This post will be a complete review of the Zero2Automated – The Advanced Malware Analysis course, and the certification exam available at the end of the course delivered by 0ffset Training Solutions.
About the Course
I won’t waste your time with the obvious things that can be found in one of the links I attached above. So, let’s start.
The course is structured by modules, as follows:
- Main modules (I will talk about them later), where you learn to:
  - Recognize the code patterns of encryption algorithms;
  - Understand the stages of malware infection, for example: 1st stage -> 2nd stage -> final payload;
  - Reverse engineer defense evasion techniques such as different types of memory injection and anti-analysis techniques;
  - Reverse engineer persistence techniques;
  - Reverse engineer vulnerability exploits;
  - Analyze malware types in depth (reverse engineering of RATs, ransomware, banking stealers, etc.);
  - Follow the analysis flow in depth, allowing you to develop your own methodology;
  - Reverse engineer rootkits and shellcode;
  - Analyze non-compiled malware, developed in Python, PowerShell, etc.;
  - Understand what Threat Intelligence is in the context of malware analysis, and develop Yara rules for detection and research.
- 4 Practical Challenges;
- ‘Zero2Hero’ Bootcamp;
- Malware Walkthroughs E-Book;
- Provision of a Windows 7 ISO.
The content is made available through PDFs, and mainly through videos. The video lessons are mostly taught by Daniel Bunce, and some by Vitali Kremez (R.I.P.).
This course is not for beginners!! And by beginners I mean those people who know absolutely NOTHING about malware analysis and reverse engineering. Skills that I think are important for you to have before starting the course are:
- Prior knowledge of development, especially in C/C++ or Python;
- Prior knowledge of how threats operate, types of malware, tactics, techniques and procedures of threat actors.
Remember, these are NOT prerequisites; I myself did not know how to develop in C/C++. But they are knowledge that will help you A LOT in understanding the context in which malware analysis and reverse engineering sit, and thus you will understand the value of producing intelligence through these activities. If you don’t have this knowledge, you can still continue, but with more difficulty and a steeper learning curve. Always remember to respect your limits.
In addition to the complementary PDFs, there are also some e-books with complete analyses of some samples, written by Daniel himself, which give you a better understanding of the analysis flow.
About the Content of the Modules – General Information
It’s not an easy course, and by saying that I might scare you. Don’t be scared, just be warned that if you’re just starting your journey in malware reverse engineering, you’re going to struggle a bit at first. And I say that as a positive point, because if you’re setting out to acquire intermediate/advanced knowledge on a topic and you never struggle to understand something, you’re probably not learning. Suffering is part of the process of understanding something completely unknown to us, and it is a good sign that you are about to learn something you could not understand before.
I myself struggled at the beginning! My knowledge was limited to my background (Threat Hunting, DFIR and Red Team Operations), and to the content of the TCM Security course, which I had taken over a year before starting Zero2Automated. In other words, I barely knew what packing was, much less unpacking :’) . I had no idea how to write a simple encryption algorithm in C/C++, much less recognize it in Assembly. I personally felt very challenged by the course, mainly because the content was 95% new to me.
The entire course is conducted almost entirely in IDA Pro and x32dbg, meaning you will see C pseudocode or Assembly instructions almost all the time. If you didn’t feel very comfortable with Assembly and C at the beginning of this course, you can be sure that by the end you will be familiar with them. Although the course basically uses these two tools, you can apply the knowledge acquired through it to any other disassembler or debugger. I use Binary Ninja myself, and I have not had any difficulty following the course.
Depending on the module, if it is a very dense and complex topic, a PDF is also made available to complement the content covered in the videos. The existing PDFs helped me A LOT to understand subjects that were, for me, absurdly abstract and complex even with the videos. In addition to the PDFs, every malware sample used in the video classes is made available so that you can analyze for yourself what was covered in the class, and perhaps go further. I highly recommend doing so.
The modules each have a main theme, which is explored in depth in each class. For example, there is a module on the internals of each type of malware, allowing you to understand the characteristics of each one. Another good example is the In-Depth Analysis module! In this module, you are exposed to the entire flow of analysis and intelligence production (configuration extraction scripts and emulation of malware functionality). I believe this was the module I enjoyed the most, and from which I learned the most.
About the Content of the Modules – Intelligence Production and Python Usage
One thing I would really like to mention in this review is that Daniel shows us in depth how Python is one of the indispensable tools in the intelligence extraction process. During the course, Daniel will show you the true power of Python to perform extremely important activities in malware analysis. I guarantee that after completing this course, you will know:
- How to develop script logic to decrypt encrypted payloads;
- How to develop scripts to emulate malware behavior for numerous purposes.
So imagine that you have identified that the sample you are analyzing stores an encrypted configuration and the decryption key at certain locations within the binary, and that you have also identified the decryption algorithm the malware uses to recover the configuration it needs to communicate with its C&C servers. Using Python, you can develop a script that automates decrypting and extracting the configuration, not only for this sample but probably for other samples of the same family.
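The configuration extractor described above, as an added example that is not part of the original review or of the course material. It assumes a hypothetical layout in which the sample stores a `CFG1` marker followed by the key length, the key itself, the ciphertext length and the RC4-encrypted configuration; the blob, the marker, the key and the configuration string are all constructed here, and RC4 is chosen only because the review mentions it as the algorithm taught in the bootcamp. The extractor also shows the two checks a practitioner wants in such a script: bounds checks on every length field read from the binary, and a plausibility check on the decrypted output so that a wrong key or algorithm fails loudly instead of producing garbage.

```python
"""Toy configuration extractor: find an embedded, RC4-encrypted config block
inside a binary blob, recover the key stored next to it, and decrypt it.
The block layout, marker, key and config contents are constructed for this
example and are not taken from any real malware family."""
import string
import struct

MARKER = b"CFG1"  # hypothetical tag the (imaginary) loader uses to locate its config
PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary: filler bytes, then
    MARKER | u16 key_len | key | u32 cfg_len | RC4(key, cfg) | more filler.
    The C2 address uses a documentation range (TEST-NET-3)."""
    key = b"examplekey"
    config = b"c2=203.0.113.10:443;interval=60;campaign=demo"
    block = MARKER + struct.pack("<H", len(key)) + key
    block += struct.pack("<I", len(config)) + rc4(key, config)
    return bytes(range(256)) * 2 + block + b"\x90" * 64


def extract_config(blob: bytes):
    """Return the parsed config as a dict, or None if no config block is present.
    Raises ValueError if the block is truncated or the decryption looks wrong."""
    off = blob.find(MARKER)
    if off == -1:
        return None
    pos = off + len(MARKER)
    if pos + 2 > len(blob):
        raise ValueError("truncated key length field")
    (key_len,) = struct.unpack_from("<H", blob, pos)
    pos += 2
    if key_len == 0 or pos + key_len + 4 > len(blob):
        raise ValueError("empty key or truncated key/config length")
    key = blob[pos:pos + key_len]
    pos += key_len
    (cfg_len,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    if pos + cfg_len > len(blob):
        raise ValueError("config length exceeds blob")
    plain = rc4(key, blob[pos:pos + cfg_len])
    # Plausibility check: a wrong key or algorithm yields mostly non-printable bytes.
    if any(b not in PRINTABLE for b in plain):
        raise ValueError("decrypted config is not printable; wrong key or algorithm?")
    fields = {}
    for item in plain.decode("ascii").split(";"):
        name, _, value = item.partition("=")
        fields[name] = value
    return fields


if __name__ == "__main__":
    print(extract_config(build_sample_blob()))
```

Against a real family the marker search would be replaced by whatever actually locates the block (a fixed RVA, a section name, a pattern preceding the key), but the shape of the script stays the same, which is why one extractor usually covers many samples of the same family.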
Another thing I would like to mention is how much this course made me a better developer, and above all a better developer of automation and emulation tooling. This aspect of the course gave me several insights that I now use at work and in personal projects. In addition, it showed me how broadly the intelligence extracted through malware analysis can be operationalized.
This allows the student not only to absorb the knowledge passed on in the classes, but also to apply it to their own reality and create their own flow for analyzing malicious samples.
About the Zero2Hero Bootcamp
Depending on the bundle you purchase, you also get the Zero2Hero Bootcamp content. As a bootcamp, it doesn’t contain the huge amount of detail that Zero2Automated has. Therefore, it can even serve as an introduction before you start diving into the dense content of Zero2Automated.
This bootcamp gives you an introduction to the RC4 encryption algorithm, as well as the analysis of some malware families and even exploit kits used by APT groups. At the end, it gives a good introduction to Yara detection rules, which are also covered in the Zero2Automated course.
About the Exam
Obviously, I won’t give you any details about the exam. What I can say is that it is quite challenging. The certification exam is made up of two parts:
- Theoretical Exam: here you are tested on the content you have absorbed from the course classes. I don’t remember exactly how many there are, but I think there are around 70 questions, divided into multiple-choice questions and open questions. The weight of each question in your final grade differs: a more difficult question counts more towards your final grade than an easier one.
- Practical Exam: after successfully passing the theoretical exam, you will receive an email from Daniel asking when you want to start the practical exam. On the chosen day, Daniel will send you an email with a scenario (told as a story) and everything you need to take the technical exam. From this point on, you have two weeks to complete your analysis and send a technical report of your complete analysis.
I found the theoretical exam to be easier, but with very specific questions. So before you start, make sure you have watched all the classes and put into practice the content you have learned.
The practical exam is quite challenging and requires you to think a little outside the box. I finished the analysis and the report in 7 days, although I got stuck in some phases for two to three days. During the practical exam, I recommend that you write the report while you do your analysis; this way you will save time. My report had a total of 51 pages, but this should not be a rule; I personally like writing.
When you finish, send the technical report to the same email address from which you received all the steps. From there, wait for your feedback. I received my feedback after about 30 days. The feedback contains your result (whether you passed or failed) and excellent comments on what could have improved your grade. And of course, the certification that proves you have passed all the prerequisites of the course and the theoretical and practical exams.
Conclusion and Feedback
Well, I hope that in this review you understood what Zero2Automated is about, what its main features are and what the strongest points of this course are. I had already obtained the eJPT, BTL1 and CRTP certifications (I plan to do reviews) before taking this one, and I can safely say that this was the best and most challenging, both in terms of the course content to be learned and the theoretical and practical exams.
Today, the Malware Analysis and Reverse Engineering field has few quality sources of training and certification, so companies like SANS charge a fortune for a course and even more for the certification exam. I believe that Zero2Automated is even more advanced than the GREM content, and obviously MUCH cheaper (God bless Daniel Bunce for that).
What I think could be improved in the course in general is the addition of more PDFs throughout the modules. The supplementary PDFs helped me A LOT to absorb the material after watching the videos. I believe that adding more of these PDFs, with more specific content explaining the reasons behind certain things, would be VERY welcome.
The course is great, the content is wonderful, and I am truly happy that I made the decision to start this journey. I hope you enjoyed the review, and if you also start this journey, I hope you enjoy the entire learning process.