---
name: pentest-malware
description: Malware analizi — triage, static analiz, dynamic sandbox, IOC extract, YARA imza yazimi advisory. Triggers on malware analiz, malware triage, sandbox, Cuckoo, IDA, Ghidra, dynamic analysis, IOC, YARA imza, packer, unpacker, reverse malware.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents malware-analyst
---

# pentest-malware

Malware analysis advisory: static, dynamic, IOC, YARA. Active analysis requires an **isolated sandbox** (never run samples in production).

## Triggers

- "malware analysis"
- "sample triage"
- "Cuckoo / VMRay sandbox"
- "RE with IDA / Ghidra"
- "write a YARA signature"
- "packer detection"
- "IOC extraction"

## Triage Flow

```
1. Compute hash (SHA256)
2. VirusTotal lookup (is a detection already on record? no upload needed)
3. Strings + magic bytes
4. Packer detection (PEiD, DIE)
5. Static disassembly (Ghidra/IDA)
6. Dynamic sandbox (Cuckoo, Any.run)
7. Network IOC (C2 domain, IP, JA3)
8. Write YARA signature
9. Report
```

## Hash + VT Lookup

```bash
# Hash
sha256sum sample.exe
md5sum sample.exe

# VT lookup by hash (API key required; returns the existing report, does not upload the sample)
curl -s "https://www.virustotal.com/api/v3/files/$(sha256sum sample.exe | cut -d' ' -f1)" \
  -H "x-apikey: $VT_KEY" | jq '.data.attributes'

# If a previous analysis already exists for this hash, dynamic analysis can be skipped
```

## Static Analysis

```bash
# File type
file sample.exe
file sample.bin

# Strings (ASCII + UTF-16LE)
strings -a -el sample.exe | grep -iE 'http|cmd|powershell|exec|reg|task'
strings sample.exe | grep -iE '\.exe$|\.dll$|\.bat$'

# PE header (Windows)
python3 -c 'import pefile; print(pefile.PE("sample.exe").dump_info())'   # imports, exports, sections
peframe sample.exe                # high-level summary
diec sample.exe                   # Detect It Easy CLI: packer/protector detection

# ELF (Linux)
readelf -a sample.elf
objdump -d sample.elf | head
```
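Added example, not part of this skill's original content: triage steps 1, 3 and 4 done offline in Python. It computes SHA256, classifies the file by magic bytes, extracts ASCII and UTF-16LE strings with the same suspicious-keyword filter as the `strings | grep` line above, and scores whole-file Shannon entropy as a packer heuristic to set beside DIE's verdict. `SAMPLE`, the magic table and the threshold wording are constructed assumptions, not output of any real tool.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample bytes (not a real malware file): PE-style magic, padding,
# one ASCII string, one UTF-16LE string and one import name, as the grep above expects.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"powershell -enc AAAA\x00\x00"
    + "http://example.invalid/x.php".encode("utf-16-le") + b"\x00\x00"
    + b"RegSetValueExA\x00"
)
SUSPICIOUS = re.compile(r"http|cmd|powershell|exec|reg|task", re.I)
MAGICS = {b"MZ": "PE", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP/OOXML", b"%PDF": "PDF"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def file_type(data):
    """Classify by leading magic bytes, the first thing `file` reports."""
    return next((t for m, t in MAGICS.items() if data.startswith(m)), "unknown")

def extract_strings(data, min_len=6):
    """Equivalent of `strings -a` (ASCII runs) plus `strings -el` (UTF-16LE runs)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in wide_runs]

def entropy(data):
    """Shannon entropy in bits per byte; whole-file values near 8.0 suggest packing or encryption."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data):
    """One record per sample, ready to paste into the Triage/Static sections of the report."""
    return {
        "sha256": sha256(data),
        "type": file_type(data),
        "entropy": round(entropy(data), 2),
        "suspicious_strings": [s for s in extract_strings(data) if SUSPICIOUS.search(s)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Entropy is only a hint: a high score on a single section is a stronger packer signal than on the whole file, so cross-check with DIE and the section table from pefile.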

## Packer Detection + Unpack

| Packer | Detect | Unpack |
|--------|--------|--------|
| UPX | DIE / `upx -l sample.exe` | `upx -d sample.exe` |
| ASPack | DIE | OllyScript / ESP trick |
| Themida | DIE (full match) | Manual / VMProtect unpacker |
| Custom | Unknown signature | Sandbox + memory dump |
| .NET obfuscation | dnSpy strings | de4dot, ConfuserEx unpacker |

## Dynamic Sandbox (Isolated)

```bash
# Cuckoo (self-hosted)
cuckoo submit --machine win10-clean sample.exe
# Output: behavior log, network capture, dropped files, registry changes

# REMnux (Linux analysis distro)
inetsim                          # fake internet (DNS, HTTP, SMTP) so the sample sees no real network
olevba sample.doc                # Office macro extraction (oletools)
```

## IDA / Ghidra Workflow

```
1. Open sample.exe
2. Auto-analysis (Ghidra: 5-10 minutes)
3. Entry point (WinMain / main / DllMain)
4. Select strings -> cross-reference
5. Suspicious imports: VirtualAlloc, CreateRemoteThread, WinExec
6. Hardcoded C2 -> search "http://" "https://"
7. XOR decryption loops -> mark + decode
8. Anti-debug checks: IsDebuggerPresent, PEB.BeingDebugged
9. Anti-VM checks: registry keys, MAC prefix, CPU count
10. Behavior chain: file dropper -> persistence -> C2
```

## Writing YARA Signatures

```yara
rule Trickbot_Loader_v2 {
    meta:
        author = "Security Team"
        date = "2026-05-15"
        family = "Trickbot"
        description = "Trickbot loader version 2"
        reference = "https://malpedia.../trickbot"

    strings:
        $magic = { 4D 5A }                      // MZ header

        // Unique strings
        $s1 = "TrickBot" wide ascii
        $s2 = "GroupTag" wide
        $s3 = "ClientID" wide

        // Crypto routine signature
        $crypto = {
            8B 4D ?? 8B 55 ?? 33 D1 89 4D ??
            8B 55 ?? 81 EA 78 56 34 12
        }

        // C2 URL pattern
        $url = /https?:\/\/[a-z0-9]{8,16}\.(top|xyz|info)\/[a-z]{4,8}\.php/

    condition:
        $magic at 0
        and filesize < 500KB
        and (
            (2 of ($s*) and $crypto)
            or (1 of ($s*) and $url)
        )
}
```

## IOC Output Template

```markdown
## Malware Analysis — sample_$(sha256).exe

### Triage
- SHA256: abc123def456...
- Family: Trickbot (v2)
- First seen: 2026-05-10 (VT)
- Detection rate: 23/72 AV

### Static
- PE, Win32, .NET (obfuscated with ConfuserEx)
- Packed: ConfuserEx -> unpacked with de4dot
- Imports: VirtualAlloc, CreateRemoteThread, RegSetValueExA
- Strings: 5 URL, 3 user-agent, 2 service name

### Dynamic (sandbox)
- Dropper: %APPDATA%\Microsoft\<random>.exe
- Persistence: Registry Run + Scheduled Task
- C2: hxxps://malicious-domain[.]top/api.php
- Beacon: 60s interval, JA3 fingerprint cb02...

### IOC
| Type | Value |
|------|-------|
| SHA256 | abc123... |
| C2 Domain | malicious-domain.top |
| C2 IP | 203.0.113.45 |
| Mutex | Global\TrickBot_v2_1 |
| User-Agent | Mozilla/5.0 (compatible; MSIE 10.0; ...) |
| Reg Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate |
```
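Added example, not part of this skill's original content: turning sandbox or strings output into the defanged IOC table above. It pulls URLs, domains, public IPv4 addresses, the mutex and the Run key, drops sandbox-internal addresses (the inetsim host answering fake DNS/HTTP) and domain look-alikes such as `api.php`, and defangs host parts as `hxxps://` and `[.]` exactly as the template does. `SANDBOX_LINES` is constructed from the template's own sample values; the regexes and the private-range check are assumptions of this example.

```python
import re

# Constructed sandbox/strings lines (not real sandbox output), of the kind the
# network-IOC step and the IOC table in the report template are built from.
SANDBOX_LINES = [
    "GET https://malicious-domain.top/api.php HTTP/1.1",
    "DNS query: malicious-domain.top -> 203.0.113.45",
    "connect 10.0.0.5:8080",  # the sandbox's own inetsim address: noise, not C2
    "connect 203.0.113.45:443",
    "Mutex: Global\\TrickBot_v2_1",
    "RegSetValueExA HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
RUNKEY_RE = re.compile(r"HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\S+", re.I)
MUTEX_RE = re.compile(r"Mutex:\s*(\S+)")
FILE_EXTS = {"php", "exe", "dll", "bat", "txt", "asp", "html"}  # domain look-alikes to drop

def is_private_ipv4(ip):
    """RFC 1918, loopback and link-local: normally the sandbox itself, not the C2."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a, b) in ((192, 168), (169, 254))

def defang(value):
    """hxxp:// and [.] in the host part only, matching the report template."""
    m = re.match(r"(https?://)([^/]+)(.*)", value, re.I)
    if m:
        return m.group(1).replace("http", "hxxp") + m.group(2).replace(".", "[.]") + m.group(3)
    return value.replace(".", "[.]")

def extract_iocs(lines):
    """Sorted, de-duplicated, defanged IOCs grouped by the types used in the IOC table."""
    urls, domains, ips, mutexes, runkeys = set(), set(), set(), set(), set()
    for line in lines:
        urls.update(URL_RE.findall(line))
        domains.update(d for d in DOMAIN_RE.findall(line) if d.rsplit(".", 1)[1].lower() not in FILE_EXTS)
        ips.update(ip for ip in IPV4_RE.findall(line) if not is_private_ipv4(ip))
        mutexes.update(MUTEX_RE.findall(line))
        runkeys.update(RUNKEY_RE.findall(line))
    return {
        "url": sorted(defang(u) for u in urls),
        "domain": sorted(defang(d) for d in domains),
        "ip": sorted(defang(i) for i in ips),
        "mutex": sorted(mutexes),
        "reg_key": sorted(runkeys),
    }
```

`extract_iocs(SANDBOX_LINES)` yields one list per IOC type; each value maps onto a row of the template's table.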

## Out-of-Scope

- Running malware in production (sandbox mandatory)
- Reverse engineering third-party legitimate software (license violation)
- 0-day exploit development
