ssadras/CSCD94-Advanced-Evasive-Malware-Analysis-Course

🔍 Malware Analysis Portfolio

Owner: Sadra Setarehdan
Supervisor: Prof. Thierry Sans

A curated collection of hands-on malware analysis labs and projects, demonstrating methodologies in static and dynamic analysis, developed over a 12-week course and independent study.


📖 Table of Contents

  1. About
  2. Repository Structure
  3. Analysis Workflow
  4. Content Overview
  5. External Malware Naming
  6. Windows Dev Crash Course
  7. Contributing
  8. License
  9. Contact

📝 About

This repository showcases my malware analysis journey based on the Practical Malware Analysis book, supplemented by RIPSEC, The Ghidra Book, and independent analyses of external samples.


🗂 Repository Structure

malware-analysis-portfolio/
├── README.md                             # This overview file
├── docs/                                 # General methodology & tools
│   └── methodology.md
├── tools/                                # Scripts, plugins, and rules
│   ├── ghidra/
│   ├── ida/
│   └── other/
├── book-labs/                            # Course lab solutions
│   ├── PMA/                              # "Practical Malware Analysis" labs
│   ├── RIPSEC/                           # RIPSEC labs
│   └── ghidra-book/                      # "The Ghidra Book" labs
├── external-malware/                     # Independent sample analyses
│   └── <sample-hash>/                    # e.g. 3F2A1B4C5D6E7F...
└── windows-programming-crash-course/     # Windows desktop dev crash-course
    ├── Week 1 - simple app/
    └── Week 3 - dll creation/

⚙️ Analysis Workflow

Detailed in docs/methodology.md, covering:

  • Setup: Two VMs with the needed tools
  • Static Analysis: PE header inspection, strings, imports, control-flow graphs
  • Dynamic Analysis: Observed effects of the malware and changes made to the system
  • Reporting: To Be Completed...
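As an added illustration of the "PE header inspection" step above (example code written for this README, not a script from the repository or from docs/methodology.md), the parser below reads the DOS header, follows e_lfanew to the PE signature and decodes the COFF file header fields an analyst usually checks first: target machine, section count, link timestamp and the DLL/executable characteristic flags. It refuses truncated or non-PE input instead of reading past the end of the buffer. The build_constructed_pe helper fabricates a minimal header so the example runs offline without any real sample.

```python
import struct
from datetime import datetime, timezone
from typing import Dict

# IMAGE_FILE_HEADER.Machine values (from the PE/COFF specification)
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
# IMAGE_FILE_HEADER.Characteristics bits
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data: bytes) -> Dict:
    """Decode the DOS stub pointer and the COFF file header of a PE image.

    Every offset is bounds-checked before use so a crafted or truncated
    sample cannot make the parser read outside the buffer.
    """
    if len(data) < 0x40:
        raise ValueError("truncated DOS header")
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew at offset 0x3C gives the file offset of the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4 bytes signature + 20 bytes IMAGE_FILE_HEADER must fit in the file
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})"),
        "number_of_sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "size_of_optional_header": opt_size,
        "is_executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def build_constructed_pe(machine: int = 0x8664, nsections: int = 2,
                         timestamp: int = 0x5F000000,
                         characteristics: int = 0x2022) -> bytes:
    """Constructed minimal header (DOS header + PE signature + COFF header).

    This is test scaffolding, not a real binary: it has no sections or code.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp,
                       0, 0, 240, characteristics)   # 240 = size of PE32+ optional header
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for key, value in parse_pe_header(build_constructed_pe()).items():
        print(f"{key:>25}: {value}")
```

A real sample would be read with `open(path, "rb").read()` inside the analysis VM; the parsed timestamp is worth recording in analysis.md because packers and build pipelines often leave it zeroed or obviously forged.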

🗒 Content Overview

  • book-labs/
    Structured by source: PMA, RIPSEC, Ghidra Book. Each lab folder contains analysis.md, artifacts, scripts, and sanitized samples (binaries are .gitignored).

  • external-malware/
    Each sample in its own folder named by the SHA256 hash for consistency and traceability. Inside:

    • analysis.md — Step-by-step report
    • artifacts/ — Dumps, screenshots, logs
    • (sample.bin) — Actual malware (encrypted or omitted and .gitignored)
  • tools/
    Custom plugins and helper scripts organized by platform.

  • windows-programming-crash-course/
    Code from a Windows programming crash course (organized by week). Brief notes only.


🏷 External Malware Naming

I recommend using the SHA256 hash as the folder name for each sample (e.g., 3f2a1b4c5d6e7f8a9b0...). This ensures:

  • Unique, collision-resistant identifiers
  • Privacy (no direct naming of malware family)
  • Easy cross-referencing with VT, MISP, and other threat intel

Alternatively, you could suffix the hash with a short alias: 3f2a1b4c..._Emotet, but keeping pure hashes maintains uniformity.
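The naming convention above, worked through in code as an added example (written for this README; not a script from the repository): sample_folder_name derives the folder name from the raw sample bytes, with the optional short alias suffix, and audit_folder_names checks an existing external-malware/ listing for names that break the pattern and for the same SHA256 stored twice under different aliases, which is the uniformity problem the last sentence warns about. The folder layout (analysis.md, artifacts/) follows the Content Overview section; the alias character set and length limit are assumptions of this example.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# <sha256> or <sha256>_<alias>; the alias rule (1-32 alphanumerics or '-') is
# an assumption of this example, not a rule stated by the portfolio.
ALIAS_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
FOLDER_RE = re.compile(r"^(?P<sha256>[0-9a-f]{64})(?:_(?P<alias>[A-Za-z0-9-]{1,32}))?$")


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 of the raw sample bytes (matches VT/MISP lookups)."""
    return hashlib.sha256(data).hexdigest()


def sample_folder_name(data: bytes, alias: Optional[str] = None) -> str:
    """Folder name for a sample: pure hash, or hash plus a short alias suffix."""
    name = sha256_hex(data)
    if alias is not None:
        if not ALIAS_RE.fullmatch(alias):
            raise ValueError(f"alias must be 1-32 alphanumerics or '-': {alias!r}")
        name = f"{name}_{alias}"
    return name


def parse_folder_name(name: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a conforming folder name into its hash and alias; None if it doesn't conform."""
    m = FOLDER_RE.match(name)
    if m is None:
        return None
    return {"sha256": m.group("sha256"), "alias": m.group("alias")}


def audit_folder_names(names: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Audit an external-malware/ listing against the convention.

    Returns (bad_names, duplicates): names that do not match
    <sha256>[_alias], and hashes that appear under more than one folder.
    """
    bad: List[str] = []
    seen: Dict[str, List[str]] = {}
    for n in names:
        parsed = parse_folder_name(n)
        if parsed is None:
            bad.append(n)
            continue
        seen.setdefault(parsed["sha256"], []).append(n)
    duplicates = {h: folders for h, folders in seen.items() if len(folders) > 1}
    return bad, duplicates


def create_sample_folder(root: Path, data: bytes, alias: Optional[str] = None) -> Path:
    """Create <root>/<name>/ with the analysis.md and artifacts/ skeleton.

    The sample bytes themselves are deliberately not written: per the README
    they stay encrypted or omitted and .gitignored.
    """
    folder = root / sample_folder_name(data, alias)
    (folder / "artifacts").mkdir(parents=True, exist_ok=True)
    report = folder / "analysis.md"
    if not report.exists():
        report.write_text(f"# Analysis of {sha256_hex(data)}\n\n## Static\n\n## Dynamic\n")
    return folder


if __name__ == "__main__":
    # Constructed stand-in for a sample; a real one would be read from disk.
    fake_sample = b"MZ constructed bytes standing in for a sample"
    print(sample_folder_name(fake_sample))
    print(sample_folder_name(fake_sample, "Emotet"))
    print(audit_folder_names([
        sample_folder_name(fake_sample),
        sample_folder_name(fake_sample, "Emotet"),
        "emotet_sample",
    ]))
```

Running audit_folder_names over `[p.name for p in Path("external-malware").iterdir()]` is a cheap pre-commit check that keeps the directory consistent as the portfolio grows.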


🪛 Windows Dev Crash Course

Brief code samples and notes for a 2-week Windows development crash course. See windows-programming-crash-course/ for structure.


🤝 Contributing

Although this is a personal portfolio, contributions or feedback are welcome! Please open an issue or pull request for suggestions.


🛡 License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.



📫 Contact

Sadra Setarehdan
Email: s.setarehdan@mail.utoronto.ca
Supervisor: Prof. Thierry Sans

About

A concise portfolio of hands-on malware analysis labs and tools by Sadra Setarehdan (supervised by Prof. Thierry Sans), featuring PMA, RIPSEC, Ghidra Book exercises, independent sample investigations, and a Windows desktop app crash course.