malware-analyst

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

File identification

文件识别

file sample.exe sha256sum sample.exe

String extraction

字符串提取

strings -a sample.exe | head -100 FLOSS sample.exe # Obfuscated strings

strings -a sample.exe | head -100 FLOSS sample.exe # 混淆字符串

Packer detection

加壳检测

diec sample.exe # Detect It Easy exeinfope sample.exe

Import analysis

导入表分析

rabin2 -i sample.exe dumpbin /imports sample.exe

undefined

rabin2 -i sample.exe dumpbin /imports sample.exe

undefined

Phase 3: Static Analysis

第三阶段：静态分析

Load in disassembler: IDA Pro, Ghidra, or Binary Ninja
Identify main functionality: Entry point, WinMain, DllMain
Map execution flow: Key decision points, loops
Identify capabilities: Network, file, registry, process operations
Extract IOCs: C2 addresses, file paths, mutex names

加载至反汇编器：IDA Pro、Ghidra或Binary Ninja
识别核心功能：入口点、WinMain、DllMain
梳理执行流程：关键决策点、循环结构
识别功能特性：网络、文件、注册表、进程操作
提取IOC：C2地址、文件路径、互斥体名称

Phase 4: Dynamic Analysis

第四阶段：动态分析

1. Environment Setup:
   - Windows VM with common software installed
   - Process Monitor, Wireshark, Regshot
   - API Monitor or x64dbg with logging
   - INetSim or FakeNet for network simulation

2. Execution:
   - Start monitoring tools
   - Execute sample
   - Observe behavior for 5-10 minutes
   - Trigger functionality (connect to network, etc.)

3. Documentation:
   - Network connections attempted
   - Files created/modified
   - Registry changes
   - Processes spawned
   - Persistence mechanisms

1. 环境搭建:
   - 安装常用软件的Windows虚拟机
   - Process Monitor、Wireshark、Regshot
   - API Monitor或带日志功能的x64dbg
   - 用于网络模拟的INetSim或FakeNet

2. 执行分析:
   - 启动监控工具
   - 执行样本
   - 观察5-10分钟行为
   - 触发相关功能（如连接网络等）

3. 记录分析结果:
   - 尝试建立的网络连接
   - 创建/修改的文件
   - 注册表变更
   - 生成的进程
   - 持久化机制

Use this skill when

适用场景

Working on file identification tasks or workflows
Needing guidance, best practices, or checklists for file identification

处理文件识别任务或流程时
需要文件识别相关的指导、最佳实践或检查清单时

Do not use this skill when

不适用场景

The task is unrelated to file identification
You need a different domain or tool outside this scope

任务与文件识别无关时
需要本范围外的其他领域或工具时

Instructions

使用说明

Clarify goals, constraints, and required inputs.
Apply relevant best practices and validate outcomes.
Provide actionable steps and verification.
If detailed examples are required, open
```
resources/implementation-playbook.md
```
.

明确目标、约束条件及所需输入。
应用相关最佳实践并验证结果。
提供可执行步骤及验证方法。
如需详细示例，请打开
```
resources/implementation-playbook.md
```
。

Common Malware Techniques

常见恶意软件技术

Persistence Mechanisms

持久化机制

Registry Run keys       - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks         - schtasks, Task Scheduler
Services               - CreateService, sc.exe
WMI subscriptions      - Event subscriptions for execution
DLL hijacking          - Plant DLLs in search path
COM hijacking          - Registry CLSID modifications
Startup folder         - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Boot records           - MBR/VBR modification

Registry Run keys       - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks         - schtasks, Task Scheduler
Services               - CreateService, sc.exe
WMI subscriptions      - Event subscriptions for execution
DLL hijacking          - Plant DLLs in search path
COM hijacking          - Registry CLSID modifications
Startup folder         - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Boot records           - MBR/VBR modification

Evasion Techniques

规避技术

Anti-VM                - CPUID, registry checks, timing
Anti-debugging         - IsDebuggerPresent, NtQueryInformationProcess
Anti-sandbox           - Sleep acceleration detection, mouse movement
Packing                - UPX, Themida, VMProtect, custom packers
Obfuscation           - String encryption, control flow flattening
Process hollowing      - Inject into legitimate process
Living-off-the-land    - Use built-in tools (PowerShell, certutil)

Anti-VM                - CPUID, registry checks, timing
Anti-debugging         - IsDebuggerPresent, NtQueryInformationProcess
Anti-sandbox           - Sleep acceleration detection, mouse movement
Packing                - UPX, Themida, VMProtect, custom packers
Obfuscation           - String encryption, control flow flattening
Process hollowing      - Inject into legitimate process
Living-off-the-land    - Use built-in tools (PowerShell, certutil)

C2 Communication

C2通信

HTTP/HTTPS            - Web traffic to blend in
DNS tunneling         - Data exfil via DNS queries
Domain generation     - DGA for resilient C2
Fast flux             - Rapidly changing DNS
Tor/I2P               - Anonymity networks
Social media          - Twitter, Pastebin as C2 channels
Cloud services        - Legitimate services as C2

HTTP/HTTPS            - Web traffic to blend in
DNS tunneling         - Data exfil via DNS queries
Domain generation     - DGA for resilient C2
Fast flux             - Rapidly changing DNS
Tor/I2P               - Anonymity networks
Social media          - Twitter, Pastebin as C2 channels
Cloud services        - Legitimate services as C2

Tool Proficiency

工具熟练度

Analysis Platforms

分析平台

Cuckoo Sandbox       - Open-source automated analysis
ANY.RUN              - Interactive cloud sandbox
Hybrid Analysis      - VirusTotal alternative
Joe Sandbox          - Enterprise sandbox solution
CAPE                 - Cuckoo fork with enhancements

Cuckoo Sandbox       - Open-source automated analysis
ANY.RUN              - Interactive cloud sandbox
Hybrid Analysis      - VirusTotal alternative
Joe Sandbox          - Enterprise sandbox solution
CAPE                 - Cuckoo fork with enhancements

Monitoring Tools

监控工具

Process Monitor      - File, registry, process activity
Process Hacker       - Advanced process management
Wireshark            - Network packet capture
API Monitor          - Win32 API call logging
Regshot              - Registry change comparison

Process Monitor      - File, registry, process activity
Process Hacker       - Advanced process management
Wireshark            - Network packet capture
API Monitor          - Win32 API call logging
Regshot              - Registry change comparison

Unpacking Tools

脱壳工具

Unipacker            - Automated unpacking framework
x64dbg + plugins     - Scylla for IAT reconstruction
OllyDumpEx           - Memory dump and rebuild
PE-sieve             - Detect hollowed processes
UPX                  - For UPX-packed samples

Unipacker            - Automated unpacking framework
x64dbg + plugins     - Scylla for IAT reconstruction
OllyDumpEx           - Memory dump and rebuild
PE-sieve             - Detect hollowed processes
UPX                  - For UPX-packed samples

IOC Extraction

IOC提取

Indicators to Extract

需提取的指示器

yaml

Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints

File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names

Registry:
  - Registry keys modified
  - Persistence locations

Process:
  - Process names
  - Command line arguments
  - Injected processes

yaml

Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints

File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names

Registry:
  - Registry keys modified
  - Persistence locations

Process:
  - Process names
  - Command line arguments
  - Injected processes

YARA Rules

YARA规则

yara

rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}

yara

rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}

Reporting Framework

报告框架

Analysis Report Structure

分析报告结构

markdown

undefined

markdown

undefined

Malware Analysis Report

Executive Summary

Sample identification
Key findings
Threat level assessment

Sample identification
Key findings
Threat level assessment

Sample Information

Hashes (MD5, SHA1, SHA256)
File type and size
Compilation timestamp
Packer information

Hashes (MD5, SHA1, SHA256)
File type and size
Compilation timestamp
Packer information

Static Analysis

Imports and exports
Strings of interest
Code analysis findings

Imports and exports
Strings of interest
Code analysis findings

Dynamic Analysis

Execution behavior
Network activity
Persistence mechanisms
Evasion techniques

Execution behavior
Network activity
Persistence mechanisms
Evasion techniques

Indicators of Compromise

Network IOCs
File system IOCs
Registry IOCs

Network IOCs
File system IOCs
Registry IOCs

Recommendations

Detection rules
Mitigation steps
Remediation guidance

undefined

Detection rules
Mitigation steps
Remediation guidance

undefined

Ethical Guidelines

伦理准则

Appropriate Use

合理使用场景

Incident response and forensics
Threat intelligence research
Security product development
Academic research
CTF competitions

事件响应与取证
威胁情报研究
安全产品开发
学术研究
CTF竞赛

Never Assist With

禁止协助的行为

Creating or distributing malware
Attacking systems without authorization
Evading security products maliciously
Building botnets or C2 infrastructure
Any offensive operations without proper authorization

创建或传播恶意软件
未经授权攻击系统
恶意规避安全产品
构建僵尸网络或C2基础设施
任何未经适当授权的攻击性操作

Response Approach

响应流程

Verify context: Ensure defensive/authorized purpose
Assess sample: Quick triage to understand what we're dealing with
Recommend approach: Appropriate analysis methodology
Guide analysis: Step-by-step instructions with safety considerations
Extract value: IOCs, detection rules, understanding
Document findings: Clear reporting for stakeholders

验证场景：确认是防御性/授权场景
样本评估：快速分类以明确样本类型
推荐方案：选择合适的分析方法
指导分析：提供含安全注意事项的分步说明
提炼价值：提取IOC、检测规则及样本认知
记录结果：为相关方提供清晰的报告