Reverse Engineering Malware

The content of this course has been transforming over time constantly as the current hot topics related to malicious code is constantly changing. Year 2021 iterations will be focused on reverse engineering skills, information exchange and building skills for improving existing response infrastructure with real-time event processing technology.


Due to the COVID-19 situation this course MIGHT be held as an online course and in that case the confirmed students DON’T HAVE TO TRAVEL to Estonia, and in that case they don’t have to buy flight tickets and don’t have to book accommodation in Tallinn. 

If the course will be held online, then all of the technical details to join the course will be shared with the confirmed participants until 27th of September, 2021 and the Administration fee will be reimbursed for the participants.

Learning Objectives

Goal of this course is to deliver to the participants following skills and knowledge:

  • Understanding malware: life-cycle and motivation of their creators.
  • Identifying malware related activity in endpoints and networks.
  • Autonomously collect information and analyze samples from multiple stages of malware.
  • Producing and using indicators of malware related activity.
  • Work as team while identify and search for IoC’s.


  • Cybersecurity incident life cycle; Lockheed Martin Kill Chain.
  • Preparing the lab
    • Tools and skills; safety
  • ”Black box” analysis
    • Monitoring host activity
    • Monitoring network activity
    • Collecting and selecting meaningful observable indicators
  • Deobfuscating Code in a Word Macro
  • Reverse Engineering Basics
    • Introduction into Assembly
  • Familiarizing reverse engineering
  • Static analysis (IDA Pro)
  • Dynamic analysis (OllyDbg, WinDgb)
  • Writing IOCs (Yara rules)
  • Familiarizing with Ghidra debugger
  • Making systems more resilient to the attacks
    • Collecting and sharing IOCs
    • Network architecture
    • Endpoint security
    • Automating mitigation
  • Anti-Debugging and Anti-VM Techniques
  • Practice: teamwork with parallel tasks for solving malware activity related incident


Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to become familiar with malware analysis and related topics.


  • Good work/administration experience in Linux (as the work environment) and Windows (as the malware environment).
  • Basic understanding of network traffic and malware.
  • Ability to use virtual machine technology (Virtualbox or similar).
  • Experience with firewalls and network traffic analysis (Wireshark and similar).
  • Basic understanding of assembler and higher programming languages.
  • Scripting language skill (Python, Visual Basic, Bash).
  • English language skill comparable to STANAG 6001,

NB! Please be aware of the strong technical nature of this course. It is not intended for inexperienced IT security specialists. The topics covered in this course are mostly similar to the previously given Botnet Mitigation Course. Therefore, this course is not recommended for previous participants of the BMC.

 Pre-study e-Learning material


Registration opens on 21st of June, 2021. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]