Classifying evasive malware

Abstract: Malware are become increasingly aware of their execution environment. In order to avoid detection by automated analysis solutions and to obstruct manual analysis, malware authors are coming up with new ways for their malware to decide whether it should express its malicious behavior or not. Previous solutions to this problem focus on for example improving the stealth of analysis environments (to avoid detection by malware), or analyzing differences in malware behavior when analyzed in different environments. This thesis proposes an alternative approach to the problem. We perform automatic dynamic analysis on two sets of malware, containing samples known to be evasive and non-evasive respectively. The dynamic analysis produces logs of system calls, which are used to train a machine learning model, capable of detecting evasive behavior. This resulting model is a proof of concept that evasive behaviour can be detected. A possible use case for the model, is as part of a pipelined solution for malware detection. When testing the developed model, it was shown that it could correctly label 75% of all samples, with an equal success rate when considering only the labeling of evasive samples.