Abstract
In today’s ever evolving technology, malware is one of the most significant threats faced by individuals and corporate organizations. With the increasing sophistication of malware attacks, detecting malware becomes harder as many malware variants use different techniques, such as obfuscation, to evade detection. Even though advanced techniques, such as use of deep learning, prove to be of great success in classifying malware, the high computational resources needed for training and deploying deep learning models may not be feasible for all organizations or individuals. It is therefore essential to use fewer computational techniques to understand how malware can be analysed using shared code execution, which uses less computational resources. In this paper, we explored shared code execution as a novel approach for analyzing and understanding the behavior of malware. We dynamically analysed the shared code execution of the malicious payloads by looking at the dynamic link library found in NTDLL.dll. We demonstrated how samples make use of the LoadLibrary function using inline hooking techniques to overwrite the actual function code to create service execution and persistence using shared code execution. We identified functions that address the problem of encoding routine and domain obfuscation when malware uses seDebug Privilege to escalate privilege. Through realistic experiments, we found that executables such as Mod_77D4 Module, change at different instances using XOR encoding operations for each payload byte with a pre-defmed key. This helps sophisticated malware to create and bind address structures for remote control. Our proposed technique shows high analytical accuracy for sophisticated samples that use encoding and obfuscation methods to evade detection.
Original language | English |
---|---|
Title of host publication | 2024 International Conference on Artificial Intelligence, Computer, Data Sciences and Applications (ACDSA) |
Publisher | IEEE |
Number of pages | 9 |
ISBN (Electronic) | 9798350394528 |
ISBN (Print) | 9798350394535 |
DOIs | |
Publication status | Published - 20 Mar 2024 |
Event | International Conference on Artificial Intelligence, Computer, Data Sciences and Applications - Mahé Island, Seychelles Duration: 1 Feb 2024 → 2 Feb 2024 http://acdsa.org/2024/ (Link to conference website) |
Publication series
Name | |
---|---|
ISSN (Print) | None |
Conference
Conference | International Conference on Artificial Intelligence, Computer, Data Sciences and Applications |
---|---|
Abbreviated title | ACDSA 2024 |
Country/Territory | Seychelles |
City | Mahé Island |
Period | 1/02/24 → 2/02/24 |
Internet address |
|
Keywords
- obfuscation
- malware
- code execution
- suspicious XOR encoding
ASJC Scopus subject areas
- Software
- Information Systems and Management
- Artificial Intelligence
- Information Systems
- Health Informatics
- Computer Science Applications