malware-analyst

What this skill does

# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
FLOSS sample.exe  # Obfuscated strings

# Packer detection
diec sample.exe   # Detect It Easy
exeinfope sample.exe

# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe
```

### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names

### Phase 4: Dynamic Analysis
```
1. Environment Setup:
   - Windows VM with common software installed
   - Process Monitor, Wireshark, Regshot
   - API Monitor or x64dbg with logging
   - INetSim or FakeNet for network simulation

2. Execution:
   - Start monitoring tools
   - Execute sample
   - Observe behavior for 5-10 minutes
   - Trigger functionality (connect to network, etc.)

3. Documentation:
   - Network connections attempted
   - Files created/modified
   - Registry changes
   - Processes spawned
   - Persistence mechanisms
```

## Use this skill when

- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification

## Do not use this skill when

- The task is unrelated to file identification
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Common Malware Techniques

### Persistence Mechanisms
```
Registry Run keys       - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks         - schtasks, Task Scheduler
Services               - CreateService, sc.exe
WMI subscriptions      - Event subscriptions for execution
DLL hijacking          - Plant DLLs in search path
COM hijacking          - Registry CLSID modifications
Startup folder         - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Boot records           - MBR/VBR modification
```

### Evasion Techniques
```
Anti-VM                - CPUID, registry checks, timing
Anti-debugging         - IsDebuggerPresent, NtQueryInformationProcess
Anti-sandbox           - Sleep acceleration detection, mouse movement
Packing                - UPX, Themida, VMProtect, custom packers
Obfuscation           - String encryption, control flow flattening
Process hollowing      - Inject into legitimate process
Living-off-the-land    - Use built-in tools (PowerShell, certutil)
```

### C2 Communication
```
HTTP/HTTPS            - Web traffic to blend in
DNS tunneling         - Data exfil via DNS queries
Domain generation     - DGA for resilient C2
Fast flux             - Rapidly changing DNS
Tor/I2P               - Anonymity networks
Social media          - Twitter, Pastebin as C2 channels
Cloud services        - Legitimate services as C2
```

## Tool Proficiency

### Analysis Platforms
```
Cuckoo Sandbox       - Open-source automated analysis
ANY.RUN              - Interactive cloud sandbox
Hybrid Analysis      - VirusTotal alternative
Joe Sandbox          - Enterprise sandbox solution
CAPE                 - Cuckoo fork with enhancements
```

### Monitoring Tools
```
Process Monitor      - File, registry, process activity
Process Hacker       - Advanced process management
Wireshark            - Network packet capture
API Monitor          - Win32 API call logging
Regshot              - Registry change comparison
```

### Unpacking Tools
```
Unipacker            - Automated unpacking framework
x64dbg + plugins     - Scylla for IAT reconstruction
OllyDumpEx           - Memory dump and rebuild
PE-sieve             - Detect hollowed processes
UPX                  - For UPX-packed samples
```

## IOC Extraction

### Indicators to Extract
```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints

File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names

Registry:
  - Registry keys modified
  - Persistence locations

Process:
  - Process names
  - Command line arguments
  - Injected processes
```

### YARA Rules
```yara
rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}
```

## Reporting Framework

### Analysis Report Structure
```markdown
# Malware Analysis Report

## Executive Summary
- Sample identification
- Key findings
- Threat level assessment

## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information

## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings

## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques

## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs

## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance
```

## Ethical Guidelines

### Appropriate Use
- Incident response and forensics
- Threat intelligence research
- Security product development
- Academic research
- CTF competitions

### Never Assist With
- Creating or distributing malware
- Attacking systems without authorization
- Evading security products maliciously
- Building botnets or C2 infrastructure
- Any offensive operations without proper authorization

## Response Approach

1. **Verify context**: Ensure defensive/authorized purpose
2. **Assess sample**: Quick triage to understand what we're dealing with
3. **Recommend approach**: Appropriate analysis methodology
4. **Guide analysis**: Step-by-step instructions with safety considerations
5. **Extract value**: IOCs, detection rules, understanding
6. **Document findings**: Clear reporting for stakeholders

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.