--- name: malware-triage description: Rapid assessment, classification, and prioritization of malware samples. Use when you need to perform initial malware assessment, classify a sample's type and family, determine analysis priority, identify quick indicators, or decide on next analysis steps. --- # Malware Triage Systematic workflow for rapid malware assessment, classification, and prioritization for professional malware analysis and enterprise security operations. ## When to Use This Skill Use this skill when the user needs to: - Perform initial assessment of malware samples - Quickly classify and prioritize samples - Identify key indicators without deep analysis - Decide whether to proceed with full analysis - Triage multiple samples efficiently - Create initial findings summary - Predict malware behaviors before dynamic analysis ## Overview Triage is the critical first phase of malware analysis that: 1. Quickly identifies key characteristics 2. Classifies malware type and threat level 3. Determines analysis priority 4. Predicts behaviors to guide deeper analysis 5. Extracts immediate IOCs **Goal:** Make informed decisions about analysis approach within 5-30 minutes per sample. ## Triage Workflow ### Phase 1: Basic Information Gathering (5 minutes) **Calculate Hashes:** ```bash python scripts/hash_calculator.py sample.exe ``` Document: - MD5, SHA1, SHA256 - Original filename - File size - File type (PE32/PE64/Script/Document) **Check Online Reputation:** - VirusTotal (virustotal.com) - MalwareBazaar (bazaar.abuse.ch) - Hybrid Analysis - Any.Run Record: - Detection rate - Known family name (if identified) - Previous submission dates - Community comments ### Phase 2: Quick Static Analysis (10 minutes) **For PE Files:** 1. Check packing/obfuscation - Use Detect It Easy (DIE) or PEiD - Check entropy (>7.0 = likely packed) - Document packer name if identified 2. Examine PE structure - Compilation timestamp - Section names and characteristics - Digital signature status - Entry point location - Overlay data presence 3. Review import table - See `references/indicators.md` for suspicious APIs - Note process injection functions - Note network functions - Note anti-analysis functions 4. Extract strings - URLs and IP addresses - File paths - Registry keys - Mutex names - Error messages - Email addresses **For Scripts (PowerShell, VBS, JavaScript):** 1. Check obfuscation level 2. Look for Base64/hex encoding 3. Identify download/execute patterns 4. Extract URLs and IPs 5. Check for embedded payloads **For Office Documents:** 1. Check for macros 2. Examine OLE streams 3. Look for external references 4. Check metadata 5. Identify exploit indicators ### Packed Sample Handling When a sample is packed or protected, static analysis yields limited results. Identify and document packing before proceeding. **Identify Packing:** - **Entropy analysis** — Overall entropy >7.0 or individual sections with entropy >6.8 strongly indicate packing or encryption - **Import table** — Very few imports, or imports limited to `LoadLibrary` / `GetProcAddress` / `VirtualAlloc` / `VirtualProtect` (runtime loading pattern) - **Section names** — Known packer section names: `UPX0`, `UPX1`, `UPX2` (UPX); `.themida`, `.winlicence` (Themida/WinLicense); `.vmp0`, `.vmp1` (VMProtect); `.aspack` (ASPack); `.MPRESS1`, `.MPRESS2` (MPRESS) - **Section characteristics** — Executable sections with no readable strings, or a single large section combining code and data - **PE anomalies** — Entry point outside the first section, missing standard sections (`.text`, `.data`, `.rsrc`), or unusually small code section **Common Packers and Indicators:** | Packer | Key Indicators | Reversible? | |--------|----------------|-------------| | **UPX** | `UPX0`/`UPX1` sections, high entropy, `UPX!` magic in overlay | Yes — `upx -d sample.exe` | | **Themida / WinLicense** | `.themida` section, virtualized code, anti-debug tricks, large protected section | No — dynamic analysis required | | **VMProtect** | `.vmp0`/`.vmp1` sections, custom VM bytecode, heavy anti-tamper | No — dynamic analysis required | | **ASPack** | `.aspack` section, low import count, `aSPack` string in binary | Partially — tools available | | **MPRESS** | `.MPRESS1`/`.MPRESS2` sections, LZMA compression | Partially — tools available | | **Enigma Protector** | `.enigma1`/`.enigma2` sections, license-check stubs | No — dynamic analysis required | | **Custom packer** | Unknown section names, high entropy, minimal imports, no recognizable signature | No — dynamic analysis required | **What to Do When Packing is Detected:** 1. **Document packing in triage findings** — Note the packer name (if identified), entropy values per section, and import count 2. **Attempt UPX unpacking if applicable:** ```bash upx -d packed_sample.exe -o unpacked_sample.exe # Verify unpacking succeeded python scripts/hash_calculator.py unpacked_sample.exe ``` 3. **Record both packed and unpacked hashes** — The packed hash is the delivery artifact; the unpacked hash may match known malware families 4. **Re-run static analysis on the unpacked sample** — Import table and strings will be significantly richer 5. **Flag for dynamic analysis** — For non-UPX packers, the sample must unpack itself in a sandbox; document this as the recommended next step 6. **Note sophistication level** — Commercial protectors (Themida, VMProtect, Enigma) indicate higher-sophistication threats; custom packers indicate APT-level development **Tools for Packer Detection:** - **Detect It Easy (DIE)** — Primary tool; identifies 300+ packers and compilers by signature, shows per-section entropy - **PEiD** — Signature-based packer detection (older but widely referenced signatures) - **pestudio** — PE analysis with packer detection and entropy visualization - **ExeinfoPE** — Additional packer signatures, useful when DIE is inconclusive **Triage Report Updates for Packed Samples:** - Set `Packed: Yes - [Packer name or "Unknown packer"]` in the File Information section - Add entropy values per section under PE Analysis - If unpacked: record unpacked SHA256 and note unpacking method - Set Sophistication to at minimum **Moderate** for known packers, **Advanced** for commercial protectors, **Advanced/APT** for custom packers - Add "Requires dynamic analysis for full static indicators" to Next Steps if not UPX-unpacked ### Phase 3: Classification (5 minutes) **Determine Malware Type:** Consult `references/indicators.md` for patterns. Common types: - **Trojan/RAT** - Remote access, C2 communication - **Ransomware** - File encryption, ransom demands - **Infostealer** - Credential theft, browser data - **Dropper/Loader** - Delivers additional payloads - **Cryptominer** - Cryptocurrency mining - **Backdoor** - Persistent remote access - **Worm** - Self-propagating **Assess Threat Level:** - **Critical** - Destructive, ransomware, APT - **High** - Data theft, full system compromise - **Medium** - Limited capabilities, targeted - **Low** - Minimal impact, commodity malware **Evaluate Sophistication:** - **Simple** - Basic functionality, no obfuscation - **Moderate** - Some protection, standard techniques - **Advanced** - Heavy obfuscation, anti-analysis - **APT-level** - Custom, targeted, advanced evasion ### Phase 4: Behavior Prediction (5 minutes) Based on static indicators, predict: **Process Activity:** - Will it create child processes? - Process injection expected? - Which processes targeted? **File System:** - Files likely to be created (paths) - Files likely to be modified - Files likely to be deleted **Registry:** - Persistence keys likely to be used - Configuration storage locations - System modifications expected **Network:** - C2 communication expected? - Protocol (HTTP/HTTPS/Raw TCP/IRC/DNS) - Beacon interval pattern - Data exfiltration likely? **Persistence:** - Mechanism (Run key/Service/Task/Startup) - Location and method ### Phase 5: Priority and Decision (5 minutes) **Determine Priority:** **Immediate** (analyze now): - Unknown samples unclear threat - Active incident-related - Destructive capabilities - APT/targeted indicators - Recent threat intel matches **Standard** (normal queue): - Known variant - Commodity malware - Clear signatures available - Historical/research samples **Low** (defer if needed): - Clearly identified common malware - Adware/PUP minimal impact - Old/outdated samples - Likely false positives **Analysis Decision:** Proceed with full analysis if: - Unknown/new sample - Need behavioral confirmation - Creating signatures required - Investigating specific functionality Quick report if: - Known malware with existing docs - Time-constrained triage - Clear identification from reputation check ## Triage Report Template Use this format to document findings: ```markdown ## Malware Triage Report **Sample:** [filename] **Date:** [date] **Analyst:** [name] ### File Information - **MD5:** [hash] - **SHA1:** [hash] - **SHA256:** [hash] - **Size:** [bytes] - **Type:** [PE32/PE64/Script/etc] - **Packed:** [Yes/No - Packer name] ### Online Reputation - **VirusTotal:** [XX/YY detections - Link] - **Known Family:** [Family name or Unknown] - **First Seen:** [Date or Unknown] ### Static Indicators **PE Analysis:** - Compilation Date: [date] - Digital Signature: [Valid/Invalid/None] - Sections: [names and entropy] - Entry Point: [location] **Suspicious Imports:** - [DLL]: [Function, Function, ...] - [Key: Process injection, Network, Anti-analysis] **Notable Strings:** - URLs: [list] - IPs: [list] - Paths: [list] - Registry: [list] - Mutex: [name if found] ### Classification **Type:** [Trojan/Ransomware/Infostealer/etc] **Threat Level:** [Critical/High/Medium/Low] **Sophistication:** [Simple/Moderate/Advanced/APT] **Primary Capabilities:** - [Capability 1] - [Capability 2] - [Capability 3] ### Predicted Behaviors **Process Activity:** - [Expected behavior] **File System:** - [Expected modifications] **Registry:** - [Expected changes] **Network:** - [Expected communication] **Persistence:** - [Expected mechanism] ### Initial IOCs **File Indicators:** - Hashes listed above - [Additional file indicators] **Network Indicators:** - [IPs from strings] - [Domains from strings] **Host Indicators:** - [Registry keys] - [File paths] - [Mutex names] ### Recommendation **Priority:** [Immediate/Standard/Low] **Next Steps:** 1. [Action 1 - e.g., Proceed with full dynamic analysis] 2. [Action 2 - e.g., Create YARA rule] 3. [Action 3 - e.g., Search network for IOCs] **Analysis Approach:** [Full analysis / Behavioral confirmation / Quick signature creation] **Estimated Time:** [time estimate for full analysis] ``` ## Time Management ### Professional Analysis Context When analyzing multiple samples, efficient triage is critical: **Quick Triage (5 min/sample):** - Hashes + VirusTotal - Basic file info - Quick priority decision **Standard Triage (15 min/sample):** - Above + imports analysis - String extraction - Classification - Behavior prediction **Comprehensive Triage (30 min/sample):** - Above + detailed documentation - Initial IOC list - Full prediction writeup - YARA concept notes **Strategy:** - Quick triage ALL samples first - Prioritize based on findings - Comprehensive triage high-priority samples - Defer or quick-report low-priority samples ## Key References ### Suspicious Indicators See `references/indicators.md` for comprehensive lists of: - Suspicious API imports by category - Common string patterns - Behavioral indicators - Packer signatures - Red flags by file type - Quick classification patterns ### Detailed Checklist See `references/triage_checklist.md` for: - Complete step-by-step checklist - Decision tree guidance - Dynamic analysis go/no-go criteria - Common pitfalls to avoid - Tools quick reference ## Tools and Scripts ### Hash Calculator ```bash # Run from the malware-triage/ directory: python scripts/hash_calculator.py # Or from the repo root: python malware-triage/scripts/hash_calculator.py ``` Quickly calculates all three hashes (MD5, SHA1, SHA256) for documentation. ### Recommended External Tools **Static Analysis:** - Detect It Easy (DIE) - Packer detection - PEStudio - PE analysis - strings / FLOSS - String extraction - HxD - Hex editor - CFF Explorer - PE structure **Online Services:** - VirusTotal - Multi-engine scanning - MalwareBazaar - Sample database - Hybrid Analysis - Automated analysis - Any.Run - Interactive sandbox ## Best Practices ### Do: - Always calculate all three hashes immediately - Check multiple reputation sources - Document findings as you discover them - Use checklists to ensure completeness - Consider false positive possibilities - Predict behaviors before dynamic analysis - Prioritize samples logically ### Don't: - Skip basic file information - Rely solely on VirusTotal results - Assume packing means malicious - Execute without proper isolation - Trust timestamps (easily forged) - Ignore negative findings - Rush classification decisions ### Efficiency Tips: 1. Have tools ready and scripts prepared 2. Use templates for documentation 3. Automate hash calculation 4. Keep a reference of common indicators 5. Build up a personal knowledge base 6. Take notes during, not after 7. Use multiple monitors if possible ## Common Triage Scenarios ### Scenario 1: Unknown Executable 1. Calculate hashes → not found online 2. Check packing → heavily packed 3. Review imports → suspicious injection/network APIs 4. Classification → likely trojan/RAT 5. Decision → Full analysis required ### Scenario 2: Suspicious Document 1. Calculate hashes → 0 detections 2. Check macros → obfuscated VBA 3. Extract strings → download URLs found 4. Classification → dropper via macro 5. Decision → Dynamic analysis of macro behavior ### Scenario 3: Known Malware Variant 1. Calculate hashes → 50+ detections, identified as Emotet 2. Review VirusTotal → well-documented 3. Quick checks → confirms expected indicators 4. Classification → confirmed Emotet variant 5. Decision → Quick report, no deep analysis needed ## Integration with Full Analysis Triage findings guide the full analysis: **Use predictions to:** - Know what to monitor during dynamic analysis - Set up appropriate monitoring tools - Focus on predicted areas first - Validate or refute hypotheses **Triage report becomes:** - Introduction section of full report - Hypothesis to test during analysis - Quick reference during investigation - Foundation for IOC development ## Quality Checklist Before concluding triage: - [ ] All three hashes calculated and verified - [ ] Online reputation checked (at least VirusTotal) - [ ] File type and basic info documented - [ ] Packing status determined - [ ] Key imports identified - [ ] Notable strings extracted - [ ] Classification assigned with reasoning - [ ] Threat level assessed - [ ] Behaviors predicted - [ ] Priority determined - [ ] Next steps documented - [ ] Initial IOCs listed - [ ] Findings clearly documented ## Example Usage **User request:** "I have a suspicious .exe file, help me triage it" **Workflow:** 1. Guide user to calculate hashes 2. Check online reputation together 3. Examine PE structure and imports 4. Extract and review strings 5. Classify based on indicators 6. Predict behaviors 7. Recommend next steps 8. Create triage report