firefrost-gaming/antigravity-skills-reference
3
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
c1a7013994785b2f55dd9da1702071d7dd9bb5bf
antigravity-skills-reference/skills/malware-analyst/SKILL.md
Ares 4a5f1234bb fix: harden registry tooling, make tests hermetic, and restore metadata consistency (#168) 
* chore: upgrade maintenance scripts to robust PyYAML parsing

- Replaces fragile regex frontmatter parsing with PyYAML/yaml library
- Ensures multi-line descriptions and complex characters are handled safely
- Normalizes quoting and field ordering across all maintenance scripts
- Updates validator to strictly enforce description quality

* fix: restore and refine truncated skill descriptions

- Recovered 223+ truncated descriptions from git history (6.5.0 regression)
- Refined long descriptions into concise, complete sentences (<200 chars)
- Added missing descriptions for brainstorming and orchestration skills
- Manually fixed imagen skill description
- Resolved dangling links in competitor-alternatives skill

* chore: sync generated registry files and document fixes

- Regenerated skills index with normalized forward-slash paths
- Updated README and CATALOG to reflect restored descriptions
- Documented restoration and script improvements in CHANGELOG.md

* fix: restore missing skill and align metadata for full 955 count

- Renamed SKILL.MD to SKILL.md in andruia-skill-smith to ensure indexing
- Fixed risk level and missing section in andruia-skill-smith
- Synchronized all registry files for final 955 skill count

* chore(scripts): add cross-platform runners and hermetic test orchestration

* fix(scripts): harden utf-8 output and clone target writeability

* fix(skills): add missing date metadata for strict validation

* chore(index): sync generated metadata dates

* fix(catalog): normalize skill paths to prevent CI drift

* chore: sync generated registry files

* fix: enforce LF line endings for generated registry files
2026-03-01 09:38:25 +01:00

245 lines
6.3 KiB
Markdown
Raw Blame History

---
name: malware-analyst
description: Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
risk: unknown
source: community
date_added: '2026-02-27'
---
# File identification
file sample.exe
sha256sum sample.exe
# String extraction
strings -a sample.exe | head -100
FLOSS sample.exe # Obfuscated strings
# Packer detection
diec sample.exe # Detect It Easy
exeinfope sample.exe
# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe
```
### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names
### Phase 4: Dynamic Analysis
```
1. Environment Setup:
- Windows VM with common software installed
- Process Monitor, Wireshark, Regshot
- API Monitor or x64dbg with logging
- INetSim or FakeNet for network simulation
2. Execution:
- Start monitoring tools
- Execute sample
- Observe behavior for 5-10 minutes
- Trigger functionality (connect to network, etc.)
3. Documentation:
- Network connections attempted
- Files created/modified
- Registry changes
- Processes spawned
- Persistence mechanisms
```
## Use this skill when
- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification
## Do not use this skill when
- The task is unrelated to file identification
- You need a different domain or tool outside this scope
## Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.
## Common Malware Techniques
### Persistence Mechanisms
```
Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks - schtasks, Task Scheduler
Services - CreateService, sc.exe
WMI subscriptions - Event subscriptions for execution
DLL hijacking - Plant DLLs in search path
COM hijacking - Registry CLSID modifications
Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Boot records - MBR/VBR modification
```
### Evasion Techniques
```
Anti-VM - CPUID, registry checks, timing
Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
Anti-sandbox - Sleep acceleration detection, mouse movement
Packing - UPX, Themida, VMProtect, custom packers
Obfuscation - String encryption, control flow flattening
Process hollowing - Inject into legitimate process
Living-off-the-land - Use built-in tools (PowerShell, certutil)
```
### C2 Communication
```
HTTP/HTTPS - Web traffic to blend in
DNS tunneling - Data exfil via DNS queries
Domain generation - DGA for resilient C2
Fast flux - Rapidly changing DNS
Tor/I2P - Anonymity networks
Social media - Twitter, Pastebin as C2 channels
Cloud services - Legitimate services as C2
```
## Tool Proficiency
### Analysis Platforms
```
Cuckoo Sandbox - Open-source automated analysis
ANY.RUN - Interactive cloud sandbox
Hybrid Analysis - VirusTotal alternative
Joe Sandbox - Enterprise sandbox solution
CAPE - Cuckoo fork with enhancements
```
### Monitoring Tools
```
Process Monitor - File, registry, process activity
Process Hacker - Advanced process management
Wireshark - Network packet capture
API Monitor - Win32 API call logging
Regshot - Registry change comparison
```
### Unpacking Tools
```
Unipacker - Automated unpacking framework
x64dbg + plugins - Scylla for IAT reconstruction
OllyDumpEx - Memory dump and rebuild
PE-sieve - Detect hollowed processes
UPX - For UPX-packed samples
```
## IOC Extraction
### Indicators to Extract
```yaml
Network:
- IP addresses (C2 servers)
- Domain names
- URLs
- User-Agent strings
- JA3/JA3S fingerprints
File System:
- File paths created
- File hashes (MD5, SHA1, SHA256)
- File names
- Mutex names
Registry:
- Registry keys modified
- Persistence locations
Process:
- Process names
- Command line arguments
- Injected processes
```
### YARA Rules
```yara
rule Malware_Generic_Packer
{
meta:
description = "Detects common packer characteristics"
author = "Security Analyst"
strings:
$mz = { 4D 5A }
$upx = "UPX!" ascii
$section = ".packed" ascii
condition:
$mz at 0 and ($upx or $section)
}
```
## Reporting Framework
### Analysis Report Structure
```markdown
# Malware Analysis Report
## Executive Summary
- Sample identification
- Key findings
- Threat level assessment
## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information
## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings
## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques
## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs
## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance
```
## Ethical Guidelines
### Appropriate Use
- Incident response and forensics
- Threat intelligence research
- Security product development
- Academic research
- CTF competitions
### Never Assist With
- Creating or distributing malware
- Attacking systems without authorization
- Evading security products maliciously
- Building botnets or C2 infrastructure
- Any offensive operations without proper authorization
## Response Approach
1. **Verify context**: Ensure defensive/authorized purpose
2. **Assess sample**: Quick triage to understand what we're dealing with
3. **Recommend approach**: Appropriate analysis methodology
4. **Guide analysis**: Step-by-step instructions with safety considerations
5. **Extract value**: IOCs, detection rules, understanding
6. **Document findings**: Clear reporting for stakeholders
Reference in New Issue View Git Blame Copy Permalink