competition-malware-config

Original：🇺🇸 English

Translated

Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for malware configuration recovery, staged payload boundaries, beacon parameter extraction, and IOC decoding. Use when the user asks to recover a malware config, decode C2 or beacon fields, unpack staged payloads, extract bot or campaign IDs, or tie recovered config to observed protocol behavior under sandbox assumptions. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.

4installs

Sourcegaliais/ctf-sandbox-orchestrator

Added on2026-04-01

NPX Install

npx skill4agent add galiais/ctf-sandbox-orchestrator competition-malware-config

SKILL.md Content

View Translation Comparison →

Competition Malware Config

Use this skill only as a downstream specialization after

$ctf-sandbox-orchestrator

is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to

$ctf-sandbox-orchestrator

first.

Use this skill when the decisive value is not just "what the sample does," but which config fields, stages, or network parameters the sample hides and when they become plaintext.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

Preserve the original sample before unpacking or patching.
Separate loader, payload, config blob, and post-decode behavior.
Rank candidate config blobs by entropy, field shape, nearby strings, and decode helpers.
Record the exact transform chain for each recovered field.
Reproduce the decoded config or beacon parameters from the smallest possible path.

Workflow

1. Find The Config Boundary

Inspect sections, resources, embedded archives, strings, imports, and decode helpers.
Identify where config is stored: resource, overlay, encrypted blob, registry seed, network bootstrap, or stage2 memory.
Keep one note of when each value becomes plaintext.

2. Reconstruct The Decode Chain

Recover the chain in order: container -> compression -> encoding -> xor/substitution -> crypto -> parse.
Group all config fields from the same chain together instead of treating them as unrelated clues.
Preserve hashes, offsets, keys, IVs, masks, and parsed fields in one compact evidence block.

3. Tie Config To Behavior

Show which field affects which branch: beacon path, mutex, wallet, bot id, campaign, tasking route, persistence name, or process target.
Correlate decoded config with PCAPs, process trees, or stage2 strings when possible.

Read This Reference

Load
```
references/malware-config.md
```
for the config-hunting checklist, staged-sample checklist, and evidence packaging rules.

What To Preserve

Original artifact, unpacked layer, dumped stage, and parsed config as separate artifacts
Offsets, hashes, decode helpers, keys, masks, and field names
The branch or protocol step each recovered field actually influences