Tuning sandbox behavior based on static characteristics of malware
US9355246B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Date | Value |
| --- | --- |
| Filing date | Dec 5, 2013 |
| Grant date | May 31, 2016 |
| Priority date | — |
| Expiry date | Jul 11, 2034 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/1441
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
An emulator on a host computer includes a static analysis module that analyzes the executable code of a suspicious sample to determine whether the code indicates that a particular packing program (packer) has packed the sample. Once the packer is identified, a custom configuration file is generated that lists the particular API hooks or instructions that should be disabled (or enabled) so that the sample cannot use those hooks or instructions to detect that it is executing within an emulator. The emulator (such as a virtual machine or sandbox) is configured using the configuration file. The suspicious sample is then executed and its behaviors are collected. Because the sample is prevented from detecting that it is operating within an emulator, it is also prevented from terminating prematurely. Malicious behaviors are scored, and the total score indicates whether the suspicious sample is malicious. Static analysis identifies signatures, instructions or strings.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.