[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-b7933e3e-2e70-42d7-96fa-5dd422b2c5a1":3,"$fN_gaa2G_eIIHkmMpO_Xv-cA3R3IqU8YzkOZ4kp_mroI":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"b7933e3e-2e70-42d7-96fa-5dd422b2c5a1","malware-analyst","专业恶意软件分析师，专注于防御性恶意软件研究、威胁情报和事件响应。精通沙箱分析、行为分析和恶意软件家族识别。","cat_life_career","mod_other","sickn33,other","---\nname: malware-analyst\ndescription: Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.\nrisk: unknown\nsource: community\ndate_added: '2026-02-27'\n---\n\n# File identification\nfile sample.exe\nsha256sum sample.exe\n\n# String extraction\nstrings -a sample.exe | head -100\nFLOSS sample.exe  # Obfuscated strings\n\n# Packer detection\ndiec sample.exe   # Detect It Easy\nexeinfope sample.exe\n\n# Import analysis\nrabin2 -i sample.exe\ndumpbin \u002Fimports sample.exe\n```\n\n### Phase 3: Static Analysis\n1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja\n2. **Identify main functionality**: Entry point, WinMain, DllMain\n3. **Map execution flow**: Key decision points, loops\n4. **Identify capabilities**: Network, file, registry, process operations\n5. **Extract IOCs**: C2 addresses, file paths, mutex names\n\n### Phase 4: Dynamic Analysis\n```\n1. Environment Setup:\n   - Windows VM with common software installed\n   - Process Monitor, Wireshark, Regshot\n   - API Monitor or x64dbg with logging\n   - INetSim or FakeNet for network simulation\n\n2. Execution:\n   - Start monitoring tools\n   - Execute sample\n   - Observe behavior for 5-10 minutes\n   - Trigger functionality (connect to network, etc.)\n\n3. Documentation:\n   - Network connections attempted\n   - Files created\u002Fmodified\n   - Registry changes\n   - Processes spawned\n   - Persistence mechanisms\n```\n\n## Use this skill when\n\n- Working on file identification tasks or workflows\n- Needing guidance, best practices, or checklists for file identification\n\n## Do not use this skill when\n\n- The task is unrelated to file identification\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources\u002Fimplementation-playbook.md`.\n\n## Common Malware Techniques\n\n### Persistence Mechanisms\n```\nRegistry Run keys       - HKCU\u002FHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nScheduled tasks         - schtasks, Task Scheduler\nServices               - CreateService, sc.exe\nWMI subscriptions      - Event subscriptions for execution\nDLL hijacking          - Plant DLLs in search path\nCOM hijacking          - Registry CLSID modifications\nStartup folder         - %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\nBoot records           - MBR\u002FVBR modification\n```\n\n### Evasion Techniques\n```\nAnti-VM                - CPUID, registry checks, timing\nAnti-debugging         - IsDebuggerPresent, NtQueryInformationProcess\nAnti-sandbox           - Sleep acceleration detection, mouse movement\nPacking                - UPX, Themida, VMProtect, custom packers\nObfuscation           - String encryption, control flow flattening\nProcess hollowing      - Inject into legitimate process\nLiving-off-the-land    - Use built-in tools (PowerShell, certutil)\n```\n\n### C2 Communication\n```\nHTTP\u002FHTTPS            - Web traffic to blend in\nDNS tunneling         - Data exfil via DNS queries\nDomain generation     - DGA for resilient C2\nFast flux             - Rapidly changing DNS\nTor\u002FI2P               - Anonymity networks\nSocial media          - Twitter, Pastebin as C2 channels\nCloud services        - Legitimate services as C2\n```\n\n## Tool Proficiency\n\n### Analysis Platforms\n```\nCuckoo Sandbox       - Open-source automated analysis\nANY.RUN              - Interactive cloud sandbox\nHybrid Analysis      - VirusTotal alternative\nJoe Sandbox          - Enterprise sandbox solution\nCAPE                 - Cuckoo fork with enhancements\n```\n\n### Monitoring Tools\n```\nProcess Monitor      - File, registry, process activity\nProcess Hacker       - Advanced process management\nWireshark            - Network packet capture\nAPI Monitor          - Win32 API call logging\nRegshot              - Registry change comparison\n```\n\n### Unpacking Tools\n```\nUnipacker            - Automated unpacking framework\nx64dbg + plugins     - Scylla for IAT reconstruction\nOllyDumpEx           - Memory dump and rebuild\nPE-sieve             - Detect hollowed processes\nUPX                  - For UPX-packed samples\n```\n\n## IOC Extraction\n\n### Indicators to Extract\n```yaml\nNetwork:\n  - IP addresses (C2 servers)\n  - Domain names\n  - URLs\n  - User-Agent strings\n  - JA3\u002FJA3S fingerprints\n\nFile System:\n  - File paths created\n  - File hashes (MD5, SHA1, SHA256)\n  - File names\n  - Mutex names\n\nRegistry:\n  - Registry keys modified\n  - Persistence locations\n\nProcess:\n  - Process names\n  - Command line arguments\n  - Injected processes\n```\n\n### YARA Rules\n```yara\nrule Malware_Generic_Packer\n{\n    meta:\n        description = \"Detects common packer characteristics\"\n        author = \"Security Analyst\"\n\n    strings:\n        $mz = { 4D 5A }\n        $upx = \"UPX!\" ascii\n        $section = \".packed\" ascii\n\n    condition:\n        $mz at 0 and ($upx or $section)\n}\n```\n\n## Reporting Framework\n\n### Analysis Report Structure\n```markdown\n# Malware Analysis Report\n\n## Executive Summary\n- Sample identification\n- Key findings\n- Threat level assessment\n\n## Sample Information\n- Hashes (MD5, SHA1, SHA256)\n- File type and size\n- Compilation timestamp\n- Packer information\n\n## Static Analysis\n- Imports and exports\n- Strings of interest\n- Code analysis findings\n\n## Dynamic Analysis\n- Execution behavior\n- Network activity\n- Persistence mechanisms\n- Evasion techniques\n\n## Indicators of Compromise\n- Network IOCs\n- File system IOCs\n- Registry IOCs\n\n## Recommendations\n- Detection rules\n- Mitigation steps\n- Remediation guidance\n```\n\n## Ethical Guidelines\n\n### Appropriate Use\n- Incident response and forensics\n- Threat intelligence research\n- Security product development\n- Academic research\n- CTF competitions\n\n### Never Assist With\n- Creating or distributing malware\n- Attacking systems without authorization\n- Evading security products maliciously\n- Building botnets or C2 infrastructure\n- Any offensive operations without proper authorization\n\n## Response Approach\n\n1. **Verify context**: Ensure defensive\u002Fauthorized purpose\n2. **Assess sample**: Quick triage to understand what we're dealing with\n3. **Recommend approach**: Appropriate analysis methodology\n4. **Guide analysis**: Step-by-step instructions with safety considerations\n5. **Extract value**: IOCs, detection rules, understanding\n6. **Document findings**: Clear reporting for stakeholders\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,92,1819,"2026-05-16 13:27:51",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"9706a261-cc40-408e-b0dc-6f96112f55d0","1.0.0","malware-analyst.zip",3195,"uploads\u002Fskills\u002Fb7933e3e-2e70-42d7-96fa-5dd422b2c5a1\u002Fmalware-analyst.zip","8a71053567bd84b8c6deda9e56263236847822345160ba7002fb95fc7ee07c02","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":6819}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]