ClaudeWave skill: 72 repo stars, updated 11d ago

Malware Analysis & Sandboxing

Static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification

Install in Claude Code:

```bash
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/malware-analysis-sandboxing && cp -r /tmp/malware-analysis-sandboxing/skills/05-malware-analysis ~/.claude/skills/malware-analysis-sandboxing
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Malware Analysis & Sandboxing

## Purpose

Enable Claude to assist with malware analysis workflows including static analysis of file properties and code, dynamic behavioral analysis interpretation, YARA rule generation, sandbox configuration, and malware family identification. Claude analyzes provided artifacts directly and orchestrates scripts for automated processing.

> **Safety Warning**: Never execute suspicious files outside of isolated, controlled environments. Use dedicated VMs or sandboxes with network isolation and snapshot capability.

---

## Activation Triggers

This skill activates when the user asks about:
- Analyzing a suspicious file, binary, or script
- Generating YARA rules for malware detection
- Setting up a malware analysis sandbox
- Interpreting Cuckoo/CAPE/AnyRun sandbox reports
- Identifying malware family or behavior
- Creating IOCs from malware samples
- Static analysis of PE/ELF files
- Memory forensics for malware artifacts
- Behavioral analysis (process creation, network, registry, file changes)

---

## Prerequisites

```bash
pip install yara-python pefile python-magic requests ssdeep
```

**Recommended analysis tools:**
- `Cuckoo Sandbox / CAPE` — Automated dynamic analysis
- `VirusTotal API` — Multi-engine scanning and intel
- `YARA` — Pattern matching engine
- `Ghidra / IDA Pro` — Deep binary analysis (→ Skill 04)
- `Volatility 3` — Memory forensics
- `DIE (Detect-It-Easy)` — Packer/compiler detection
- `Pestudio` — Windows PE static analysis

---

## Core Capabilities

### 1. Static Malware Analysis

**When the user provides a suspicious file or hash for analysis:**

Claude performs analysis in this order:

**Step 1 — File Identification:**
```bash
file malware.exe              # File type from magic bytes
md5sum malware.exe            # MD5 hash (legacy, for lookups)
sha256sum malware.exe         # SHA-256 (primary identifier)
python scripts/static_analyzer.py --file malware.exe --hashes
```

**Step 2 — Threat Intelligence Lookup:**
- Query VirusTotal (via the API with a key, or paste the hash into the web UI)
- Check MalwareBazaar, AbuseIPDB, URLhaus
- Search for existing analysis reports
```bash
# VirusTotal hash lookup via API
curl "https://www.virustotal.com/api/v3/files/<sha256>" -H "x-apikey: YOUR_KEY"
```

**Step 3 — PE Analysis (Windows executables):**
```bash
python scripts/static_analyzer.py --file malware.exe --strings --imports --output report.json
```

Look for these indicators in the output:

**Suspicious Import Functions:**
| Category | Suspicious APIs |
|----------|----------------|
| Process Injection | `CreateRemoteThread`, `WriteProcessMemory`, `VirtualAllocEx`, `NtMapViewOfSection`, `RtlCreateUserThread` |
| Persistence | `RegSetValueEx`, `CreateService`, `SHFileOperation`, `ITaskScheduler` |
| Anti-Analysis | `IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, `GetTickCount`, `QueryPerformanceCounter`, `GetSystemInfo` |
| Network C2 | `InternetOpenUrl`, `HttpSendRequest`, `WSAStartup`, `socket`, `URLDownloadToFile`, `WinHttpOpen` |
| Crypto Operations | `CryptEncrypt`, `CryptDecrypt`, `BCryptEncrypt`, `CryptHashData` |
| Credential Access | `SamOpenDatabase`, `LsaOpenPolicy`, `NtlmGetUserInfo` |
| Keylogging | `SetWindowsHookEx`, `GetAsyncKeyState`, `GetKeyboardState` |
| Defense Evasion | `VirtualProtect`, `NtSetInformationProcess`, `Wow64DisableWow64FsRedirection` |

**Step 4 — String Extraction & Analysis:**
```bash
strings -a malware.exe | grep -E "(http|ftp|/[a-z]|[0-9]{1,3}\.[0-9]{1,3}|HKEY|reg|cmd|powershell)"
```

Categorize extracted strings:
- **Network indicators**: URLs, IPs, domains, user agents
- **File system**: paths, filenames, registry keys
- **Crypto**: base64 blobs, hex strings (potential keys/payloads)
- **Anti-analysis**: VM/sandbox detection strings (VMware, VirtualBox, Sandboxie)
- **Mutex names**: unique identifiers preventing double-infection

**Step 5 — Entropy Analysis:**
```bash
python scripts/static_analyzer.py --file malware.exe --entropy
```

| Entropy Range | Interpretation |
|---------------|---------------|
| 0.0 – 1.0 | Near-empty or all-zeros section |
| 1.0 – 5.0 | Normal code/data section |
| 5.0 – 7.0 | Compressed data or code |
| 7.0 – 8.0 | Encrypted or packed data — investigate |
| 7.9 – 8.0 | Highly suspicious — likely encrypted payload |
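
A worked version of Steps 3 and 5, added here as an illustration and not the skill's own `scripts/static_analyzer.py`: it walks the PE section table by hand (no `pefile` dependency), scores each section's Shannon entropy against the table above, and runs on a constructed stub PE embedded inline, which is an assumed stand-in for `malware.exe` rather than a real sample.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    # bits per byte: 0.0 for a single repeated value, 8.0 for a uniform distribution
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def interpret_entropy(h: float) -> str:
    # bands from the entropy table above, narrowest band (7.9-8.0) checked first
    if h >= 7.9:
        return "Highly suspicious - likely encrypted payload"
    if h >= 7.0:
        return "Encrypted or packed data - investigate"
    if h >= 5.0:
        return "Compressed data or code"
    return "Normal code/data section" if h >= 1.0 else "Near-empty or all-zeros section"

def pe_section_entropy(data: bytes) -> list:
    # IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table (40-byte IMAGE_SECTION_HEADERs)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    report = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)   # SizeOfRawData, PointerToRawData
        h = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        report.append((name, round(h, 2), interpret_entropy(h)))
    return report

def build_sample_pe() -> bytes:
    # constructed stand-in for malware.exe: a zeroed .text plus a uniform-byte .rsrc
    # (what a packed or encrypted payload looks like); headers only, not a runnable program
    e_lfanew, opt_size = 0x40, 0
    sections = [(b".text", bytes(512)), (b".rsrc", bytes(range(256)) * 4)]
    ptr = e_lfanew + 24 + opt_size + 40 * len(sections)   # first raw section offset
    hdrs, body = b"", b""
    for name, blob in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", len(blob), 0, len(blob), ptr) + bytes(16)
        body += blob
        ptr += len(blob)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    return dos + coff + hdrs + body
```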

### 2. YARA Rule Generation

**When the user asks to create YARA rules from a sample or indicators:**

Claude generates YARA rules following this methodology:

1. **Select stable, unique indicators** — Avoid generic patterns; choose bytes/strings unique to this family
2. **Prefer structural patterns** — Header magic bytes, specific offsets, section names
3. **Balance specificity vs. coverage** — Avoid rules that are too specific (catch only one sample) or too broad (false positives)
4. **Test against benign files** — Rule should NOT match clean Windows system files

**YARA Rule Templates:**

```yara
import "hash"   // required for hash.sha256() in the Tier 1 rule

// Tier 1: Specific sample (hash-based)
rule MalwareFamily_Variant_Hash {
    meta:
        author = "Analyst Name"
        date = "2025-05-28"
        description = "Detects [MalwareFamily] [Variant] — specific sample"
        sha256 = "aabbcc..."
        tlp = "GREEN"
        reference = "https://example.com/analysis"
    
    condition:
        hash.sha256(0, filesize) == "aabbcc..."
}

// Tier 2: Family-level detection (behavioral strings)
rule MalwareFamily_Generic {
    meta:
        author = "Analyst Name"
        date = "2025-05-28"
        description = "Detects [MalwareFamily] family by strings and structure"
        tlp = "GREEN"
    
    strings:
        // C2 patterns
        $c2_ua   = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" ascii
        $c2_uri  = "/gate.php?id=" ascii
        
        // Crypto constants
        $rc4_key = { 52 43 34 5F 4B 45 59 }  // "RC4_KEY" hex
        
        // Mutex
        $mutex   = "Global\\MSDTC_MUTEX_" ascii wide
        
        // Registry persistence key
        $reg_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\