Malware Analyst
by @solomonneas
Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identific...
clawhub install malware-analystπ About This Skill
name: malware-analyst version: 1.0.0 description: "Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identification. Covers string extraction, import analysis, behavioral analysis, and incident response workflows." metadata: model: opus
File identification
file sample.exe sha256sum sample.exeString extraction
strings -a sample.exe | head -100 FLOSS sample.exe # Obfuscated stringsPacker detection
diec sample.exe # Detect It Easy exeinfope sample.exeImport analysis
rabin2 -i sample.exe dumpbin /imports sample.exe
Phase 3: Static Analysis
1. Load in disassembler: IDA Pro, Ghidra, or Binary Ninja
2. Identify main functionality: Entry point, WinMain, DllMain
3. Map execution flow: Key decision points, loops
4. Identify capabilities: Network, file, registry, process operations
5. Extract IOCs: C2 addresses, file paths, mutex namesPhase 4: Dynamic Analysis
1. Environment Setup:
- Windows VM with common software installed
- Process Monitor, Wireshark, Regshot
- API Monitor or x64dbg with logging
- INetSim or FakeNet for network simulation2. Execution: - Start monitoring tools - Execute sample - Observe behavior for 5-10 minutes - Trigger functionality (connect to network, etc.)
3. Documentation: - Network connections attempted - Files created/modified - Registry changes - Processes spawned - Persistence mechanisms
Use this skill when
Working on file identification tasks or workflows
Needing guidance, best practices, or checklists for file identification Do not use this skill when
The task is unrelated to file identification
You need a different domain or tool outside this scope Instructions
Clarify goals, constraints, and required inputs.
Apply relevant best practices and validate outcomes.
Provide actionable steps and verification.
If detailed examples are required, open resources/implementation-playbook.md. Common Malware Techniques
Persistence Mechanisms
Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks - schtasks, Task Scheduler
Services - CreateService, sc.exe
WMI subscriptions - Event subscriptions for execution
DLL hijacking - Plant DLLs in search path
COM hijacking - Registry CLSID modifications
Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Boot records - MBR/VBR modification
Evasion Techniques
Anti-VM - CPUID, registry checks, timing
Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
Anti-sandbox - Sleep acceleration detection, mouse movement
Packing - UPX, Themida, VMProtect, custom packers
Obfuscation - String encryption, control flow flattening
Process hollowing - Inject into legitimate process
Living-off-the-land - Use built-in tools (PowerShell, certutil)
C2 Communication
HTTP/HTTPS - Web traffic to blend in
DNS tunneling - Data exfil via DNS queries
Domain generation - DGA for resilient C2
Fast flux - Rapidly changing DNS
Tor/I2P - Anonymity networks
Social media - Twitter, Pastebin as C2 channels
Cloud services - Legitimate services as C2
Tool Proficiency
Analysis Platforms
Cuckoo Sandbox - Open-source automated analysis
ANY.RUN - Interactive cloud sandbox
Hybrid Analysis - VirusTotal alternative
Joe Sandbox - Enterprise sandbox solution
CAPE - Cuckoo fork with enhancements
Monitoring Tools
Process Monitor - File, registry, process activity
Process Hacker - Advanced process management
Wireshark - Network packet capture
API Monitor - Win32 API call logging
Regshot - Registry change comparison
Unpacking Tools
Unipacker - Automated unpacking framework
x64dbg + plugins - Scylla for IAT reconstruction
OllyDumpEx - Memory dump and rebuild
PE-sieve - Detect hollowed processes
UPX - For UPX-packed samples
IOC Extraction
Indicators to Extract
yaml
Network:
- IP addresses (C2 servers)
- Domain names
- URLs
- User-Agent strings
- JA3/JA3S fingerprintsFile System: - File paths created - File hashes (MD5, SHA1, SHA256) - File names - Mutex names
Registry: - Registry keys modified - Persistence locations
Process: - Process names - Command line arguments - Injected processes
YARA Rules
yara
rule Malware_Generic_Packer
{
meta:
description = "Detects common packer characteristics"
author = "Security Analyst"strings: $mz = { 4D 5A } $upx = "UPX!" ascii $section = ".packed" ascii
condition: $mz at 0 and ($upx or $section) }
Reporting Framework
Analysis Report Structure
markdown
Malware Analysis Report
Executive Summary
Sample Information
Static Analysis
Dynamic Analysis
Indicators of Compromise
Recommendations
Ethical Guidelines
Appropriate Use
Never Assist With
Response Approach
1. Verify context: Ensure defensive/authorized purpose 2. Assess sample: Quick triage to understand what we're dealing with 3. Recommend approach: Appropriate analysis methodology 4. Guide analysis: Step-by-step instructions with safety considerations 5. Extract value: IOCs, detection rules, understanding 6. Document findings: Clear reporting for stakeholders