registry persistence setup

Key insight: Three-stage execution flow with error handling

3. API Cross-Reference Analysis

Right-click on InternetOpenW → Find References

Results show 2 references:

sub_401450: Network connectivity check

sub_401680: C&C communication function

Double-click sub_401680 → High Level IL:

hInternet = InternetOpenW("Mozilla/5.0...", ...);

hRequest = HttpOpenRequestW(..., "POST", "/gate", ...);

Discovery: Malware impersonates Mozilla browser for C&C communication

4. Advanced Taint Analysis

Right-click suspicious string "BankingCredentials.dat"

Select "Highlight Variable" → Choose bright color

Observe data flow through functions:

String loaded → passed to CreateFileW → written with stolen data

Pattern identified: Credential harvesting and local storage workflow

Phase 4: Advanced Analysis Synthesis

Ghidra vs Binary Ninja Findings

Ghidra Strengths:

• Better PE header analysis
• More detailed string cross-references
• Superior decompiler for complex logic

Binary Ninja Strengths:

• Cleaner control flow visualization
• Real-time analysis updates
• Better taint/data flow analysis

Combined Intelligence Report

Malware Type: Banking Credential Stealer

Persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

C&C Communication: HTTPS POST to /gate endpoint

Data Exfiltration: Stores credentials in local .dat file

Anti-Analysis: Mutex-based reinfection prevention

Target: Online banking sessions (form injection)

📊 Complete Analysis Summary

Malware Family

Banking Trojan / Credential Harvester

Attack Vectors

Browser injection, form grabbing, C&C communication

Persistence

Registry Run key, browser configuration modification

2Control Flow Analysis: Packed Malware

📦 Packed Malware Challenge

Analyze a packed malware sample that uses control flow obfuscation. Learn to identify unpacking stubs, find the original entry point (OEP), and understand evasion techniques.

📥 Download Sample

Step 1: Multi-Tool Packer Detection

Command Line Detection

$ file samples/packed_malware.exe

PE32 executable, UPX packed

$ die samples/packed_malware.exe

Packer: UPX(3.96)[NRV2E]

Entropy: 7.89 (packed)

Overlay: No

Section Analysis

$ objdump -h samples/packed_malware.exe

UPX0 RWX (packed data)

UPX1 R-X (unpacking stub)

.rsrc R-- (minimal resources)

⚠️ Abnormal section names = packing

Step 2: Ghidra Analysis of Packer Stub

1. Import and Analysis Setup

File → Import → packed_malware.exe

Analysis → Auto Analyze (disable aggressive analysis)

⚠️ Uncheck "Aggressive Instruction Finder" for packed files

✓ Keep "Create Address Tables" enabled

Why: Aggressive analysis can misinterpret packed data as code

2. Entry Point Examination

Navigate to entry point (usually 0x401000)

Disassembly view shows:

401000: PUSHAD ; Save all registers

401001: MOV ESI,0x405000 ; Source address

401006: LEA EDI,[ESI+0x0] ; Destination calculation

40100b: CLD ; Clear direction flag

40100c: MOV ECX,0x3A8 ; Loop counter

Pattern recognition: Classic decompression loop setup

3. Unpacking Algorithm Analysis

Follow the control flow:

REP MOVSB ; Copy packed data

XOR decryption loop

Jump table reconstruction

POPAD ; Restore registers

JMP 0x402340 ; Jump to Original Entry Point (OEP)

Critical finding: OEP located at 0x402340 - bookmark this address!

4. Memory Layout Analysis

Window → Memory Map

Observe sections:

UPX0: 00401000-00404FFF (packed data)

UPX1: 00405000-00405FFF (unpacker code)

Note: Original .text will be at 0x402000 after unpacking

Insight: UPX creates virtual sections that get unpacked at runtime

Step 3: Binary Ninja Unpacking Strategy

1. Initial Load and Entropy Visualization

File → Open → packed_malware.exe

Tools → Entropy → View Entropy Graph

Observations:

High entropy sections: UPX0, UPX1

Low entropy: Import table, some strings

Binary Ninja advantage: Visual entropy analysis guides unpacking strategy

2. Control Flow Analysis of Unpacker

Navigate to entry point (0x401000)

View → Graph View

Analysis reveals:

→ Single linear unpacking path (no anti-debug)

→ Clear decompression loop structure

→ Direct jump to OEP (no obfuscation)

Assessment: Simple UPX packing - manual unpacking feasible

3. Static Unpacking Technique

Since this is educational UPX, use command line:

$ upx -d packed_malware.exe -o unpacked.exe

Then reopen in Binary Ninja:

File → Open → unpacked.exe

Now analyze the original malware without obfuscation

Real-world note: Custom packers require manual unpacking with debuggers

4. Post-Unpacking Analysis

Analysis of unpacked.exe reveals:

✓ 89 functions (vs 12 in packed version)

✓ 1,247 strings (vs 23 in packed version)

✓ Clear import table with 67 APIs

⚠️ Suspicious APIs: keylogger, screen capture, crypto

Key insight: Packing hides massive amounts of malicious functionality

Step 4: Comparative Analysis Results

Packed vs Unpacked Analysis

Packed Binary Analysis:

• 12 functions detected
• 23 readable strings
• Minimal import table
• High entropy sections

Unpacked Binary Analysis:

• 89 functions with clear structure
• 1,247 strings including C&C URLs
• Complete API imports visible
• Normal entropy distribution

Key Lessons Learned

1. Packing Detection: Multiple tools confirm packing (file, DIE, entropy)

2. Static Limits: Packed binaries resist static analysis

3. Unpacker Analysis: Understanding packer logic enables unpacking

4. Tool Synergy: Ghidra excels at stub analysis, Binary Ninja at visualization

5. Real Malware: Custom packers require dynamic unpacking techniques

academy$ diff educational_sample.exe real_malware.exe

[🚨 REAL_MALWARE_INDICATORS]

⚠️ Critical Difference: Educational vs Real Malware

Our educational samples contain malware patterns and strings but use only safe APIs like printf(). Real malware uses the same strings but calls dangerous APIs that actually perform malicious actions.

🔍 Professional Tip: Always check the Import Address Table (IAT) and actual API calls - not just strings!

📋 Registry Persistence: Educational vs Real

✅ Our Educational Sample

Strings Found

"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"Registry key: %s"

"Educational: This would setup persistence"

Actual API Calls

printf("Registry key: %s\\n", registry_key);

printf("Educational simulation");

// Only prints messages - NO actual registry modification

Safe for analysis: Contains learning patterns but performs no malicious actions

🚨 Real Banking Malware

Same Strings (Deception)

"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"WindowsSecurityUpdate" // Fake legitimate name

"C:\\Windows\\System32\\svchost32.exe" // Fake system file

Dangerous API Calls

RegOpenKeyExW(HKEY_CURRENT_USER, ...)

RegSetValueExW(hKey, L"WindowsSecurityUpdate", ...)

RegCloseKey(hKey)

// Actually modifies Windows registry for persistence!

Real threat: Actually writes malicious entries to Windows registry

📋 Import Address Table (IAT) Analysis

🔍 Professional Detection Technique: IAT Analysis

The Import Address Table shows which external APIs a program can call. This is the most reliable wayto identify potential malicious capabilities, regardless of obfuscation or string encryption.

✅ Educational Sample IAT

libc.dylib (macOS):

printf

puts

malloc

free

// Only safe system functions

// No registry, network, or file APIs

Analysis: Can only print messages and manage memory - no malicious capabilities

🚨 Real Malware IAT

KERNEL32.dll:

CreateFileW, WriteFile, CreateMutexW

ADVAPI32.dll:

RegOpenKeyExW, RegSetValueExW

WININET.dll:

InternetOpenW, HttpSendRequestW

USER32.dll:

SetWindowsHookExW, GetAsyncKeyState

// Complete malicious toolkit available!

Analysis: Registry modification, network communication, keylogging, file operations

🎯 Professional Malware Detection Workflow

Step-by-Step Real Malware Analysis

Import Address Table Analysis

• Check Windows → Symbol Tree → Imports

• Look for dangerous APIs: RegSetValueEx, CreateProcess, InternetOpen

• High-risk = Multiple dangerous API categories present

String Analysis & Cross-References

• Extract all strings: Search → For Strings

• Look for: registry paths, file paths, URLs, mutex names

• Follow XREFs: Which functions use these strings?

API Call Verification

• For each suspicious string, verify actual API usage

• Registry strings + RegSetValueEx calls = Real persistence

• Network strings + InternetOpen calls = Real C&C communication

Behavioral Pattern Recognition

• Persistence: Registry + File system + Service installation

• C&C Communication: Network APIs + Encryption + Data exfiltration

• Evasion: Anti-debug + Packing + VM detection

🚩 Real Malware Red Flags Checklist

🚨 Critical Indicators

⚠️Registry APIs: RegSetValueEx, RegCreateKey, RegDeleteKey

⚠️Process APIs: CreateProcess, OpenProcess, TerminateProcess

⚠️Network APIs: WinINet, WinSock, raw sockets

⚠️Injection APIs: VirtualAllocEx, WriteProcessMemory

⚠️Hook APIs: SetWindowsHookEx, SetWinEventHook

⚠️ Evasion Indicators

🔍Anti-Debug: IsDebuggerPresent, CheckRemoteDebuggerPresent

🔍VM Detection: Registry checks, hardware fingerprinting

🔍Packing: High entropy, minimal imports, obfuscated strings

🔍Persistence: Multiple mechanisms (registry + files + services)

🔍Legitimate Names: svchost32.exe, WindowsUpdate.exe

academy$ ./master_analyst_challenge --static-analysis-expert

[🏆 MASTER_ANALYST_CHALLENGE]

🎯 Advanced Persistent Threat Analysis

You've discovered a sophisticated APT sample with multiple stages and advanced evasion techniques. Perform a complete static analysis and create comprehensive intelligence reports.

Phase 1: Multi-Stage Analysis

• Identify all embedded stages and payloads
• Map the complete infection chain
• Extract configuration data and IOCs
• Analyze anti-analysis techniques

Phase 2: Attribution Analysis

• Compare with known APT TTP databases
• Identify code reuse and shared infrastructure
• Extract metadata for timeline analysis
• Create threat intelligence reports

Phase 3: Signature Creation

• Develop YARA rules for detection
• Create Snort/Suricata network signatures
• Build IOC packages for threat hunting
• Design behavioral detection logic

🛠️ Professional Analyst Toolkit

Advanced Analysis Commands

# Complete static analysis pipeline

floss --no-static-strings apt_sample.exe

yara-rules/apt_detection.yar apt_sample.exe

radare2 -A apt_sample.exe

binwalk -e apt_sample.exe

# Generate intelligence reports

capa apt_sample.exe --format json

malware_analyzer.py --full-report apt_sample.exe

📦 Master Challenge Kit

📥 APT Sample 🐍 Config Extractor 📋 YARA Templates 📝 Analysis Guide

Complete the master challenge to earn your Static Analysis Expert certification!

✅

Static analysis mastery achieved!

Ready for Lesson 4: File Formats