EMHunter: An Evasive Malware Detection Approach to Improve Dynamic Analysis Efficiency

Published: 01 Jan 2025, Last Modified: 25 Jul 2025
Venue: CSCWD 2025
License: CC BY-SA 4.0
Abstract: A growing number of malware samples employ evasion techniques to hinder security analysts from analyzing their dynamic behavior, which makes them more likely to evade detection and endanger users. Such malware is classified as evasive malware. To address this issue, we collect a dataset of labeled samples and propose a novel analysis method for evasive malware detection called EMHunter (Evasive Malware Hunter). After a sample is injected into a specially designed software environment, EMHunter modifies its section table so that execution starts from a designated location, and alters the export table to disable evasion-related behavior by identifying 48 commonly used APIs. When the malicious code attempts an evasive action, such as checking whether it is running in an analysis environment, the software cooperates with the dynamic analysis environment to determine the malware's key characteristics. It then selects appropriate countermeasures to lure the malicious code into continuing execution, thereby exposing more malicious behavior and improving the accuracy of dynamic analysis. Our dataset consists of 12,543 samples; experiments show that this method successfully induced 4,084 of them to exhibit their behavior. Furthermore, we integrated EMHunter into the open-source sandbox CAPE, enabling it to gather more behavioral information from samples. Finally, we evaluated our approach using a LightGBM model, achieving an accuracy of 96.61%.
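The header surgery behind "modifies the section table to launch from a designated location" is, at its core, parsing the PE headers and rewriting AddressOfEntryPoint to the RVA of the section that should run first. The following is an added illustration written for this page, not EMHunter's code: it builds a constructed, header-only PE32 image (no real code or imports), parses the DOS/NT/section headers with nothing but the standard library, and redirects the entry point to a section named `.hunt`. The section names, RVAs and the assumption that the instrumented section is a separate section of the same image are this example's own choices; the abstract does not describe EMHunter's layout.

```python
"""Redirect a PE32 entry point to a designated section.

Added example, not EMHunter's code. The sample image is constructed in memory
with only the headers needed to demonstrate the technique.
"""
import struct

DOS_E_LFANEW_OFF = 0x3C                     # offset of e_lfanew in IMAGE_DOS_HEADER
FILE_HEADER_FMT = "<HHIIIHH"                # IMAGE_FILE_HEADER (Machine .. Characteristics)
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"                # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)           # 40 bytes
SECTION_CHARS_OFF = 36                      # Characteristics field inside a section header
OPT_ENTRY_OFF = 16                          # AddressOfEntryPoint inside the optional header
PE32_MAGIC = 0x10B
PE32_OPT_SIZE = 0xE0                        # optional header size with 16 data directories
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_minimal_pe(entry_rva, sections):
    """Construct a header-only PE32 image (constructed sample, not a real binary).

    sections: iterable of (name, virtual_size, virtual_address,
                           size_of_raw_data, pointer_to_raw_data, characteristics).
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFF, 0x40)   # NT headers follow the DOS header
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, PE32_OPT_SIZE, 0x0102)
    opt = bytearray(PE32_OPT_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, OPT_ENTRY_OFF, entry_rva)
    sect_tbl = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rawsize, rawptr, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect_tbl


def parse_headers(image):
    """Return optional-header offset, current entry RVA and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, DOS_E_LFANEW_OFF)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = pe_off + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, image, fh_off)
    opt_off = fh_off + FILE_HEADER_SIZE
    if struct.unpack_from("<H", image, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled in this example")
    sect_off = opt_off + opt_size          # section table starts right after the optional header
    sections = []
    for i in range(nsect):
        hdr_off = sect_off + i * SECTION_SIZE
        f = struct.unpack_from(SECTION_FMT, image, hdr_off)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4],
            "chars": f[9], "hdr_off": hdr_off,
        })
    entry = struct.unpack_from("<I", image, opt_off + OPT_ENTRY_OFF)[0]
    return {"opt_off": opt_off, "entry": entry, "sections": sections}


def section_containing(hdr, rva):
    """Name of the section whose virtual range covers rva, or None."""
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def redirect_entry_point(image, section_name):
    """Point AddressOfEntryPoint at section_name; return (patched_image, original_entry_rva).

    The original RVA is returned so the designated code can jump back to it
    once its own work is done. The target section is marked executable if it
    is not already, otherwise the loader would fault on the first instruction.
    """
    hdr = parse_headers(image)
    target = next((s for s in hdr["sections"] if s["name"] == section_name), None)
    if target is None:
        raise ValueError(f"no section named {section_name!r}")
    patched = bytearray(image)
    if not target["chars"] & IMAGE_SCN_MEM_EXECUTE:
        new_chars = target["chars"] | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE
        struct.pack_into("<I", patched, target["hdr_off"] + SECTION_CHARS_OFF, new_chars)
    struct.pack_into("<I", patched, hdr["opt_off"] + OPT_ENTRY_OFF, target["va"])
    return bytes(patched), hdr["entry"]


# Constructed sample: a normal .text section and a separate .hunt section
# (assumed name) that stands in for the analysis-side code to run first.
SAMPLE_PE = build_minimal_pe(0x1000, [
    (b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),   # code, execute+read
    (b".hunt", 0x100, 0x2000, 0x200, 0x600, 0xC0000040),   # data, read+write only
])

if __name__ == "__main__":
    patched, original = redirect_entry_point(SAMPLE_PE, ".hunt")
    after = parse_headers(patched)
    print(f"entry {original:#x} ({section_containing(after, original)}) -> "
          f"{after['entry']:#x} ({section_containing(after, after['entry'])})")
```

Note that the patch leaves the rest of the image untouched and returns the original RVA, which is what lets an instrumentation stub regain the original control flow after it has installed its checks; in a real sample, the hooked APIs described in the abstract would be handled in that stub rather than in the header.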