Claude Code Plugins

Community-maintained marketplace


Systematic malware triage and initial assessment workflow for professional malware analysis. Use when the user needs to perform initial malware assessment, classify samples, determine analysis priority, identify quick indicators, or decide on next analysis steps. Also use for rapid malware identification and threat classification.


SKILL.md

---
name: malware-triage
description: Systematic malware triage and initial assessment workflow for professional malware analysis. Use when the user needs to perform initial malware assessment, classify samples, determine analysis priority, identify quick indicators, or decide on next analysis steps. Also use for rapid malware identification and threat classification.
---

Malware Triage

Systematic workflow for rapid malware assessment, classification, and prioritization for professional malware analysis and enterprise security operations.

When to Use This Skill

Use this skill when the user needs to:

  • Perform initial assessment of malware samples
  • Quickly classify and prioritize samples
  • Identify key indicators without deep analysis
  • Decide whether to proceed with full analysis
  • Triage multiple samples efficiently
  • Create initial findings summary
  • Predict malware behaviors before dynamic analysis

Overview

Triage is the critical first phase of malware analysis that:

  1. Quickly identifies key characteristics
  2. Classifies malware type and threat level
  3. Determines analysis priority
  4. Predicts behaviors to guide deeper analysis
  5. Extracts immediate IOCs

Goal: Make informed decisions about analysis approach within 5-30 minutes per sample.

Triage Workflow

Phase 1: Basic Information Gathering (5 minutes)

Calculate Hashes:

```bash
python scripts/hash_calculator.py sample.exe
```

Document:

  • MD5, SHA1, SHA256
  • Original filename
  • File size
  • File type (PE32/PE64/Script/Document)
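The skill's scripts/hash_calculator.py is not shown on this page, so the following is an added, stand-alone example (not the skill's own script) of what the Phase 1 record should contain: all three hashes, size, and a file-type call that separates PE32 from PE64 by the optional header magic and recognises the document and script containers named above. The magic-byte table and the label strings are this example's own assumptions, and `SAMPLE_PE32_STUB` is a constructed header, not a real sample.

```python
import hashlib
import struct

# Magic-byte table for the file types the triage workflow distinguishes.
# Illustrative subset chosen for this example, not a list from the skill's references.
_MAGIC = [
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office, MSI)"),
    (b"PK\x03\x04", "ZIP container (OOXML Office, JAR, APK)"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "Script (shebang)"),
]


def _pe_flavor(data: bytes) -> str:
    """Distinguish PE32 from PE64 by the optional header magic (0x10B / 0x20B)."""
    if len(data) < 0x40:
        return "MZ (truncated)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ executable (no valid PE header: DOS stub only or corrupt)"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {0x10B: "PE32", 0x20B: "PE64 (PE32+)"}.get(
        magic, "PE (unknown optional header magic 0x%x)" % magic)


def _looks_textual(data: bytes) -> bool:
    """Printable ASCII plus tab/CR/LF only: a script or text file, not a binary."""
    sample = data[:4096]
    return bool(sample) and all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in sample)


def identify_type(data: bytes) -> str:
    if data.startswith(b"MZ"):
        return _pe_flavor(data)
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    if _looks_textual(data):
        return "Text/script (inspect extension and content)"
    return "Unknown (inspect in a hex editor)"


def triage_bytes(data: bytes, filename: str = "<memory>") -> dict:
    """Phase 1 record for an in-memory sample: the three hashes, size and type."""
    return {
        "filename": filename,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": identify_type(data),
    }


def triage_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same record for a file on disk, hashing in chunks so a large sample is
    never read into memory at once. Type detection uses the first 4 KiB."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    head, size = b"", 0
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk_size), b""):
            if not head:
                head = buf[:4096]
            size += len(buf)
            for h in (md5, sha1, sha256):
                h.update(buf)
    return {"filename": path, "size": size, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest(),
            "type": identify_type(head)}


# Constructed minimal PE32 header (MZ stub, e_lfanew -> "PE\0\0", 20-byte COFF
# header, optional header magic 0x10B). Not a real sample.
SAMPLE_PE32_STUB = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
                    + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", 0x10B))

if __name__ == "__main__":
    import sys
    for key, value in triage_file(sys.argv[1]).items():
        print("%-8s %s" % (key, value))
```

Run it as `python basic_info.py sample.exe` and paste the output straight into the File Information block of the triage report. The streaming `triage_file` matters for large droppers and installers; `triage_bytes` is the same logic for data already in memory (for example an extracted payload).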

Check Online Reputation:

  • VirusTotal (virustotal.com)
  • MalwareBazaar (bazaar.abuse.ch)
  • Hybrid Analysis
  • Any.Run

Record:

  • Detection rate
  • Known family name (if identified)
  • Previous submission dates
  • Community comments

Phase 2: Quick Static Analysis (10 minutes)

For PE Files:

  1. Check packing/obfuscation

    • Use Detect It Easy (DIE) or PEiD
    • Check entropy (>7.0 = likely packed)
    • Document packer name if identified
  2. Examine PE structure

    • Compilation timestamp
    • Section names and characteristics
    • Digital signature status
    • Entry point location
    • Overlay data presence
  3. Review import table

    • See references/indicators.md for suspicious APIs
    • Note process injection functions
    • Note network functions
    • Note anti-analysis functions
  4. Extract strings

    • URLs and IP addresses
    • File paths
    • Registry keys
    • Mutex names
    • Error messages
    • Email addresses
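To make steps 1 and 2 of the PE checks reproducible without DIE or PEiD, here is an added example (not part of the skill) that parses the PE headers with the standard library only: compilation timestamp, PE32/PE32+, section names with per-section Shannon entropy, entry point location, W+X sections, and overlay detection. The 7.0 entropy threshold is the workflow's own rule of thumb; the `PACKER_SECTION_NAMES` set is an illustrative subset assumed for this example, and `build_sample_pe()` constructs a synthetic two-section PE (one all-zero section, one uniformly distributed "UPX1" section, 100 bytes of overlay) so the output can be checked offline.

```python
import math
import struct
import time
from datetime import datetime, timezone

ENTROPY_PACKED_THRESHOLD = 7.0  # the workflow's rule of thumb: > 7.0 = likely packed

# Section names commonly left behind by packers. Illustrative subset assumed for
# this example; the skill's references/indicators.md is the authoritative list.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".vmp0", ".vmp1", ".themida", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def quick_pe_look(data: bytes) -> dict:
    """Parse the PE headers needed for triage; raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]

    sections, data_end, entry_section = [], 0, None
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, schar = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name, "vaddr": hex(vaddr), "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 3),
                         "executable": bool(schar & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
                         "writable": bool(schar & 0x80000000)})   # IMAGE_SCN_MEM_WRITE
        data_end = max(data_end, rptr + rsize)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            entry_section = name

    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] and s["entropy"] > ENTROPY_PACKED_THRESHOLD]
    packer_hints = [s["name"] for s in sections if s["name"] in PACKER_SECTION_NAMES]
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "machine": hex(machine),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
        "timestamp_epoch": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None,
        # Timestamps are trivially forged; a zero or future value is itself a finding.
        "timestamp_suspicious": ts == 0 or ts > int(time.time()),
        "entry_point_rva": hex(entry_rva),
        "entry_section": entry_section,
        "sections": sections,
        "high_entropy_sections": high_entropy,
        "packer_hints": packer_hints,
        "overlay_size": max(0, len(data) - data_end),  # bytes past the last section
        "likely_packed": bool(high_entropy or packer_hints),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32: a zero-filled .text, a uniform-byte UPX1 section that
    holds the entry point, and a 100-byte overlay. Synthetic, not a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x2000) + b"\0" * (0xE0 - 20)

    def sec(name, vaddr, rsize, rptr, ch):
        return struct.pack("<8sIIIIIIHHI", name, rsize, vaddr, rsize, rptr, 0, 0, 0, 0, ch)

    table = sec(b".text", 0x1000, 512, 512, 0x60000020) + sec(b"UPX1", 0x2000, 4096, 1024, 0xE0000040)
    headers = dos + b"PE\0\0" + coff + opt + table
    headers += b"\0" * (512 - len(headers))
    return headers + b"\0" * 512 + bytes(range(256)) * 16 + b"OVERLAY!" * 12 + b"1234"


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(quick_pe_look(blob), indent=2))
```

Read the result the way the checklist does: high entropy or a known packer section name answers "packed?", an entry point that lands outside `.text` (here in `UPX1`, which is also writable and executable) is a second packing hint, and a non-zero overlay is where droppers often keep their payload. The parser is deliberately tolerant of odd `SizeOfOptionalHeader` values because malformed headers are common in malware; if it raises, note that as a finding rather than discarding the sample.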

For Scripts (PowerShell, VBS, JavaScript):

  1. Check obfuscation level
  2. Look for Base64/hex encoding
  3. Identify download/execute patterns
  4. Extract URLs and IPs
  5. Check for embedded payloads
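Step 4 of the PE checks and steps 2 and 4 of the script checks are the same task: pull printable strings (ASCII and UTF-16LE, which `strings` alone misses without `-el`) and sort them into the indicator buckets used in the report template, decoding Base64 runs on the way. This is an added example, not the skill's own tooling or its references/indicators.md; the regular expressions are this example's assumptions, and `SAMPLE_BLOB` is a constructed byte string using RFC 2606 / TEST-NET addresses, not data from a real sample.

```python
import base64
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # UTF-16LE strings, common in PE files

# Bucket patterns (assumed for this example) matching the report template's sections.
PATTERNS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "ips": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "paths": re.compile(r"[A-Za-z]:\\[^\x00-\x1f\"<>|*?]+"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+|SOFTWARE|Software)\\[^\s\"]+"),
    "mutexes": re.compile(r"(?:Global|Local)\\\S+"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long Base64-looking runs


def extract_strings(data: bytes) -> list:
    """Printable runs of four or more characters, ASCII first, then wide."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return out


def extract_indicators(data: bytes) -> dict:
    """Classify strings into report buckets; order of first appearance, deduplicated."""
    found = {key: [] for key in PATTERNS}
    found["base64_decoded"] = []
    for s in extract_strings(data):
        for key, rx in PATTERNS.items():
            for match in rx.findall(s):
                if match not in found[key]:
                    found[key].append(match)
        for run in B64_RUN.findall(s):
            if len(run) % 4:
                continue
            try:
                decoded = base64.b64decode(run, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if decoded not in found["base64_decoded"]:
                found["base64_decoded"].append(decoded)
    return found


# Constructed test blob: ASCII fragments, one Base64 run and one UTF-16LE URL,
# separated by double NULs the way strings sit in a real section.
SAMPLE_BLOB = b"\x00\x00".join([
    b"MZ garbage \x90\x90",
    b"http://example.com/update.php",
    b"192.0.2.10",
    b"C:\\Users\\Public\\svc.exe",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"Global\\SvcInstanceMutex",
    b"ops@example.com",
    base64.b64encode(b"decoded config value"),
    "https://example.net/c2".encode("utf-16-le"),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for bucket, items in extract_indicators(blob).items():
        print(bucket, items)
```

Decoded Base64 is fed back through nothing here by design: treat each decoded blob as a new input (it may itself be a script, a PE, or another layer of encoding) and run the same extraction on it. Every URL and IP in the result goes into the Initial IOCs section as a candidate only; confirm it in dynamic analysis before distributing it, since decoy strings are a known anti-analysis trick.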

For Office Documents:

  1. Check for macros
  2. Examine OLE streams
  3. Look for external references
  4. Check metadata
  5. Identify exploit indicators

Phase 3: Classification (5 minutes)

Determine Malware Type: Consult references/indicators.md for patterns.

Common types:

  • Trojan/RAT - Remote access, C2 communication
  • Ransomware - File encryption, ransom demands
  • Infostealer - Credential theft, browser data
  • Dropper/Loader - Delivers additional payloads
  • Cryptominer - Cryptocurrency mining
  • Backdoor - Persistent remote access
  • Worm - Self-propagating

Assess Threat Level:

  • Critical - Destructive, ransomware, APT
  • High - Data theft, full system compromise
  • Medium - Limited capabilities, targeted
  • Low - Minimal impact, commodity malware

Evaluate Sophistication:

  • Simple - Basic functionality, no obfuscation
  • Moderate - Some protection, standard techniques
  • Advanced - Heavy obfuscation, anti-analysis
  • APT-level - Custom, targeted, advanced evasion

Phase 4: Behavior Prediction (5 minutes)

Based on static indicators, predict:

Process Activity:

  • Will it create child processes?
  • Process injection expected?
  • Which processes targeted?

File System:

  • Files likely to be created (paths)
  • Files likely to be modified
  • Files likely to be deleted

Registry:

  • Persistence keys likely to be used
  • Configuration storage locations
  • System modifications expected

Network:

  • C2 communication expected?
  • Protocol (HTTP/HTTPS/Raw TCP/IRC/DNS)
  • Beacon interval pattern
  • Data exfiltration likely?

Persistence:

  • Mechanism (Run key/Service/Task/Startup)
  • Location and method

Phase 5: Priority and Decision (5 minutes)

Determine Priority:

Immediate (analyze now):

  • Unknown samples with unclear threat
  • Related to an active incident
  • Destructive capabilities
  • APT/targeted indicators
  • Recent threat intel matches

Standard (normal queue):

  • Known variant
  • Commodity malware
  • Clear signatures available
  • Historical/research samples

Low (defer if needed):

  • Clearly identified common malware
  • Adware/PUP with minimal impact
  • Old/outdated samples
  • Likely false positives

Analysis Decision:

Proceed with full analysis if:

  • Unknown/new sample
  • Need behavioral confirmation
  • Signature creation required
  • Investigating specific functionality

Quick report if:

  • Known malware with existing docs
  • Time-constrained triage
  • Clear identification from reputation check
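Phases 3 and 5 are judgement calls, but writing the rules down makes triage of a batch consistent between analysts. The following added example (not the skill's own logic) encodes the type, threat-level, sophistication, priority and decision criteria above as one function over a findings record. The `API_CATEGORIES` mapping is an illustrative subset of well-known Win32 imports assumed for this example (the real lists live in references/indicators.md), the 20-detection cut-off for "clear identification" is an assumed number, and `SCENARIO_1` / `SCENARIO_3` are constructed records that mirror the two executable scenarios in the Common Triage Scenarios section.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Import-to-category mapping. Illustrative subset assumed for this example;
# the skill's references/indicators.md holds the real lists.
API_CATEGORIES: Dict[str, set] = {
    "process_injection": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                          "NtMapViewOfSection", "QueueUserAPC"},
    "network": {"InternetOpenUrlA", "InternetOpenUrlW", "WinHttpOpenRequest",
                "WSAStartup", "connect", "send"},
    "anti_analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess"},
    "crypto": {"CryptEncrypt", "CryptGenKey", "CryptAcquireContextA", "BCryptEncrypt"},
    "persistence": {"RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW"},
    "credential_access": {"CredEnumerateA", "CredEnumerateW", "CryptUnprotectData"},
}

QUICK_REPORT_DETECTIONS = 20  # assumed cut-off for "clear identification from reputation check"


@dataclass
class TriageFindings:
    """What Phases 1 and 2 produced for one sample."""
    found_online: bool = True          # any hit on VirusTotal / MalwareBazaar
    detections: int = 0                # engine detections, 0 if not found
    known_family: Optional[str] = None
    packed: bool = False
    imports: List[str] = field(default_factory=list)
    urls_in_strings: bool = False
    ransom_note_strings: bool = False  # ransom-demand text seen in strings
    destructive: bool = False          # wiper-style / mass-deletion indicators
    targeted: bool = False             # APT or targeted indicators
    incident_related: bool = False
    threat_intel_match: bool = False


def categorize_imports(imports: List[str]) -> Dict[str, List[str]]:
    hits = {cat: sorted(set(imports) & apis) for cat, apis in API_CATEGORIES.items()}
    return {cat: apis for cat, apis in hits.items() if apis}


def classify(f: TriageFindings) -> dict:
    """Phase 3: type, threat level and sophistication from static indicators."""
    cats = categorize_imports(f.imports)
    if "crypto" in cats and f.ransom_note_strings:
        mtype = "Ransomware"
    elif "credential_access" in cats:
        mtype = "Infostealer"
    elif "process_injection" in cats and "network" in cats:
        mtype = "Trojan/RAT"
    elif "network" in cats and f.urls_in_strings:
        mtype = "Dropper/Loader"
    else:
        mtype = "Unclassified"

    if mtype == "Ransomware" or f.destructive or f.targeted:
        level = "Critical"
    elif mtype in ("Trojan/RAT", "Infostealer"):
        level = "High"
    elif cats:
        level = "Medium"
    else:
        level = "Low"

    evasion = int(f.packed) + int("anti_analysis" in cats)
    if evasion == 2 and f.targeted:
        soph = "APT-level"
    elif evasion == 2:
        soph = "Advanced"
    elif evasion == 1:
        soph = "Moderate"
    else:
        soph = "Simple"
    return {"type": mtype, "threat_level": level, "sophistication": soph,
            "import_categories": cats}


def prioritize(f: TriageFindings, threat_level: str) -> str:
    """Phase 5 queue placement."""
    if (not f.found_online or f.incident_related or f.destructive
            or f.targeted or f.threat_intel_match):
        return "Immediate"
    if f.known_family and threat_level == "Low":
        return "Low"  # clearly identified, minimal-impact (adware/PUP) sample
    return "Standard"


def decide(f: TriageFindings, priority: str) -> str:
    """Phase 5 analysis decision."""
    if priority != "Immediate" and f.known_family and f.detections >= QUICK_REPORT_DETECTIONS:
        return "Quick report"
    return "Full analysis"


def triage_sample(f: TriageFindings) -> dict:
    result = classify(f)
    result["priority"] = prioritize(f, result["threat_level"])
    result["decision"] = decide(f, result["priority"])
    return result


# Constructed findings mirroring Scenarios 1 and 3 from the skill text.
SCENARIO_1 = TriageFindings(found_online=False, packed=True,
                            imports=["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                                     "WSAStartup", "connect", "IsDebuggerPresent"])
SCENARIO_3 = TriageFindings(found_online=True, detections=52, known_family="Emotet",
                            imports=["InternetOpenUrlA", "RegSetValueExA"], urls_in_strings=True)

if __name__ == "__main__":
    for label, findings in (("Scenario 1", SCENARIO_1), ("Scenario 3", SCENARIO_3)):
        print(label, triage_sample(findings))
```

The rules are intentionally conservative: anything not seen online goes to Immediate regardless of how benign its imports look, because "not found" is the one outcome a reputation check cannot explain. Record the reasoning (the `import_categories` field) in the Classification section of the report so a reviewer can see why a sample landed where it did, and revise the thresholds as your own queue data accumulates.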

Triage Report Template

Use this format to document findings:

## Malware Triage Report

**Sample:** [filename]
**Date:** [date]
**Analyst:** [name]

### File Information
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **Size:** [bytes]
- **Type:** [PE32/PE64/Script/etc]
- **Packed:** [Yes/No - Packer name]

### Online Reputation
- **VirusTotal:** [XX/YY detections - Link]
- **Known Family:** [Family name or Unknown]
- **First Seen:** [Date or Unknown]

### Static Indicators

**PE Analysis:**
- Compilation Date: [date]
- Digital Signature: [Valid/Invalid/None]
- Sections: [names and entropy]
- Entry Point: [location]

**Suspicious Imports:**
- [DLL]: [Function, Function, ...]
- [Key: Process injection, Network, Anti-analysis]

**Notable Strings:**
- URLs: [list]
- IPs: [list]
- Paths: [list]
- Registry: [list]
- Mutex: [name if found]

### Classification

**Type:** [Trojan/Ransomware/Infostealer/etc]
**Threat Level:** [Critical/High/Medium/Low]
**Sophistication:** [Simple/Moderate/Advanced/APT]

**Primary Capabilities:**
- [Capability 1]
- [Capability 2]
- [Capability 3]

### Predicted Behaviors

**Process Activity:**
- [Expected behavior]

**File System:**
- [Expected modifications]

**Registry:**
- [Expected changes]

**Network:**
- [Expected communication]

**Persistence:**
- [Expected mechanism]

### Initial IOCs

**File Indicators:**
- Hashes listed above
- [Additional file indicators]

**Network Indicators:**
- [IPs from strings]
- [Domains from strings]

**Host Indicators:**
- [Registry keys]
- [File paths]
- [Mutex names]

### Recommendation

**Priority:** [Immediate/Standard/Low]

**Next Steps:**
1. [Action 1 - e.g., Proceed with full dynamic analysis]
2. [Action 2 - e.g., Create YARA rule]
3. [Action 3 - e.g., Search network for IOCs]

**Analysis Approach:**
[Full analysis / Behavioral confirmation / Quick signature creation]

**Estimated Time:** [time estimate for full analysis]

Time Management

Professional Analysis Context

When analyzing multiple samples, efficient triage is critical:

Quick Triage (5 min/sample):

  • Hashes + VirusTotal
  • Basic file info
  • Quick priority decision

Standard Triage (15 min/sample):

  • Above + imports analysis
  • String extraction
  • Classification
  • Behavior prediction

Comprehensive Triage (30 min/sample):

  • Above + detailed documentation
  • Initial IOC list
  • Full prediction writeup
  • YARA concept notes

Strategy:

  • Quick triage ALL samples first
  • Prioritize based on findings
  • Comprehensive triage high-priority samples
  • Defer or quick-report low-priority samples

Key References

Suspicious Indicators

See references/indicators.md for comprehensive lists of:

  • Suspicious API imports by category
  • Common string patterns
  • Behavioral indicators
  • Packer signatures
  • Red flags by file type
  • Quick classification patterns

Detailed Checklist

See references/triage_checklist.md for:

  • Complete step-by-step checklist
  • Decision tree guidance
  • Dynamic analysis go/no-go criteria
  • Common pitfalls to avoid
  • Tools quick reference

Tools and Scripts

Hash Calculator

```bash
python scripts/hash_calculator.py <sample_path>
```

Quickly calculates all three hashes (MD5, SHA1, SHA256) for documentation.

Recommended External Tools

Static Analysis:

  • Detect It Easy (DIE) - Packer detection
  • PEStudio - PE analysis
  • strings / FLOSS - String extraction
  • HxD - Hex editor
  • CFF Explorer - PE structure

Online Services:

  • VirusTotal - Multi-engine scanning
  • MalwareBazaar - Sample database
  • Hybrid Analysis - Automated analysis
  • Any.Run - Interactive sandbox

Best Practices

Do:

  • Always calculate all three hashes immediately
  • Check multiple reputation sources
  • Document findings as you discover them
  • Use checklists to ensure completeness
  • Consider false positive possibilities
  • Predict behaviors before dynamic analysis
  • Prioritize samples logically

Don't:

  • Skip basic file information
  • Rely solely on VirusTotal results
  • Assume packing means malicious
  • Execute without proper isolation
  • Trust timestamps (easily forged)
  • Ignore negative findings
  • Rush classification decisions

Efficiency Tips:

  1. Have tools ready and scripts prepared
  2. Use templates for documentation
  3. Automate hash calculation
  4. Keep a reference of common indicators
  5. Build up a personal knowledge base
  6. Take notes during, not after
  7. Use multiple monitors if possible

Common Triage Scenarios

Scenario 1: Unknown Executable

  1. Calculate hashes → not found online
  2. Check packing → heavily packed
  3. Review imports → suspicious injection/network APIs
  4. Classification → likely trojan/RAT
  5. Decision → Full analysis required

Scenario 2: Suspicious Document

  1. Calculate hashes → 0 detections
  2. Check macros → obfuscated VBA
  3. Extract strings → download URLs found
  4. Classification → dropper via macro
  5. Decision → Dynamic analysis of macro behavior

Scenario 3: Known Malware Variant

  1. Calculate hashes → 50+ detections, identified as Emotet
  2. Review VirusTotal → well-documented
  3. Quick checks → confirms expected indicators
  4. Classification → confirmed Emotet variant
  5. Decision → Quick report, no deep analysis needed

Integration with Full Analysis

Triage findings guide the full analysis:

Use predictions to:

  • Know what to monitor during dynamic analysis
  • Set up appropriate monitoring tools
  • Focus on predicted areas first
  • Validate or refute hypotheses

Triage report becomes:

  • Introduction section of full report
  • Hypothesis to test during analysis
  • Quick reference during investigation
  • Foundation for IOC development

Quality Checklist

Before concluding triage:

  • All three hashes calculated and verified
  • Online reputation checked (at least VirusTotal)
  • File type and basic info documented
  • Packing status determined
  • Key imports identified
  • Notable strings extracted
  • Classification assigned with reasoning
  • Threat level assessed
  • Behaviors predicted
  • Priority determined
  • Next steps documented
  • Initial IOCs listed
  • Findings clearly documented

Example Usage

User request: "I have a suspicious .exe file, help me triage it"

Workflow:

  1. Guide user to calculate hashes
  2. Check online reputation together
  3. Examine PE structure and imports
  4. Extract and review strings
  5. Classify based on indicators
  6. Predict behaviors
  7. Recommend next steps
  8. Create triage report