‹ 首页

malware-analysis-sandboxing

@masriyan · 收录于 1 周前

Static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification

适合你,如果你需要分析可疑文件并提取威胁情报

/ 下载安装
malware-analysis-sandboxing.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/malware-analysis-sandboxing
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/malware-analysis-sandboxing
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/malware-analysis-sandboxing
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
160GitHub stars
~2.8K最小装载
~6.3K含声明引用
~6.4K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 2c864e3

Malware Analysis & Sandboxing

Purpose

Enable Claude to assist with malware analysis workflows including static analysis of file properties and code, dynamic behavioral analysis interpretation, YARA rule generation, sandbox configuration, and malware family identification. Claude analyzes provided artifacts directly and orchestrates scripts for automated processing.

Safety Warning: Never execute suspicious files outside of isolated, controlled environments. Use dedicated VMs or sandboxes with network isolation and snapshot capability.

Activation Triggers

This skill activates when the user asks about:

  • Analyzing a suspicious file, binary, or script
  • Generating YARA rules for malware detection
  • Setting up a malware analysis sandbox
  • Interpreting Cuckoo/CAPE/AnyRun sandbox reports
  • Identifying malware family or behavior
  • Creating IOCs from malware samples
  • Static analysis of PE/ELF files
  • Memory forensics for malware artifacts
  • Behavioral analysis (process creation, network, registry, file changes)

Prerequisites
pip install yara-python pefile python-magic requests ssdeep

Recommended analysis tools:

  • Cuckoo Sandbox / CAPE — Automated dynamic analysis
  • VirusTotal API — Multi-engine scanning and intel
  • YARA — Pattern matching engine
  • Ghidra / IDA Pro — Deep binary analysis (→ Skill 04)
  • Volatility 3 — Memory forensics
  • DIE (Detect-It-Easy) — Packer/compiler detection
  • Pestudio — Windows PE static analysis

Core Capabilities
1. Static Malware Analysis

When the user provides a suspicious file or hash for analysis:

Claude performs analysis in this order:

Step 1 — File Identification:

file malware.exe              # File type from magic bytes
md5sum malware.exe            # MD5 hash (legacy, for lookups)
sha256sum malware.exe         # SHA-256 (primary identifier)
python scripts/static_analyzer.py --file malware.exe --hashes

Step 2 — Threat Intelligence Lookup:

  • Query VirusTotal (requires API key or paste hash in browser)
  • Check MalwareBazaar, AbuseIPDB, URLhaus
  • Search for existing analysis reports
# VirusTotal hash lookup via API
curl "https://www.virustotal.com/api/v3/files/<sha256>" -H "x-apikey: YOUR_KEY"

Step 3 — PE Analysis (Windows executables):

python scripts/static_analyzer.py --file malware.exe --strings --imports --output report.json

Look for these indicators in the output:

Suspicious Import Functions: | Category | Suspicious APIs | |----------|----------------| | Process Injection | CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, NtMapViewOfSection, RtlCreateUserThread | | Persistence | RegSetValueEx, CreateService, SHFileOperation, ITaskScheduler | | Anti-Analysis | IsDebuggerPresent, CheckRemoteDebuggerPresent, GetTickCount, QueryPerformanceCounter, GetSystemInfo | | Network C2 | InternetOpenUrl, HttpSendRequest, WSAStartup, socket, URLDownloadToFile, WinHttpOpen | | Crypto Operations | CryptEncrypt, CryptDecrypt, BCryptEncrypt, CryptHashData | | Credential Access | SamOpenDatabase, LsaOpenPolicy, NtlmGetUserInfo | | Keylogging | SetWindowsHookEx, GetAsyncKeyState, GetKeyboardState | | Defense Evasion | VirtualProtect, NtSetInformationProcess, Wow64DisableWow64FsRedirection |

Step 4 — String Extraction & Analysis:

strings -a malware.exe | grep -E "(http|ftp|/[a-z]|[0-9]{1,3}\.[0-9]{1,3}|HKEY|reg|cmd|powershell)"

Categorize extracted strings:

  • Network indicators: URLs, IPs, domains, user agents
  • File system: paths, filenames, registry keys
  • Crypto: base64 blobs, hex strings (potential keys/payloads)
  • Anti-analysis: VM/sandbox detection strings (VMware, VirtualBox, Sandboxie)
  • Mutex names: unique identifiers preventing double-infection

Step 5 — Entropy Analysis:

python scripts/static_analyzer.py --file malware.exe --entropy

| Entropy Range | Interpretation | |---------------|---------------| | 0.0 – 1.0 | Near-empty or all-zeros section | | 1.0 – 5.0 | Normal code/data section | | 5.0 – 7.0 | Compressed data or code | | 7.0 – 8.0 | Encrypted or packed data — investigate | | 7.9 – 8.0 | Highly suspicious — likely encrypted payload |

2. YARA Rule Generation

When the user asks to create YARA rules from a sample or indicators:

Claude generates YARA rules following this methodology:

  1. Select stable, unique indicators — Avoid generic patterns; choose bytes/strings unique to this family
  2. Prefer structural patterns — Header magic bytes, specific offsets, section names
  3. Balance specificity vs. coverage — Avoid rules that are too specific (catch only one sample) or too broad (false positives)
  4. Test against benign files — Rule should NOT match clean Windows system files

YARA Rule Templates:

// Tier 1: Specific sample (hash-based)
rule MalwareFamily_Variant_Hash {
    meta:
        author = "Analyst Name"
        date = "2025-05-28"
        description = "Detects [MalwareFamily] [Variant] — specific sample"
        sha256 = "aabbcc..."
        tlp = "GREEN"
        reference = "https://example.com/analysis"
    
    condition:
        hash.sha256(0, filesize) == "aabbcc..."
}

// Tier 2: Family-level detection (behavioral strings)
rule MalwareFamily_Generic {
    meta:
        author = "Analyst Name"
        date = "2025-05-28"
        description = "Detects [MalwareFamily] family by strings and structure"
        tlp = "GREEN"
    
    strings:
        // C2 patterns
        $c2_ua   = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii
        $c2_uri  = "/gate.php?id=" ascii
        
        // Crypto constants
        $rc4_key = { 52 43 34 5F 4B 45 59 }  // "RC4_KEY" hex
        
        // Mutex
        $mutex   = "Global\\MSDTC_MUTEX_" ascii wide
        
        // Registry persistence key
        $reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
        
        // Anti-analysis check
        $vm_check = "VBOX" ascii wide nocase
    
    condition:
        uint16(0) == 0x5A4D and          // MZ header (PE file)
        filesize < 2MB and
        (
            (2 of ($c2_*)) or
            ($mutex and 1 of ($reg_key, $rc4_key))
        )
        and not $vm_check               // Exclude sandbox-aware variants
}

// Tier 3: Network IOC detection (for NIDS integration)
rule MalwareFamily_Network_C2 {
    meta:
        description = "Detects [MalwareFamily] C2 communication patterns"
        type = "network"
    
    strings:
        $beacon_path = "/api/v1/ping?uid=" ascii
        $beacon_ua   = "MalBot/1.0" ascii
        $checkin_hdr = "X-Command-Key: " ascii
    
    condition:
        any of them
}
# Generate YARA rules using the script
python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar
python scripts/yara_generator.py --file single_sample.exe --rule-name "MalwareFamily" --output rule.yar

# Test rules against benign files
yara -r generated_rule.yar /usr/bin/ 2>/dev/null | wc -l  # Should be 0
yara generated_rule.yar malware.exe                         # Should match
3. Dynamic/Behavioral Analysis

When the user provides sandbox analysis output or asks about dynamic analysis:

Interpreting Cuckoo/CAPE Sandbox Reports:

Claude analyzes behavioral reports looking for:

  1. Process Tree Analysis:
  2. Unusual parent-child relationships (Word.exe → PowerShell.exe → cmd.exe)
  3. Process injection indicators (process spawning with different credentials)
  4. Hollowing patterns (legitimate process with suspicious memory)
  1. Network Indicators:
  2. DNS queries: DGA patterns (random-looking domains), fast-flux
  3. HTTP: Unusual user agents, encoded POST data, beaconing intervals
  4. C2 beaconing detection: Regular interval callbacks (check timing consistency)
  1. File System Changes:
  2. Shadow copy deletion: vssadmin delete shadows → ransomware indicator
  3. Startup persistence: \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  4. Dropped secondary payloads in temp directories
  1. Registry Modifications:
  2. Run keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. Service installation: HKLM\SYSTEM\CurrentControlSet\Services\
  4. Security policy changes: Disabling UAC, Windows Defender
  1. MITRE ATT&CK Mapping:

| Observed Behavior | MITRE Technique | |-------------------|----------------| | PowerShell download cradle | T1059.001 — PowerShell | | cmd /c vssadmin delete shadows | T1490 — Inhibit System Recovery | | Registry Run key persistence | T1547.001 — Registry Run Keys | | CreateRemoteThread injection | T1055.001 — DLL Injection | | Scheduled task creation | T1053.005 — Scheduled Task | | netsh advfirewall set allprofiles state off | T1562.004 — Disable Host Firewall | | UAC bypass (fodhelper.exe) | T1548.002 — Bypass UAC | | LSASS memory access | T1003.001 — LSASS Memory |

4. Malware Family Classification

When the user asks to identify or classify a malware sample:

Classification by behavioral patterns:

| Family Indicators | Likely Family Category | |------------------|----------------------| | Shadow copies deleted + file encryption + ransom note | Ransomware | | Regular HTTP beaconing + command execution + lateral movement | RAT/Botnet | | Browser credential theft + banking overlay | Banking Trojan | | Keylogging + screenshot capture + data exfiltration | Spyware/Infostealer | | Process hollowing + covert persistence | Rootkit/Backdoor | | Cryptocurrency mining process spawning | Cryptominer | | Worm propagation via network shares | Worm | | Document with macro downloading payload | Dropper/Downloader |

Similarity analysis:

# SSDeep fuzzy hash comparison
ssdeep -l malware.exe > hash.txt
ssdeep -m hash.txt similar_sample.exe
# Similarity > 70% → likely same family/variant
5. Sandbox Environment Setup

When the user asks to set up a malware analysis environment:

Minimum isolation requirements:

  1. Dedicated VM (VirtualBox, VMware, KVM) — NEVER use your main machine
  2. Host-only or isolated network adapter (NO internet access by default)
  3. Snapshot before analysis — restore after each sample
  4. Disable shared folders and clipboard (data exfiltration prevention)

Recommended sandbox stack:

Analysis VM (Windows 10/11 or Ubuntu):
├── FakeNet-NG or INetSim — Simulate network services
├── Wireshark — Capture network traffic
├── ProcessMonitor (Windows) / strace (Linux) — Monitor syscalls
├── Regshot (Windows) — Compare registry before/after
├── Autoruns (Windows) — Monitor persistence locations
└── Cuckoo/CAPE Agent — Automated collection

Network Layer:
└── Host-only adapter → no real internet → INetSim captures C2 attempts

Anti-anti-VM measures:

  • Install VMware Tools (some malware checks for missing tools)
  • Set reasonable RAM (4GB+) and CPU count (2+)
  • Add some benign user files and browser history
  • Set realistic screen resolution (1920x1080)
  • Remove obvious VM artifacts (registry keys, device names)

IOC Extraction & Output Format

For every analyzed sample, produce:

## Malware Analysis Report — [Sample Name]

**Hashes:**
- MD5:    [hash]
- SHA1:   [hash]
- SHA256: [hash]
- SSDeep: [fuzzy hash]

**Classification:** [Ransomware / RAT / Infostealer / etc.]
**Confidence:** [High / Medium / Low]
**Family:** [Family Name, if identified]
**First Seen:** [Date from TI sources]

**Network IOCs:**
- IPs: [list]
- Domains: [list]
- URLs: [list]
- User-Agent: [string]

**Host IOCs:**
- File Paths: [list]
- Registry Keys: [list]
- Mutex Names: [list]
- Services: [list]

**MITRE ATT&CK Mapping:**
- [Tactic]: [Technique ID] — [Technique Name]

**YARA Rules:** [Attached]
**Sigma Rules:** [Attached, for Skill 12]

Script Reference
static_analyzer.py
python scripts/static_analyzer.py --file malware.exe --output report.json
python scripts/static_analyzer.py --file sample.dll --hashes --strings --imports --entropy
yara_generator.py
python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar
python scripts/yara_generator.py --file single_sample.exe --rule-name "MyMalware" --output rule.yar

Skill Integration

| Condition | Adjacent Skill | |-----------|---------------| | Needs deeper disassembly | → Skill 04 (Reverse Engineering) | | IOCs ready for environment-wide hunting | → Skill 06 (Threat Hunting) | | Malware collected during IR | ← Skill 07 (Incident Response) | | Create detection signatures | → Skill 15 (Blue Team Defense) |


References

v3.0 Enhancements (2026 Update)

Aligned to the current threat landscape:

  • Dominant families/TTPs (2025-26) — infostealers (Lumma, Redline-successors), loaders (initial-access brokers), and ransomware affiliates; Linux/ESXi ransomware; cross-platform Go/Rust payloads.
  • EDR evasion & BYOVD — detect Bring-Your-Own-Vulnerable-Driver, EDR-killer tooling, direct/indirect syscalls, unhooking, and AMSI/ETW patching.
  • Fileless / memory-only — prioritize memory forensics (→ Skill 07); hunt LOLBins (rundll32, mshta, regsvr32, msbuild) and PowerShell/.NET reflective loads.
  • Config extraction — pull C2 config from common families (decode strings/keys, dump beacon profiles) and emit IOCs as STIX/CSV for Skill 06.
  • AI-generated malware — watch for high-variability, low-shared-code samples; rely on behavioral + YARA-on-behavior rather than hash matching.
  • Detonation services — pivot via MalwareBazaar, Triage, and Hybrid Analysis for family attribution before local detonation.

Safety rule: detonate only in an isolated, snapshot-restored VM with no production network reachability; document the sandbox config in the report.

按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。