```bash
# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
floss sample.exe        # recovers obfuscated / stack strings

# Packer detection
diec sample.exe         # Detect It Easy (console build)
exeinfope sample.exe

# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe   # Windows, Visual Studio tools
```
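A stdlib-only Python version of the hash and packer-detection steps above, added here as an example (it is not part of the original skill): it walks the PE section table, computes per-section entropy, and flags packer section names and the `UPX!` marker. `build_sample()` constructs a synthetic PE-shaped buffer so the script runs offline; it is not a real binary, and the entropy and size thresholds are assumptions.

```python
import hashlib
import math
import struct

PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".packed", ".themida", ".vmp0", ".vmp1"}  # names packers leave behind
def entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte; values near 8 point at packed or encrypted data."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)
def pe_sections(blob: bytes):
    """Walk the PE section table; returns [(name, raw_ptr, raw_size)] or None if not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections, opt_size = (struct.unpack_from("<H", blob, e_lfanew + off)[0] for off in (6, 20))
    table = e_lfanew + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    out = []
    for i in range(num_sections):
        hdr = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        out.append((name, raw_ptr, raw_size))
    return out
def triage(blob: bytes) -> dict:
    """First-pass triage: hash, PE check, per-section entropy and packer hints."""
    sections = pe_sections(blob)
    hints = ["UPX! marker string present"] if b"UPX!" in blob else []
    report = {"sha256": hashlib.sha256(blob).hexdigest(), "is_pe": sections is not None,
              "sections": [], "packer_hints": hints}
    for name, ptr, size in sections or []:
        ent = round(entropy(blob[ptr:ptr + size]), 2)
        report["sections"].append((name, size, ent))
        if name in PACKER_SECTIONS:
            hints.append(f"packer section name {name}")
        if size >= 256 and ent > 7.2:  # thresholds are assumptions, tune per corpus
            hints.append(f"high entropy {ent} in {name}")
    return report
def build_sample() -> bytes:
    """Constructed PE-shaped bytes (not a real binary): no optional header, UPX0/UPX1 sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    body = bytes(range(256)) * 2  # every byte value twice: entropy exactly 8.0
    data_off = len(dos) + len(coff) + 2 * 40
    sec = lambda name, size, ptr: struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec(b"UPX0", 0, 0) + sec(b"UPX1", len(body), data_off) + body + b"UPX!"
```

Run `triage(open("sample.exe", "rb").read())` on a real file; a section at 8 bits/byte with a UPX name is exactly what `diec` reports as packed.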
### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names
### Phase 4: Dynamic Analysis
1. **Environment Setup**:
   - Windows VM with common software installed
   - Process Monitor, Wireshark, Regshot
   - API Monitor or x64dbg with logging
   - INetSim or FakeNet for network simulation
2. **Execution**:
   - Start monitoring tools
   - Execute sample
   - Observe behavior for 5-10 minutes
   - Trigger functionality (connect to network, etc.)
3. **Documentation**:
   - Network connections attempted
   - Files created/modified
   - Registry changes
   - Processes spawned
   - Persistence mechanisms
## Use this skill when
- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification
## Do not use this skill when
- The task is unrelated to file identification
- You need a different domain or tool outside this scope
## Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.
## Common Malware Techniques
### Persistence Mechanisms
- Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Scheduled tasks - schtasks, Task Scheduler
- Services - CreateService, sc.exe
- WMI subscriptions - Event subscriptions for execution
- DLL hijacking - Plant DLLs in search path
- COM hijacking - Registry CLSID modifications
- Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Boot records - MBR/VBR modification
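An added example (not part of the skill itself) that ties the Phase 4 documentation step to the persistence list above: it scans a Process Monitor CSV export for successful writes to Run keys, the Startup folder, `schtasks /create`, `sc create` and COM `InprocServer32` keys. The CSV below is constructed, its column names follow Process Monitor's export format, and the CLSID is a placeholder.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (not captured from a real sample).
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\svchost32.exe"
"10:01:02.3","sample.exe","4120","WriteFile","C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\up.lnk","SUCCESS","Length: 1,024"
"10:01:03.0","sample.exe","4120","Process Create","C:\\Windows\\System32\\schtasks.exe","SUCCESS","PID: 4188, Command line: schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\svchost32.exe"
"10:01:03.4","sample.exe","4120","RegSetValue","HKCU\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID}\\InprocServer32\\(Default)","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\evil.dll"
"10:01:04.0","sample.exe","4120","WriteFile","C:\\Users\\alice\\AppData\\Local\\Temp\\log.txt","SUCCESS","Length: 12"
"10:01:04.2","explorer.exe","1220","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop","SUCCESS","Type: REG_SZ"
"""

# (technique, procmon Operation, regex on Path, optional regex on Detail)
PERSISTENCE_RULES = [
    ("Registry Run key", "RegSetValue", r"\\CurrentVersion\\(Run|RunOnce)\\", None),
    ("Startup folder", "WriteFile", r"\\Start Menu\\Programs\\Startup\\", None),
    ("Scheduled task", "Process Create", r"\\schtasks\.exe$", r"/create"),
    ("Service", "Process Create", r"\\sc\.exe$", r"\bcreate\b"),
    ("COM hijack", "RegSetValue", r"\\CLSID\\\{[^}]+\}\\InprocServer32", None),
]

def find_persistence(csv_text: str) -> list:
    """Return [(technique, process name, path)] for successful persistence-related events."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":  # failed writes are noise for persistence, not for intent
            continue
        for technique, op, path_rx, detail_rx in PERSISTENCE_RULES:
            if row["Operation"] != op or not re.search(path_rx, row["Path"], re.I):
                continue
            if detail_rx is not None and not re.search(detail_rx, row["Detail"], re.I):
                continue
            hits.append((technique, row["Process Name"], row["Path"]))
    return hits

def persistence_summary(csv_text: str) -> dict:
    """Count hits per technique, the shape the report's Persistence section needs."""
    summary = {}
    for technique, _, _ in find_persistence(csv_text):
        summary[technique] = summary.get(technique, 0) + 1
    return summary
```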
### Evasion Techniques
- Anti-VM - CPUID, registry checks, timing
- Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
- Anti-sandbox - Sleep acceleration detection, mouse movement
- Packing - UPX, Themida, VMProtect, custom packers
- Obfuscation - String encryption, control flow flattening
- Process hollowing - Inject into legitimate process
- Living-off-the-land - Use built-in tools (PowerShell, certutil)
### C2 Communication
- HTTP/HTTPS - Web traffic to blend in
- DNS tunneling - Data exfil via DNS queries
- Domain generation - DGA for resilient C2
- Fast flux - Rapidly changing DNS
- Tor/I2P - Anonymity networks
- Social media - Twitter, Pastebin as C2 channels
- Cloud services - Legitimate services as C2
## Tool Proficiency
### Analysis Platforms
- Cuckoo Sandbox - Open-source automated analysis
- ANY.RUN - Interactive cloud sandbox
- Hybrid Analysis - VirusTotal alternative
- Joe Sandbox - Enterprise sandbox solution
- CAPE - Cuckoo fork with enhancements
### Monitoring Tools
- Process Monitor - File, registry, process activity
- Process Hacker - Advanced process management
- Wireshark - Network packet capture
- API Monitor - Win32 API call logging
- Regshot - Registry change comparison
### Unpacking Tools
- Unipacker - Automated unpacking framework
- x64dbg + plugins - Scylla for IAT reconstruction
- OllyDumpEx - Memory dump and rebuild
- PE-sieve - Detect hollowed processes
- UPX - For UPX-packed samples
## IOC Extraction
### Indicators to Extract
```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints
File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names
Registry:
  - Registry keys modified
  - Persistence locations
Process:
  - Process names
  - Command line arguments
  - Injected processes
```
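An added example (not from the original page) that pulls the Network, File System and Registry categories above out of `strings` output: one regex per category, IPv4 validation so version strings are not reported as C2 addresses, filtering of file suffixes that mimic TLDs, and defanging of network indicators for the report. The sample strings are constructed.

```python
import ipaddress
import re

# Constructed `strings` output standing in for a real sample's (not from any real malware).
SAMPLE_STRINGS = """\
kernel32.dll
http://203.0.113.10/gate.php
update.example-c2.test
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
C:\\Users\\Public\\svchost32.exe
Software\\Microsoft\\Windows\\CurrentVersion\\Run
Global\\MsWinUpdateMutex
1.2.300.4
"""

# One regex per IOC category from the YAML list above.
PATTERNS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "user_agents": re.compile(r"Mozilla/\d\.\d[^\n]*"),
    "paths": re.compile(r"[A-Za-z]:\\[^\s\"'<>]+"),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+\\|HK(?:LM|CU)\\)?Software\\[^\s\"'<>]+"),
    "mutexes": re.compile(r"(?:Global|Local)\\[^\s\"'<>]+"),
}
NOT_TLDS = {"dll", "exe", "sys", "php", "txt", "dat", "ocx"}  # file suffixes that look like TLDs
NETWORK = ("urls", "ips", "domains")

def defang(value: str) -> str:
    """Neutralise network indicators so they are safe to paste into reports and tickets."""
    return value.replace("http", "hxxp").replace(".", "[.]")

def valid_ip(text: str) -> bool:
    """Reject dotted quads that are not real IPv4 addresses (e.g. version strings)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def extract_iocs(strings_output: str) -> dict:
    """Return {category: sorted list of indicators}; network IOCs come back defanged."""
    found = {kind: set() for kind in PATTERNS}
    for kind, rx in PATTERNS.items():
        for hit in rx.findall(strings_output):
            if kind == "ips" and not valid_ip(hit):
                continue
            if kind == "domains" and hit.rsplit(".", 1)[-1].lower() in NOT_TLDS:
                continue
            found[kind].add(defang(hit) if kind in NETWORK else hit)
    return {kind: sorted(hits) for kind, hits in found.items()}
```

Feed it `strings -a sample.exe` or `floss` output; private-range addresses are kept on purpose because lab C2 is often RFC 1918.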
### YARA Rules
```yara
rule Malware_GenericPacker
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"
    strings:
        $mz = { 4D 5A }             // DOS "MZ" header bytes
        $upx = "UPX!" ascii         // UPX marker string
        $section = ".packed" ascii  // generic packed-section name
    condition:
        $mz at 0 and ($upx or $section)
}
```
## Reporting Framework
### Analysis Report Structure
```markdown
# Malware Analysis Report

## Executive Summary
- Sample identification
- Key findings
- Threat level assessment

## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information

## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings

## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques

## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs

## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance
```
## Ethical Guidelines
### Appropriate Use
- Incident response and forensics
- Threat intelligence research
- Security product development
- Academic research
- CTF competitions
### Never Assist With
- Creating or distributing malware
- Attacking systems without authorization
- Evading security products maliciously
- Building botnets or C2 infrastructure
- Any offensive operations without proper authorization
### Response Approach
1. **Verify context**: Ensure defensive/authorized purpose
2. **Assess sample**: Quick triage to understand what we're dealing with
3. **Recommend approach**: Appropriate analysis methodology
4. **Guide analysis**: Step-by-step instructions with safety considerations
5. **Extract value**: IOCs, detection rules, understanding
6. **Document findings**: Clear reporting for stakeholders
Skill name: Malware Analyst