‹ 首页

malware-triage

@gl0bal01 · 收录于 1 周前

Rapid assessment, classification, and prioritization of malware samples. Use when you need to perform initial malware assessment, classify a sample's type and family, determine analysis priority, identify quick indicators, or decide on next analysis steps.

适合你,如果需要快速分类和研判恶意软件样本

/ 下载安装
malware-triage.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add gl0bal01/malware-analysis-claude-skills/malware-triage
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- gl0bal01/malware-analysis-claude-skills/malware-triage
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify gl0bal01/malware-analysis-claude-skills/malware-triage
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
42GitHub stars
~3K最小装载
~6.9K含声明引用
~6.9K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 09f91e4

Malware Triage

Systematic workflow for rapid malware assessment, classification, and prioritization for professional malware analysis and enterprise security operations.

When to Use This Skill

Use this skill when the user needs to:

  • Perform initial assessment of malware samples
  • Quickly classify and prioritize samples
  • Identify key indicators without deep analysis
  • Decide whether to proceed with full analysis
  • Triage multiple samples efficiently
  • Create initial findings summary
  • Predict malware behaviors before dynamic analysis
Overview

Triage is the critical first phase of malware analysis that:

  1. Quickly identifies key characteristics
  2. Classifies malware type and threat level
  3. Determines analysis priority
  4. Predicts behaviors to guide deeper analysis
  5. Extracts immediate IOCs

Goal: Make informed decisions about analysis approach within 5-30 minutes per sample.

Triage Workflow
Phase 1: Basic Information Gathering (5 minutes)

Calculate Hashes:

python scripts/hash_calculator.py sample.exe

Document:

  • MD5, SHA1, SHA256
  • Original filename
  • File size
  • File type (PE32/PE64/Script/Document)

Check Online Reputation:

  • VirusTotal (virustotal.com)
  • MalwareBazaar (bazaar.abuse.ch)
  • Hybrid Analysis
  • Any.Run

Record:

  • Detection rate
  • Known family name (if identified)
  • Previous submission dates
  • Community comments
Phase 2: Quick Static Analysis (10 minutes)

For PE Files:

  1. Check packing/obfuscation
  2. Use Detect It Easy (DIE) or PEiD
  3. Check entropy (>7.0 = likely packed)
  4. Document packer name if identified
  1. Examine PE structure
  2. Compilation timestamp
  3. Section names and characteristics
  4. Digital signature status
  5. Entry point location
  6. Overlay data presence
  1. Review import table
  2. See references/indicators.md for suspicious APIs
  3. Note process injection functions
  4. Note network functions
  5. Note anti-analysis functions
  1. Extract strings
  2. URLs and IP addresses
  3. File paths
  4. Registry keys
  5. Mutex names
  6. Error messages
  7. Email addresses

For Scripts (PowerShell, VBS, JavaScript):

  1. Check obfuscation level
  2. Look for Base64/hex encoding
  3. Identify download/execute patterns
  4. Extract URLs and IPs
  5. Check for embedded payloads

For Office Documents:

  1. Check for macros
  2. Examine OLE streams
  3. Look for external references
  4. Check metadata
  5. Identify exploit indicators
Packed Sample Handling

When a sample is packed or protected, static analysis yields limited results. Identify and document packing before proceeding.

Identify Packing:

  • Entropy analysis — Overall entropy >7.0 or individual sections with entropy >6.8 strongly indicate packing or encryption
  • Import table — Very few imports, or imports limited to LoadLibrary / GetProcAddress / VirtualAlloc / VirtualProtect (runtime loading pattern)
  • Section names — Known packer section names: UPX0, UPX1, UPX2 (UPX); .themida, .winlicence (Themida/WinLicense); .vmp0, .vmp1 (VMProtect); .aspack (ASPack); .MPRESS1, .MPRESS2 (MPRESS)
  • Section characteristics — Executable sections with no readable strings, or a single large section combining code and data
  • PE anomalies — Entry point outside the first section, missing standard sections (.text, .data, .rsrc), or unusually small code section

Common Packers and Indicators:

| Packer | Key Indicators | Reversible? | |--------|----------------|-------------| | UPX | UPX0/UPX1 sections, high entropy, UPX! magic in overlay | Yes — upx -d sample.exe | | Themida / WinLicense | .themida section, virtualized code, anti-debug tricks, large protected section | No — dynamic analysis required | | VMProtect | .vmp0/.vmp1 sections, custom VM bytecode, heavy anti-tamper | No — dynamic analysis required | | ASPack | .aspack section, low import count, aSPack string in binary | Partially — tools available | | MPRESS | .MPRESS1/.MPRESS2 sections, LZMA compression | Partially — tools available | | Enigma Protector | .enigma1/.enigma2 sections, license-check stubs | No — dynamic analysis required | | Custom packer | Unknown section names, high entropy, minimal imports, no recognizable signature | No — dynamic analysis required |

What to Do When Packing is Detected:

  1. Document packing in triage findings — Note the packer name (if identified), entropy values per section, and import count
  2. Attempt UPX unpacking if applicable: ```bash upx -d packed_sample.exe -o unpacked_sample.exe # Verify unpacking succeeded python scripts/hash_calculator.py unpacked_sample.exe ```
  3. Record both packed and unpacked hashes — The packed hash is the delivery artifact; the unpacked hash may match known malware families
  4. Re-run static analysis on the unpacked sample — Import table and strings will be significantly richer
  5. Flag for dynamic analysis — For non-UPX packers, the sample must unpack itself in a sandbox; document this as the recommended next step
  6. Note sophistication level — Commercial protectors (Themida, VMProtect, Enigma) indicate higher-sophistication threats; custom packers indicate APT-level development

Tools for Packer Detection:

  • Detect It Easy (DIE) — Primary tool; identifies 300+ packers and compilers by signature, shows per-section entropy
  • PEiD — Signature-based packer detection (older but widely referenced signatures)
  • pestudio — PE analysis with packer detection and entropy visualization
  • ExeinfoPE — Additional packer signatures, useful when DIE is inconclusive

Triage Report Updates for Packed Samples:

  • Set Packed: Yes - [Packer name or "Unknown packer"] in the File Information section
  • Add entropy values per section under PE Analysis
  • If unpacked: record unpacked SHA256 and note unpacking method
  • Set Sophistication to at minimum Moderate for known packers, Advanced for commercial protectors, Advanced/APT for custom packers
  • Add "Requires dynamic analysis for full static indicators" to Next Steps if not UPX-unpacked
Phase 3: Classification (5 minutes)

Determine Malware Type: Consult references/indicators.md for patterns.

Common types:

  • Trojan/RAT - Remote access, C2 communication
  • Ransomware - File encryption, ransom demands
  • Infostealer - Credential theft, browser data
  • Dropper/Loader - Delivers additional payloads
  • Cryptominer - Cryptocurrency mining
  • Backdoor - Persistent remote access
  • Worm - Self-propagating

Assess Threat Level:

  • Critical - Destructive, ransomware, APT
  • High - Data theft, full system compromise
  • Medium - Limited capabilities, targeted
  • Low - Minimal impact, commodity malware

Evaluate Sophistication:

  • Simple - Basic functionality, no obfuscation
  • Moderate - Some protection, standard techniques
  • Advanced - Heavy obfuscation, anti-analysis
  • APT-level - Custom, targeted, advanced evasion
Phase 4: Behavior Prediction (5 minutes)

Based on static indicators, predict:

Process Activity:

  • Will it create child processes?
  • Process injection expected?
  • Which processes targeted?

File System:

  • Files likely to be created (paths)
  • Files likely to be modified
  • Files likely to be deleted

Registry:

  • Persistence keys likely to be used
  • Configuration storage locations
  • System modifications expected

Network:

  • C2 communication expected?
  • Protocol (HTTP/HTTPS/Raw TCP/IRC/DNS)
  • Beacon interval pattern
  • Data exfiltration likely?

Persistence:

  • Mechanism (Run key/Service/Task/Startup)
  • Location and method
Phase 5: Priority and Decision (5 minutes)

Determine Priority:

Immediate (analyze now):

  • Unknown samples unclear threat
  • Active incident-related
  • Destructive capabilities
  • APT/targeted indicators
  • Recent threat intel matches

Standard (normal queue):

  • Known variant
  • Commodity malware
  • Clear signatures available
  • Historical/research samples

Low (defer if needed):

  • Clearly identified common malware
  • Adware/PUP minimal impact
  • Old/outdated samples
  • Likely false positives

Analysis Decision:

Proceed with full analysis if:

  • Unknown/new sample
  • Need behavioral confirmation
  • Creating signatures required
  • Investigating specific functionality

Quick report if:

  • Known malware with existing docs
  • Time-constrained triage
  • Clear identification from reputation check
Triage Report Template

Use this format to document findings:

## Malware Triage Report

**Sample:** [filename]
**Date:** [date]
**Analyst:** [name]

### File Information
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **Size:** [bytes]
- **Type:** [PE32/PE64/Script/etc]
- **Packed:** [Yes/No - Packer name]

### Online Reputation
- **VirusTotal:** [XX/YY detections - Link]
- **Known Family:** [Family name or Unknown]
- **First Seen:** [Date or Unknown]

### Static Indicators

**PE Analysis:**
- Compilation Date: [date]
- Digital Signature: [Valid/Invalid/None]
- Sections: [names and entropy]
- Entry Point: [location]

**Suspicious Imports:**
- [DLL]: [Function, Function, ...]
- [Key: Process injection, Network, Anti-analysis]

**Notable Strings:**
- URLs: [list]
- IPs: [list]
- Paths: [list]
- Registry: [list]
- Mutex: [name if found]

### Classification

**Type:** [Trojan/Ransomware/Infostealer/etc]
**Threat Level:** [Critical/High/Medium/Low]
**Sophistication:** [Simple/Moderate/Advanced/APT]

**Primary Capabilities:**
- [Capability 1]
- [Capability 2]
- [Capability 3]

### Predicted Behaviors

**Process Activity:**
- [Expected behavior]

**File System:**
- [Expected modifications]

**Registry:**
- [Expected changes]

**Network:**
- [Expected communication]

**Persistence:**
- [Expected mechanism]

### Initial IOCs

**File Indicators:**
- Hashes listed above
- [Additional file indicators]

**Network Indicators:**
- [IPs from strings]
- [Domains from strings]

**Host Indicators:**
- [Registry keys]
- [File paths]
- [Mutex names]

### Recommendation

**Priority:** [Immediate/Standard/Low]

**Next Steps:**
1. [Action 1 - e.g., Proceed with full dynamic analysis]
2. [Action 2 - e.g., Create YARA rule]
3. [Action 3 - e.g., Search network for IOCs]

**Analysis Approach:**
[Full analysis / Behavioral confirmation / Quick signature creation]

**Estimated Time:** [time estimate for full analysis]
Time Management
Professional Analysis Context

When analyzing multiple samples, efficient triage is critical:

Quick Triage (5 min/sample):

  • Hashes + VirusTotal
  • Basic file info
  • Quick priority decision

Standard Triage (15 min/sample):

  • Above + imports analysis
  • String extraction
  • Classification
  • Behavior prediction

Comprehensive Triage (30 min/sample):

  • Above + detailed documentation
  • Initial IOC list
  • Full prediction writeup
  • YARA concept notes

Strategy:

  • Quick triage ALL samples first
  • Prioritize based on findings
  • Comprehensive triage high-priority samples
  • Defer or quick-report low-priority samples
Key References
Suspicious Indicators

See references/indicators.md for comprehensive lists of:

  • Suspicious API imports by category
  • Common string patterns
  • Behavioral indicators
  • Packer signatures
  • Red flags by file type
  • Quick classification patterns
Detailed Checklist

See references/triage_checklist.md for:

  • Complete step-by-step checklist
  • Decision tree guidance
  • Dynamic analysis go/no-go criteria
  • Common pitfalls to avoid
  • Tools quick reference
Tools and Scripts
Hash Calculator
# Run from the malware-triage/ directory:
python scripts/hash_calculator.py <sample_path>

# Or from the repo root:
python malware-triage/scripts/hash_calculator.py <sample_path>

Quickly calculates all three hashes (MD5, SHA1, SHA256) for documentation.

Recommended External Tools

Static Analysis:

  • Detect It Easy (DIE) - Packer detection
  • PEStudio - PE analysis
  • strings / FLOSS - String extraction
  • HxD - Hex editor
  • CFF Explorer - PE structure

Online Services:

  • VirusTotal - Multi-engine scanning
  • MalwareBazaar - Sample database
  • Hybrid Analysis - Automated analysis
  • Any.Run - Interactive sandbox
Best Practices
Do:
  • Always calculate all three hashes immediately
  • Check multiple reputation sources
  • Document findings as you discover them
  • Use checklists to ensure completeness
  • Consider false positive possibilities
  • Predict behaviors before dynamic analysis
  • Prioritize samples logically
Don't:
  • Skip basic file information
  • Rely solely on VirusTotal results
  • Assume packing means malicious
  • Execute without proper isolation
  • Trust timestamps (easily forged)
  • Ignore negative findings
  • Rush classification decisions
Efficiency Tips:
  1. Have tools ready and scripts prepared
  2. Use templates for documentation
  3. Automate hash calculation
  4. Keep a reference of common indicators
  5. Build up a personal knowledge base
  6. Take notes during, not after
  7. Use multiple monitors if possible
Common Triage Scenarios
Scenario 1: Unknown Executable
  1. Calculate hashes → not found online
  2. Check packing → heavily packed
  3. Review imports → suspicious injection/network APIs
  4. Classification → likely trojan/RAT
  5. Decision → Full analysis required
Scenario 2: Suspicious Document
  1. Calculate hashes → 0 detections
  2. Check macros → obfuscated VBA
  3. Extract strings → download URLs found
  4. Classification → dropper via macro
  5. Decision → Dynamic analysis of macro behavior
Scenario 3: Known Malware Variant
  1. Calculate hashes → 50+ detections, identified as Emotet
  2. Review VirusTotal → well-documented
  3. Quick checks → confirms expected indicators
  4. Classification → confirmed Emotet variant
  5. Decision → Quick report, no deep analysis needed
Integration with Full Analysis

Triage findings guide the full analysis:

Use predictions to:

  • Know what to monitor during dynamic analysis
  • Set up appropriate monitoring tools
  • Focus on predicted areas first
  • Validate or refute hypotheses

Triage report becomes:

  • Introduction section of full report
  • Hypothesis to test during analysis
  • Quick reference during investigation
  • Foundation for IOC development
Quality Checklist

Before concluding triage:

  • [ ] All three hashes calculated and verified
  • [ ] Online reputation checked (at least VirusTotal)
  • [ ] File type and basic info documented
  • [ ] Packing status determined
  • [ ] Key imports identified
  • [ ] Notable strings extracted
  • [ ] Classification assigned with reasoning
  • [ ] Threat level assessed
  • [ ] Behaviors predicted
  • [ ] Priority determined
  • [ ] Next steps documented
  • [ ] Initial IOCs listed
  • [ ] Findings clearly documented
Example Usage

User request: "I have a suspicious .exe file, help me triage it"

Workflow:

  1. Guide user to calculate hashes
  2. Check online reputation together
  3. Examine PE structure and imports
  4. Extract and review strings
  5. Classify based on indicators
  6. Predict behaviors
  7. Recommend next steps
  8. Create triage report
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。