Hacktricks-skills malware-analysis

Malware analysis and reverse engineering toolkit. Use this skill whenever the user needs to analyze suspicious files, extract IOCs, deobfuscate malware, analyze Android APKs, trace Node.js loaders, or perform any malware-related investigation. Trigger on mentions of malware, suspicious executables, PE/ELF analysis, Yara rules, ClamAV, Android malware, obfuscation, control-flow analysis, or any security investigation involving potentially malicious software.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis/SKILL.MD

source content

Malware Analysis Skill

A comprehensive toolkit for malware analysis, reverse engineering, and threat investigation.

Quick Start

# Install core tools
sudo apt-get install -y yara clamav

# Download Yara rules
python scripts/yara_rules_fetcher.py

# Scan a file
yara -w rules/malware_rules.yar /path/to/suspicious/file

Core Analysis Workflows

1. Static Analysis Pipeline

Run this sequence for initial triage of suspicious files:

# Step 1: Hash the file
md5sum file.exe
sha256sum file.exe

# Step 2: Check online services
# - VirusTotal: https://www.virustotal.com/gui/home/upload
# - HybridAnalysis: https://www.hybrid-analysis.com
# - Any.Run: https://any.run/

# Step 3: Local scanning
./scripts/malware_scanner.sh /path/to/file

# Step 4: Capability detection (PE/ELF/.NET)
capa file.exe

# Step 5: String extraction and analysis
strings file.exe | grep -iE "(http|url|cmd|powershell|reg|wmi)"

2. Yara Rule Management

# Download and merge community Yara rules
python scripts/yara_rules_fetcher.py

# Scan single file
yara -w rules/malware_rules.yar suspicious.exe

# Scan directory recursively
yara -w -r rules/malware_rules.yar /path/to/directory/

# Generate custom Yara rules from binary
python3 yarGen.py --excludegood -m /path/to/malware/

3. Android Malware Analysis

APK Triage

# Extract APK contents
unzip -l app.apk
unzip -o app.apk -d extracted/

# Check for suspicious patterns
grep -r "su\|Runtime.exec\|getDeviceId\|getSimSerial" extracted/

# Look for hidden boot receivers
grep -A5 "BOOT_COMPLETED" extracted/AndroidManifest.xml

Native Library Analysis (JNI Deobfuscation)

Use the bundled angr script to decode obfuscated JNI strings:

# Run the decoder (requires angr and Ghidra)
python scripts/angr_jni_decoder.py \
  --so /path/to/libnative.so \
  --base-addr 0x00100000 \
  --decoder-addr 0x00100e10 \
  --output decoded_strings.json

# Load results into Ghidra with the annotation script
# (See scripts/ghidra_annotate_jni.py)

Kimwolf Botnet Detection

# Check for abstract UNIX socket mutexes
ls -la /dev/ | grep -E "@niggabox|@niggakernel"

# Look for process title masquerading
ps aux | grep -E "netd_services|tv_helper"

# Check for DNS-over-TLS connections
ss -tunap | grep ":853"

# Analyze the ELF payload
file /data/data/<pkg>/niggakernel
strings niggakernel | grep -iE "(c2|http|dns|google|cloudflare)"

4. Control-Flow Obfuscation Analysis

For malware using JMP/CALL RAX dispatchers (e.g., SLOW#TEMPEST):

# Run the Unicorn-based dispatcher analyzer
python scripts/unicorn_dispatcher.py \
  --input suspicious.exe \
  --dispatcher-addr 0x00401234 \
  --output patched.exe

# The script will:
# 1. Locate all indirect jumps/calls to RAX
# 2. Extract dispatcher bytecode
# 3. Emulate with both flag states (ZF/CF)
# 4. Patch with direct jumps
# 5. Re-analyze in IDA

5. Node.js Loader Analysis

# Extract embedded JavaScript from nexe binaries
npx nexe_unpacker suspicious.exe

# Run with API tracer to bypass anti-analysis
node -r ./tracer.js extracted/main.js

# Configure tracer.js:
# - LOG_HTTP_REQUESTS: true (capture C2 traffic)
# - SAVE_FILE_WRITES: true (preserve dropped files)
# - Override environment probes (RAM, CPU, hostname)

6. AutoIt Loader Analysis

# Look for .a3x files and AutoIt artifacts
find / -name "*.a3x" 2>/dev/null
find / -name "AutoIt3.exe" 2>/dev/null

# Check scheduled tasks for AutoIt execution
schtasks /query /fo LIST /v | findstr /i "AutoIt3"

# Decrypt .a3x payloads (generic skeleton)
python scripts/autoit_decryptor.py \
  --input payload.a3x \
  --secret <hmac-secret> \
  --output decrypted.bin

Detection Techniques

File Stacking

# Find files modified after a specific date
find /var/www -type f -newermt "2024-01-01" -ls

# Compare modification times across web server
ls -lt /var/www/html/ | head -20

Baseline Comparison

# Create baseline hashes
find /important/folder -type f -exec sha256sum {} \; > baseline.txt

# Compare current state
find /important/folder -type f -exec sha256sum {} \; > current.txt
diff baseline.txt current.txt

Statistical Analysis

# Analyze web server access logs for suspicious patterns
awk '{print $7}' access.log | sort | uniq -c | sort -rn | head -20

# Look for unusual file access patterns
grep -E "\.php|\.asp|\.aspx" access.log | awk '{print $7}' | sort | uniq -c | sort -rn

IOC Management

Extract IOCs from Analysis

# Extract URLs
strings file.exe | grep -oE "https?://[^ ]+"

# Extract IPs
strings file.exe | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

# Extract domains
strings file.exe | grep -oE "[a-zA-Z0-9-]+\.[a-zA-Z]{2,}"

# Extract hashes (if present in strings)
strings file.exe | grep -oE "[a-fA-F0-9]{32,64}"

Loki IOC Scanner

# Run Loki with custom IOC file
./Loki -f /path/to/file -i iocs.txt

# Detection methods:
# 1. File Name IOC (regex match)
# 2. Yara Rule Check
# 3. Hash Check (MD5/SHA1/SHA256)
# 4. C2 Back Connect Check

Apple Binary Analysis

# Get code signer information
codesign -vv -d /path/to/binary 2>&1 | grep -E "Authority|TeamIdentifier"

# Verify signature integrity
codesign --verify --verbose /path/to/binary

# Check with spctl
spctl --assess --verbose /path/to/binary

Reference Tools

Tool	Purpose	Command
Yara	Pattern matching	`yara -w rules.yar target`
ClamAV	Antivirus scanning	`clamscan target`
Capa	Capability detection	`capa target.exe`
Loki	IOC scanning	`./Loki -f target -i iocs.txt`
FLOSS	String extraction	`floss target.exe`
PEpper	PE analysis	`./PEpper target.exe`
DiE	Packer detection	`die target.exe`
rkhunter	Rootkit detection	`rkhunter --check`

Online Analysis Services

VirusTotal: https://www.virustotal.com/gui/home/upload
HybridAnalysis: https://www.hybrid-analysis.com
Koodous (Android): https://koodous.com
Intezer: https://analyze.intezer.com
Any.Run: https://any.run/

Safety Guidelines

Always analyze in isolated environments (VMs, sandboxes)
Network isolation - disable or monitor network access
Snapshot before execution - save VM state for rollback
Don't run unknown malware on production systems
Use proper PPE - gloves, masks when handling physical media
Document everything - maintain chain of custody

Output Formats

Analysis Report Template

# Malware Analysis Report

## Sample Information
- Filename: <name>
- Size: <bytes>
- MD5: <hash>
- SHA256: <hash>
- File Type: <type>

## Static Analysis
- Packers: <detected packers>
- Imports: <suspicious imports>
- Strings: <notable strings>
- Capabilities: <capa results>

## Dynamic Analysis
- Behavior: <observed behavior>
- Network: <C2, domains, IPs>
- File System: <created/modified files>
- Registry: <registry changes>

## IOCs
- Hashes: <list>
- Domains: <list>
- IPs: <list>
- File Paths: <list>

## Conclusion
<summary of findings>

Next Steps

After initial analysis:

Correlate with threat intelligence - check IOCs against known campaigns
Deep reverse engineering - use IDA/Ghidra for detailed analysis
Behavioral analysis - run in sandbox with monitoring
Yara rule creation - generate rules for detection
Report generation - document findings for stakeholders