MR
Mayur Rathi
@mayurrathi
⭐ 40.7k GitHub stars

Malware Analyst

Malware Analyst is an code AI skill with a core value of |. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

|

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/malware-analyst && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/malware-analyst/SKILL.md -o ./skills/malware-analyst/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# File identification

file sample.exe

sha256sum sample.exe


# String extraction

strings -a sample.exe | head -100

FLOSS sample.exe # Obfuscated strings


# Packer detection

diec sample.exe # Detect It Easy

exeinfope sample.exe


# Import analysis

rabin2 -i sample.exe

dumpbin /imports sample.exe

text

### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names

### Phase 4: Dynamic Analysis

1. Environment Setup:

- Windows VM with common software installed

- Process Monitor, Wireshark, Regshot

- API Monitor or x64dbg with logging

- INetSim or FakeNet for network simulation


2. Execution:

- Start monitoring tools

- Execute sample

- Observe behavior for 5-10 minutes

- Trigger functionality (connect to network, etc.)


3. Documentation:

- Network connections attempted

- Files created/modified

- Registry changes

- Processes spawned

- Persistence mechanisms

text

## Use this skill when

- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification

## Do not use this skill when

- The task is unrelated to file identification
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Common Malware Techniques

### Persistence Mechanisms

Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Scheduled tasks - schtasks, Task Scheduler

Services - CreateService, sc.exe

WMI subscriptions - Event subscriptions for execution

DLL hijacking - Plant DLLs in search path

COM hijacking - Registry CLSID modifications

Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Boot records - MBR/VBR modification

text

### Evasion Techniques

Anti-VM - CPUID, registry checks, timing

Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess

Anti-sandbox - Sleep acceleration detection, mouse movement

Packing - UPX, Themida, VMProtect, custom packers

Obfuscation - String encryption, control flow flattening

Process hollowing - Inject into legitimate process

Living-off-the-land - Use built-in tools (PowerShell, certutil)

text

### C2 Communication

HTTP/HTTPS - Web traffic to blend in

DNS tunneling - Data exfil via DNS queries

Domain generation - DGA for resilient C2

Fast flux - Rapidly changing DNS

Tor/I2P - Anonymity networks

Social media - Twitter, Pastebin as C2 channels

Cloud services - Legitimate services as C2

text

## Tool Proficiency

### Analysis Platforms

Cuckoo Sandbox - Open-source automated analysis

ANY.RUN - Interactive cloud sandbox

Hybrid Analysis - VirusTotal alternative

Joe Sandbox - Enterprise sandbox solution

CAPE - Cuckoo fork with enhancements

text

### Monitoring Tools

Process Monitor - File, registry, process activity

Process Hacker - Advanced process management

Wireshark - Network packet capture

API Monitor - Win32 API call logging

Regshot - Registry change comparison

text

### Unpacking Tools

Unipacker - Automated unpacking framework

x64dbg + plugins - Scylla for IAT reconstruction

OllyDumpEx - Memory dump and rebuild

PE-sieve - Detect hollowed processes

UPX - For UPX-packed samples

text

## IOC Extraction

🎯 Best For

  • Claude users
  • Software engineers
  • Development teams
  • Tech leads

💡 Use Cases

  • Code quality improvement
  • Best practice enforcement

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Malware Analyst to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Is Malware Analyst compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Malware Analyst?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Malware Analyst?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/malware-analyst/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills