competition-malware-config


Competition Malware Config

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive value is not just "what the sample does," but which config fields, stages, or network parameters the sample hides and when they become plaintext.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Preserve the original sample before unpacking or patching.
  2. Separate loader, payload, config blob, and post-decode behavior.
  3. Rank candidate config blobs by entropy, field shape, nearby strings, and decode helpers.
  4. Record the exact transform chain for each recovered field.
  5. Reproduce the decoded config or beacon parameters from the smallest possible path.

Workflow

1. Find The Config Boundary

  • Inspect sections, resources, embedded archives, strings, imports, and decode helpers.
  • Identify where config is stored: resource, overlay, encrypted blob, registry seed, network bootstrap, or stage2 memory.
  • Keep a single note recording the point at which each value becomes plaintext.

2. Reconstruct The Decode Chain

  • Recover the chain in order: container -> compression -> encoding -> xor/substitution -> crypto -> parse.
  • Group all config fields from the same chain together instead of treating them as unrelated clues.
  • Preserve hashes, offsets, keys, IVs, masks, and parsed fields in one compact evidence block.
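As an added example (not part of this skill or its reference files), the following Python script works a constructed sample end to end: it ranks NUL-delimited runs by Shannon entropy as in Quick Start step 3, then walks one decode chain (container -> base64 -> xor -> zlib -> json) and emits the compact evidence block this section asks for. The embedded blob, the single-byte XOR key and the NUL-delimited layout are assumptions constructed for the demo, not values from any real sample.

```python
import base64
import hashlib
import json
import math
import zlib
from collections import Counter

# Constructed sample (not a real malware config): a JSON config is zlib-compressed,
# XOR-masked with a single-byte key, base64-encoded and embedded between plaintext
# strings. The key and the layout are assumptions made for this example.
XOR_KEY = 0x5A
CONFIG = {"beacon": "hxxp://example.invalid/gate", "mutex": "ctf-demo", "campaign": "q1"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted runs score near 6 (base64) or 8 (raw)."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def build_sample() -> bytes:
    packed = zlib.compress(json.dumps(CONFIG).encode())
    masked = bytes(b ^ XOR_KEY for b in packed)
    return b"LOADER_STRINGS\x00" + base64.b64encode(masked) + b"\x00--end--"

def rank_candidates(buf: bytes, min_len: int = 8) -> list:
    """Split on NULs and rank runs as (offset, run) by entropy, highest first."""
    runs = [(buf.index(r), r) for r in buf.split(b"\x00") if len(r) >= min_len]
    return sorted(runs, key=lambda t: shannon_entropy(t[1]), reverse=True)

def decode_chain(blob: bytes, key: int) -> tuple:
    """Walk container -> encoding -> xor -> compression -> parse, logging each step."""
    chain = ["container:nul-delimited"]
    data = base64.b64decode(blob, validate=True)
    chain.append("base64")
    data = bytes(b ^ key for b in data)
    chain.append(f"xor:0x{key:02x}")
    data = zlib.decompress(data)
    chain.append("zlib")
    fields = json.loads(data)
    chain.append("json")
    return fields, chain

def evidence_block(buf: bytes, key: int) -> dict:
    """One compact record per chain: where the blob sat, its hash, and how it decoded."""
    offset, blob = rank_candidates(buf)[0]
    fields, chain = decode_chain(blob, key)
    return {"offset": offset, "length": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
            "entropy": round(shannon_entropy(blob), 2), "chain": chain, "fields": fields}
```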

3. Tie Config To Behavior

  • Show which field affects which branch: beacon path, mutex, wallet, bot id, campaign, tasking route, persistence name, or process target.
  • Correlate decoded config with PCAPs, process trees, or stage2 strings when possible.

Read This Reference

  • Load references/malware-config.md for the config-hunting checklist, staged-sample checklist, and evidence packaging rules.

What To Preserve

  • Original artifact, unpacked layer, dumped stage, and parsed config as separate artifacts
  • Offsets, hashes, decode helpers, keys, masks, and field names
  • The branch or protocol step each recovered field actually influences