LAB L15 · REVERSE ENGINEERING · ADVANCED

Reverse Engineering with Ghidra + AI

Decompile a malware sample in Ghidra (NSA's free RE tool). Use AI to explain assembly and decompiled C code, identify key functions, document findings, and map behavior to MITRE ATT&CK.

120 min
🖥️ Flare-VM or REMnux
🔧 Ghidra · x64dbg · Python
🤖 AI Code Explanation
🔍 Reverse Engineering Challenge

The malware sample from L03-L04 has been submitted for deeper analysis. Leadership wants to understand exactly what it does — not just behavioral indicators. You'll decompile the binary in Ghidra, document key functions, and produce a technical capability report.

Phase 0 — Ghidra Setup & Import
Configure Ghidra and import the binary for analysis
Launch Ghidra and create a new project
Ghidra is pre-installed on both Flare-VM and REMnux; only the launcher differs by platform
# On REMnux (Linux):
ghidra &
# On Flare-VM (Windows): Start menu → Ghidra, or run ghidraRun.bat from the Ghidra install directory
# In the Ghidra UI:
# File → New Project → Non-Shared Project
# Name: "MalwareAnalysis_L15"
# File → Import File → select your sample.exe
# Accept the defaults (PE format, x86/x64 language auto-detected) → OK → double-click the file → "Analyze now?" → Yes
💡
Auto-analysis takes 1-5 minutes depending on binary size. Check the progress bar at the bottom of the CodeBrowser window.
Navigate the Ghidra interface
Understand the key windows before starting analysis
Key Ghidra panes:
Symbol Tree (left): imports, exports, functions, labels
Listing (center): disassembly view
Decompiler (right): pseudo-C code — the most readable view
Functions: Window → Functions window shows all identified functions

Start by clicking Imports in the Symbol Tree to see the Windows API functions the binary links through its import table. If that list is tiny, or consists mostly of LoadLibrary/GetProcAddress, the sample is packed or resolves APIs at runtime: work on the unpacked binary and follow the callers of GetProcAddress instead.
🤖 AI Analyst

Paste the list of imports shown in Ghidra's Symbol Tree → Imports section. The AI will explain what each import function does and what malware capability it enables. Treat those as hypotheses: an import alone (CreateFileW, RegSetValueExW) proves little until you have read the code that calls it.

Phase 1 — Function Analysis
Find, rename, and document key functions
Navigate to entry point and main function
Start analysis from where execution begins
# In Ghidra:
# Press G and type "entry" to go to the entry point
# OR: Symbol Tree → Functions → entry
# entry is normally the compiler's CRT startup stub, not the malware's own code.
# Follow it (in MSVC builds via __scrt_common_main_seh or similar) to the call into
# WinMain (4 args: hInstance, hPrevInstance, lpCmdLine, nCmdShow) or main (argc, argv)
# Double-click a call to navigate to it; the Decompiler pane shows pseudo-C for the current function
# Rename functions: select the function name and press L (or right-click → Edit Function Signature)
Identify and document key functions with AI
Work through the most important functions systematically
For each significant function: copy the decompiled code from the Decompiler pane and paste into the AI for explanation. Focus on functions that call suspicious APIs.
🤖 AI Analyst — Code Explanation

Copy a function's decompiled code from Ghidra's Decompiler pane and paste it here. The AI will explain what the function does, identify its purpose (network beacon, file encryption, persistence, etc.), and suggest a meaningful name. Check the suggested purpose against the APIs and strings the function actually touches before you rename it.

Find and analyze the network communication function
Locate C2 communication — typically Winsock (WSAStartup, connect, send/recv) or WinINet/WinHTTP (InternetOpen, HttpSendRequest, WinHttpSendRequest)
# Find network functions via API cross-references:
# Symbol Tree → Imports → find WSAStartup, InternetOpen or WinHttpOpen
# Right-click → References → Find References to [API]
# Double-click each reference to see the calling context
# The function that calls WSAStartup initializes Winsock; the beacon logic is usually one of its
# callers, or a sibling that calls connect/send/recv (or HttpSendRequest). Walk the xrefs of those APIs too.
# If no network API appears in the import table, the sample may resolve them at runtime:
# check the callers of GetProcAddress for names like "connect" or "InternetOpenA".
Identify string decryption and XOR encoding
Malware often encrypts C2 domains and config strings
# Look for XOR loops in the Ghidra decompiler — they look like:
# while (i < length) { buffer[i] = encrypted[i] ^ key; i++; }               (single-byte key)
# for (i = 0; i < length; i++) buffer[i] = encrypted[i] ^ key[i % keylen];  (repeating key)
# Note the key value and the address the loop reads from; the encrypted bytes live at that address in .data/.rdata
# Or use FLOSS (v2 syntax) on the unpacked binary to extract stack and decoded strings:
floss --only stack sample_unpacked.exe
floss --only decoded sample_unpacked.exe
🤖 AI Analyst

Paste the assembly or decompiled code of a suspected XOR decryption loop. The AI will explain the algorithm, extract the XOR key if visible, and decode any encrypted strings in the code.
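The decoding step above, as an added example that is not part of the lab page: once the decompiler shows a single-byte XOR loop but the key is computed rather than visible, brute-forcing the 255 possible keys over the bytes the loop reads is faster than tracing the key derivation. ENCODED_BLOB is a constructed stand-in for the bytes you would copy from the address the loop reads (Ghidra: select the range → right-click → Copy Special → Byte String); the key and the strings it hides were chosen for this example, not taken from the L03-L04 sample. The same `xor_decode` handles the repeating-key form, `encrypted[i] ^ key[i % keylen]`, when the key is visible in the decompiler.

```python
"""Recover XOR-obfuscated config strings from bytes carved out of a Ghidra listing.

Added example (not from the lab page). ENCODED_BLOB is constructed for illustration;
the key (0x5A) and the hidden strings are invented, not from the L03-L04 sample.
"""

# Bytes we accept in a decoded config blob: printable ASCII, the NUL separators
# that delimit C strings, and common whitespace.
ALLOWED = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}

# Substrings a malware config tends to contain. A candidate key scores one point per
# crib occurrence, which separates the real key from the many keys that merely
# produce printable garbage (XOR of two printable bytes is often printable too).
CRIBS = [b"http", b".exe", b".dll", b".php", b"cmd", b"User-Agent"]

# Constructed: "http://203.0.113.10:8080/gate.php\0cmd.exe /c whoami\0" XORed with 0x5A.
ENCODED_BLOB = bytes.fromhex(
    "322e2e2a60757568 6a69746a746b6b69 746b6a60626a626a 753d3b2e3f742a32 2a5a"
    "39373e743f223f7a 75397a2d32353b37 335a"
)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the operation most decompiled loops reduce to:
    buffer[i] = encrypted[i] ^ key[i % len(key)]. A single-byte key is len(key) == 1."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_c_strings(blob: bytes) -> list[str]:
    """Split a NUL-separated blob into the strings it contains, dropping empties."""
    return [s.decode("ascii") for s in blob.split(b"\x00") if s]


def score(candidate: bytes) -> int:
    """-1 if the plaintext contains bytes no config string would; otherwise crib hits."""
    if any(b not in ALLOWED for b in candidate):
        return -1
    return sum(candidate.count(crib) for crib in CRIBS)


def recover_single_byte_xor(blob: bytes):
    """Try every non-zero single-byte key and return (key, decoded strings) for the
    best-scoring one, or None if no key yields anything that looks like config text."""
    best_key, best_score = None, 0
    for key in range(1, 256):
        s = score(xor_decode(blob, bytes([key])))
        if s > best_score:
            best_key, best_score = key, s
    if best_key is None:
        return None
    return best_key, split_c_strings(xor_decode(blob, bytes([best_key])))


if __name__ == "__main__":
    result = recover_single_byte_xor(ENCODED_BLOB)
    if result is None:
        print("no single-byte key produced text; use xor_decode with the key from the decompiler")
    else:
        key, strings = result
        print(f"key = 0x{key:02x}")
        for s in strings:
            print("  ", s)
```

Paste the recovered strings back into Ghidra as comments at the address of the encrypted blob, and confirm the key against the loop: if the decompiler reads the key from a global, compare its initial value with the one the brute force found.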

Phase 2 — AI-Assisted Deep Analysis
Use AI to accelerate analysis of complex code sections
Analyze anti-analysis and evasion techniques
Find timing checks, debugger detection, and VM detection code
# Search for anti-debug APIs in Ghidra:
# Symbol Tree → Imports → look for:
#   IsDebuggerPresent
#   CheckRemoteDebuggerPresent
#   GetTickCount / QueryPerformanceCounter (timing-based anti-debug)
#   NtQueryInformationProcess (often resolved at runtime via GetProcAddress, so check that function's callers too)
# Inline checks use no import at all: look for reads of PEB->BeingDebugged, i.e. FS:[0x30] + 2 on x86
# or GS:[0x60] + 2 on x64 (Ghidra shows these as accesses through in_FS_OFFSET / in_GS_OFFSET)
# Also search for VM detection strings:
# Window → Defined Strings (filter on VMware, VirtualBox, VBox, QEMU) or Search → Memory → search for the string
🤖 AI Analyst

Paste the decompiled code of any anti-analysis function you find. The AI will explain the technique, what conditions it's checking, and how to bypass it during analysis.

Create a function call graph and capability map
Build a visual map of what the malware can do
# In Ghidra:
# Window → Function Graph — control-flow graph of the current function (basic blocks and edges)
# Window → Function Call Graph — callers and callees of the current function, expandable outward
# Window → Function Call Trees — the same relationships as incoming/outgoing trees

# For an overall capability summary, run capa on the (unpacked) binary. Keep the
# human-readable output for the report and the JSON output for the ATT&CK mapping:
capa -v sample_unpacked.exe 2>&1 | tee capa_final.txt
capa -j sample_unpacked.exe > capa_final.json
🤖 AI Analyst

Share your Capa results and list of documented functions. The AI will create a complete capability matrix: what the malware can do organized by ATT&CK tactic, with the evidence from your reverse engineering.
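The capability matrix described above, as an added example that is not part of the lab page: merge capa's JSON output with the functions you renamed in Ghidra so every ATT&CK technique carries both kinds of evidence. CAPA_JSON is a constructed stand-in for `capa -j sample_unpacked.exe`; it mirrors the shape this code relies on (`rules -> {rule name: {meta: {name, namespace, attack: [{tactic, technique, subtechnique, id}]}, matches}}`), which is an assumption about the capa version you run, so check it against your real file. RE_NOTES is likewise constructed; its function names and addresses are invented.

```python
"""Build an ATT&CK capability matrix from capa JSON plus Ghidra function notes.

Added example (not from the lab page). CAPA_JSON and RE_NOTES are constructed
stand-ins; the JSON key layout is an assumption about capa's -j output.
"""
import json
from collections import defaultdict

CAPA_JSON = json.dumps({
    "meta": {"sample": {"path": "sample_unpacked.exe"}},
    "rules": {
        "connect to HTTP server": {
            "meta": {"name": "connect to HTTP server", "namespace": "communication/http/client",
                     "attack": [{"tactic": "Command and Control", "technique": "Application Layer Protocol",
                                 "subtechnique": "Web Protocols", "id": "T1071.001"}]},
            "matches": {"0x401a20": {}},
        },
        "check for debugger via API": {
            "meta": {"name": "check for debugger via API", "namespace": "anti-analysis/anti-debugging/debugger-detection",
                     "attack": [{"tactic": "Defense Evasion", "technique": "Debugger Evasion",
                                 "subtechnique": "", "id": "T1622"}]},
            "matches": {"0x4012f0": {}, "0x401640": {}},
        },
        "persist via Run registry key": {
            "meta": {"name": "persist via Run registry key", "namespace": "persistence/registry/run",
                     "attack": [{"tactic": "Persistence", "technique": "Boot or Logon Autostart Execution",
                                 "subtechnique": "Registry Run Keys / Startup Folder", "id": "T1547.001"}]},
            "matches": {"0x401b80": {}},
        },
        "encode data using XOR": {
            "meta": {"name": "encode data using XOR", "namespace": "data-manipulation/encoding/xor",
                     "attack": [{"tactic": "Defense Evasion", "technique": "Obfuscated Files or Information",
                                 "subtechnique": "", "id": "T1027"}]},
            "matches": {"0x401000": {}},
        },
        "create TCP socket": {  # a rule with no ATT&CK mapping, to show the fallback bucket
            "meta": {"name": "create TCP socket", "namespace": "communication/socket/tcp", "attack": []},
            "matches": {"0x401a20": {}},
        },
    },
})

# Constructed: what you would record while renaming functions in Phase 3.
RE_NOTES = [
    {"function": "decrypt_config", "address": "0x401000", "tactic": "Defense Evasion", "id": "T1027",
     "technique": "Obfuscated Files or Information", "summary": "single-byte XOR over a config blob"},
    {"function": "c2_beacon", "address": "0x401a20", "tactic": "Command and Control", "id": "T1071.001",
     "technique": "Application Layer Protocol::Web Protocols", "summary": "HTTP POST of host info to /gate.php"},
]


def load_capa_rules(capa_json_text: str) -> dict:
    return json.loads(capa_json_text)["rules"]


def attack_matrix(capa_rules: dict, re_notes: list) -> dict:
    """Return {tactic: {technique id: {"technique": name, "evidence": [...]}}}.
    Rules without an ATT&CK mapping land in an "Unmapped" bucket so nothing is silently lost."""
    matrix = defaultdict(dict)

    def add(tactic, tid, tname, evidence):
        entry = matrix[tactic].setdefault(tid, {"technique": tname, "evidence": []})
        if evidence not in entry["evidence"]:
            entry["evidence"].append(evidence)

    for name, rule in capa_rules.items():
        meta = rule["meta"]
        n = len(rule.get("matches", []))  # dict or list depending on capa version; len works for both
        attack = meta.get("attack") or []
        for att in attack:
            tname = att["technique"] + ("::" + att["subtechnique"] if att.get("subtechnique") else "")
            add(att["tactic"], att["id"], tname, f"capa: {name} ({n} match{'es' if n != 1 else ''})")
        if not attack:
            add("Unmapped", "(none)", "rules without an ATT&CK mapping", f"capa: {name} [{meta.get('namespace', '-')}]")

    for note in re_notes:
        add(note["tactic"], note["id"], note["technique"],
            f"ghidra: {note['function']} @ {note['address']}: {note['summary']}")
    return {tactic: dict(entries) for tactic, entries in matrix.items()}


def render(matrix: dict) -> str:
    """Plain-text matrix, one block per tactic, ready to paste into the report."""
    lines = []
    for tactic in sorted(matrix):
        lines.append(f"== {tactic} ==")
        for tid, entry in sorted(matrix[tactic].items()):
            lines.append(f"  {tid:<10} {entry['technique']}")
            lines.extend(f"      - {ev}" for ev in entry["evidence"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(attack_matrix(load_capa_rules(CAPA_JSON), RE_NOTES)))
```

A technique that appears with only `capa:` evidence is a lead you have not yet confirmed in the decompiler; one with only `ghidra:` evidence is a finding capa's rules did not cover. Both are worth a sentence in the report.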

Phase 3 — Technical Report
Document your reverse engineering findings professionally
Document all renamed functions with descriptions
Add Ghidra comments explaining what each function does
In Ghidra, for each key function you've analyzed:
• Rename it: select the function name and press L, or right-click → Edit Function Signature (e.g., c2_beacon, decrypt_config, establish_persistence)
• Add a plate comment above the function: right-click in the listing → Comments → Set Plate Comment... (Set Pre Comment attaches to a single instruction instead, so use it for notable lines inside the function)
• Document: what it does, what APIs it uses, what data it processes, and which ATT&CK technique it supports
AI writes the technical malware capability report
Full RE report with code snippets, function descriptions, and ATT&CK mapping
🤖 AI Analyst — Technical Report

Share your documented functions (names + descriptions), key decompiled code snippets, identified strings, and behavioral observations. The AI will write a technical malware capability report suitable for peer review and threat intel sharing.

Lab complete
Save your Ghidra project
✅ Ghidra project created with binary imported
✅ Auto-analysis completed
✅ Imports analyzed and capabilities noted
✅ Entry point and main function located
✅ Network communication function identified
✅ String decryption routine analyzed
✅ Anti-analysis techniques documented
✅ All key functions renamed with comments
✅ Technical capability report generated

Next: Lab L16 — AI Threat Intelligence Aggregator

Build a Python tool that aggregates OSINT feeds and uses AI to surface critical IOCs.
