Files

T

Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization

10_Wiki/Topics 대규모 정리:
- 오류 캡처/미완성 stub 문서 227개 제거
- 교차폴더 중복 43클러스터 병합 (63파일 → redirect)
- 링크명 정규화: 깨진 링크 수정·redirect 직결·개념 매핑 ~2,400건
- 카테고리 MOC 6개 신규 생성
- Graph 섹션 미해결 related-keyword 링크 10,058건 제거

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-20 23:52:15 +09:00

4.4 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

Malware Analysis

매 한 줄

"매 악성 binary의 매 behavior + capability + IOC 의 추출". 매 static (disassembly, string, import) ↔ dynamic (sandbox, instrumentation) ↔ hybrid 의 3-tier — 매 2026 매 LLM-assisted reversing 의 confluence — 매 incident response의 bottleneck.

매 핵심

매 3 가지 분석 mode

Static: 매 비실행 — strings, PE header, import table, YARA, signature.
Dynamic: 매 sandbox 실행 — API calls, network, file mod, registry.
Hybrid: 매 static 으로 매 hint 추출 → dynamic 으로 매 path 매 trigger.

매 IOC types

File: SHA256, imphash.
Network: domain, IP, URL, JA3 fingerprint.
Host: registry key, mutex, persistence path.
Behavior: MITRE ATT&CK technique.

매 응용

매 SOC incident triage.
매 threat intel feed 의 enrichment.
매 detection rule (YARA, Sigma) 의 author.

💻 패턴

매 file triage

file suspicious.bin
sha256sum suspicious.bin
strings -n 8 suspicious.bin | head -50
exiftool suspicious.bin

매 PE inspect

pefile-info suspicious.exe  # python pefile
# 매 imphash 매 family clustering
python -c "import pefile; print(pefile.PE('m.exe').get_imphash())"

매 YARA rule

rule SuspiciousLoader {
  meta:
    author = "analyst"
    date = "2026-05-10"
  strings:
    $s1 = "VirtualAlloc" ascii
    $s2 = "WriteProcessMemory" ascii
    $s3 = { 48 8B ?? ?? E8 ?? ?? ?? ?? 48 85 C0 74 }
  condition:
    uint16(0) == 0x5A4D and 2 of ($s*)
}
// scan: yara -r rules.yar samples/

매 Ghidra script (headless)

analyzeHeadless /tmp/proj proj1 -import sample.exe \
  -postScript ExtractStrings.java -deleteProject

매 sandbox (CAPE / Cuckoo)

cape submit suspicious.exe --timeout 120 --options "procmemdump=yes"
# 매 result: API trace, network pcap, dropped files

매 IDA Python

import idautils, idaapi
for func in idautils.Functions():
    name = idaapi.get_name(func)
    if 'crypt' in name.lower():
        print(hex(func), name)

매 unpacking heuristic

# 매 entropy >7.0 매 packed 의 강한 signal
import math, collections
def entropy(data):
    cnt = collections.Counter(data)
    total = len(data)
    return -sum((c/total) * math.log2(c/total) for c in cnt.values())

매 LLM-assisted (Claude Opus 4.7)

# 매 disassembly chunk 의 의미 의 explain
prompt = f"Analyze this x86_64 function and identify behavior:\n{disasm}"
# 매 Ghidra plugin → MCP → Claude API 매 round-trip

매 MITRE ATT&CK mapping

behaviors:
  - tactic: Defense Evasion
    technique: T1055  # Process Injection
    evidence: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
  - tactic: Persistence
    technique: T1547.001  # Registry Run Keys

매 결정 기준

상황	Approach
매 known-bad triage	hash/imphash lookup
매 unknown sample	static + sandbox 병행
매 packed	unpack + dump 후 static
매 APT custom	매 hybrid + LLM-assisted reversing

기본값: 매 imphash + YARA 의 quick pass → 매 sandbox detonate → 매 manual reverse.

🔗 Graph

부모: Security
변형: Static Analysis
응용: Anomaly-Detection
Adjacent: SAST · Code Obfuscation

🤖 LLM 활용

언제: 매 disassembly 의 의미 해석, 매 obfuscated string 의 deobfuscation. 언제 X: 매 IOC extraction 의 numeric — 매 deterministic tooling 사용.

❌ 안티패턴

production 매 sandbox: 매 lateral movement 의 위험.
YARA rule 매 too generic: 매 false positive 폭발.
strings only: 매 packed 매 useless.
LLM 답 의 blind trust: 매 hallucinated API behavior 위험.

🧪 검증 / 중복

Verified (Ghidra 11.x, YARA 4.5, MITRE ATT&CK v15, 2026).
신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — static/dynamic/hybrid 분석 + LLM-assisted 정리

4.4 KiB Raw Blame History