← Back to Skills Marketplace
solomonneas

Malware Analyst

by Solomon Neas · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ✓ Security Clean
346
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install malware-analyst
Description
Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identific...
README (SKILL.md)

File identification

file sample.exe sha256sum sample.exe

String extraction

strings -a sample.exe | head -100 FLOSS sample.exe # Obfuscated strings

Packer detection

diec sample.exe # Detect It Easy exeinfope sample.exe

Import analysis

rabin2 -i sample.exe dumpbin /imports sample.exe


### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names

### Phase 4: Dynamic Analysis

  1. Environment Setup:

    • Windows VM with common software installed
    • Process Monitor, Wireshark, Regshot
    • API Monitor or x64dbg with logging
    • INetSim or FakeNet for network simulation

  2. Execution:

    • Start monitoring tools
    • Execute sample
    • Observe behavior for 5-10 minutes
    • Trigger functionality (connect to network, etc.)

  3. Documentation:

    • Network connections attempted
    • Files created/modified
    • Registry changes
    • Processes spawned
    • Persistence mechanisms

## Use this skill when

- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification

## Do not use this skill when

- The task is unrelated to file identification
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Common Malware Techniques

### Persistence Mechanisms

Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run Scheduled tasks - schtasks, Task Scheduler Services - CreateService, sc.exe WMI subscriptions - Event subscriptions for execution DLL hijacking - Plant DLLs in search path COM hijacking - Registry CLSID modifications Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup Boot records - MBR/VBR modification


### Evasion Techniques

Anti-VM - CPUID, registry checks, timing Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess Anti-sandbox - Sleep acceleration detection, mouse movement Packing - UPX, Themida, VMProtect, custom packers Obfuscation - String encryption, control flow flattening Process hollowing - Inject into legitimate process Living-off-the-land - Use built-in tools (PowerShell, certutil)


### C2 Communication

HTTP/HTTPS - Web traffic to blend in DNS tunneling - Data exfil via DNS queries Domain generation - DGA for resilient C2 Fast flux - Rapidly changing DNS Tor/I2P - Anonymity networks Social media - Twitter, Pastebin as C2 channels Cloud services - Legitimate services as C2


## Tool Proficiency

### Analysis Platforms

Cuckoo Sandbox - Open-source automated analysis ANY.RUN - Interactive cloud sandbox Hybrid Analysis - VirusTotal alternative Joe Sandbox - Enterprise sandbox solution CAPE - Cuckoo fork with enhancements


### Monitoring Tools

Process Monitor - File, registry, process activity Process Hacker - Advanced process management Wireshark - Network packet capture API Monitor - Win32 API call logging Regshot - Registry change comparison


### Unpacking Tools

Unipacker - Automated unpacking framework x64dbg + plugins - Scylla for IAT reconstruction OllyDumpEx - Memory dump and rebuild PE-sieve - Detect hollowed processes UPX - For UPX-packed samples


## IOC Extraction

### Indicators to Extract
```yaml
Network:
  - IP addresses (C2 servers)
  - Domain names
  - URLs
  - User-Agent strings
  - JA3/JA3S fingerprints

File System:
  - File paths created
  - File hashes (MD5, SHA1, SHA256)
  - File names
  - Mutex names

Registry:
  - Registry keys modified
  - Persistence locations

Process:
  - Process names
  - Command line arguments
  - Injected processes

YARA Rules

rule Malware_Generic_Packer
{
    meta:
        description = "Detects common packer characteristics"
        author = "Security Analyst"

    strings:
        $mz = { 4D 5A }
        $upx = "UPX!" ascii
        $section = ".packed" ascii

    condition:
        $mz at 0 and ($upx or $section)
}

Reporting Framework

Analysis Report Structure

# Malware Analysis Report

## Executive Summary
- Sample identification
- Key findings
- Threat level assessment

## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information

## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings

## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques

## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs

## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance

Ethical Guidelines

Appropriate Use

  • Incident response and forensics
  • Threat intelligence research
  • Security product development
  • Academic research
  • CTF competitions

Never Assist With

  • Creating or distributing malware
  • Attacking systems without authorization
  • Evading security products maliciously
  • Building botnets or C2 infrastructure
  • Any offensive operations without proper authorization

Response Approach

  1. Verify context: Ensure defensive/authorized purpose
  2. Assess sample: Quick triage to understand what we're dealing with
  3. Recommend approach: Appropriate analysis methodology
  4. Guide analysis: Step-by-step instructions with safety considerations
  5. Extract value: IOCs, detection rules, understanding
  6. Document findings: Clear reporting for stakeholders
Usage Guidance
This skill is coherent for defensive malware analysis but follows procedures that are intrinsically hazardous: only run malware samples in fully isolated, air-gapped or well-simulated environments (snapshotted VMs), and ensure you have explicit authorization to analyze samples. Confirm you have the required tools and licenses (e.g., IDA Pro) and set up network simulation (INetSim/FakeNet) to avoid accidental exfiltration. Be aware the skill references external resource files that are not present in the package; review and vet any external playbooks before following them. If you plan to let an agent invoke this skill autonomously, restrict network access and monitor operations to prevent unintended execution outside a safe sandbox.
Capability Analysis
Type: OpenClaw Skill Name: malware-analyst Version: 1.0.1 The 'malware-analyst' skill bundle is a comprehensive procedural guide and checklist for performing defensive malware analysis. It contains standard security tool commands (e.g., strings, sha256sum, rabin2), analysis workflows, and ethical guidelines that explicitly prohibit offensive use, with no evidence of malicious intent or data exfiltration logic in SKILL.md or _meta.json.
Capability Assessment
Purpose & Capability
The name and description (malware analysis, static/dynamic triage, IOC extraction) align with the SKILL.md instructions. All commands, tools, and workflows listed (strings, FLOSS, rabin2, IDA/Ghidra, VM setup, Process Monitor, Wireshark, etc.) are appropriate for defensive analysis and are proportionate to the stated purpose.
Instruction Scope
The instructions explicitly direct the agent/operator to run static and dynamic analyses and to execute samples in a Windows VM. This is expected for malware analysis but is operationally dangerous if done without proper isolation, authorization, and safety controls. The SKILL.md presumes availability of many external tools and does not include enforcement of explicit safety checks beyond a brief VM recommendation. It also references a resources/implementation-playbook.md that is not present in the manifest.
Install Mechanism
No install spec and no code files are present. The skill is instruction-only and does not pull or write code to disk, which limits its install-time risk.
Credentials
The skill requests no environment variables, credentials, or config paths. The lack of requested secrets is appropriate; however, the workflows depend on many external tools (some commercial, e.g., IDA Pro) and a properly configured VM/network simulation environment.
Persistence & Privilege
always is false and the skill does not request persistent presence or elevated platform privileges. Autonomous invocation is allowed by default but is not combined with any broad credentials or persistent modifications here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install malware-analyst
  3. After installation, invoke the skill by name or use /malware-analyst
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Natural description rewrite
v1.0.0
Initial public release of the malware-analyst skill. - Provides workflows and best practices for malware triage, static/dynamic analysis, and extracting IOCs. - Includes tools and commands for file identification, string extraction, packer detection, import analysis, and unpacking. - Outlines common malware persistence, evasion, and C2 techniques. - Recommends analysis and monitoring tools, and details reporting structures for malware investigations. - Clearly defines appropriate use cases and strict ethical guidelines for responsible use.
Metadata
Slug malware-analyst
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Malware Analyst?

Expert malware analysis for defensive security research. Static and dynamic analysis, sandbox triage, IOC extraction, unpacking, and malware family identific... It is an AI Agent Skill for Claude Code / OpenClaw, with 346 downloads so far.

How do I install Malware Analyst?

Run "/install malware-analyst" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Malware Analyst free?

Yes, Malware Analyst is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Malware Analyst support?

Malware Analyst is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Malware Analyst?

It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments