
Sandbox Evasion Counter Technology Based On Dynamic Analysis

Posted on: 2021-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: L Z Cai
GTID: 2518306104999799
Subject: Computer technology
Abstract/Summary:
Nowadays, a large number of new malware samples emerge every day, and the use of automated analysis systems for the dynamic analysis of malware is more necessary than ever. Automated analysis usually runs samples in a sandbox environment to prevent damage to or infection of the analysis environment, while at the same time obtaining observations from a higher privilege level. However, malware developers always evade sandbox detection by hiding the real behavior of the malware, and new evasion techniques keep emerging. Therefore, research into sandbox evasion counter technology is becoming increasingly valuable. First, the proposed technology uses Intel PT (Intel Processor Trace) to record control flow information, obtains the control flow graph by disassembling the malware, and matches the Intel PT data against the control flow graph to restore the execution path of the malware, which identifies all code locations that the malware did not execute during the analysis. Second, error handling functions are discarded and the untriggered code locations are filtered to identify a subset of valuable functions. After that, the execution path from these unexecuted code locations is traced back to the preceding conditional branches that depend on environmental conditions. System call information captured by the hypervisor raises the accuracy of this data analysis, and the capture process is transparent to the malware samples and difficult to detect. Symbolic execution is applied to identify the paths (conditions) leading to valuable unexecuted basic blocks, and on these paths a solver generates the specific values that trigger their execution. Finally, the system environment is adjusted so that all environmental conditions meet the values required to reach the hidden basic blocks, the sample is re-analyzed and the hidden basic blocks execute, thereby achieving multi-path exploration and exposing more malware behaviors for security researchers to analyze. The sandbox evasion counter technology based on dynamic analysis has been tested for functionality and effectiveness. Analysis of real malware such as Shamoon shows that the technology can effectively explore more paths, and the ratio of related path coverage increases (most are above 20%); it can obtain the execution path of the malicious behavior, determine the conditions that trigger the malware, and reproduce the malicious attack.
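The pipeline the abstract describes (diff the recorded trace against the control flow graph, discard error handlers, trace hidden blocks back to environment-dependent branches, solve for the triggering values) as an added Python example that is not part of the thesis. The CFG, the trace addresses and the per-branch environment checks are constructed for illustration (the thesis recovers the checks from disassembly and hypervisor syscall data), and a tiny integer interval solver stands in for the SMT solver.

```python
# Constructed toy CFG: addr -> (successors, env check or None, is_error_handler);
# succs[0] is the edge taken when the check (key, op, value) holds.
CFG = {
    0x1000: ([0x1010], None, False),
    0x1010: ([0x1020, 0x1030], ("cpu_count", ">=", 2), False),
    0x1020: ([0x1040], None, False),           # staging; skipped on a 1-CPU sandbox
    0x1030: ([0x1040, 0x1070], None, False),   # benign path; may fail into 0x1070
    0x1040: ([0x1050, 0x1060], ("uptime_min", ">", 10), False),
    0x1050: ([], None, False),                 # real behaviour; skipped on a fresh VM
    0x1060: ([], None, False),                 # benign exit
    0x1070: ([], None, True),                  # error handler, not worth exploring
}
ENTRY = 0x1000
NEGATE = {">=": "<", ">": "<=", "<": ">=", "<=": ">"}

def unexplored_blocks(trace):
    # Steps 1-2: diff the executed addresses against the CFG, drop error handlers.
    hit = set(trace)
    return sorted(a for a, (_, _, err) in CFG.items() if a not in hit and not err)

def path_conditions(target):
    # Step 3: DFS from the entry to target, collecting the environment checks on
    # the way; a check is negated when the path takes the fall-through edge.
    stack = [(ENTRY, [], {ENTRY})]
    while stack:
        addr, conds, seen = stack.pop()
        if addr == target:
            return conds
        succs, chk, _ = CFG[addr]
        for i, nxt in enumerate(succs):
            extra = [(chk[0], chk[1] if i == 0 else NEGATE[chk[1]], chk[2])] if chk else []
            if nxt not in seen:
                stack.append((nxt, conds + extra, seen | {nxt}))
    return []

def solve(conds):
    # Step 4: interval solver standing in for the SMT solver; one value per key, or None.
    bounds = {}
    for key, op, v in conds:
        lo, hi = bounds.get(key, (-10**9, 10**9))
        if op == ">=": lo = max(lo, v)
        elif op == ">": lo = max(lo, v + 1)
        elif op == "<=": hi = min(hi, v)
        elif op == "<": hi = min(hi, v - 1)
        if lo > hi: return None
        bounds[key] = (lo, hi)
    return {k: (lo if lo > -10**9 else hi) for k, (lo, hi) in bounds.items()}

def environments_to_retry(trace):
    # Step 5: the environment to re-run the sample under, one per hidden block.
    return {b: solve(path_conditions(b)) for b in unexplored_blocks(trace)}
```

With the constructed trace `[0x1000, 0x1010, 0x1030, 0x1040, 0x1060]` (a single-CPU, freshly booted sandbox), the two hidden blocks are 0x1020 and 0x1050, and the solver reports the environment each one needs.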
Keywords/Search Tags:Sandbox Evasion, Path Exploration, Selective Symbolic Execution