malware-analysis-sandboxing
Static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification
适合你,如果你需要分析可疑文件并提取威胁情报
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/malware-analysis-sandboxingcurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/malware-analysis-sandboxingnpx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/malware-analysis-sandboxing怎么用
技能原文 SKILL.md
Malware Analysis & Sandboxing
Purpose
Enable Claude to assist with malware analysis workflows including static analysis of file properties and code, dynamic behavioral analysis interpretation, YARA rule generation, sandbox configuration, and malware family identification. Claude analyzes provided artifacts directly and orchestrates scripts for automated processing.
Safety Warning: Never execute suspicious files outside of isolated, controlled environments. Use dedicated VMs or sandboxes with network isolation and snapshot capability.
Activation Triggers
This skill activates when the user asks about:
- Analyzing a suspicious file, binary, or script
- Generating YARA rules for malware detection
- Setting up a malware analysis sandbox
- Interpreting Cuckoo/CAPE/AnyRun sandbox reports
- Identifying malware family or behavior
- Creating IOCs from malware samples
- Static analysis of PE/ELF files
- Memory forensics for malware artifacts
- Behavioral analysis (process creation, network, registry, file changes)
Prerequisites
pip install yara-python pefile python-magic requests ssdeep
Recommended analysis tools:
Cuckoo Sandbox / CAPE— Automated dynamic analysisVirusTotal API— Multi-engine scanning and intelYARA— Pattern matching engineGhidra / IDA Pro— Deep binary analysis (→ Skill 04)Volatility 3— Memory forensicsDIE (Detect-It-Easy)— Packer/compiler detectionPestudio— Windows PE static analysis
Core Capabilities
1. Static Malware Analysis
When the user provides a suspicious file or hash for analysis:
Claude performs analysis in this order:
Step 1 — File Identification:
file malware.exe # File type from magic bytes md5sum malware.exe # MD5 hash (legacy, for lookups) sha256sum malware.exe # SHA-256 (primary identifier) python scripts/static_analyzer.py --file malware.exe --hashes
Step 2 — Threat Intelligence Lookup:
- Query VirusTotal (requires API key or paste hash in browser)
- Check MalwareBazaar, AbuseIPDB, URLhaus
- Search for existing analysis reports
# VirusTotal hash lookup via API curl "https://www.virustotal.com/api/v3/files/<sha256>" -H "x-apikey: YOUR_KEY"
Step 3 — PE Analysis (Windows executables):
python scripts/static_analyzer.py --file malware.exe --strings --imports --output report.json
Look for these indicators in the output:
Suspicious Import Functions: | Category | Suspicious APIs | |----------|----------------| | Process Injection | CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, NtMapViewOfSection, RtlCreateUserThread | | Persistence | RegSetValueEx, CreateService, SHFileOperation, ITaskScheduler | | Anti-Analysis | IsDebuggerPresent, CheckRemoteDebuggerPresent, GetTickCount, QueryPerformanceCounter, GetSystemInfo | | Network C2 | InternetOpenUrl, HttpSendRequest, WSAStartup, socket, URLDownloadToFile, WinHttpOpen | | Crypto Operations | CryptEncrypt, CryptDecrypt, BCryptEncrypt, CryptHashData | | Credential Access | SamOpenDatabase, LsaOpenPolicy, NtlmGetUserInfo | | Keylogging | SetWindowsHookEx, GetAsyncKeyState, GetKeyboardState | | Defense Evasion | VirtualProtect, NtSetInformationProcess, Wow64DisableWow64FsRedirection |
Step 4 — String Extraction & Analysis:
strings -a malware.exe | grep -E "(http|ftp|/[a-z]|[0-9]{1,3}\.[0-9]{1,3}|HKEY|reg|cmd|powershell)"
Categorize extracted strings:
- Network indicators: URLs, IPs, domains, user agents
- File system: paths, filenames, registry keys
- Crypto: base64 blobs, hex strings (potential keys/payloads)
- Anti-analysis: VM/sandbox detection strings (VMware, VirtualBox, Sandboxie)
- Mutex names: unique identifiers preventing double-infection
Step 5 — Entropy Analysis:
python scripts/static_analyzer.py --file malware.exe --entropy
| Entropy Range | Interpretation | |---------------|---------------| | 0.0 – 1.0 | Near-empty or all-zeros section | | 1.0 – 5.0 | Normal code/data section | | 5.0 – 7.0 | Compressed data or code | | 7.0 – 8.0 | Encrypted or packed data — investigate | | 7.9 – 8.0 | Highly suspicious — likely encrypted payload |
2. YARA Rule Generation
When the user asks to create YARA rules from a sample or indicators:
Claude generates YARA rules following this methodology:
- Select stable, unique indicators — Avoid generic patterns; choose bytes/strings unique to this family
- Prefer structural patterns — Header magic bytes, specific offsets, section names
- Balance specificity vs. coverage — Avoid rules that are too specific (catch only one sample) or too broad (false positives)
- Test against benign files — Rule should NOT match clean Windows system files
YARA Rule Templates:
// Tier 1: Specific sample (hash-based)
rule MalwareFamily_Variant_Hash {
meta:
author = "Analyst Name"
date = "2025-05-28"
description = "Detects [MalwareFamily] [Variant] — specific sample"
sha256 = "aabbcc..."
tlp = "GREEN"
reference = "https://example.com/analysis"
condition:
hash.sha256(0, filesize) == "aabbcc..."
}
// Tier 2: Family-level detection (behavioral strings)
rule MalwareFamily_Generic {
meta:
author = "Analyst Name"
date = "2025-05-28"
description = "Detects [MalwareFamily] family by strings and structure"
tlp = "GREEN"
strings:
// C2 patterns
$c2_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii
$c2_uri = "/gate.php?id=" ascii
// Crypto constants
$rc4_key = { 52 43 34 5F 4B 45 59 } // "RC4_KEY" hex
// Mutex
$mutex = "Global\\MSDTC_MUTEX_" ascii wide
// Registry persistence key
$reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
// Anti-analysis check
$vm_check = "VBOX" ascii wide nocase
condition:
uint16(0) == 0x5A4D and // MZ header (PE file)
filesize < 2MB and
(
(2 of ($c2_*)) or
($mutex and 1 of ($reg_key, $rc4_key))
)
and not $vm_check // Exclude sandbox-aware variants
}
// Tier 3: Network IOC detection (for NIDS integration)
rule MalwareFamily_Network_C2 {
meta:
description = "Detects [MalwareFamily] C2 communication patterns"
type = "network"
strings:
$beacon_path = "/api/v1/ping?uid=" ascii
$beacon_ua = "MalBot/1.0" ascii
$checkin_hdr = "X-Command-Key: " ascii
condition:
any of them
}
# Generate YARA rules using the script python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar python scripts/yara_generator.py --file single_sample.exe --rule-name "MalwareFamily" --output rule.yar # Test rules against benign files yara -r generated_rule.yar /usr/bin/ 2>/dev/null | wc -l # Should be 0 yara generated_rule.yar malware.exe # Should match
3. Dynamic/Behavioral Analysis
When the user provides sandbox analysis output or asks about dynamic analysis:
Interpreting Cuckoo/CAPE Sandbox Reports:
Claude analyzes behavioral reports looking for:
- Process Tree Analysis:
- Unusual parent-child relationships (Word.exe → PowerShell.exe → cmd.exe)
- Process injection indicators (process spawning with different credentials)
- Hollowing patterns (legitimate process with suspicious memory)
- Network Indicators:
- DNS queries: DGA patterns (random-looking domains), fast-flux
- HTTP: Unusual user agents, encoded POST data, beaconing intervals
- C2 beaconing detection: Regular interval callbacks (check timing consistency)
- File System Changes:
- Shadow copy deletion:
vssadmin delete shadows→ ransomware indicator - Startup persistence:
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ - Dropped secondary payloads in temp directories
- Registry Modifications:
- Run keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Service installation:
HKLM\SYSTEM\CurrentControlSet\Services\ - Security policy changes: Disabling UAC, Windows Defender
- MITRE ATT&CK Mapping:
| Observed Behavior | MITRE Technique | |-------------------|----------------| | PowerShell download cradle | T1059.001 — PowerShell | | cmd /c vssadmin delete shadows | T1490 — Inhibit System Recovery | | Registry Run key persistence | T1547.001 — Registry Run Keys | | CreateRemoteThread injection | T1055.001 — DLL Injection | | Scheduled task creation | T1053.005 — Scheduled Task | | netsh advfirewall set allprofiles state off | T1562.004 — Disable Host Firewall | | UAC bypass (fodhelper.exe) | T1548.002 — Bypass UAC | | LSASS memory access | T1003.001 — LSASS Memory |
4. Malware Family Classification
When the user asks to identify or classify a malware sample:
Classification by behavioral patterns:
| Family Indicators | Likely Family Category | |------------------|----------------------| | Shadow copies deleted + file encryption + ransom note | Ransomware | | Regular HTTP beaconing + command execution + lateral movement | RAT/Botnet | | Browser credential theft + banking overlay | Banking Trojan | | Keylogging + screenshot capture + data exfiltration | Spyware/Infostealer | | Process hollowing + covert persistence | Rootkit/Backdoor | | Cryptocurrency mining process spawning | Cryptominer | | Worm propagation via network shares | Worm | | Document with macro downloading payload | Dropper/Downloader |
Similarity analysis:
# SSDeep fuzzy hash comparison ssdeep -l malware.exe > hash.txt ssdeep -m hash.txt similar_sample.exe # Similarity > 70% → likely same family/variant
5. Sandbox Environment Setup
When the user asks to set up a malware analysis environment:
Minimum isolation requirements:
- Dedicated VM (VirtualBox, VMware, KVM) — NEVER use your main machine
- Host-only or isolated network adapter (NO internet access by default)
- Snapshot before analysis — restore after each sample
- Disable shared folders and clipboard (data exfiltration prevention)
Recommended sandbox stack:
Analysis VM (Windows 10/11 or Ubuntu): ├── FakeNet-NG or INetSim — Simulate network services ├── Wireshark — Capture network traffic ├── ProcessMonitor (Windows) / strace (Linux) — Monitor syscalls ├── Regshot (Windows) — Compare registry before/after ├── Autoruns (Windows) — Monitor persistence locations └── Cuckoo/CAPE Agent — Automated collection Network Layer: └── Host-only adapter → no real internet → INetSim captures C2 attempts
Anti-anti-VM measures:
- Install VMware Tools (some malware checks for missing tools)
- Set reasonable RAM (4GB+) and CPU count (2+)
- Add some benign user files and browser history
- Set realistic screen resolution (1920x1080)
- Remove obvious VM artifacts (registry keys, device names)
IOC Extraction & Output Format
For every analyzed sample, produce:
## Malware Analysis Report — [Sample Name] **Hashes:** - MD5: [hash] - SHA1: [hash] - SHA256: [hash] - SSDeep: [fuzzy hash] **Classification:** [Ransomware / RAT / Infostealer / etc.] **Confidence:** [High / Medium / Low] **Family:** [Family Name, if identified] **First Seen:** [Date from TI sources] **Network IOCs:** - IPs: [list] - Domains: [list] - URLs: [list] - User-Agent: [string] **Host IOCs:** - File Paths: [list] - Registry Keys: [list] - Mutex Names: [list] - Services: [list] **MITRE ATT&CK Mapping:** - [Tactic]: [Technique ID] — [Technique Name] **YARA Rules:** [Attached] **Sigma Rules:** [Attached, for Skill 12]
Script Reference
static_analyzer.py
python scripts/static_analyzer.py --file malware.exe --output report.json python scripts/static_analyzer.py --file sample.dll --hashes --strings --imports --entropy
yara_generator.py
python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar python scripts/yara_generator.py --file single_sample.exe --rule-name "MyMalware" --output rule.yar
Skill Integration
| Condition | Adjacent Skill | |-----------|---------------| | Needs deeper disassembly | → Skill 04 (Reverse Engineering) | | IOCs ready for environment-wide hunting | → Skill 06 (Threat Hunting) | | Malware collected during IR | ← Skill 07 (Incident Response) | | Create detection signatures | → Skill 15 (Blue Team Defense) |
References
- YARA Documentation
- MITRE ATT&CK Framework
- MalwareBazaar
- VirusTotal
- Cuckoo Sandbox Docs
- CAPE Sandbox
- Practical Malware Analysis (Book)
- vx-underground Sample Archive
v3.0 Enhancements (2026 Update)
Aligned to the current threat landscape:
- Dominant families/TTPs (2025-26) — infostealers (Lumma, Redline-successors), loaders (initial-access brokers), and ransomware affiliates; Linux/ESXi ransomware; cross-platform Go/Rust payloads.
- EDR evasion & BYOVD — detect Bring-Your-Own-Vulnerable-Driver, EDR-killer tooling, direct/indirect syscalls, unhooking, and AMSI/ETW patching.
- Fileless / memory-only — prioritize memory forensics (→ Skill 07); hunt LOLBins (
rundll32,mshta,regsvr32,msbuild) and PowerShell/.NETreflective loads. - Config extraction — pull C2 config from common families (decode strings/keys, dump beacon profiles) and emit IOCs as STIX/CSV for Skill 06.
- AI-generated malware — watch for high-variability, low-shared-code samples; rely on behavioral + YARA-on-behavior rather than hash matching.
- Detonation services — pivot via MalwareBazaar, Triage, and Hybrid Analysis for family attribution before local detonation.
Safety rule: detonate only in an isolated, snapshot-restored VM with no production network reachability; document the sandbox config in the report.