PJMR, ECMAP, and Malware Stuff

2023-08-30

As of today, August 30th, I have earned both the Practical Junior Malware Researcher and the eLearnSecurity Certified Malware Analysis Professional (now retired). I wanted to take the opportunity to talk about the training courses, thoughts, and word vomit about these two for a little bit.

I started this journey when I purchased the TCM course “Practical Malware Analysis and Triage.” This really sparked my interest in malware analysis and reverse engineering, and I gotta say it’s a fantastic introduction. Husky does a great job presenting the methodology he takes, and things are presented in a way that makes them easy to understand and keeps the complex topics interesting.

I ended up putting the course on hold for a while as Life happened, but was brought back to it when my company let me know that we had some eLS vouchers that we needed to use. I decided that it would make sense to take both the eCMAP and PJMR because they have a pretty big overlap (that being they’re both exams on malware analysis), so it would make sense to just do both. However, that course too was delayed because of Life.

Fast forward to the announcement from INE that the eCMAP was one of the courses that was being retired. That added a sense of urgency because I only had a limited amount of time to claim the voucher from work and actually take the exam. I did the things, and here I am.

The INE malware analysis course was last updated in I think 2017. That’s not necessarily a bad thing because the Portable Executable (PE) file format hasn’t changed at all, so the majority of the content was still relevant. But as is the case with a lot of the INE/eLS training material, it can be pretty dry because it’s just a PowerPoint presentation. That’s not the fault of Ali Hadi (the author), and the content was good to know, but that just made things really hard to stick with since it was just reading the entire time. (There are some videos and “labs,” but the overwhelming majority of the content needed came from the slides.)

With that in mind, let’s talk about the actual exams.

Both allowed five days in the actual lab, and then so many days to write a report. PJMR also required a debrief/presentation on top of that.

They were both pretty fun in my opinion, though absolutely different animals. Based on the course content, it’s no surprise to say that eCMAP focused almost exclusively on Windows executables, while PJMR included other things as well (the course covers things written in C#, PowerShell, two different types of maldocs, Golang, mobile malware, etc.). This isn’t a good or bad thing per se; however, I did enjoy learning about things other than just PEs, as most of my work experience hasn’t needed to actually analyze a PE. I would say that if you take (took, RIP eCMAP) the respective courses you could likely pass without other training; however, for PJMR I did look up some John Hammond videos and like a 30 second clip from the Zero2Auto “Beginner Malware Analysis Course”. The information I got from those could have been in the TCM course, but it had been so long ago that I can’t say for certain.

The other big difference between them is that the eCMAP was conducted via RDP, so software could be transferred to/from the testing machine, whereas PJMR is done exclusively in-browser. I asked if I was able to import a tool and was asked not to, so you should really be comfortable with the tools installed in the latest default FlareVM machine. (Fun fact, I probably didn’t even need that tool anyways, but whatever.)

How they do grading is also pretty different. INE required a report, but never taught how to write it. So I yoinked the template from the PMAT course and just used that. PJMR provides a template and wants it in a certain structure, so that took a lot of the thinking out of it, which was nice. The other big difference was INE very literally said “screenshots or it doesn’t count,” whereas PJMR left it up to the judgement of the reviewer, I’m guessing. Though I probably added in unnecessary screenshots due to having done the eCMAP first, I didn’t receive any feedback from the PJMR that I added too much information! (“Better safe than sorry.”)

Based on the TCM PJMR overview video it’s not a secret that there are nine samples to analyze, however the way things are scored you would in theory be able to not do all nine and do some YARA rules/extracted VBA code as “extra credit” and still pass. While I don’t know how I did on the samples (you only are told if you pass or didn’t), I did attempt all nine and did the YARA rules/extracted VBA code for all of them. So in my mind, I had a perfect score. (Go ahead, prove me wrong!)

I’m glad to have taken both exams, and proud of them both equally. I do think that PJMR is a fantastic replacement for eCMAP now that that one is retired, and it should be an easy choice for someone who’s new to the field of malware analysis.

Please feel free to reach out with questions about my experience, but do please note if you ask me specifics my answer is just going to be “42” and/or cat pictures. You’ve been warned.
