
S³ Malware Analyst — Skill Tool

v1.0.0

Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis,...

by @solomonneas (Solomon Neas) · MIT-0

License: MIT-0
Last updated: 2026/3/20
Security scan: VirusTotal: harmless; OpenClaw: safe (high confidence)
The skill's instructions, requirements, and behavior are consistent with a defensive malware analysis checklist; the primary risk is that the guidance tells a user to run and analyze malicious samples — which must be done in a properly isolated environment.
Assessment advice
This skill is coherent for defensive malware analysis, but it contains actionable steps to execute and inspect malicious binaries. Only follow these instructions in a properly isolated, instrumented environment (air-gapped or with simulated network like INetSim), with snapshots and containment controls. Verify you have legal/organizational approval to handle malware. Ensure analysis tools (FLOSS, rabin2, IDA/Ghidra, Wireshark, Process Monitor, INetSim, etc.) are installed in the analysis VM and ...
Detailed analysis
Purpose and capabilities
The name/description (malware analyst) match the SKILL.md content: static/dynamic analysis steps, tools, IOCs, YARA rules, and reporting templates. No unrelated binaries, services, or credentials are requested.
Instruction scope
Instructions explicitly direct running/monitoring of malware samples (e.g., executing sample.exe, using Process Monitor, Wireshark, INetSim). That's appropriate for malware analysis but inherently dangerous if followed on a non-isolated host. The skill does not request unrelated files/credentials or external exfiltration, but it assumes availability of a VM and many analysis tools. It references resources/implementation-playbook.md which may be missing.
Installation mechanism
No install spec (instruction-only). This minimizes disk-write/remote-download risk; the skill does not attempt to fetch or install binaries itself.
Credential requirements
No environment variables, credentials, or config paths are requested. The skill's operations (analyzing a local sample in a VM) do not require external secrets.
Persistence and permissions
The skill's always flag is false and model invocation is allowed (the default). The skill does not request permanent presence or modification of other skills or system-wide agent settings.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Version

latest: v1.0.0 (2026/3/20)

Initial release of the malware-analyst skill.
  • Provides comprehensive workflows for static and dynamic malware analysis.
  • Lists industry-standard tools for file identification, unpacking, and behavioral monitoring.
  • Includes checklists for IOC extraction and reporting structure.
  • Details common malware persistence, evasion, and C2 techniques.
  • Specifies use cases, best practices, and ethical guidelines for responsible analysis.


Install command

Official: npx clawhub@latest install s3-malware-analyst
Mirror: npx clawhub@latest install s3-malware-analyst --registry https://cn.clawhub-mirror.com

Skill documentation

```bash
# File identification
file sample.exe
sha256sum sample.exe

# String extraction
strings -a sample.exe | head -100
floss sample.exe            # Obfuscated strings

# Packer detection
diec sample.exe             # Detect It Easy
exeinfope sample.exe

# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe
```


Phase 3: Static Analysis

  • Load in disassembler: IDA Pro, Ghidra, or Binary Ninja
  • Identify main functionality: Entry point, WinMain, DllMain
  • Map execution flow: Key decision points, loops
  • Identify capabilities: Network, file, registry, process operations
  • Extract IOCs: C2 addresses, file paths, mutex names

Phase 4: Dynamic Analysis

  • Environment Setup:
    - Windows VM with common software installed
    - Process Monitor, Wireshark, Regshot
    - API Monitor or x64dbg with logging
    - INetSim or FakeNet for network simulation
  • Execution:
    - Start monitoring tools
    - Execute sample
    - Observe behavior for 5-10 minutes
    - Trigger functionality (connect to network, etc.)
  • Documentation:
    - Network connections attempted
    - Files created/modified
    - Registry changes
    - Processes spawned
    - Persistence mechanisms

Use this skill when

  • Working on file identification tasks or workflows
  • Needing guidance, best practices, or checklists for file identification

Do not use this skill when

  • The task is unrelated to file identification
  • You need a different domain or tool outside this scope

Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.

Common Malware Techniques

Persistence Mechanisms

  • Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled tasks - schtasks, Task Scheduler
  • Services - CreateService, sc.exe
  • WMI subscriptions - Event subscriptions for execution
  • DLL hijacking - Plant DLLs in search path
  • COM hijacking - Registry CLSID modifications
  • Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • Boot records - MBR/VBR modification
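As an added example (not the skill's own code), the persistence list above turned into detection logic over a Process Monitor style CSV export, the kind of log the Phase 4 "Documentation" step collects. The events and paths are constructed for illustration; the rule patterns cover Run keys, the Startup folder, schtasks, sc.exe service creation and CLSID hijacking.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed Process Monitor style export (not a real capture): one event per line.
PROCMON_CSV = r"""Time,Process Name,Operation,Path,Detail
10:01:02,sample.exe,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,Type: REG_SZ Data: C:\Users\lab\AppData\Roaming\svc.exe
10:01:03,sample.exe,CreateFile,C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk,Desired Access: Generic Write
10:01:04,sample.exe,Process Create,C:\Windows\System32\schtasks.exe,Command line: schtasks /create /sc onlogon /tn Updater /tr C:\Users\lab\AppData\Roaming\svc.exe
10:01:05,sample.exe,Process Create,C:\Windows\System32\sc.exe,Command line: sc create svcupd binPath= C:\Users\lab\AppData\Roaming\svc.exe start= auto
10:01:06,sample.exe,RegSetValue,HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default),Type: REG_SZ Data: C:\Users\lab\AppData\Roaming\evil.dll
10:01:07,sample.exe,ReadFile,C:\Windows\System32\kernel32.dll,Length: 4096
"""

# (technique from the persistence list, Process Monitor operation, pattern over "Path Detail")
PERSISTENCE_RULES = [
    ("Registry Run key", "RegSetValue", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("COM hijacking", "RegSetValue", re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.I)),
    ("Startup folder", "CreateFile", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("Scheduled task", "Process Create", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("Service creation", "Process Create", re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
]


def find_persistence(csv_text: str) -> List[Dict[str, str]]:
    """Tag every event whose operation and path/detail match a persistence rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        haystack = f"{row['Path']} {row['Detail']}"
        for technique, operation, pattern in PERSISTENCE_RULES:
            if row["Operation"] == operation and pattern.search(haystack):
                hits.append({"time": row["Time"], "process": row["Process Name"],
                             "technique": technique, "path": row["Path"]})
    return hits


def persistence_summary(csv_text: str) -> List[str]:
    """Distinct techniques in order of first sighting, for the report's persistence section."""
    seen: List[str] = []
    for hit in find_persistence(csv_text):
        if hit["technique"] not in seen:
            seen.append(hit["technique"])
    return seen


if __name__ == "__main__":
    for hit in find_persistence(PROCMON_CSV):
        print(f"{hit['time']} {hit['process']} {hit['technique']}: {hit['path']}")
```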

Evasion Techniques

  • Anti-VM - CPUID, registry checks, timing
  • Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
  • Anti-sandbox - Sleep acceleration detection, mouse movement
  • Packing - UPX, Themida, VMProtect, custom packers
  • Obfuscation - String encryption, control flow flattening
  • Process hollowing - Inject into legitimate process
  • Living-off-the-land - Use built-in tools (PowerShell, certutil)

C2 Communication

  • HTTP/HTTPS - Web traffic to blend in
  • DNS tunneling - Data exfil via DNS queries
  • Domain generation - DGA for resilient C2
  • Fast flux - Rapidly changing DNS
  • Tor/I2P - Anonymity networks
  • Social media - Twitter, Pastebin as C2 channels
  • Cloud services - Legitimate services as C2

Tool Proficiency

Analysis Platforms

  • Cuckoo Sandbox - Open-source automated analysis
  • ANY.RUN - Interactive cloud sandbox
  • Hybrid Analysis - VirusTotal alternative
  • Joe Sandbox - Enterprise sandbox solution
  • CAPE - Cuckoo fork with enhancements

Monitoring Tools

  • Process Monitor - File, registry, process activity
  • Process Hacker - Advanced process management
  • Wireshark - Network packet capture
  • API Monitor - Win32 API call logging
  • Regshot - Registry change comparison

Unpacking Tools

  • Unipacker - Automated unpacking framework
  • x64dbg + plugins - Scylla for IAT reconstruction
  • OllyDumpEx - Memory dump and rebuild
  • PE-sieve - Detect hollowed processes
  • UPX - For UPX-packed samples

IOC Extraction

Indicators to Extract

```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints

File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names

Registry:
  - Registry keys modified
  - Persistence locations

Process:
  - Process names
  - Command line arguments
  - Injected processes
```


YARA Rules

```yara
rule Malware_Generic_Packer {
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}
```
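The triage commands, the indicator list and the YARA rule above carried out in one script, as an added example that is not the skill's own code: it hashes a constructed stand-in for sample.exe, applies the same packer condition the YARA rule expresses, recovers printable strings the way `strings -a` does, and pulls network and mutex IOCs out of them. The sample bytes, addresses and names are constructed for illustration.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for sample.exe: MZ header, UPX marker and a few planted strings.
# It is made up for illustration and is not an executable.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"UPX!" + b"\x00" * 16
    + b"Mozilla/5.0 (Windows NT 10.0) Agent/1.0\x00"
    + b"http://203.0.113.10/gate.php\x00"
    + b"update.example.net\x00"
    + b"Global\\MutexSample01\x00"
    + b"\x00\x01\x02" * 8
)

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")            # printable runs, strings' default length
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I)
MUTEX_RE = re.compile(r"Global\\[A-Za-z0-9_]+")


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 for the report's Sample Information section."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes) -> List[str]:
    """Printable ASCII runs, like `strings -a` (FLOSS would also recover encoded ones)."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def packer_check(data: bytes) -> bool:
    """Same condition as the YARA rule: MZ at offset 0 and a UPX! or .packed marker."""
    return data.startswith(b"MZ") and (b"UPX!" in data or b".packed" in data)


def extract_iocs(data: bytes) -> Dict[str, List[str]]:
    """Network and mutex indicators, following the categories in the indicator list."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    return {
        "ips": sorted(set(IPV4_RE.findall(text))),
        "urls": URL_RE.findall(text),
        "domains": sorted(set(DOMAIN_RE.findall(text))),
        "mutexes": MUTEX_RE.findall(text),
        "user_agents": [s for s in strings if s.startswith("Mozilla/")],  # simple heuristic
    }


if __name__ == "__main__":
    print(file_hashes(SAMPLE_BYTES), packer_check(SAMPLE_BYTES), extract_iocs(SAMPLE_BYTES))
```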


Reporting Framework

Analysis Report Structure

```markdown
# Malware Analysis Report

## Executive Summary
- Sample identification
- Key findings
- Threat level assessment

## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information

## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings

## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques

## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs

## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance
```

Ethical Guidelines

Appropriate Use

  • Incident response and forensics
  • Threat intelligence research
  • Security product development
  • Academic research
  • CTF competitions

Never Assist With

  • Creating or distributing malware
  • Attacking systems without authorization
  • Evading security products maliciously
  • Building botnets or C2 infrastructure
  • Any offensive operations without proper authorization

Response Approach

  • Verify context: Ensure defensive/authorized purpose
  • Assess sample: Quick triage to understand what we're dealing with
  • Recommend approach: Appropriate analysis methodology
  • Guide analysis: Step-by-step instructions with safety considerations
  • Extract value: IOCs, detection rules, understanding
  • Document findings: Clear reporting for stakeholders
Data source: ClawHub · Chinese localization: 龙虾技能库