npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
Use this skill when:
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Use this skill when:
Do not use this skill to create, enhance, or distribute malware. This skill is for defensive analysis only.
# Hash the sample
sha256sum suspicious.apk
# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/files/<SHA256>" \
-H "x-apikey: <VT_API_KEY>" | jq '.data.attributes.last_analysis_stats'
# Extract permissions from AndroidManifest.xml
aapt dump permissions suspicious.apk
# High-risk permission combinations:
# READ_SMS + INTERNET = SMS stealer
# RECEIVE_SMS + SEND_SMS = SMS interceptor/banker trojan
# ACCESSIBILITY_SERVICE + INTERNET = overlay attack capability
# CAMERA + RECORD_AUDIO + INTERNET = spyware
# DEVICE_ADMIN + INTERNET = ransomware capability
# READ_CONTACTS + INTERNET = contact exfiltration
# Upload to MobSF
curl -F "file=@suspicious.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
# Review malware indicators in report:
# - Hardcoded C2 server addresses
# - Dynamic code loading (DexClassLoader)
# - Reflection-based API calls (to evade static analysis)
# - Encrypted/obfuscated payloads
# - Root detection (malware often checks for root)
# - Anti-emulator checks (malware evades sandbox)
# Start packet capture on emulator
tcpdump -i any -w malware_traffic.pcap
# Or use mitmproxy for HTTP/HTTPS
mitmproxy --mode transparent
# Monitor for:
# - DNS lookups to suspicious/newly registered domains
# - Connections to known C2 infrastructure
# - Data exfiltration patterns (large POST requests)
# - Beaconing behavior (regular interval connections)
# - Non-standard ports and protocols
# - Domain Generation Algorithm (DGA) patterns
// monitor_malware.js - Comprehensive behavior monitoring
Java.perform(function() {
// Monitor SMS access
var SmsManager = Java.use("android.telephony.SmsManager");
SmsManager.sendTextMessage.overload("java.lang.String", "java.lang.String",
"java.lang.String", "android.app.PendingIntent", "android.app.PendingIntent")
.implementation = function(dest, sc, text, sent, delivery) {
console.log("[SMS] Sending to: " + dest + " Text: " + text);
// Allow or block based on analysis needs
return this.sendTextMessage(dest, sc, text, sent, delivery);
};
// Monitor file operations
var FileOutputStream = Java.use("java.io.FileOutputStream");
FileOutputStream.$init.overload("java.lang.String").implementation = function(path) {
console.log("[FILE-WRITE] " + path);
return this.$init(path);
};
// Monitor network connections
var URL = Java.use("java.net.URL");
URL.openConnection.overload().implementation = function() {
console.log("[NET] " + this.toString());
return this.openConnection();
};
// Monitor dynamic code loading
var DexClassLoader = Java.use("dalvik.system.DexClassLoader");
DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
console.log("[DEX-LOAD] Loading: " + dexPath);
return this.$init(dexPath, optDir, libPath, parent);
};
// Monitor command execution
var Runtime = Java.use("java.lang.Runtime");
Runtime.exec.overload("java.lang.String").implementation = function(cmd) {
console.log("[EXEC] " + cmd);
return this.exec(cmd);
};
// Monitor camera/audio access
var Camera = Java.use("android.hardware.Camera");
Camera.open.overload("int").implementation = function(id) {
console.log("[CAMERA] Camera opened: " + id);
return this.open(id);
};
// Monitor content provider access (contacts, call log)
var ContentResolver = Java.use("android.content.ContentResolver");
ContentResolver.query.overload("android.net.Uri", "[Ljava.lang.String;",
"java.lang.String", "[Ljava.lang.String;", "java.lang.String")
.implementation = function(uri, proj, sel, selArgs, sort) {
console.log("[QUERY] " + uri.toString());
return this.query(uri, proj, sel, selArgs, sort);
};
console.log("[*] Malware behavior monitor active");
});
Based on observed behaviors, classify the sample:
| Behavior Pattern | Malware Type |
|---|---|
| SMS interception + C2 communication | Banking Trojan |
| Camera/mic access + data upload | Spyware/Stalkerware |
| File encryption + ransom note display | Mobile Ransomware |
| Ad injection + click fraud traffic | Adware |
| Root exploit + persistence | Rootkit |
| Contact harvesting + SMS spam | Worm/SMS Spammer |
| Overlay attacks + credential capture | Credential Stealer |
| Crypto mining network activity | Cryptojacker |
| Term | Definition |
|---|---|
| Dynamic Code Loading | Loading executable code at runtime from external sources, commonly used by malware to evade static analysis |
| C2 Beacon | Regular network check-in from malware to command-and-control server, identifiable by periodic timing patterns |
| DGA | Domain Generation Algorithm creating pseudo-random domain names for resilient C2 infrastructure |
| Overlay Attack | Drawing fake UI over legitimate apps to capture credentials, requiring SYSTEM_ALERT_WINDOW permission |
| Anti-Emulator | Techniques malware uses to detect sandbox/emulator environments and suppress malicious behavior |