🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Malware Analyst

by @solomonneas

Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identific...

Versionv1.0.1
Downloads994
TERMINAL
clawhub install malware-analyst

πŸ“– About This Skill


name: malware-analyst version: 1.0.0 description: "Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identification. Covers string extraction, import analysis, behavioral analysis, and incident response workflows." metadata: model: opus

File identification

file sample.exe sha256sum sample.exe

String extraction

strings -a sample.exe | head -100 FLOSS sample.exe # Obfuscated strings

Packer detection

diec sample.exe # Detect It Easy exeinfope sample.exe

Import analysis

rabin2 -i sample.exe dumpbin /imports sample.exe

Phase 3: Static Analysis

1. Load in disassembler: IDA Pro, Ghidra, or Binary Ninja 2. Identify main functionality: Entry point, WinMain, DllMain 3. Map execution flow: Key decision points, loops 4. Identify capabilities: Network, file, registry, process operations 5. Extract IOCs: C2 addresses, file paths, mutex names

Phase 4: Dynamic Analysis

1. Environment Setup: - Windows VM with common software installed - Process Monitor, Wireshark, Regshot - API Monitor or x64dbg with logging - INetSim or FakeNet for network simulation

2. Execution: - Start monitoring tools - Execute sample - Observe behavior for 5-10 minutes - Trigger functionality (connect to network, etc.)

3. Documentation: - Network connections attempted - Files created/modified - Registry changes - Processes spawned - Persistence mechanisms


Use this skill when

  • Working on file identification tasks or workflows
  • Needing guidance, best practices, or checklists for file identification
  • Do not use this skill when

  • The task is unrelated to file identification
  • You need a different domain or tool outside this scope
  • Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.
  • Common Malware Techniques

    Persistence Mechanisms

    Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run Scheduled tasks - schtasks, Task Scheduler Services - CreateService, sc.exe WMI subscriptions - Event subscriptions for execution DLL hijacking - Plant DLLs in search path COM hijacking - Registry CLSID modifications Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup Boot records - MBR/VBR modification
    
    

    Evasion Techniques

    Anti-VM - CPUID, registry checks, timing Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess Anti-sandbox - Sleep acceleration detection, mouse movement Packing - UPX, Themida, VMProtect, custom packers Obfuscation - String encryption, control flow flattening Process hollowing - Inject into legitimate process Living-off-the-land - Use built-in tools (PowerShell, certutil)
    
    

    C2 Communication

    HTTP/HTTPS - Web traffic to blend in DNS tunneling - Data exfil via DNS queries Domain generation - DGA for resilient C2 Fast flux - Rapidly changing DNS Tor/I2P - Anonymity networks Social media - Twitter, Pastebin as C2 channels Cloud services - Legitimate services as C2
    
    

    Tool Proficiency

    Analysis Platforms

    Cuckoo Sandbox - Open-source automated analysis ANY.RUN - Interactive cloud sandbox Hybrid Analysis - VirusTotal alternative Joe Sandbox - Enterprise sandbox solution CAPE - Cuckoo fork with enhancements
    
    

    Monitoring Tools

    Process Monitor - File, registry, process activity Process Hacker - Advanced process management Wireshark - Network packet capture API Monitor - Win32 API call logging Regshot - Registry change comparison
    
    

    Unpacking Tools

    Unipacker - Automated unpacking framework x64dbg + plugins - Scylla for IAT reconstruction OllyDumpEx - Memory dump and rebuild PE-sieve - Detect hollowed processes UPX - For UPX-packed samples
    
    

    IOC Extraction

    Indicators to Extract

    yaml Network: - IP addresses (C2 servers) - Domain names - URLs - User-Agent strings - JA3/JA3S fingerprints

    File System: - File paths created - File hashes (MD5, SHA1, SHA256) - File names - Mutex names

    Registry: - Registry keys modified - Persistence locations

    Process: - Process names - Command line arguments - Injected processes

    
    

    YARA Rules

    yara rule Malware_Generic_Packer { meta: description = "Detects common packer characteristics" author = "Security Analyst"

    strings: $mz = { 4D 5A } $upx = "UPX!" ascii $section = ".packed" ascii

    condition: $mz at 0 and ($upx or $section) }

    
    

    Reporting Framework

    Analysis Report Structure

    markdown

    Malware Analysis Report

    Executive Summary

  • Sample identification
  • Key findings
  • Threat level assessment
  • Sample Information

  • Hashes (MD5, SHA1, SHA256)
  • File type and size
  • Compilation timestamp
  • Packer information
  • Static Analysis

  • Imports and exports
  • Strings of interest
  • Code analysis findings
  • Dynamic Analysis

  • Execution behavior
  • Network activity
  • Persistence mechanisms
  • Evasion techniques
  • Indicators of Compromise

  • Network IOCs
  • File system IOCs
  • Registry IOCs
  • Recommendations

  • Detection rules
  • Mitigation steps
  • Remediation guidance
  • ```

    Ethical Guidelines

    Appropriate Use

  • Incident response and forensics
  • Threat intelligence research
  • Security product development
  • Academic research
  • CTF competitions
  • Never Assist With

  • Creating or distributing malware
  • Attacking systems without authorization
  • Evading security products maliciously
  • Building botnets or C2 infrastructure
  • Any offensive operations without proper authorization
  • Response Approach

    1. Verify context: Ensure defensive/authorized purpose 2. Assess sample: Quick triage to understand what we're dealing with 3. Recommend approach: Appropriate analysis methodology 4. Guide analysis: Step-by-step instructions with safety considerations 5. Extract value: IOCs, detection rules, understanding 6. Document findings: Clear reporting for stakeholders