malware-analyst

# File identification file sample.exe sha256sum sample.exe # String extraction strings -a sample.exe | head -100 FLOSS sample.exe # Obfuscated strings # Packer detection diec sample.exe # Detect It Easy exeinfope sample.exe # Import analysis rabin2 -i sample.exe dumpbin /imports sample.exe ``` ### Phase 3: Static Analysis 1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja 2. **Identify main functionality**: Entry point, WinMain, DllMain 3. **Map execution flow**: Key decision points, loops 4. **Identify capabilities**: Network, file, registry, process operations 5. **Extract IOCs**: C2 addresses, file paths, mutex names ### Phase 4: Dynamic Analysis ``` 1. Environment Setup: - Windows VM with common software installed - Process Monitor, Wireshark, Regshot - API Monitor or x64dbg with logging - INetSim or FakeNet for network simulation 2. Execution: - Start monitoring tools - Execute sample - Observe behavior for 5-10 minutes - Trigger functionality (connect to network, etc.) 3. Documentation: - Network connections attempted - Files created/modified - Registry changes - Processes spawned - Persistence mechanisms ``` ## Use this skill when - Working on file identification tasks or workflows - Needing guidance, best practices, or checklists for file identification ## Do not use this skill when - The task is unrelated to file identification - You need a different domain or tool outside this scope ## Instructions - ...