{"id":"45f5ebfc-ffb2-4c1d-a9c5-5aabf61cfb39","shortId":"8UrxMK","kind":"skill","title":"malware-analyst","tagline":"Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.","description":"# File identification\nfile sample.exe\nsha256sum sample.exe\n\n# String extraction\nstrings -a sample.exe | head -100\nFLOSS sample.exe  # Obfuscated strings\n\n# Packer detection\ndiec sample.exe   # Detect It Easy\nexeinfope sample.exe\n\n# Import analysis\nrabin2 -i sample.exe\ndumpbin /imports sample.exe\n```\n\n### Phase 3: Static Analysis\n1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja\n2. **Identify main functionality**: Entry point, WinMain, DllMain\n3. **Map execution flow**: Key decision points, loops\n4. **Identify capabilities**: Network, file, registry, process operations\n5. **Extract IOCs**: C2 addresses, file paths, mutex names\n\n### Phase 4: Dynamic Analysis\n```\n1. Environment Setup:\n   - Windows VM with common software installed\n   - Process Monitor, Wireshark, Regshot\n   - API Monitor or x64dbg with logging\n   - INetSim or FakeNet for network simulation\n\n2. Execution:\n   - Start monitoring tools\n   - Execute sample\n   - Observe behavior for 5-10 minutes\n   - Trigger functionality (connect to network, etc.)\n\n3. Documentation:\n   - Network connections attempted\n   - Files created/modified\n   - Registry changes\n   - Processes spawned\n   - Persistence mechanisms\n```\n\n## Use this skill when\n\n- Working on file identification tasks or workflows\n- Needing guidance, best practices, or checklists for file identification\n\n## Do not use this skill when\n\n- The task is unrelated to file identification\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources/implementation-playbook.md`.\n\n## Common Malware Techniques\n\n### Persistence Mechanisms\n```\nRegistry Run keys       - HKCU/HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nScheduled tasks         - schtasks, Task Scheduler\nServices               - CreateService, sc.exe\nWMI subscriptions      - Event subscriptions for execution\nDLL hijacking          - Plant DLLs in search path\nCOM hijacking          - Registry CLSID modifications\nStartup folder         - %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\nBoot records           - MBR/VBR modification\n```\n\n### Evasion Techniques\n```\nAnti-VM                - CPUID, registry checks, timing\nAnti-debugging         - IsDebuggerPresent, NtQueryInformationProcess\nAnti-sandbox           - Sleep acceleration detection, mouse movement\nPacking                - UPX, Themida, VMProtect, custom packers\nObfuscation           - String encryption, control flow flattening\nProcess hollowing      - Inject into legitimate process\nLiving-off-the-land    - Use built-in tools (PowerShell, certutil)\n```\n\n### C2 Communication\n```\nHTTP/HTTPS            - Web traffic to blend in\nDNS tunneling         - Data exfil via DNS queries\nDomain generation     - DGA for resilient C2\nFast flux             - Rapidly changing DNS\nTor/I2P               - Anonymity networks\nSocial media          - Twitter, Pastebin as C2 channels\nCloud services        - Legitimate services as C2\n```\n\n## Tool Proficiency\n\n### Analysis Platforms\n```\nCuckoo Sandbox       - Open-source automated analysis\nANY.RUN              - Interactive cloud sandbox\nHybrid Analysis      - VirusTotal alternative\nJoe Sandbox          - Enterprise sandbox solution\nCAPE                 - Cuckoo fork with enhancements\n```\n\n### Monitoring Tools\n```\nProcess Monitor      - File, registry, process activity\nProcess Hacker       - Advanced process management\nWireshark            - Network packet capture\nAPI Monitor          - Win32 API call logging\nRegshot              - Registry change comparison\n```\n\n### Unpacking Tools\n```\nUnipacker            - Automated unpacking framework\nx64dbg + plugins     - Scylla for IAT reconstruction\nOllyDumpEx           - Memory dump and rebuild\nPE-sieve             - Detect hollowed processes\nUPX                  - For UPX-packed samples\n```\n\n## IOC Extraction\n\n### Indicators to Extract\n```yaml\nNetwork:\n  - IP addresses (C2 servers)\n  - Domain names\n  - URLs\n  - User-Agent strings\n  - JA3/JA3S fingerprints\n\nFile System:\n  - File paths created\n  - File hashes (MD5, SHA1, SHA256)\n  - File names\n  - Mutex names\n\nRegistry:\n  - Registry keys modified\n  - Persistence locations\n\nProcess:\n  - Process names\n  - Command line arguments\n  - Injected processes\n```\n\n### YARA Rules\n```yara\nrule Malware_Generic_Packer\n{\n    meta:\n        description = \"Detects common packer characteristics\"\n        author = \"Security Analyst\"\n\n    strings:\n        $mz = { 4D 5A }\n        $upx = \"UPX!\" ascii\n        $section = \".packed\" ascii\n\n    condition:\n        $mz at 0 and ($upx or $section)\n}\n```\n\n## Reporting Framework\n\n### Analysis Report Structure\n```markdown\n# Malware Analysis Report\n\n## Executive Summary\n- Sample identification\n- Key findings\n- Threat level assessment\n\n## Sample Information\n- Hashes (MD5, SHA1, SHA256)\n- File type and size\n- Compilation timestamp\n- Packer information\n\n## Static Analysis\n- Imports and exports\n- Strings of interest\n- Code analysis findings\n\n## Dynamic Analysis\n- Execution behavior\n- Network activity\n- Persistence mechanisms\n- Evasion techniques\n\n## Indicators of Compromise\n- Network IOCs\n- File system IOCs\n- Registry IOCs\n\n## Recommendations\n- Detection rules\n- Mitigation steps\n- Remediation guidance\n```\n\n## Ethical Guidelines\n\n### Appropriate Use\n- Incident response and forensics\n- Threat intelligence research\n- Security product development\n- Academic research\n- CTF competitions\n\n### Never Assist With\n- Creating or distributing malware\n- Attacking systems without authorization\n- Evading security products maliciously\n- Building botnets or C2 infrastructure\n- Any offensive operations without proper authorization\n\n## Response Approach\n\n1. **Verify context**: Ensure defensive/authorized purpose\n2. **Assess sample**: Quick triage to understand what we're dealing with\n3. **Recommend approach**: Appropriate analysis methodology\n4. **Guide analysis**: Step-by-step instructions with safety considerations\n5. **Extract value**: IOCs, detection rules, understanding\n6. **Document findings**: Clear reporting for stakeholders\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["malware","analyst","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-malware-analyst","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/malware-analyst","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34726 github stars · SKILL.md body (6,524 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-23T12:51:13.146Z","embedding":null,"createdAt":"2026-04-18T21:40:31.090Z","updatedAt":"2026-04-23T12:51:13.146Z","lastSeenAt":"2026-04-23T12:51:13.146Z","tsv":"'-10':147 '-100':38 '/imports':58 '0':546 '1':64,111,667 '2':74,136,673 '3':61,82,155,685 '4':90,108,691 '4d':535 '5':98,146,702 '5a':536 '6':709 'academ':635 'acceler':308 'action':226 'activ':420,599 'address':102,477 'advanc':423 'agent':485 'altern':402 'analysi':19,21,53,63,110,386,394,400,553,558,584,592,595,689,693 'analyst':3,6,532 'anonym':369 'anti':293,300,305 'anti-debug':299 'anti-sandbox':304 'anti-vm':292 'any.run':395 'api':124,430,433 'appdata':279 'appli':218 'approach':666,687 'appropri':623,688 'argument':514 'ascii':539,542 'ask':749 'assess':568,674 'assist':640 'attack':646 'attempt':159 'author':530,649,664 'autom':393,443 'behavior':20,144,597 'best':181,220 'binari':72 'blend':348 'boot':286 'botnet':655 'boundari':757 'build':654 'built':337 'built-in':336 'c2':101,342,362,376,383,478,657 'call':434 'capabl':92 'cape':408 'captur':429 'certutil':341 'chang':163,366,438 'channel':377 'characterist':529 'check':297 'checklist':184 'clarif':751 'clarifi':212 'clear':712,724 'cloud':378,397 'clsid':275 'code':591 'com':272 'command':512 'common':117,237,527 'communic':343 'comparison':439 'competit':638 'compil':579 'compromis':606 'condit':543 'connect':151,158 'consider':701 'constraint':214 'context':669 'control':321 'cpuid':295 'creat':493,642 'created/modified':161 'createservic':257 'criteria':760 'ctf':637 'cuckoo':388,409 'currentvers':249 'custom':316 'data':352 'deal':683 'debug':301 'decis':87 'defens':9 'defensive/authorized':671 'describ':728 'descript':525 'detail':231 'detect':44,47,309,460,526,615,706 'develop':634 'dga':359 'diec':45 'differ':204 'disassembl':67 'distribut':644 'dll':265 'dllmain':81 'dlls':268 'dns':350,355,367 'document':156,710 'domain':205,357,480 'dump':454 'dumpbin':57 'dynam':109,594 'easi':49 'encrypt':320 'enhanc':412 'ensur':670 'enterpris':405 'entri':78 'environ':112,740 'environment-specif':739 'etc':154 'ethic':621 'evad':650 'evas':290,602 'event':261 'exampl':232 'execut':84,137,141,264,560,596 'exeinfop':50 'exfil':353 'expert':4,745 'export':587 'extract':33,99,470,473,703 'fakenet':132 'famili':24 'fast':363 'file':26,28,94,103,160,174,186,199,417,489,491,494,499,575,609 'find':565,593,711 'fingerprint':488 'flatten':323 'floss':39 'flow':85,322 'flux':364 'folder':278 'forens':628 'fork':410 'framework':445,552 'function':77,150 'generat':358 'generic':522 'ghidra':70 'goal':213 'guid':692 'guidanc':180,620 'guidelin':622 'hacker':422 'hash':495,571 'head':37 'hijack':266,273 'hkcu/hklm':245 'hollow':325,461 'http/https':344 'hybrid':399 'iat':450 'ida':68 'identif':25,27,175,187,200,563 'identifi':75,91 'import':52,585 'incid':15,625 'indic':471,604 'inetsim':130 'inform':570,582 'infrastructur':658 'inject':326,515 'input':217,754 'instal':119 'instruct':211,698 'intellig':13,630 'interact':396 'interest':590 'ioc':100,469,608,611,613,705 'ip':476 'isdebuggerpres':302 'ja3/ja3s':487 'joe':403 'key':86,244,505,564 'land':334 'legitim':328,380 'level':567 'limit':716 'line':513 'live':331 'living-off-the-land':330 'load':65 'locat':508 'log':129,435 'loop':89 'main':76 'malici':653 'malwar':2,5,10,23,238,521,557,645 'malware-analyst':1 'manag':425 'map':83 'markdown':556 'master':17 'match':725 'mbr/vbr':288 'md5':496,572 'mechan':167,241,601 'media':372 'memori':453 'menu':283 'meta':524 'methodolog':690 'microsoft':247,280 'minut':148 'miss':762 'mitig':617 'modif':276,289 'modifi':506 'monitor':121,125,139,413,416,431 'mous':310 'movement':311 'mutex':105,501 'mz':534,544 'name':106,481,500,502,511 'need':179,202 'network':93,134,153,157,370,427,475,598,607 'never':639 'ninja':73 'ntqueryinformationprocess':303 'obfusc':41,318 'observ':143 'offens':660 'ollydumpex':452 'open':235,391 'open-sourc':390 'oper':97,661 'outcom':224 'output':734 'outsid':208 'pack':312,467,541 'packer':43,317,523,528,581 'packet':428 'pastebin':374 'path':104,271,492 'pe':458 'pe-siev':457 'permiss':755 'persist':166,240,507,600 'phase':60,107 'plant':267 'platform':387 'plugin':447 'point':79,88 'powershel':340 'practic':182,221 'pro':69 'process':96,120,164,324,329,415,419,421,424,462,509,510,516 'product':633,652 'profici':385 'program':284 'proper':663 'provid':225 'purpos':672 'queri':356 'quick':676 'rabin2':54 'rapid':365 're':682 'rebuild':456 'recommend':614,686 'reconstruct':451 'record':287 'registri':95,162,242,274,296,418,437,503,504,612 'regshot':123,436 'relev':219 'remedi':619 'report':551,554,559,713 'requir':216,234,753 'research':11,631,636 'resili':361 'resources/implementation-playbook.md':236 'respons':16,626,665 'review':746 'rule':518,520,616,707 'run':243,250 'safeti':700,756 'sampl':142,468,562,569,675 'sample.exe':29,31,36,40,46,51,56,59 'sandbox':18,306,389,398,404,406 'sc.exe':258 'schedul':251,255 'schtask':253 'scope':210,727 'scylla':448 'search':270 'section':540,550 'secur':531,632,651 'server':479 'servic':256,379,381 'setup':113 'sha1':497,573 'sha256':498,574 'sha256sum':30 'siev':459 'simul':135 'size':578 'skill':170,192,719 'skill-malware-analyst' 'sleep':307 'social':371 'softwar':118,246 'solut':407 'sourc':392 'source-sickn33' 'spawn':165 'special':7 'specif':741 'stakehold':715 'start':138,282 'startup':277,285 'static':62,583 'step':227,618,695,697 'step-by-step':694 'stop':747 'string':32,34,42,319,486,533,588 'structur':555 'subscript':260,262 'substitut':737 'success':759 'summari':561 'system':490,610,647 'task':176,195,252,254,723 'techniqu':239,291,603 'test':743 'themida':314 'threat':12,566,629 'time':298 'timestamp':580 'tool':140,207,339,384,414,441 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'tor/i2p':368 'traffic':346 'treat':732 'triag':677 'trigger':149 'tunnel':351 'twitter':373 'type':576 'understand':679,708 'unipack':442 'unpack':440,444 'unrel':197 'upx':313,463,466,537,538,548 'upx-pack':465 'url':482 'use':168,190,335,624,717 'user':484 'user-ag':483 'valid':223,742 'valu':704 'verif':229 'verifi':668 'via':354 'virustot':401 'vm':115,294 'vmprotect':315 'web':345 'win32':432 'window':114,248,281 'winmain':80 'wireshark':122,426 'without':648,662 'wmi':259 'work':172 'workflow':178 'x64dbg':127,446 'yaml':474 'yara':517,519","prices":[{"id":"e41de2c1-06cb-49c6-84d1-b96cc8a37712","listingId":"45f5ebfc-ffb2-4c1d-a9c5-5aabf61cfb39","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:40:31.090Z"}],"sources":[{"listingId":"45f5ebfc-ffb2-4c1d-a9c5-5aabf61cfb39","source":"github","sourceId":"sickn33/antigravity-awesome-skills/malware-analyst","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/malware-analyst","isPrimary":false,"firstSeenAt":"2026-04-18T21:40:31.090Z","lastSeenAt":"2026-04-23T12:51:13.146Z"}],"details":{"listingId":"45f5ebfc-ffb2-4c1d-a9c5-5aabf61cfb39","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"malware-analyst","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34726,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-23T06:41:03Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"fbe37f922aabf58276ac834d5aa25073d3beb129","skill_md_path":"skills/malware-analyst/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/malware-analyst"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"malware-analyst","description":"Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/malware-analyst"},"updatedAt":"2026-04-23T12:51:13.146Z"}}