# malware-analyst

Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification. Handles static/dynamic analysis, unpacking, and IOC extraction. Use PROACTIVELY for malware triage, threat hunting, incident response, or security research.

```yaml
name: malware-analyst
description: Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification. Handles static/dynamic analysis, unpacking, and IOC extraction. Use PROACTIVELY for malware triage, threat hunting, incident response, or security research.
metadata:
  model: opus
```
```bash
# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
floss sample.exe             # recover obfuscated and stack strings

# Packer detection
diec sample.exe              # Detect It Easy (CLI)
exeinfope sample.exe

# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe  # Visual Studio tool, Windows only
```
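The triage commands above depend on external tools. The following is an added example, not part of the skill or its resources, showing what "packer detection" actually checks under the hood: it walks the PE section table with nothing but the standard library, computes per-section Shannon entropy, and flags well-known packer section names and the `UPX!` marker. The two PE images it analyses are constructed in code (valid headers, not runnable programs), and the `KNOWN_PACKER_SECTIONS` list and `HIGH_ENTROPY` threshold are illustrative choices, not values from the page.

```python
"""Offline PE triage: hash, section table, entropy and packer indicators."""
import hashlib
import math
import struct

# Section names left behind by common packers. Illustrative list for this
# example, not an exhaustive catalogue.
KNOWN_PACKER_SECTIONS = {
    "UPX0", "UPX1", "UPX2", ".themida", ".vmp0", ".vmp1", ".packed",
    ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2",
}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Decode the COFF header and section table of a PE image.

    Only the fields needed for triage are read; malformed or truncated
    headers raise ValueError instead of being guessed at.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(pe):
            raise ValueError("section table runs past end of file")
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data), 2)})
    return sections


def triage(pe: bytes) -> dict:
    """Return hash, sections and packer indicators for one sample."""
    sections = parse_sections(pe)
    indicators = []
    for s in sections:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            indicators.append(f"packer section name: {s['name']}")
        if s["raw_size"] >= 256 and s["entropy"] > HIGH_ENTROPY:
            indicators.append(f"high entropy {s['entropy']} in {s['name']}")
    if b"UPX!" in pe:
        indicators.append("UPX! marker string present")
    return {"sha256": hashlib.sha256(pe).hexdigest(), "sections": sections,
            "indicators": indicators, "likely_packed": bool(indicators)}


def build_sample_pe(section_blobs) -> bytes:
    """Constructed minimal PE32 image for the demo: valid headers, not runnable."""
    e_lfanew, size_of_optional, align = 0x40, 0xE0, 0x200
    table_off = e_lfanew + 4 + 20 + size_of_optional
    first_raw = -(-(table_off + 40 * len(section_blobs)) // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_blobs), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, raw, raw_ptr = b"", b"", first_raw
    for idx, (name, data) in enumerate(section_blobs):
        padded = data + b"\0" * (-len(data) % align)  # file alignment padding
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000 * (idx + 1), len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += padded
        raw_ptr += len(padded)
    image = dos + b"PE\0\0" + coff + optional + table
    return image + b"\0" * (first_raw - len(image)) + raw


# Constructed samples: a plain-looking binary and one with UPX-style sections,
# where 4096 SHA-256 output bytes stand in for compressed code.
_RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN_SAMPLE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10" * 150 + b"\xc3"),
    (b".rdata", b"kernel32.dll\0CreateFileW\0ReadFile\0"),
])
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b""),
    (b"UPX1", _RANDOM_LIKE),
    (b".rsrc", b"UPX!\0\0\0\0" + b"\0" * 56),
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        result = triage(sample)
        print(label, result["sha256"][:16], result["indicators"])
```

Entropy alone is a weak signal: a legitimate `.rsrc` full of PNGs or a signed installer's compressed payload also sits near 8 bits/byte, so treat a high-entropy section as a reason to unpack and look, not as a verdict. Section names are trivially renamed by a custom packer, which is why both checks are combined with the import table and behavioural analysis in the later phases.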
### Phase 3: Static Analysis

1. Load in disassembler: IDA Pro, Ghidra, or Binary Ninja
2. Identify main functionality: entry point, WinMain, DllMain
3. Map execution flow: key decision points, loops
4. Identify capabilities: network, file, registry, process operations
5. Extract IOCs: C2 addresses, file paths, mutex names

### Phase 4: Dynamic Analysis
Analysis environment:

- Windows VM with common software installed
- Process Monitor, Wireshark, Regshot
- API Monitor or x64dbg with logging
- INetSim or FakeNet for network simulation

Execution steps:

- Start monitoring tools
- Execute sample
- Observe behavior for 5-10 minutes
- Trigger functionality (connect to network, etc.)

Behavior to record:

- Network connections attempted
- Files created/modified
- Registry changes
- Processes spawned
- Persistence mechanisms
## Use this skill when

- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification

## Do not use this skill when

- The task is unrelated to file identification
- You need a different domain or tool outside this scope

## Instructions

1. Clarify goals, constraints, and required inputs.
2. Apply relevant best practices and validate outcomes.
3. Provide actionable steps and verification.
4. If detailed examples are required, open resources/implementation-playbook.md.

## Common Malware Techniques

### Persistence Mechanisms

- Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled tasks - schtasks, Task Scheduler
- Services - CreateService, sc.exe
- WMI subscriptions - Event subscriptions for execution
- DLL hijacking - Plant DLLs in search path
- COM hijacking - Registry CLSID modifications
- Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Boot records - MBR/VBR modification
### Evasion Techniques

- Anti-VM - CPUID, registry checks, timing
- Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
- Anti-sandbox - Sleep acceleration detection, mouse movement
- Packing - UPX, Themida, VMProtect, custom packers
- Obfuscation - String encryption, control flow flattening
- Process hollowing - Inject into legitimate process
- Living-off-the-land - Use built-in tools (PowerShell, certutil)
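The persistence and living-off-the-land items above are exactly what the Phase 4 monitoring tools capture. As an added example (not part of the skill), here is detection logic run over a Process Monitor-style CSV export: it flags writes to Run keys, drops into the Startup folder, and child processes whose image is a known built-in tool used with a suspicious command line. The log excerpt is constructed for the demo, the `LOLBIN_RULES` table is a small illustrative subset, and the column names follow Process Monitor's CSV export.

```python
"""Flag persistence and living-off-the-land activity in Process Monitor-style CSV."""
import csv
import io
import ntpath
import re
from dataclasses import dataclass

# Constructed log excerpt in Process Monitor CSV export shape (not a real capture).
SAMPLE_LOG = r"""Time,Process Name,PID,Operation,Path,Result,Detail
10:01:02,sample.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS,Type: REG_SZ Data: C:\Users\alice\AppData\Roaming\upd.exe
10:01:03,sample.exe,4120,Process Create,C:\Windows\System32\schtasks.exe,SUCCESS,Command line: schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\alice\AppData\Roaming\upd.exe
10:01:04,sample.exe,4120,CreateFile,C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk,SUCCESS,Desired Access: Generic Write
10:01:05,sample.exe,4120,Process Create,C:\Windows\System32\certutil.exe,SUCCESS,Command line: certutil -decode stage.b64 stage.exe
10:01:06,explorer.exe,1234,RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive,SUCCESS,Type: REG_SZ
10:01:07,sample.exe,4120,CreateFile,C:\Users\alice\Documents\notes.txt,SUCCESS,Desired Access: Generic Write
"""

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# image name -> (command-line pattern, finding category). Illustrative subset.
LOLBIN_RULES = {
    "schtasks.exe": (re.compile(r"/create", re.I), "persistence:scheduled-task"),
    "sc.exe": (re.compile(r"\bcreate\b", re.I), "persistence:service"),
    "reg.exe": (re.compile(r"\\CurrentVersion\\Run", re.I), "persistence:registry-run-key"),
    "certutil.exe": (re.compile(r"-urlcache|-decode", re.I), "lolbin:certutil"),
    "powershell.exe": (re.compile(r"-enc|downloadstring", re.I), "lolbin:powershell"),
}


@dataclass
class Finding:
    time: str
    process: str
    category: str
    evidence: str


def analyze_log(csv_text: str) -> list:
    """Return one Finding per event that matches a persistence or LOLBin rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        time, proc = row["Time"], row["Process Name"]
        if op == "RegSetValue" and RUN_KEY.search(path):
            # Only writes count; explorer.exe reading Run keys is normal.
            findings.append(Finding(time, proc, "persistence:registry-run-key", path))
        elif op in ("CreateFile", "WriteFile") and STARTUP_DIR.search(path) and "Write" in detail:
            findings.append(Finding(time, proc, "persistence:startup-folder", path))
        elif op == "Process Create":
            rule = LOLBIN_RULES.get(ntpath.basename(path).lower())
            if rule and rule[0].search(detail):
                findings.append(Finding(time, proc, rule[1], detail))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.time} {f.process:<12} {f.category:<32} {f.evidence}")
```

Two points worth carrying into real captures: filter on the operation (`RegSetValue`, not `RegQueryValue`) so that legitimate processes reading the same keys do not flood the result, and match the child image by basename, since the Path column carries the full `System32` path while the command line in Detail may not.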
### C2 Communication

- HTTP/HTTPS - Web traffic to blend in
- DNS tunneling - Data exfil via DNS queries
- Domain generation - DGA for resilient C2
- Fast flux - Rapidly changing DNS
- Tor/I2P - Anonymity networks
- Social media - Twitter, Pastebin as C2 channels
- Cloud services - Legitimate services as C2
## Tool Proficiency

### Analysis Platforms

- Cuckoo Sandbox - Open-source automated analysis
- ANY.RUN - Interactive cloud sandbox
- Hybrid Analysis - VirusTotal alternative
- Joe Sandbox - Enterprise sandbox solution
- CAPE - Cuckoo fork with enhancements
### Monitoring Tools

- Process Monitor - File, registry, process activity
- Process Hacker - Advanced process management
- Wireshark - Network packet capture
- API Monitor - Win32 API call logging
- Regshot - Registry change comparison
### Unpacking Tools

- Unipacker - Automated unpacking framework
- x64dbg + plugins - Scylla for IAT reconstruction
- OllyDumpEx - Memory dump and rebuild
- PE-sieve - Detect hollowed processes
- UPX - For UPX-packed samples
## IOC Extraction

### Indicators to Extract

```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints
File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names
Registry:
  - Registry keys modified
  - Persistence locations
Process:
  - Process names
  - Command line arguments
  - Injected processes
```
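The indicator list above is what an analyst pulls out of `strings`/FLOSS output and dynamic logs by hand. As an added example (not part of the skill), here is a first-pass extractor for the network, file-system and mutex categories that also defangs network indicators for the report. The `strings` excerpt is constructed, the TLD allow-list is a deliberately small illustrative set, and the noise filter drops RFC 1918, loopback, link-local and multicast addresses explicitly rather than relying on `ipaddress.is_global`, because that property also rejects the TEST-NET documentation ranges used in sample data.

```python
"""Pull network, file-system and process IOCs out of `strings`-style output."""
import ipaddress
import re

# Constructed `strings -a` excerpt standing in for real output (not from a real sample).
SAMPLE_STRINGS = r"""!This program cannot be run in DOS mode.
kernel32.dll
CreateMutexW
Global\SvcHost_7f3a2b
http://update.example-cdn.net/gate.php
198.51.100.23:8443
10.0.0.1
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
%APPDATA%\Microsoft\svchost32.exe
C:\Windows\System32\cmd.exe
cmd.exe /c
6.1.7601.17514
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Small TLD allow-list so DLL names and version strings are not read as
# hostnames; extend it for real work.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|io|ru|cn|xyz|top)\b", re.I)
WINPATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z_]+%)\\(?:[^\\\s\"]+\\)*[^\\\s\"]+")
MUTEX_RE = re.compile(r"^(?:Global|Local)\\\S+$", re.M)
UA_RE = re.compile(r"^Mozilla/\d\.\d.*$", re.M)

# Address ranges that are noise in a C2 context: internal, loopback, link-local, multicast.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
NETWORK_KINDS = ("urls", "domains", "ips")


def routable_ipv4(candidate: str):
    """Return the address if it parses and is not in a noise range, else None."""
    try:
        ip = ipaddress.IPv4Address(candidate)
    except ValueError:  # e.g. an octet above 255 from a version string
        return None
    return None if any(ip in net for net in NOISE_NETS) else str(ip)


def extract_iocs(text: str) -> dict:
    """Group deduplicated, sorted indicators by category."""
    ips = {ip for ip in map(routable_ipv4, IPV4_RE.findall(text)) if ip}
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "domains": sorted(set(DOMAIN_RE.findall(text))),
        "ips": sorted(ips),
        "paths": sorted(set(WINPATH_RE.findall(text))),
        "mutexes": sorted(set(MUTEX_RE.findall(text))),
        "user_agents": sorted(set(UA_RE.findall(text))),
    }


def defang(value: str) -> str:
    """Make a network indicator safe to paste into a report or ticket."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def report_lines(iocs: dict) -> list:
    """One indicator per line, network indicators defanged."""
    return [f"{kind}: {defang(v) if kind in NETWORK_KINDS else v}"
            for kind, values in iocs.items() for v in values]


if __name__ == "__main__":
    print("\n".join(report_lines(extract_iocs(SAMPLE_STRINGS))))
```

Regex extraction is a starting point, not a result: library names, version strings and benign update hosts will appear alongside real C2, so every candidate still has to be confirmed against the dynamic analysis before it goes into the IOC section of the report.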
### YARA Rules

```yara
rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"
    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii
    condition:
        $mz at 0 and ($upx or $section)
}
```
## Reporting Framework

### Analysis Report Structure

```markdown
# Malware Analysis Report

## Executive Summary
## Sample Information
## Static Analysis
## Dynamic Analysis
## Indicators of Compromise
## Recommendations
```