Malware authors are continuously evolving their code base to include counter-analysis methods that can significantly hinder their detection and blocking. While the execution of malware in a sandboxed environment may provide a lot of insightful feedback about what the malware actually does in a machine, anti-virtualisation and hooking evasion methods may allow malware to bypass such detection methods. The main objective of this work is to complement sandbox execution with the use of binary emulation frameworks. The core idea is to exploit the fact that binary emulation frameworks may quickly test samples quicker than a sandbox environment as they do not need to open a whole new virtual machine to execute the binary. While with this approach, we lose the granularity of the data that can be collected through a sandbox, due to scalability issues, one may need to simply determine whether a file is malicious or to which malware family it belongs. To this end, we record the API calls that are performed and use them to explore the efficacy of using them as features for binary and multiclass classification. Our extensive experiments with real-world malware illustrate that this approach is very accurate, achieving state-of-the art outcomes with a statistically robust set of classification experiments while simultaneously having a relatively low computational overhead compared to traditional sandbox approaches. In fact, we compare the binary analysis results with a commercial sandbox, and our classification outperforms it at the expense of the fine-grained results that a sandbox provides.
Authors: Vouvoutsis, V.; Casino, F.; and Patsakis, C.
Date of Publication: April 2022