Security specialty

Malware Analysis

Browse every cataloged workflow for malware analysis, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

39 skills

cybersecuritySkill

Analyzing Android Malware with Apktool

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

Malware Analysis
androguardandroidapkapktool+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Bootkit and Rootkit Samples

Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware detection.

Malware Analysis
bootkitmalwarembr-analysisrootkit+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Cobalt Strike Beacon Configuration

Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.

Malware Analysis
beaconc2cobalt-strikeconfig-extraction+3
ATT&CK, 10 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing CobaltStrike Malleable C2 Profiles

Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.

Malware Analysis
beacon-analysisc2-detectioncobalt-strikemalleable-c2+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Command-and-Control Communication

Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.

Malware Analysis
beaconc2command-and-controlmalware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Golang Malware with Ghidra

Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.

Malware Analysis
binary-analysisdisassemblyghidrago-malware+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Heap Spray Exploitation

Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.

Malware Analysis
exploit-analysisheap-spraymalware-analysismemory-forensics+1
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Linux ELF Malware

Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation, Linux server compromise assessment, or container malware analysis.

Malware Analysis
elflinuxmalwarereverse-engineering+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Macro Malware in Office Documents

Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination.

Malware Analysis
document-malwaremacromalwareoffice+1
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Malicious PDF with peepdf

Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.

Malware Analysis
dfirmalware-analysispdfpdf-parser+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Malware Behavior with Cuckoo Sandbox

Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral analysis, or automated malware execution.

Malware Analysis
behavioral-analysiscuckoodynamic-analysismalware+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Malware Persistence with Autoruns

Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.

Malware Analysis
autorunsincident-responsemalware-analysispersistence+4
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Malware Sandbox Evasion Techniques

Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports

Malware Analysis
anyrunbehavioral-analysiscuckoomalware-analysis+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Memory Dumps with Volatility

Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes, injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection detection, or memory-resident malware investigation.

Malware Analysis
incident-responsemalwarememory-forensicsram-analysis+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Network Covert Channels in Malware

Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.

Malware Analysis
c2-detectioncovert-channelsdata-exfiltrationdns-tunneling+3
ATT&CK, 4 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Network Traffic of Malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

Malware Analysis
c2-detectionmalwarenetwork-analysispcap+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Packed Malware with UPX Unpacker

Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression. Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.

Malware Analysis
malwarepackingstatic-analysisunpacking+1
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing PDF Malware with PDFiD

Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage.

Malware Analysis
document-malwaremalwarepdf-analysispdfid+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Ransomware Encryption Mechanisms

Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.

Malware Analysis
cryptanalysisencryptionmalwareransomware+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Supply Chain Malware Artifacts

Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.

Malware Analysis
3cxdependency-confusionmalware-analysissoftware-integrity+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 2 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Deobfuscating JavaScript Malware

Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing encoding layers, eval chains, string manipulation, and control flow obfuscation to reveal the original malicious logic. Activates for requests involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or obfuscated dropper investigation.

Malware Analysis
deobfuscationjavascriptmalwarescript-analysis+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Deobfuscating PowerShell Obfuscated Malware

Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure.

Malware Analysis
ast-analysisdeobfuscationincident-responsemalware-analysis+3
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Fileless Malware Techniques

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

Malware Analysis
detectionfilelesslolbinsmalware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Process Injection Techniques

Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.

Malware Analysis
defense-evasiondetectionmalwarememory-forensics+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Rootkit Activity

Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified kernel structures, hidden files, and covert network connections using memory forensics, cross-view detection, and integrity checking techniques. Activates for requests involving rootkit detection, hidden process discovery, kernel integrity checking, or system call hook analysis.

Malware Analysis
detectionkernel-analysismalwarememory-forensics+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Extracting Config from Agent Tesla RAT

Extract embedded configuration from Agent Tesla RAT samples including SMTP/FTP/Telegram exfiltration credentials, keylogger settings, and C2 endpoints using .NET decompilation and memory analysis.

Malware Analysis
agent-teslaconfig-extractioncredential-theftdotnet+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Extracting IOCs from Malware Samples

Extracts indicators of compromise (IOCs) from malware samples including file hashes, network indicators (IPs, domains, URLs), host artifacts (file paths, registry keys, mutexes), and behavioral patterns for threat intelligence sharing and detection rule creation. Activates for requests involving IOC extraction, threat indicator harvesting, malware indicator collection, or building detection content from samples.

Malware Analysis
detectionindicatorsioc-extractionmalware+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Automated Malware Analysis with CAPE

Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction, configuration parsing, and anti-evasion capabilities.

Malware Analysis
automated-analysisbehavioral-analysiscapecuckoo+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Dynamic Analysis with ANY.RUN

Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe real-time execution behavior, interact with malware prompts, and capture process trees, network traffic, and system changes. Activates for requests involving interactive sandbox analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage.

Malware Analysis
any.rundynamic-analysisinteractive-analysismalware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Firmware Malware Analysis

Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction, filesystem analysis, binary reverse engineering, and bootkit detection. Activates for requests involving firmware security analysis, IoT malware investigation, UEFI rootkit detection, or embedded device compromise assessment.

Malware Analysis
embedded-securityfirmwareiotmalware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Malware Triage with YARA

Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences, and structural characteristics against known malware families and suspicious indicators. Covers rule writing, scanning, and integration with analysis pipelines. Activates for requests involving YARA rule creation, malware classification, pattern matching, sample triage, or signature-based detection.

Malware Analysis
classificationmalwarepattern-matchingtriage+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Memory Forensics with Volatility3 Plugins

Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware artifacts in Windows, Linux, and macOS memory images.

Malware Analysis
dfirincident-responsemalware-analysismemory-forensics+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Performing Static Malware Analysis with PEStudio

Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, PE file inspection, Windows executable analysis, or pre-execution malware triage.

Malware Analysis
malwarepe-analysispestudioreverse-engineering+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing YARA Rule Development for Detection

Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.

Malware Analysis
indicator-developmentmalware-detectionpattern-matchingsignature-development+3
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Reverse Engineering .NET Malware with dnSpy

Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders. Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET obfuscation analysis.

Malware Analysis
decompilationdnspydotnetmalware+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Reverse Engineering Android Malware with JADX

Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse engineering, mobile malware investigation, or Android threat analysis.

Malware Analysis
androidjadxmalwaremobile-malware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Reverse Engineering Malware with Ghidra

Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to understand internal logic, cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.

Malware Analysis
decompilationdisassemblyghidramalware+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Reverse Engineering Ransomware Encryption Routine

Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and potential decryption opportunities using static and dynamic analysis.

Malware Analysis
aescryptanalysisdecryptionencryption+4
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Reverse Engineering Rust Malware

Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis.

Malware Analysis
binary-analysisghidraida-promalware-analysis+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings