malware-analyst

Installs: 116
Rank: #7395

Install

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill malware-analyst

```bash
# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
floss sample.exe        # obfuscated strings

# Packer detection
diec sample.exe         # Detect It Easy
exeinfope sample.exe

# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe
```
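A scripted version of the triage commands above, added here as an example (it is not part of the skill repository): it hashes a file, pulls printable strings the way `strings -a` does, applies the same MZ-plus-UPX!/.packed check the page's packer YARA rule uses, and sorts what it finds into the File System / Network groups of the IOC checklist. `SAMPLE`, the regexes and the `example.invalid` URL are constructed for the demo.

```python
import hashlib
import re

# Constructed stand-in for sample.exe (not real malware): an MZ header, a UPX
# marker and a few embedded strings of the kinds the IOC checklist asks for.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"UPX!\x00\x00"
    + b"http://c2.example.invalid/beacon\x00"
    + b"Global\\ExampleMutex\x00"
    + b"Mozilla/5.0 (compatible; ExampleAgent)\x00"
)

URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./?=&-]*)?")
UA_RE = re.compile(rb"Mozilla/[^\x00]+")
MUTEX_RE = re.compile(rb"(?:Global|Local)\\[\w.-]+")


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of `strings -a`: runs of printable ASCII >= min_len."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def looks_packed(data: bytes) -> bool:
    """Same condition as the page's Malware_Generic_Packer YARA rule:
    MZ at offset 0 and either a UPX! marker or a '.packed' section name."""
    return data[:2] == b"MZ" and (b"UPX!" in data or b".packed" in data)


def triage(data: bytes) -> dict:
    """Hashes, PE/packer checks and string-derived IOCs, grouped like the
    'Indicators to Extract' list (File System / Network)."""
    strs = ascii_strings(data)
    return {
        "File System": {
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": data[:2] == b"MZ",
            "packed": looks_packed(data),
            "mutexes": [s.decode() for s in strs if MUTEX_RE.fullmatch(s)],
        },
        "Network": {
            "urls": [m.group().decode() for m in URL_RE.finditer(data)],
            "user_agents": [s.decode() for s in strs if UA_RE.fullmatch(s)],
        },
    }
```

On a real sample, replace `SAMPLE` with `open(path, "rb").read()`; the heuristics are deliberately crude (a UPX! marker is not proof of packing), so treat the output as triage input, not a verdict.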

Phase 3: Static Analysis

  1. Load in disassembler: IDA Pro, Ghidra, or Binary Ninja
  2. Identify main functionality: Entry point, WinMain, DllMain
  3. Map execution flow: Key decision points, loops
  4. Identify capabilities: Network, file, registry, process operations
  5. Extract IOCs: C2 addresses, file paths, mutex names

Phase 4: Dynamic Analysis

Environment Setup:

  • Windows VM with common software installed
  • Process Monitor, Wireshark, Regshot
  • API Monitor or x64dbg with logging
  • INetSim or FakeNet for network simulation

Execution:

  1. Start monitoring tools
  2. Execute sample
  3. Observe behavior for 5-10 minutes
  4. Trigger functionality (connect to network, etc.)

Documentation:

  • Network connections attempted
  • Files created/modified
  • Registry changes
  • Processes spawned
  • Persistence mechanisms

Use this skill when

  • Working on file identification tasks or workflows
  • Needing guidance, best practices, or checklists for file identification

Do not use this skill when

  • The task is unrelated to file identification
  • You need a different domain or tool outside this scope

Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.

Common Malware Techniques

Persistence Mechanisms

  • Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled tasks - schtasks, Task Scheduler
  • Services - CreateService, sc.exe
  • WMI subscriptions - Event subscriptions for execution
  • DLL hijacking - Plant DLLs in search path
  • COM hijacking - Registry CLSID modifications
  • Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • Boot records - MBR/VBR modification

Evasion Techniques

  • Anti-VM - CPUID, registry checks, timing
  • Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
  • Anti-sandbox - Sleep acceleration detection, mouse movement
  • Packing - UPX, Themida, VMProtect, custom packers
  • Obfuscation - String encryption, control flow flattening
  • Process hollowing - Inject into legitimate process
  • Living-off-the-land - Use built-in tools (PowerShell, certutil)

C2 Communication

  • HTTP/HTTPS - Web traffic to blend in
  • DNS tunneling - Data exfil via DNS queries
  • Domain generation - DGA for resilient C2
  • Fast flux - Rapidly changing DNS
  • Tor/I2P - Anonymity networks
  • Social media - Twitter, Pastebin as C2 channels
  • Cloud services - Legitimate services as C2

Tool Proficiency

Analysis Platforms

  • Cuckoo Sandbox - Open-source automated analysis
  • ANY.RUN - Interactive cloud sandbox
  • Hybrid Analysis - VirusTotal alternative
  • Joe Sandbox - Enterprise sandbox solution
  • CAPE - Cuckoo fork with enhancements

Monitoring Tools

  • Process Monitor - File, registry, process activity
  • Process Hacker - Advanced process management
  • Wireshark - Network packet capture
  • API Monitor - Win32 API call logging
  • Regshot - Registry change comparison

Unpacking Tools

  • Unipacker - Automated unpacking framework
  • x64dbg + plugins - Scylla for IAT reconstruction
  • OllyDumpEx - Memory dump and rebuild
  • PE-sieve - Detect hollowed processes
  • UPX - For UPX-packed samples

IOC Extraction

Indicators to Extract

```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints

File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names

Registry:
  - Registry keys modified
  - Persistence locations

Process:
  - Process names
  - Command line arguments
  - Injected processes
```

YARA Rules

```yara
rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}
```

Reporting Framework

Analysis Report Structure

Malware Analysis Report

  1. Executive Summary
     • Sample identification
     • Key findings
     • Threat level assessment
  2. Sample Information
     • Hashes (MD5, SHA1, SHA256)
     • File type and size
     • Compilation timestamp
     • Packer information
  3. Static Analysis
     • Imports and exports
     • Strings of interest
     • Code analysis findings
  4. Dynamic Analysis
     • Execution behavior
     • Network activity
     • Persistence mechanisms
     • Evasion techniques
  5. Indicators of Compromise
     • Network IOCs
     • File system IOCs
     • Registry IOCs
  6. Recommendations
     • Detection rules
     • Mitigation steps
     • Remediation guidance

Ethical Guidelines

Appropriate Use

  • Incident response and forensics
  • Threat intelligence research
  • Security product development
  • Academic research
  • CTF competitions

Never Assist With

  • Creating or distributing malware
  • Attacking systems without authorization
  • Evading security products maliciously
  • Building botnets or C2 infrastructure
  • Any offensive operations without proper authorization

Response Approach

  1. Verify context - Ensure defensive/authorized purpose
  2. Assess sample - Quick triage to understand what we're dealing with
  3. Recommend approach - Appropriate analysis methodology
  4. Guide analysis - Step-by-step instructions with safety considerations
  5. Extract value - IOCs, detection rules, understanding
  6. Document findings - Clear reporting for stakeholders