Malware Analyst

Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identification.

Author: solomonneas | Category: Uncategorized | Source: clawhub | Version: v1.0.1 (1 version) | API key: not required

Stars: 0 | Downloads: 749 | Installs: 2
Overview

```bash
# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
floss sample.exe             # FLOSS: recovers obfuscated, stack and decoded strings

# Packer detection
diec sample.exe              # Detect It Easy (console build)
exeinfope sample.exe         # Exeinfo PE

# Import analysis
rabin2 -i sample.exe         # radare2
dumpbin /imports sample.exe  # Visual Studio build tools, Windows
```
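
The same first pass in script form, as an added example that is not taken from the skill: a standard-library Python triage routine that builds a small constructed PE32 image in memory and runs hashing, string extraction, packer heuristics and an import-table check over it. The thresholds (entropy above 7.0, virtual size more than four times the raw size) and the packer section-name list are this example's assumptions, and the sample bytes are constructed, not a real binary.

```python
"""Added example, not code from the skill: first-pass PE triage with only the standard library.

Builds a constructed PE32 image (one high-entropy section named UPX1, no import table)
and runs the pre-execution checks: hashes, printable strings, section names/entropy as
packer indicators, and import-table presence. Thresholds are assumptions, not standards."""
import hashlib
import math
import random
import re
import struct

PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".packed", b".themida", b".vmp0", b".vmp1"}


def hashes(data):
    return {alg: getattr(hashlib, alg)(data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def ascii_strings(data, min_len=6):
    """Equivalent of `strings -a`: printable ASCII runs of at least min_len bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def entropy(data):
    """Shannon entropy in bits per byte: ~8.0 is compressed/encrypted, plain code sits well below 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 1 is the import table.
    import_rva, import_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112) + 8)
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2)})
    return {"machine": machine, "sections": sections, "import_rva": import_rva, "import_size": import_size}


def packer_indicators(pe, data):
    hits = []
    for s in pe["sections"]:
        label = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"packer section name {label}")
        if s["raw_size"] and s["entropy"] > 7.0:
            hits.append(f"high entropy {s['entropy']} in {label}")
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{label} reserves far more memory than it holds on disk (unpacking target)")
    if pe["import_rva"] == 0 and pe["import_size"] == 0:
        hits.append("no import table (imports resolved at runtime)")
    if b"UPX!" in data:
        hits.append("UPX! marker string")
    return hits


def triage(data):
    pe = parse_pe(data)
    arch = {0x14C: "x86", 0x8664: "x64"}.get(pe["machine"], hex(pe["machine"]))
    return {"hashes": hashes(data), "arch": arch, "sections": pe["sections"],
            "packer_indicators": packer_indicators(pe, data), "strings": ascii_strings(data)}


def build_sample():
    """Constructed input: minimal PE32 with one UPX1 section of pseudo-random bytes and no imports."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # import directory deliberately left zeroed
    section = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x10000, 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0xE0000040)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return header + payload + b"\0UPX!\0C:\\Users\\victim\\evil.exe\0"


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value if key != "strings" else value[:5])
```

Run it on a real file with `triage(open(path, "rb").read())`; the indicators are hints for which unpacking route to take, not a verdict, and a legitimate UPX-packed installer trips the same checks.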


### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names

### Phase 4: Dynamic Analysis
1. **Environment setup**:
   - Isolated Windows VM with common software installed; take a clean snapshot before every run
   - Process Monitor, Wireshark, Regshot
   - API Monitor or x64dbg with logging
   - INetSim or FakeNet for network simulation
2. **Execution**:
   - Start monitoring tools, then execute the sample
   - Observe behavior for 5-10 minutes
   - Trigger functionality (allow simulated network access, interact with the desktop, etc.)
3. **Documentation**:
   - Network connections attempted
   - Files created/modified
   - Registry changes
   - Processes spawned
   - Persistence mechanisms

## Use this skill when

- Working on malware analysis tasks or workflows (triage, file identification, static/dynamic analysis, IOC extraction)
- Needing guidance, best practices, or checklists for malware analysis

## Do not use this skill when

- The task is unrelated to malware analysis
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Common Malware Techniques

### Persistence Mechanisms

- **Registry Run keys** - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the `HKLM` equivalent (also `RunOnce`)
- **Scheduled tasks** - `schtasks`, Task Scheduler
- **Services** - `CreateService`, `sc.exe`
- **WMI subscriptions** - `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding` event subscriptions for execution
- **DLL hijacking** - Plant DLLs in the search path
- **COM hijacking** - Registry CLSID modifications (a per-user `HKCU\Software\Classes\CLSID` entry shadows the machine-wide one)
- **Startup folder** - `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
- **Boot records** - MBR/VBR modification
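
Mapping these mechanisms onto what the Phase 4 monitoring actually records, as an added example that is not the skill's own code: a Python script that reads a Process Monitor CSV export and flags the events corresponding to Run-key, startup-folder, scheduled-task, service, COM-hijack and WMI persistence. The log rows are constructed for the example (sample.exe, svc.exe, the task name and the CLSID are invented); only the column layout is Procmon's.

```python
"""Added example, not the skill's own code: flag persistence in a Process Monitor CSV export."""
import csv
import io
import re

# Constructed Procmon export: the header is Procmon's CSV layout, the rows are invented.
# It mixes the persistence writes with reads and unrelated writes that must not be flagged.
PROCMON_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"10:02:01.0001","sample.exe","4120","CreateFile","C:\\Users\\victim\\AppData\\Local\\Temp\\stage.tmp","SUCCESS","Desired Access: Generic Write"\n'
    '"10:02:01.0002","sample.exe","4120","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","SUCCESS","Type: REG_SZ"\n'
    '"10:02:01.0003","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\victim\\AppData\\Roaming\\svc.exe"\n'
    '"10:02:01.0004","sample.exe","4120","CreateFile","C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk","SUCCESS","Desired Access: Generic Write"\n'
    '"10:02:01.0005","sample.exe","4120","Process Create","C:\\Windows\\System32\\schtasks.exe","SUCCESS","PID: 4188, Command line: schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\victim\\AppData\\Roaming\\svc.exe"\n'
    '"10:02:01.0006","sample.exe","4120","RegSetValue","HKCU\\Software\\Classes\\CLSID\\{DEADBEEF-0000-0000-0000-000000000000}\\InprocServer32\\(Default)","SUCCESS","Type: REG_SZ, Data: C:\\Users\\victim\\AppData\\Roaming\\evil.dll"\n'
    '"10:02:01.0007","sample.exe","4120","RegSetValue","HKLM\\System\\CurrentControlSet\\Services\\UpdSvc\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Data: C:\\Users\\victim\\AppData\\Roaming\\svc.exe"\n'
    '"10:02:01.0008","explorer.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_Layout","SUCCESS","Type: REG_DWORD"\n'
)

# (technique, Procmon operations, regex on Path, optional regex on Detail)
RULES = [
    ("registry_run_key", {"RegSetValue"},
     re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I), None),
    ("startup_folder", {"CreateFile"},
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
     re.compile(r"Generic Write|Generic All|Write Data", re.I)),
    ("scheduled_task", {"Process Create"},
     re.compile(r"\\schtasks\.exe$", re.I), re.compile(r"/create", re.I)),
    ("service_imagepath", {"RegSetValue"},
     re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I), None),
    ("service_sc_create", {"Process Create"},
     re.compile(r"\\sc\.exe$", re.I), re.compile(r"\bcreate\b", re.I)),
    ("com_hijack", {"RegSetValue"},
     re.compile(r"\\Software\\Classes\\CLSID\\\{[^}]+\}\\(InprocServer32|LocalServer32)", re.I), None),
    ("wmi_subscription", {"Process Create"},
     re.compile(r"\\(wmic|powershell)\.exe$", re.I),
     re.compile(r"__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer", re.I)),
]


def parse_events(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_persistence(events):
    """One finding per (event, rule) hit; reads and non-persistence writes fall through."""
    findings = []
    for ev in events:
        for technique, ops, path_re, detail_re in RULES:
            if ev["Operation"] not in ops or not path_re.search(ev["Path"]):
                continue
            if detail_re is not None and not detail_re.search(ev["Detail"]):
                continue
            findings.append({"technique": technique, "time": ev["Time of Day"],
                             "process": ev["Process Name"], "pid": ev["PID"],
                             "result": ev["Result"], "path": ev["Path"], "detail": ev["Detail"]})
    return findings


def summarize(findings):
    """Techniques per process: the shape the Phase 4 'Persistence mechanisms' notes need."""
    by_process = {}
    for f in findings:
        by_process.setdefault(f["process"], set()).add(f["technique"])
    return by_process


if __name__ == "__main__":
    hits = find_persistence(parse_events(PROCMON_CSV))
    for h in hits:
        print(f"{h['time']} {h['process']}({h['pid']}) {h['technique']}: {h['path']}")
    print(summarize(hits))
```

Point `parse_events` at the text of a real `File > Save` CSV export from Procmon. The rules key on the operation as well as the path so that a read of a Run key (common in benign software) does not count as persistence; a failed write still produces a finding with `result` set to the Procmon error, which is worth recording as an attempt.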


### Evasion Techniques

- **Anti-VM** - CPUID (hypervisor bit, vendor string), VM-specific registry keys and drivers, timing checks
- **Anti-debugging** - `IsDebuggerPresent`, `NtQueryInformationProcess` (ProcessDebugPort and related classes)
- **Anti-sandbox** - Sleep acceleration detection, checks for mouse movement and user activity
- **Packing** - UPX, Themida, VMProtect, custom packers
- **Obfuscation** - String encryption, control flow flattening
- **Process hollowing** - Start a legitimate process suspended, replace its image in memory, resume it
- **Living-off-the-land** - Use built-in tools (PowerShell, certutil)


### C2 Communication

- **HTTP/HTTPS** - Web traffic that blends in with normal browsing
- **DNS tunneling** - Data exfiltration and tasking encoded in DNS queries and responses
- **Domain generation** - DGA for resilient C2 (many candidate domains per period; the operator registers a few)
- **Fast flux** - Rapidly changing DNS records in front of the real servers
- **Tor/I2P** - Anonymity networks
- **Social media** - Twitter, Pastebin as dead-drop C2 channels
- **Cloud services** - Legitimate services as C2


## Tool Proficiency

### Analysis Platforms

- **Cuckoo Sandbox** - Open-source automated analysis
- **ANY.RUN** - Interactive cloud sandbox
- **Hybrid Analysis** - Free public front end to CrowdStrike Falcon Sandbox; as with any public sandbox, check the sharing settings before uploading a sensitive sample
- **Joe Sandbox** - Commercial sandbox with deep behavioural reports
- **CAPE** - Cuckoo-derived sandbox focused on Config And Payload Extraction (dumps unpacked/injected payloads and decodes family configurations)

### Monitoring Tools

- **Process Monitor** - File, registry, process and thread activity
- **Process Hacker** (now System Informer) - Advanced process inspection: handles, threads, memory regions
- **Wireshark** - Network packet capture
- **API Monitor** - Win32 API call logging
- **Regshot** - Registry (and file system) snapshot comparison

### Unpacking Tools

- **Unipacker** - Automated unpacking through emulation (Unicorn)
- **x64dbg + plugins** - Break after the unpacking stub, dump, and rebuild the IAT with Scylla
- **OllyDumpEx** - Memory dump and PE rebuild
- **PE-sieve** - Scans a live process for hollowed, injected or patched modules and dumps them
- **UPX** - `upx -d` for unmodified UPX-packed samples; tampered headers need manual unpacking


## IOC Extraction

### Indicators to Extract

Network:

- IP addresses (C2 servers)
- Domain names
- URLs
- User-Agent strings
- JA3/JA3S fingerprints

File System:

- File paths created
- File hashes (MD5, SHA1, SHA256)
- File names

Registry:

- Registry keys modified
- Persistence locations

Process:

- Process names
- Command line arguments
- Injected processes
- Mutex names (a named kernel object, not a file; samples use one to detect a running copy of themselves)

### YARA Rules

```yara
rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}
```

This is a triage heuristic, not a family signature: any UPX-packed file, including legitimate installers, matches it. Test rules against a clean corpus before using them for detection.

## Reporting Framework

### Analysis Report Structure

Malware Analysis Report

- **Executive Summary**
  - Sample identification
  - Key findings
  - Threat level assessment
- **Sample Information**
  - Hashes (MD5, SHA1, SHA256)
  - File type and size
  - Compilation timestamp
  - Packer information
- **Static Analysis**
  - Imports and exports
  - Strings of interest
  - Code analysis findings
- **Dynamic Analysis**
  - Execution behavior
  - Network activity
  - Persistence mechanisms
  - Evasion techniques
- **Indicators of Compromise**
  - Network IOCs
  - File system IOCs
  - Registry IOCs
- **Recommendations**
  - Detection rules
  - Mitigation steps
  - Remediation guidance

## Ethical Guidelines

### Appropriate Use
- Incident response and forensics
- Threat intelligence research
- Security product development
- Academic research
- CTF competitions

### Never Assist With
- Creating or distributing malware
- Attacking systems without authorization
- Evading security products maliciously
- Building botnets or C2 infrastructure
- Any offensive operations without proper authorization

## Response Approach

1. **Verify context**: Ensure defensive/authorized purpose
2. **Assess sample**: Quick triage to understand what we're dealing with
3. **Recommend approach**: Appropriate analysis methodology
4. **Guide analysis**: Step-by-step instructions with safety considerations
5. **Extract value**: IOCs, detection rules, understanding
6. **Document findings**: Clear reporting for stakeholders


Version history

1 version in total

- v1.0.1 (current) - 2026-03-30 12:05 - scanned: safe

Security scans

- Tencent Cloud Security (Keen): safe, no risk
- Tencent Cloud Security (Sanbu): safe, no risk
