analyzing-malware-family-relationships-with-malpedia

使用 Malpedia 平台和 API 研究恶意软件家族关系、追踪变体演化、将家族关联到威胁行为者,并整合 YARA 规则用于跨恶意软件谱系的检测。

9 stars

Best use case

analyzing-malware-family-relationships-with-malpedia is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 Malpedia 平台和 API 研究恶意软件家族关系、追踪变体演化、将家族关联到威胁行为者,并整合 YARA 规则用于跨恶意软件谱系的检测。

Teams using analyzing-malware-family-relationships-with-malpedia should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How analyzing-malware-family-relationships-with-malpedia Compares

Feature / Agentanalyzing-malware-family-relationships-with-malpediaStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 Malpedia 平台和 API 研究恶意软件家族关系、追踪变体演化、将家族关联到威胁行为者,并整合 YARA 规则用于跨恶意软件谱系的检测。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Malpedia 分析恶意软件家族关系

## 概述

Malpedia 是由弗劳恩霍夫 FKIE 维护的协作平台,收录了恶意软件家族的别名、YARA 规则、威胁行为者关联和参考报告。收录超过 2,600 个恶意软件家族,是了解恶意软件谱系、追踪变体演化以及将恶意软件关联到特定威胁组织的权威资源。本技能涵盖查询 Malpedia API、映射恶意软件家族关系、提取 YARA 规则用于检测,以及构建对手所用恶意软件生态系统的情报。

## 前置条件

- Python 3.9+,安装 `requests`、`yara-python`、`stix2` 库
- Malpedia API 密钥(在 https://malpedia.caad.fkie.fraunhofer.de/ 注册)
- 了解恶意软件分类和命名规范
- 熟悉用于检测的 YARA 规则语法
- 访问恶意软件样本进行验证(可选)

## 核心概念

### Malpedia 数据模型

Malpedia 将恶意软件组织为家族(如"win.cobalt_strike"),每个家族包含:别名(厂商特定名称,如"Beacon"、"CobaltStrike")、YARA 规则(社区和厂商贡献)、行为者关联(使用该家族的威胁组织)、参考报告(记录该家族的 CTI 报告)和样本哈希(每个变体的代表性样本)。

### 恶意软件家族命名

Malpedia 使用 `平台.家族名称` 格式(如 `win.emotet`、`elf.mirai`、`apk.flubot`)。平台包括 win(Windows)、elf(Linux)、apk(Android)、osx(macOS)和 py(Python)。这种标准化命名解决了不同厂商对同一恶意软件使用不同名称的"多名问题"。

### 家族关系

恶意软件家族之间存在以下关系:父子关系(代码复用、分叉)、加载器-载荷关系(Emotet 加载 TrickBot 加载 Ryuk)、共同作者关系(同一威胁行为者开发多种工具)以及基础设施共享(共同 C2 框架)。

## 实践步骤

### 步骤 1:查询 Malpedia API 获取恶意软件家族

```python
import requests
import json
from collections import defaultdict

class MalpediaClient:
    BASE_URL = "https://malpedia.caad.fkie.fraunhofer.de/api"

    def __init__(self, api_key):
        self.headers = {"Authorization": f"apitoken {api_key}"}

    def get_family_list(self):
        """获取所有恶意软件家族列表。"""
        resp = requests.get(f"{self.BASE_URL}/list/families",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            families = resp.json()
            print(f"[+] Malpedia: {len(families)} malware families")
            return families
        return {}

    def get_family_info(self, family_name):
        """获取恶意软件家族的详细信息。"""
        resp = requests.get(f"{self.BASE_URL}/get/family/{family_name}",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            info = resp.json()
            print(f"[+] Family: {family_name}")
            print(f"    Aliases: {info.get('alt_names', [])}")
            print(f"    Actors: {[a.get('value', '') for a in info.get('attribution', [])]}")
            print(f"    URLs: {len(info.get('urls', []))} references")
            return info
        print(f"[-] Family not found: {family_name}")
        return None

    def get_family_yara(self, family_name):
        """获取恶意软件家族的 YARA 规则。"""
        resp = requests.get(f"{self.BASE_URL}/get/yara/{family_name}",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            rules = resp.json()
            rule_count = sum(len(v) for v in rules.values()) if isinstance(rules, dict) else 0
            print(f"[+] YARA rules for {family_name}: {rule_count} rules")
            return rules
        return {}

    def get_actor_families(self, actor_name):
        """获取与威胁行为者关联的恶意软件家族。"""
        resp = requests.get(f"{self.BASE_URL}/get/actor/{actor_name}",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            data = resp.json()
            families = data.get("families", {})
            print(f"[+] {actor_name}: {len(families)} malware families")
            return data
        return {}

    def search_families(self, keyword):
        """按关键词搜索家族。"""
        all_families = self.get_family_list()
        matches = {
            name: info for name, info in all_families.items()
            if keyword.lower() in name.lower()
            or keyword.lower() in str(info.get("alt_names", [])).lower()
        }
        print(f"[+] Search '{keyword}': {len(matches)} matches")
        return matches

client = MalpediaClient("YOUR_MALPEDIA_API_KEY")
families = client.get_family_list()
emotet_info = client.get_family_info("win.emotet")
```

### 步骤 2:映射恶意软件家族关系

```python
class MalwareFamilyMapper:
    def __init__(self, malpedia_client):
        self.client = malpedia_client
        self.relationship_graph = defaultdict(list)

    def map_actor_ecosystem(self, actor_name):
        """映射威胁行为者使用的恶意软件生态系统。"""
        actor_data = self.client.get_actor_families(actor_name)
        families = actor_data.get("families", {})

        ecosystem = {
            "actor": actor_name,
            "families": [],
            "family_count": len(families),
        }

        for family_name in families:
            info = self.client.get_family_info(family_name)
            if info:
                ecosystem["families"].append({
                    "name": family_name,
                    "aliases": info.get("alt_names", []),
                    "description": info.get("description", "")[:200],
                    "shared_actors": [
                        a.get("value", "")
                        for a in info.get("attribution", [])
                    ],
                    "reference_count": len(info.get("urls", [])),
                })

        print(f"\n=== {actor_name} 恶意软件生态系统 ===")
        for fam in ecosystem["families"]:
            shared = [a for a in fam["shared_actors"] if a != actor_name]
            print(f"  {fam['name']}")
            print(f"    别名: {fam['aliases'][:5]}")
            if shared:
                print(f"    同时被以下使用: {shared}")

        return ecosystem

    def find_shared_tooling(self, actor_names):
        """发现威胁行为者之间共享的恶意软件家族。"""
        actor_families = {}
        for actor in actor_names:
            data = self.client.get_actor_families(actor)
            actor_families[actor] = set(data.get("families", {}).keys())

        # 发现重叠
        shared = {}
        for i, actor1 in enumerate(actor_names):
            for actor2 in actor_names[i+1:]:
                common = actor_families[actor1] & actor_families[actor2]
                if common:
                    shared[f"{actor1} <-> {actor2}"] = sorted(common)

        print(f"\n=== 共享工具分析 ===")
        for pair, families in shared.items():
            print(f"  {pair}: {len(families)} 个共享家族")
            for f in families[:5]:
                print(f"    - {f}")

        return shared

    def build_loader_payload_chain(self, family_name):
        """构建家族的加载器-载荷投递链。"""
        info = self.client.get_family_info(family_name)
        if not info:
            return {}

        chain = {
            "family": family_name,
            "description": info.get("description", ""),
            "known_loaders": [],
            "known_payloads": [],
        }

        # 已知投递链
        known_chains = {
            "win.emotet": {"loaders": ["email/macro"], "payloads": ["win.trickbot", "win.qakbot", "win.cobalt_strike"]},
            "win.trickbot": {"loaders": ["win.emotet"], "payloads": ["win.ryuk", "win.conti", "win.cobalt_strike"]},
            "win.qakbot": {"loaders": ["email/macro", "win.emotet"], "payloads": ["win.cobalt_strike", "win.blackbasta"]},
            "win.cobalt_strike": {"loaders": ["win.emotet", "win.trickbot", "win.qakbot"], "payloads": ["ransomware"]},
        }

        if family_name in known_chains:
            chain["known_loaders"] = known_chains[family_name]["loaders"]
            chain["known_payloads"] = known_chains[family_name]["payloads"]

        return chain

mapper = MalwareFamilyMapper(client)
ecosystem = mapper.map_actor_ecosystem("Wizard Spider")
shared = mapper.find_shared_tooling(["Wizard Spider", "FIN7", "Lazarus Group"])
chain = mapper.build_loader_payload_chain("win.emotet")
```

### 步骤 3:提取并编译 YARA 规则

```python
def compile_yara_ruleset(client, family_names, output_file="malware_yara_rules.yar"):
    """为多个恶意软件家族编译 YARA 规则。"""
    all_rules = []
    for family in family_names:
        yara_data = client.get_family_yara(family)
        if isinstance(yara_data, dict):
            for source, rules in yara_data.items():
                if isinstance(rules, list):
                    for rule in rules:
                        all_rules.append(f"// Source: {source} - Family: {family}\n{rule}")
                elif isinstance(rules, str):
                    all_rules.append(f"// Source: {source} - Family: {family}\n{rules}")

    with open(output_file, "w") as f:
        f.write(f"// Malpedia YARA Rules - {len(all_rules)} rules\n")
        f.write(f"// Families: {', '.join(family_names)}\n\n")
        for rule in all_rules:
            f.write(rule + "\n\n")

    print(f"[+] 已编译 {len(all_rules)} 条 YARA 规则到 {output_file}")
    return all_rules

compile_yara_ruleset(client, ["win.emotet", "win.trickbot", "win.cobalt_strike"])
```

## 验收标准

- 成功查询 Malpedia API 获取恶意软件家族
- 检索到包含别名、行为者和参考资料的家族信息
- 正确映射行为者-家族关系
- 识别行为者之间的共享工具
- 提取并编译 YARA 规则用于检测
- 记录加载器-载荷链以用于威胁情报

## 参考资料

- [Malpedia Platform](https://malpedia.caad.fkie.fraunhofer.de/)
- [Malpedia API Documentation](https://malpedia.caad.fkie.fraunhofer.de/usage/api)
- [Malpedia Research Paper](https://www.botconf.eu/wp-content/uploads/formidable/2/2017-DanielPlohmann-Malpedia.pdf)
- [YARA Rules Project](https://github.com/Yara-Rules/rules)
- [malwoverview Multi-Platform Tool](https://github.com/alexandreborges/malwoverview)
- [CyberAtlas: Malpedia Integration](https://www.cyberatlas.io/malpedia)

Related Skills

reverse-engineering-rust-malware

9
from killvxk/cybersecurity-skills-zh

使用 IDA Pro 和 Ghidra 对 Rust 编译的恶意软件进行逆向工程,掌握处理非空终止字符串、提取 crate 依赖项和 Rust 特有控制流分析的专项技术。

reverse-engineering-malware-with-ghidra

9
from killvxk/cybersecurity-skills-zh

使用 NSA 的 Ghidra 反汇编器和反编译器对恶意软件二进制文件进行逆向工程,在汇编和伪 C 代码层面理解其内部逻辑、密码学例程、C2 协议和规避技术。适用于恶意软件逆向工程、反汇编分析、反编译、二进制分析或理解恶意软件内部机制等请求。

reverse-engineering-dotnet-malware-with-dnspy

9
from killvxk/cybersecurity-skills-zh

使用 dnSpy 反编译器和调试器对 .NET 恶意软件进行逆向工程,分析 C#/VB.NET 源代码,识别混淆技术,提取配置信息,理解包括信息窃取器、远程访问木马(RAT)和加载器在内的恶意功能。适用于 .NET 恶意软件分析、C# 恶意软件反编译、托管代码逆向工程或 .NET 混淆分析等请求。

reverse-engineering-android-malware-with-jadx

9
from killvxk/cybersecurity-skills-zh

使用 JADX 反编译器对恶意 Android APK 文件进行逆向工程,分析 Java/Kotlin 源代码,识别包括数据窃取、C2 通信、权限提升和覆盖攻击在内的恶意功能。检查 Manifest 权限、Receiver、Service 及原生库。适用于 Android 恶意软件分析、APK 逆向工程、移动端恶意软件调查或 Android 威胁分析等请求。

performing-static-malware-analysis-with-pe-studio

9
from killvxk/cybersecurity-skills-zh

使用 PEStudio 对 Windows PE(可移植可执行文件)恶意软件样本进行静态分析, 检查文件头、导入表、字符串、资源和指标,无需执行二进制文件。 识别可疑特征,包括加壳、反分析技术和恶意导入。适用于静态恶意软件分析、 PE 文件检查、Windows 可执行文件分析或执行前恶意软件分级等请求场景。

performing-malware-triage-with-yara

9
from killvxk/cybersecurity-skills-zh

使用 YARA 规则对文件模式、字符串、字节序列和结构特征进行匹配,快速分级和分类恶意软件样本, 识别已知恶意软件家族及可疑指标。涵盖规则编写、扫描和与分析流程的集成。适用于 YARA 规则创建、 恶意软件分类、模式匹配、样本分级或基于签名的检测等请求场景。

performing-malware-persistence-investigation

9
from killvxk/cybersecurity-skills-zh

系统性地调查 Windows 和 Linux 系统上的所有持久化机制,以识别恶意软件如何在重启后存活并维持访问。

performing-malware-ioc-extraction

9
from killvxk/cybersecurity-skills-zh

恶意软件 IOC(失陷指标)提取是指通过分析恶意软件,识别可操作的失陷指标,包括文件哈希、网络指标(C2 域名、IP 地址、URL)、注册表修改、互斥体名称、嵌入字符串和行为产物。

performing-malware-hash-enrichment-with-virustotal

9
from killvxk/cybersecurity-skills-zh

使用 VirusTotal API 富化恶意软件文件哈希,获取检测率、行为分析、YARA 匹配和上下文威胁情报,用于事件分类和 IOC 验证。

performing-firmware-malware-analysis

9
from killvxk/cybersecurity-skills-zh

分析固件镜像中嵌入的恶意软件、后门和未授权修改,目标包括路由器、IoT 设备、UEFI/BIOS 和嵌入式系统。涵盖固件提取、文件系统分析、二进制逆向工程和 Bootkit 检测。适用于固件安全 分析、IoT 恶意软件调查、UEFI Rootkit 检测或嵌入式设备入侵评估等请求场景。

performing-automated-malware-analysis-with-cape

9
from killvxk/cybersecurity-skills-zh

部署和操作 CAPEv2 沙箱,进行自动化恶意软件分析,具备行为监控、载荷提取、配置解析和反规避能力。

extracting-iocs-from-malware-samples

9
from killvxk/cybersecurity-skills-zh

从恶意软件样本中提取攻陷指标(IoC),包括文件哈希、网络指标(IP、域名、URL)、 主机痕迹(文件路径、注册表键、互斥锁)以及行为模式,用于威胁情报共享和检测规则创建。 适用于 IoC 提取、威胁指标采集、恶意软件指标收集或从样本构建检测内容等请求场景。