ClawHub

Ctf Malware

v1.0.0

Provides malware analysis and network traffic techniques for CTF challenges. Use when analyzing obfuscated scripts, malicious packages, custom crypto protoco...

0· 165·1 current·1 all-time
by@gandli

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gandli/ctf-malware.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Ctf Malware" (gandli/ctf-malware) from ClawHub.
Skill page: https://clawhub.ai/gandli/ctf-malware
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ctf-malware

ClawHub CLI

Package manager switcher

npx clawhub@latest install ctf-malware
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the content: the SKILL.md and supporting docs provide static/dynamic malware-analysis techniques, tool lists, and code snippets. Required capabilities (running strace/tcpdump, reading memory, installing analysis packages) are consistent with that purpose. Minor inconsistency: SKILL.md metadata sets user-invocable: "false" while the registry flags list user-invocable as enabled.
Instruction Scope
Instructions explicitly direct the agent/operator to run and monitor potentially malicious samples (strace/ltrace, tcpdump, running samples, dumping /proc/<pid>/mem, using sudo), to install many analysis packages, and to call external APIs (e.g., Telegram API examples). These are expected for malware analysis but are high-risk operations: they require privileged access and an isolated sandbox. The instructions do not attempt to read unrelated secrets or other skills' configs.
Install Mechanism
This is instruction-only (no install spec or code files executed by installer). The SKILL.md lists packages to pip/apt/brew-install, but no automated download/install steps are embedded in the skill itself. That minimizes installer risk.
Credentials
The skill requests no environment variables, credentials, or config paths. Some examples show use of tokens (Telegram bot token) as part of analysis workflows — these are placeholders for analyst-supplied secrets and not required by the skill itself. Overall, requested environment access is proportionate to malware-analysis tasks.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. It does require a filesystem-capable agent to fully follow its instructions (metadata notes compatibility with agents that can run bash/Python), which is expected for an analysis guide. Note the metadata/user-invocable mismatch mentioned above.
Assessment
This skill is essentially a detailed malware-analysis cheat-sheet and is internally consistent with that purpose. However: - Do NOT run these commands on your primary machine. The instructions intentionally run and inspect malicious samples, read process memory, and call network captures — run only in an isolated, up-to-date VM or hardened sandbox with no sensitive data or network access to production systems. - Several commands require sudo or elevated privileges (tcpdump, reading /proc/<pid>/mem, installing packages). Grant those only in controlled environments. - The skill contains examples that use tokens (Telegram bot token) and shows how to fetch data when such a token is present — never supply real production tokens unless you understand the consequences. The skill does not require any env vars by default. - There is a metadata mismatch: SKILL.md sets user-invocable: "false" while registry metadata indicates the skill is user-invocable. Verify which is intended before enabling autonomous invocation. - Verify the skill author/source before installing or following instructions; this bundle came from an unknown source. If you plan to allow the agent to execute commands, restrict the agent's execution privileges and network access (no internet or limited/monitored egress) and prefer manual invocation rather than autonomous runs.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739zh69fthyy1qnn4dcsqzz583w1cy
165downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
@gandli
latest
Download

CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

Prerequisites

Python packages (all platforms):

pip install yara-python pefile capstone oletools unicorn pycryptodome \
  volatility3 dissect.cobaltstrike

Linux (apt):

apt install strace ltrace tshark binwalk binutils

macOS (Homebrew):

brew install wireshark binwalk binutils ghidra

Manual install:

  • dnSpy — GitHub, .NET decompiler (Windows)

Additional Resources

  • scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection)
  • c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
  • pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

When to Pivot

  • If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to /ctf-reverse.
  • If the main job is network reconstruction, disk carving, or host artifact recovery, switch to /ctf-forensics.
  • If the challenge turns into public attribution or infrastructure tracing, switch to /ctf-osint.

Quick Start Commands

# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20

# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe

# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50

# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'

# YARA scan
yara -r rules.yar suspicious_file

Obfuscated Scripts

  • Replace eval/bash with echo to print underlying code; extract base64/hex blobs and analyze with file. See scripts-and-obfuscation.md.

JavaScript & PowerShell Deobfuscation

  • JS: Replace eval with console.log, decode unescape(), atob(), String.fromCharCode().
  • PowerShell: Decode -enc base64, replace IEX with output. See scripts-and-obfuscation.md.

Junk Code Detection

  • NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real call targets. See scripts-and-obfuscation.md.

PCAP & Network Analysis

tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload

Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.

Custom Crypto Protocols

  • Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
  • ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See c2-and-protocols.md.

C2 Traffic Patterns

  • Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.

RC4-Encrypted WebSocket C2

  • Remap port with tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.

Identifying Encryption Algorithms

  • AES: 0x637c777b S-box; ChaCha20: expand 32-byte k; TEA/XTEA: 0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.

AES-CBC in Malware

  • Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.

PE Analysis

peframe malware.exe      # Quick triage
pe-sieve                 # Runtime analysis
pestudio                 # Static analysis (Windows)

See pe-and-dotnet.md.

.NET Malware Analysis

  • Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.

Malware Configuration Extraction

  • Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.

Sandbox Evasion Checks

  • VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.

Anti-Analysis Techniques

VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.

PyInstaller + PyArmor Unpacking

  • pyinstxtractor.py to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.

Telegram Bot Evidence Recovery

  • Use bot token from malware source to call getUpdates and getFile APIs. See c2-and-protocols.md.

Debian Package Analysis

ar -x package.deb && tar -xf control.tar.xz  # Check postinst scripts

See scripts-and-obfuscation.md.

YARA Rules for Malware Detection

Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.

Shellcode Analysis

Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.

Memory Forensics for Malware

vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.

Network Indicators Quick Reference

strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u

Comments

Loading comments...