malware-analyst
Security & Compliance

Expert malware analyst specializing in defensive malware research,
Documentation

```bash
# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
floss sample.exe      # Obfuscated strings

# Packer detection
diec sample.exe       # Detect It Easy
exeinfope sample.exe

# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe
```
### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names
### Phase 4: Dynamic Analysis
## Use this skill when
- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification
## Do not use this skill when
- The task is unrelated to file identification
- You need a different domain or tool outside this scope
## Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.
## Common Malware Techniques
### Persistence Mechanisms
- Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled tasks - schtasks, Task Scheduler
- Services - CreateService, sc.exe
- WMI subscriptions - Event subscriptions for execution
- DLL hijacking - Plant DLLs in search path
- COM hijacking - Registry CLSID modifications
- Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Boot records - MBR/VBR modification
### Evasion Techniques
- Anti-VM - CPUID, registry checks, timing
- Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
- Anti-sandbox - Sleep acceleration detection, mouse movement
- Packing - UPX, Themida, VMProtect, custom packers
- Obfuscation - String encryption, control flow flattening
- Process hollowing - Inject into legitimate process
- Living-off-the-land - Use built-in tools (PowerShell, certutil)
### C2 Communication
- HTTP/HTTPS - Web traffic to blend in
- DNS tunneling - Data exfil via DNS queries
- Domain generation - DGA for resilient C2
- Fast flux - Rapidly changing DNS
- Tor/I2P - Anonymity networks
- Social media - Twitter, Pastebin as C2 channels
- Cloud services - Legitimate services as C2
## Tool Proficiency
### Analysis Platforms
- Cuckoo Sandbox - Open-source automated analysis
- ANY.RUN - Interactive cloud sandbox
- Hybrid Analysis - VirusTotal alternative
- Joe Sandbox - Enterprise sandbox solution
- CAPE - Cuckoo fork with enhancements
### Monitoring Tools
- Process Monitor - File, registry, process activity
- Process Hacker - Advanced process management
- Wireshark - Network packet capture
- API Monitor - Win32 API call logging
- Regshot - Registry change comparison
### Unpacking Tools
- Unipacker - Automated unpacking framework
- x64dbg + plugins - Scylla for IAT reconstruction
- OllyDumpEx - Memory dump and rebuild
- PE-sieve - Detect hollowed processes
- UPX - For UPX-packed samples
## IOC Extraction
### Indicators to Extract
- Network:
- File System:
- Registry:
- Process:
### YARA Rules

```yara
rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"
    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii
    condition:
        $mz at 0 and ($upx or $section)
}
```
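The identification, string-extraction and packer-detection steps of the triage commands above, and the checks the Malware_Generic_Packer YARA rule performs, as one scriptable pass. This is an added example, not part of the original skill; the sample bytes are constructed inline to stand in for `sample.exe`, and the entropy threshold of 7.0 bits per byte is an assumed heuristic, not something the rule above checks.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for sample.exe: MZ header, a UPX marker and a few
# printable strings (assumption, not a real binary).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"UPX!" + b"\x00" * 8
    + b"http://c2.example.invalid/gate.php\x00"
    + b"Global\\MyMutex1\x00"
    + b"\x01\x02\x03" + b"kernel32.dll\x00"
)


def identify(data: bytes) -> dict:
    """Fields recorded by the file-identification step (file + sha256sum)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",
        "size": len(data),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like `strings -a`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data nears 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(data: bytes) -> list:
    """Mirror the YARA rule: MZ at offset 0 and ("UPX!" or ".packed"),
    plus an assumed high-entropy heuristic for unknown packers."""
    hits = []
    if data[:2] != b"MZ":
        return hits  # $mz at 0 is required by the rule's condition
    if b"UPX!" in data:
        hits.append("UPX!")
    if b".packed" in data:
        hits.append(".packed")
    if entropy(data) > 7.0:
        hits.append("high-entropy")
    return hits
```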
## Reporting Framework
### Analysis Report Structure
Malware Analysis Report
- Executive Summary
- Sample Information
- Static Analysis
- Dynamic Analysis
- Indicators of Compromise
- Recommendations