Blackbox Intelligence Group
Cybersecurity II · Module 10

Cybersecurity II, Unit 10: Malware, Social Engineering, and Defensive Awareness

Static analysis basics, dynamic analysis in a sandbox, and a deep dive on social engineering at the level needed to design awareness programs that actually work.

Length: 300 min
Level: advanced
Track: Cyber II
Cadence: Semester 2

What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 10: Malware, Social Engineering, and Defensive Awareness

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 5 × 60 minutes |
| Recommended placement | Week 16 |
| Prerequisite | Units 1–9 |
| Materials | Isolated analysis VM (no internet), sample benign + EICAR + teacher-prepared training samples (only), strings/PEview/Detect-It-Easy, Process Monitor, FakeNet-NG or INetSim, GoPhish (lab) |

Safety: Malware analysis is performed only on samples the teacher has issued. Students do not download samples from VirusShare, MalwareBazaar, etc., during this unit. The analysis VM has no shared folders and no internet - full isolation. Snapshot before, revert after.

Social engineering exercises target a fictional company. No phishing of real people, classmates, faculty, or family.

Standards & credential alignment

  • EHE - System hacking + malware analysis fundamentals.
  • NIST SP 800-83 Rev. 1 - Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Learning objectives

By the end of this unit, students can:

  1. Distinguish static and dynamic analysis with concrete examples.
  2. Perform safe static analysis on a teacher-issued sample (PE info, strings, hashes, imports).
  3. Run dynamic analysis in an isolated sandbox and observe network + filesystem + registry behavior.
  4. Articulate the social engineering taxonomy (phishing, vishing, smishing, pretexting, baiting, tailgating, BEC).
  5. Run an authorized internal phishing simulation against a fictional target with GoPhish in the lab.
  6. Design an awareness program that doesn't blame users.

Vocabulary

  • Static analysis - Examining a sample without executing it.
  • Dynamic analysis - Examining behavior while running.
  • Sandbox - Isolated environment for safe execution.
  • PE / ELF / Mach-O - Windows / Linux / macOS executable formats.
  • IOC - Indicator of Compromise.
  • C2 - Command-and-control infrastructure.
  • Phishing / vishing / smishing - Email / voice / SMS.
  • Pretext - Fabricated scenario used in social engineering.
  • BEC - Business Email Compromise.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Sandbox setup + static analysis basics | Static analysis report on benign sample |
| 2 | Static analysis on teacher-issued sample | Static report with IOCs |
| 3 | Dynamic analysis | Dynamic report with network + FS + registry observations |
| 4 | Social engineering deep dive | Phishing template + indicators worksheet |
| 5 | GoPhish lab + awareness program design | Awareness plan |

Day 1 - Sandbox setup + static basics

Set up the analysis VM:

  • Snapshot baseline.
  • Disable shared folders.
  • Disconnect networking, or put the VM on a host-only network with no route out. FakeNet-NG normally runs inside the analysis VM itself and intercepts the sample's traffic locally; INetSim runs on a second VM on that host-only network and plays the fake internet. Either way, nothing leaves the host.
  • Install: PEview / Detect-It-Easy, strings, sigcheck, Process Monitor, Process Explorer, Wireshark.

Static analysis on a benign file (e.g., a copy of notepad.exe), from a Linux analysis VM or WSL:

sha256sum sample.exe                 # hash first, before anything else touches the file
file sample.exe                      # PE32 / PE32+, architecture, subsystem
strings sample.exe | head -50        # ASCII only: GNU strings needs -e l to show the UTF-16LE strings PE files are full of
# Windows: sigcheck.exe -h sample.exe (hashes + signature), PEview / DIE for headers and imports

Day 2 - Static on teacher-issued training sample

Teacher issues an analysis-safe sample (e.g., a packed test binary). Students:

  • Hash it (MD5, SHA-1, SHA-256).
  • Identify file type and architecture.
  • Note the compile timestamp, with the caveat that it is set by the linker and easily forged.
  • Inspect imports and build a capability hypothesis before running anything: winhttp.dll (WinHttpOpen, WinHttpSendRequest) suggests an HTTP client; ws2_32.dll (connect, send) suggests raw sockets; CryptAcquireContext suggests the sample encrypts its config or payload. The hypothesis is what Day 3 confirms or refutes.
  • Pull strings; note URLs, IPs, registry paths, mutex names.
  • Document IOCs.
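A worked static-triage script covering the Day 1 and Day 2 steps together (hashes, file type, PE header fields, ASCII and UTF-16LE strings, IOC classification, capability hypotheses from import names). This is an added example for this page, not part of the lesson pack, and uses only the Python standard library. The training blob it builds is a constructed stand-in for a teacher-issued sample and is not a runnable program; the IOC regexes and the import-to-capability mapping are assumptions to extend in class. It reads the COFF header but does not walk the import table; for real samples the third-party pefile module does that. Running it as `python triage.py sample.exe` (filename assumed) prints the triage as JSON.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINE = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
IOC_PATTERNS = {                                     # assumed, deliberately simple
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU)\\\S+|Software\\Microsoft\\Windows\\CurrentVersion\\Run\S*", re.I),
    "mutex": re.compile(r"(?:Global|Local)\\\S+"),
}
# API/DLL names that justify a hypothesis to confirm on Day 3 (assumed mapping).
CAPABILITY_HINTS = {
    "winhttp": "HTTP client (beaconing, downloads)",
    "ws2_32": "raw sockets (custom C2 protocol)",
    "cryptacquirecontext": "Windows crypto API (config or payload encryption)",
    "createremotethread": "code injection into another process",
}

def build_training_blob() -> bytes:
    """Constructed stand-in for a teacher-issued sample: MZ stub + PE signature + COFF
    header + planted strings. Not executable; it only exercises the triage code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 1700000000, 0, 0, 240, 0x22)
    planted = (
        b"\x00" * 16
        + b"ws2_32.dll\x00WinHttpOpen\x00CryptAcquireContextW\x00"
        + b"http://update.acmewidgets.example/check.php\x00"
        + b"192.0.2.44\x00\x00"
        + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
        + b"Global\\TrainingSampleMutex\x00"
    )
    return bytes(dos) + b"PE\x00\x00" + coff + planted

def hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def file_type(data: bytes) -> str:
    if data[:2] == b"MZ":
        return "PE"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "Mach-O"
    return "unknown"

def pe_header(data: bytes):
    """Machine, section count and TimeDateStamp from the COFF header (no import walking)."""
    if file_type(data) != "PE" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return None
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": nsect,
        # Written by the linker and trivially forged: a hint, not evidence.
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),              # IMAGE_FILE_DLL
    }

def extract_strings(data: bytes) -> list:
    """ASCII and UTF-16LE strings of 6+ chars; GNU strings skips UTF-16 unless told -e l."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found

def classify_iocs(strings: list) -> dict:
    iocs = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            iocs[kind].extend(pat.findall(s))
    return iocs

def capability_hypotheses(strings: list) -> dict:
    hits = {}
    for s in strings:
        for needle, hypothesis in CAPABILITY_HINTS.items():
            if needle in s.lower():
                hits.setdefault(hypothesis, set()).add(s)
    return {h: sorted(v) for h, v in hits.items()}

def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"hashes": hashes(data), "type": file_type(data), "pe": pe_header(data),
            "iocs": classify_iocs(strings), "capabilities": capability_hypotheses(strings)}

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_training_blob()
    print(json.dumps(triage(data), indent=2))
```

The UTF-16LE pass is the part students usually miss: registry paths and URLs inside Windows binaries are often wide strings, and a plain `strings` run never shows them, so the Run-key IOC in the training blob only appears because of it.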

Day 3 - Dynamic analysis

In the isolated VM:

  1. Snapshot.
  2. Start Process Monitor (filter by process name once known).
  3. Start Wireshark on the lab interface.
  4. Start FakeNet-NG. It answers every DNS query with a local address and serves canned HTTP/HTTPS/SMTP responses, so the sample's beacons resolve and connect without anything leaving the VM.
  5. Detonate.
  6. Observe for 60–120 seconds. Silence is not a verdict: many samples sleep, wait for user input, or check for a sandbox before doing anything.
  7. Stop. Save Procmon log + PCAP.
  8. Revert.

Document: files written, registry keys created, processes spawned, DNS lookups, HTTP requests, mutexes.
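A summarizer for the Day 3 deliverable: it reads a Process Monitor CSV export and reports files written, registry keys created or set, processes spawned and outbound connections for one process name, then flags autostart locations. This is an added example, not material from the lesson pack; the CSV rows are constructed to look like a Procmon export with its default columns, and the paths, PIDs and 192.0.2.0/24 addresses are invented. The autostart marker list and executable extension list are assumptions and not exhaustive.

```python
import csv
import io
from collections import Counter

# Constructed Procmon CSV export (File > Save, CSV, default columns). Rows, paths, PIDs
# and the 192.0.2.0/24 addresses are invented for the exercise.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345","sample.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c whoami"
"10:02:11.0150000","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:02:11.0200000","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:02:11.0300000","sample.exe","4120","RegCreateKey","HKCU\Software\AcmeUpdater","SUCCESS","Desired Access: All Access"
"10:02:11.0400000","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\Users\lab\AppData\Roaming\svchost.exe"
"10:02:12.0000000","sample.exe","4120","UDP Send","LAB-VM:62001 -> 192.0.2.1:53","SUCCESS","Length: 61"
"10:02:12.0500000","sample.exe","4120","TCP Connect","LAB-VM:49800 -> 192.0.2.1:80","SUCCESS","Length: 0, mss: 1460, sackopt: 1"
"10:02:12.0600000","sample.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:12.0700000","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

# Autostart locations worth a second look (assumed, not exhaustive).
PERSISTENCE_MARKERS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce",
                       r"\Start Menu\Programs\Startup", r"\Services", r"\Winlogon")
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".scr")
NET_OPS = ("TCP Connect", "TCP Send", "UDP Send")

def parse_procmon_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def summarize(events: list, process: str) -> dict:
    """Behavioural summary for one process name, i.e. what Procmon's process filter shows."""
    written, created, set_, spawned, network = set(), set(), set(), [], []
    for ev in events:
        if ev["Process Name"] != process:
            continue
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            written.add(path)
        elif op == "RegCreateKey":
            created.add(path)
        elif op == "RegSetValue":
            set_.add(path)
        elif op == "Process Create":
            spawned.append((path, detail))
        elif op in NET_OPS:
            network.append((op, path.split(" -> ")[-1]))   # Procmon writes "src -> dst"
    return {
        "files_written": sorted(written),
        "dropped_executables": [p for p in sorted(written) if p.lower().endswith(EXEC_EXT)],
        "registry_created": sorted(created),
        "registry_set": sorted(set_),
        "processes_spawned": spawned,
        "network": network,
        "dns_queries": sum(1 for _, dst in network if dst.endswith(":53")),
    }

def persistence_hits(summary: dict) -> list:
    """Paths the sample touched that are common autostart locations."""
    paths = summary["registry_set"] + summary["registry_created"] + summary["files_written"]
    return [p for p in paths if any(m.lower() in p.lower() for m in PERSISTENCE_MARKERS)]

def noisiest_processes(events: list, n: int = 3) -> list:
    """Which process names dominate the capture: the reason you filter before reading."""
    return Counter(ev["Process Name"] for ev in events).most_common(n)

if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:   # utf-8-sig tolerates a BOM
            events, process = parse_procmon_csv(fh.read()), sys.argv[2]
    else:
        events, process = parse_procmon_csv(SAMPLE_CSV), "sample.exe"
    summary = summarize(events, process)
    summary["persistence_hits"] = persistence_hits(summary)
    summary["noisiest"] = noisiest_processes(events)
    print(json.dumps(summary, indent=2))
```

Run it as `python procmon_summary.py export.csv sample.exe` (filenames assumed) after saving the Procmon log as CSV. The dropped executable plus the Run-key value pointing at it is the pattern to teach: the file write alone is ambiguous, the registry value makes it persistence.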

Day 4 - Social engineering taxonomy

Walk through each:

  • Phishing - broad email lure.
  • Spear phishing - targeted with personal context.
  • Whaling - targeting executives.
  • Vishing - phone calls (sometimes deepfake voice now).
  • Smishing - SMS / iMessage.
  • Pretexting - invented scenario, often paired with vishing.
  • Baiting - physical (USB drops) or digital lures.
  • Tailgating / piggybacking - physical access by following someone.
  • BEC - fraudulent wire transfer requests, vendor invoice swaps.

Indicators worksheet: 10 sample emails (provided), students mark indicators (sender mismatch, urgency, link mismatch, unusual ask, attachment type, generic greeting, etc.).
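The indicators worksheet, as a checker over a raw message: it parses the message with Python's email module and flags the same categories the worksheet lists (sender versus Reply-To mismatch, lookalike domains, link text versus href mismatch, urgency language, risky attachment types, generic greeting). This is an added example, not the page's own material; both messages are constructed, the org domain, word list and extension list are assumptions, and the lookalike test is deliberately simple so students can extend it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "acmewidgets.example"        # the unit's fictional company (assumed)
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "final notice", "act now")
RISKY_EXT = (".docm", ".xlsm", ".iso", ".img", ".lnk", ".js", ".hta", ".vbs", ".scr", ".zip", ".7z")
GENERIC = re.compile(r"\bDear (Employee|Customer|User|Valued Member|Sir/Madam)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed worksheet item: a credential-harvesting lure aimed at the fictional company.
SAMPLE_PHISH = """\
From: "Acme Widgets Payroll" <payroll@acmewidgets.example>
Reply-To: <payroll@acmewidgets-hr.example>
To: employee@acmewidgets.example
Subject: URGENT: verify your direct deposit within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Employee,</p>
<p>Payroll records must be verified immediately or your deposit will be suspended.
Click <a href="http://acmewidgets-login.example/verify">https://hr.acmewidgets.example/portal</a>.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Payroll_Update.docm"
Content-Disposition: attachment; filename="Payroll_Update.docm"
Content-Transfer-Encoding: base64

UEsDBBQA
--b1--
"""

# Constructed benign control: same company, no indicators.
SAMPLE_BENIGN = """\
From: "Acme Widgets HR" <hr@acmewidgets.example>
Subject: Cafeteria menu for next week
Content-Type: text/plain; charset="utf-8"

Hi Alice,

Next week's menu is posted at https://intranet.acmewidgets.example/menu. See you Monday.
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def looks_like_org(host: str) -> bool:
    """Lookalike: carries the org's name but is neither the org domain nor a subdomain of it."""
    host = host.lower()
    return (ORG_DOMAIN.split(".")[0] in host and host != ORG_DOMAIN
            and not host.endswith("." + ORG_DOMAIN))

def analyze_email(raw: str) -> list:
    """Return (indicator, evidence) pairs matching the worksheet's categories."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    if reply_addr and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"From {from_dom} but replies go to {reply_dom}"))
    for dom in (from_dom, reply_dom):
        if looks_like_org(dom):
            findings.append(("lookalike_domain", dom))
    html, text = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                html += payload
            else:
                text += payload
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(("risky_attachment", name))
    text += re.sub(r"<[^>]+>", " ", html)            # visible words of the HTML part
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENCY if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    greeting = GENERIC.search(text)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))
    for href, shown in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if URL.match(shown) else None
        if shown_host and shown_host != href_host:
            findings.append(("link_mismatch", f"shows {shown_host}, goes to {href_host}"))
        if looks_like_org(href_host):
            findings.append(("lookalike_domain", href_host))
    for url in URL.findall(text):                    # bare URLs in plain-text bodies
        host = urlparse(url.rstrip(".,)")).hostname or ""
        if looks_like_org(host):
            findings.append(("lookalike_domain", host))
    return findings
```

Point to make in class: every check here runs on headers and body the attacker controls, so a clean result is weak evidence; a dirty result is strong. The benign control exists so students see that the checker does not fire on an ordinary internal email.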

Day 5 - GoPhish + awareness design

Lab GoPhish runs against fictional acmewidgets.example mailboxes (no real recipients). The sending profile points at an SMTP server inside the lab, never a real relay, so a misconfigured campaign cannot reach anyone outside the room.

  • Build campaign: template, landing page, sending profile.
  • Send.
  • Observe campaign metrics.
  • Discuss: what does a 35% click rate actually mean? What's the right metric (reporting rate, time-to-report, repeat offender rate)?
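The metrics discussion, worked through on two constructed campaign timelines: the click rate is identical in both, but reporting rate, median time-to-report and the number of clicks that landed after the first report all move, which is the argument for reporting-centred metrics. This is an added example, not GoPhish's own code or output; the event names follow GoPhish's timeline vocabulary as an assumption, and the recipients are fictional acmewidgets.example addresses.

```python
from datetime import datetime
from statistics import median

# Constructed timelines in the shape GoPhish shows per result: (recipient, event, UTC time).
# Event names mirror GoPhish's timeline vocabulary (assumed); recipients are fictional.
CAMPAIGN_Q1 = [
    ("alice@acmewidgets.example", "Email Sent",     "2024-03-04T09:00:00"),
    ("alice@acmewidgets.example", "Email Opened",   "2024-03-04T09:04:00"),
    ("alice@acmewidgets.example", "Clicked Link",   "2024-03-04T09:05:00"),
    ("alice@acmewidgets.example", "Email Reported", "2024-03-04T09:07:00"),
    ("bob@acmewidgets.example",   "Email Sent",     "2024-03-04T09:00:00"),
    ("bob@acmewidgets.example",   "Email Reported", "2024-03-04T09:12:00"),
    ("carol@acmewidgets.example", "Email Sent",     "2024-03-04T09:00:00"),
    ("carol@acmewidgets.example", "Email Opened",   "2024-03-04T09:30:00"),
    ("carol@acmewidgets.example", "Clicked Link",   "2024-03-04T09:31:00"),
    ("carol@acmewidgets.example", "Submitted Data", "2024-03-04T09:32:00"),
    ("dave@acmewidgets.example",  "Email Sent",     "2024-03-04T09:00:00"),
]
CAMPAIGN_Q2 = [
    ("alice@acmewidgets.example", "Email Sent",     "2024-06-10T14:00:00"),
    ("alice@acmewidgets.example", "Email Reported", "2024-06-10T14:03:00"),
    ("bob@acmewidgets.example",   "Email Sent",     "2024-06-10T14:00:00"),
    ("bob@acmewidgets.example",   "Email Reported", "2024-06-10T14:06:00"),
    ("carol@acmewidgets.example", "Email Sent",     "2024-06-10T14:00:00"),
    ("carol@acmewidgets.example", "Clicked Link",   "2024-06-10T14:02:00"),
    ("dave@acmewidgets.example",  "Email Sent",     "2024-06-10T14:00:00"),
    ("dave@acmewidgets.example",  "Clicked Link",   "2024-06-10T15:10:00"),
    ("dave@acmewidgets.example",  "Email Reported", "2024-06-10T15:15:00"),
]

def _by_recipient(timeline: list) -> dict:
    per = {}
    for who, event, ts in timeline:
        per.setdefault(who, {})[event] = datetime.fromisoformat(ts)
    return per

def campaign_metrics(timeline: list) -> dict:
    per = _by_recipient(timeline)
    sent = {w for w, ev in per.items() if "Email Sent" in ev}
    clicked = {w for w, ev in per.items() if "Clicked Link" in ev}
    submitted = {w for w, ev in per.items() if "Submitted Data" in ev}
    reported = {w for w, ev in per.items() if "Email Reported" in ev}
    if not sent:
        return {"sent": 0}
    minutes_to_report = [(per[w]["Email Reported"] - per[w]["Email Sent"]).total_seconds() / 60
                         for w in reported]
    first_report = min(per[w]["Email Reported"] for w in reported) if reported else None
    # Clicks after the first report are the ones a fast SOC response (pull the message,
    # block the link) could have prevented: a measure of process, not of people.
    late_clicks = sum(1 for w in clicked if first_report and per[w]["Clicked Link"] > first_report)
    return {
        "sent": len(sent),
        "click_rate": round(len(clicked) / len(sent), 2),
        "submit_rate": round(len(submitted) / len(sent), 2),
        "report_rate": round(len(reported) / len(sent), 2),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        "clicked_then_reported": sorted(clicked & reported),
        "clicks_after_first_report": late_clicks,
        "clicked": sorted(clicked),
    }

def repeat_clickers(*campaigns) -> list:
    """Recipients who clicked in every campaign: a coaching list, not a shaming list."""
    sets = [set(campaign_metrics(c).get("clicked", [])) for c in campaigns]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    for name, c in (("Q1", CAMPAIGN_Q1), ("Q2", CAMPAIGN_Q2)):
        print(name, campaign_metrics(c))
    print("repeat clickers:", repeat_clickers(CAMPAIGN_Q1, CAMPAIGN_Q2))
```

Read the two results side by side: a 50% click rate both times says "nothing changed", while the report rate rising from 50% to 75% and the median time-to-report falling from 9.5 to 6 minutes say the program is working. Clicking and then reporting (alice in Q1, dave in Q2) is the behaviour an awareness program should reward, not punish.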

Awareness program design (1 page):

  • Goals (specific behaviors).
  • Methods (training, simulations, just-in-time prompts).
  • Reporting workflow that's easy and stigma-free.
  • Metrics that matter.
  • Things you will not do (publicly shame, surprise-test high-stress roles, fire on first click).

Common misconceptions

  • "Users are the problem." - Users are the last layer of defense after the system failed to block the email. Design for human factors.
  • "Detonating is the analysis." - Detonating without isolation is "infecting yourself." Isolation is the lab's job.

Assessment

  • Day 2 static report.
  • Day 3 dynamic report with IOCs.
  • Day 4 phishing indicators worksheet.
  • Day 5 awareness plan.

Career connection

Malware analysts $90K–$150K. Threat intel analysts $80K–$140K. Awareness program leads $80K–$120K with broad latitude.

Homework

Read one MITRE ATT&CK technique under the Initial Access tactic (TA0001) that wasn't covered in class. Bring 3 detection ideas.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.