Ficha

Versión en español

Course: 2025/2026

Malware analisys and engineering

(12400)

Master in Cybersecurity (Plan: 325 - Estudio: 288)

EPI

Coordinating teacher: ESTEVEZ TAPIADOR, JUAN MANUEL

Department assigned to the subject: Computer Science and Engineering Department

Type: Electives

ECTS Credits: 3.0 ECTS

Course: 1º

Semester: 2º

Requirements (Subjects that are assumed to be known)

- Software Systems Exploitation - Secure Communications - Data Protection - Cyberdefense Systems - Cyberattack Techniques - Cybercrime, Cyberterrorism, and Cyberwar

Objectives

Understand the main types of malware and the techniques used to achieve their objectives. Learn the techniques and tools used in malware analysis, including both static and dynamic analysis. Develop useful artifacts for the threat intelligence lifecycle, including analysis reports and indicators of compromise. LEARNING OUTCOMES Make an informed choice for the best analysis tool in the investigation process started due to suspicion of presence of malware. Explain the mechanisms that can be used to conceal an intrusion in a system.

Learning Outcomes

Link to document

Description of contents: programme

1 Introduction 1.1 Basic Concepts and Evolution 1.2 Malware Analysis Techniques 1.3 The Lab 2 Basic Analysis Techniques 2.1 The Life of an Executable 2.2 Basic Static Analysis 2.3 Basic Dynamic Analysis 3 Advanced Analysis Techniques 3.1 x86 Disassembly 3.2 C Code Constucts in Assembly 3.3 IDA Pro 3.4 The Windows API 3.5 Debugging 4 Behaviors 4.1 Downloaders 4.2 Backdoors 4.3 Info Stealers 4.4 Persistence 4.5 Covert Launching 4.6 Data Encoding 4.7 Anti-disassembly 4.8 Anti-debugging 4.9 Anti-virtualization 4.10 Packers

Learning activities and methodology

LEARNING ACTIVITIES: - Lectures and practicals - Lab sessions - Tutorship - Group work - Individual work METHODOLOGIES - Lectures to introduce and discuss the main course concepts. - Study and analysis of references provided by the lecturer, including academic papers, reports, selected book chapters, and press articles. This will be instrumental to consolidate and complement concepts introduced in the course, and also as material to be discussed during some lectures. - Analysis of practical cases proposed by the lecturer, either individually or in group. - Presentation and discussion of topics and practical cases related to the course. - Preparation of individual essays and reports.

Assessment System

% end-of-term-examination/test 0
% of continuous assessment (assigments, laboratory, practicals...) 100

Calendar of Continuous assessment

The assessment system includes:

1. Continuous assessment of the student through one or more of the following methods:
     1.1. Oral or written tests.
     1.2. Essays and reports assigned by the lecturer.
     1.3. Presentations about a course topic.
     1.4. Participation in the debates organized throughout the semester.

Continuous assessment accounts for 100% of the final mark.

2. A final exam assessing the knowledge and skills acquired during the course for those students that chose not to follow the continuous assessment. The final exam accounts for 100% of the final mark.

For the extraordinary exam, students will sit an exam for 100% of the final grade. This exam may have questions related to all activities done during the course.

Basic Bibliography

Michael Ligh, Steven Adair, Blake Harstein, Matthew Richard. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code. Wiley. 2010
Michael Sikorski, Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press. 2012

The course syllabus may change due academic events or other reasons.