Complete Claude skills toolkit for professional malware analysis. 5 specialized skills covering triage, dynamic analysis, detection engineering, and reporting. Works with REMnux/FlareVM offline environments.
```shell
git clone https://github.com/gl0bal01/malware-analysis-claude-skills.git
```

This toolkit provides five integrated Claude skills for professional malware analysis workflows: initial triage and prioritization, safe dynamic execution with behavior monitoring, specialized analysis for non-PE files (documents, scripts, archives, disk images), detection rule creation (YARA, Sigma, Suricata), and professional report generation. It handles batch workflows and multi-sample analysis through an orchestrator skill that routes tasks automatically. The skills are designed for offline analysis environments like REMnux and FlareVM: evidence is exported from the isolated analysis VMs, and the IOCs and detection rules are generated on an internet-connected host machine. Security analysts and incident response teams can use it to accelerate malware assessment, from initial triage through final reporting, without requiring deep reverse-engineering expertise.
Upload the root SKILL.md orchestrator and five sub-skill folders to Claude or Claude Code. The orchestrator automatically routes requests to the appropriate sub-skill based on your analysis needs. For offline analysis, run Claude Code on your internet-connected host machine and feed it evidence exported from isolated analysis VMs.
- Quickly assess and prioritize unknown malware samples for threat level
- Safely execute malware and analyze behavioral indicators, network traffic, and process trees
- Analyze non-executable files like Office macros, PDFs, PowerShell scripts, and disk images
- Create YARA, Sigma, and Suricata detection rules from analysis findings
1. Copy the install command and run it in your terminal:

   ```shell
   git clone https://github.com/gl0bal01/malware-analysis-claude-skills
   ```

2. Launch Claude Code, Cursor, or your preferred AI coding agent.
3. Use the prompt template or examples below to test the skill.
4. Adapt the skill to your specific use case and workflow.
Analyze the following malware sample [MALWARE_SAMPLE] using the malware-analysis-claude-skills toolkit. Perform a comprehensive analysis including triage, dynamic analysis, detection engineering, and generate a detailed report. The analysis should be conducted in a REMnux/FlareVM offline environment.
# Malware Analysis Report
## Summary
- **Malware Type**: Trojan
- **Severity**: High
- **First Seen**: 2023-10-15
- **Last Updated**: 2023-10-20
## Triage Analysis
- **File Hash**: SHA256: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6
- **File Size**: 456 KB
- **Compiled Date**: 2023-09-28
- **Packed**: Yes (UPX)
## Dynamic Analysis
- **Processes Created**:
  - `explorer.exe`
  - `svchost.exe`
- **Network Connections**:
  - `192.168.1.100:443`
  - `10.0.0.1:8080`
- **Registry Modifications**:
  - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
## Detection Engineering
- **YARA Rule**:

```yara
rule Trojan_Example {
    meta:
        description = "Detects Example Trojan"
        author = "Claude"
    strings:
        $s1 = "MaliciousString1"
        $s2 = "MaliciousString2"
    condition:
        $s1 or $s2
}
```
## Recommendations
- **Immediate Actions**:
  - Isolate infected systems
  - Block network connections to identified IPs
- **Long-term Actions**:
  - Update antivirus signatures
  - Educate users on phishing awareness