An exploration of shared code execution for malware analysis

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Citation (Scopus)
71 Downloads (Pure)

Abstract

In today’s ever evolving technology, malware is one of the most significant threats faced by individuals and corporate organizations. With the increasing sophistication of malware attacks, detecting malware becomes harder as many malware variants use different techniques, such as obfuscation, to evade detection. Even though advanced techniques, such as use of deep learning, prove to be of great success in classifying malware, the high computational resources needed for training and deploying deep learning models may not be feasible for all organizations or individuals. It is therefore essential to use fewer computational techniques to understand how malware can be analysed using shared code execution, which uses less computational resources. In this paper, we explored shared code execution as a novel approach for analyzing and understanding the behavior of malware. We dynamically analysed the shared code execution of the malicious payloads by looking at the dynamic link library found in NTDLL.dll. We demonstrated how samples make use of the LoadLibrary function using inline hooking techniques to overwrite the actual function code to create service execution and persistence using shared code execution. We identified functions that address the problem of encoding routine and domain obfuscation when malware uses seDebug Privilege to escalate privilege. Through realistic experiments, we found that executables such as Mod_77D4 Module, change at different instances using XOR encoding operations for each payload byte with a pre-defmed key. This helps sophisticated malware to create and bind address structures for remote control. Our proposed technique shows high analytical accuracy for sophisticated samples that use encoding and obfuscation methods to evade detection.
Original languageEnglish
Title of host publication2024 International Conference on Artificial Intelligence, Computer, Data Sciences and Applications (ACDSA)
PublisherIEEE
Number of pages9
ISBN (Electronic)9798350394528
ISBN (Print)9798350394535
DOIs
Publication statusPublished - 20 Mar 2024
EventInternational Conference on Artificial Intelligence, Computer, Data Sciences and Applications - Mahé Island, Seychelles
Duration: 1 Feb 20242 Feb 2024
http://acdsa.org/2024/ (Link to conference website)

Publication series

Name
ISSN (Print)None

Conference

ConferenceInternational Conference on Artificial Intelligence, Computer, Data Sciences and Applications
Abbreviated titleACDSA 2024
Country/TerritorySeychelles
CityMahé Island
Period1/02/242/02/24
Internet address

Keywords

  • obfuscation
  • malware
  • code execution
  • suspicious XOR encoding

ASJC Scopus subject areas

  • Software
  • Information Systems and Management
  • Artificial Intelligence
  • Information Systems
  • Health Informatics
  • Computer Science Applications

Fingerprint

Dive into the research topics of 'An exploration of shared code execution for malware analysis'. Together they form a unique fingerprint.

Cite this