بنقرة واحدة
malware-analysis
Windows PE malware analysis — kill chain, IOC extraction, MITRE ATT&CK mapping
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Windows PE malware analysis — kill chain, IOC extraction, MITRE ATT&CK mapping
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Patch binary code in Binary Ninja using natural language — read, assemble, write, verify
Patch binary code in IDA Pro using natural language — read, assemble, write, verify
Systematic binary deobfuscation — string decryption, control flow flattening (CFF) removal, opaque predicate elimination, mixed boolean-arithmetic (MBA) simplification, bogus control flow, instruction substitution reversal, dead code removal, and anti-disassembly fixes. Trigger: deobfuscate, unobfuscate, deobfuscation, CFF, flatten, opaque predicate, MBA, obfuscated, OLLVM, Tigress, VMProtect, string decryption, junk code, bogus control flow, instruction substitution, anti-disassembly
Write and execute Binary Ninja Python scripts — full API reference included
Write and execute IDAPython scripts — full API reference included
Expert ELF malware analysis — packing, toolchain ID, kill chain, persistence, C2, rootkits, cryptominers, Go/Rust/Mirai patterns, MITRE ATT&CK mapping
استنادا إلى تصنيف SOC المهني
| name | Malware Analysis |
| description | Windows PE malware analysis — kill chain, IOC extraction, MITRE ATT&CK mapping |
| tags | ["malware","windows","pe","stealer","rat","loader"] |
Task: Malware Analysis. You are analyzing a potentially malicious Windows PE binary. Defang all IOCs (hxxps://, [.]).
Before analysis, check for obfuscation:
/deobfuscation firstCrypto constant hunting: When you find RC4 S-box or AES constants via search_strings, use xrefs_to on the constant's address (not the S-box itself) → finds KSA/key schedule → decompile that → xrefs_to on it → finds the encrypt/decrypt wrapper. Do NOT use hex pattern search for KSA byte-swap — too many false positives.
Use built-in tools for initial survey:
get_binary_info — format, architecture, size, function countlist_imports — group by DLL, identify capabilities:
list_strings + search_strings — look for URLs, API paths, user agents, mutex names, file extensions, registry paths, app paths (Discord, Telegram, Chrome)list_exports — exported functions and ordinalsBatch these calls: get_binary_info + list_imports + list_exports can run in parallel.
decompile_functionfunction_xrefs to map the call graph from entryFor network malware:
For loader/dropper:
For stealers:
For RATs:
Produce a compact triage first (~12 lines), then offer a detailed report:
Binary: mal.exe | PE x86-64 | 1519 funcs | 92 imports
Packing: None (entropy <7.0 all sections)
Crypto: RC4 x 5 constants
IAT: KERNEL32 only — runtime LoadLibrary/GetProcAddress resolution
Targets: Chrome, Brave, Edge
C2: hxxps://example[.]com/api/config
Verdict: Stealer. RC4 string enc, dynamic API resolution.
Include: classification, capabilities, IOCs (defanged), kill chain, MITRE ATT&CK mapping.