Final Year Project Automatic Malware Analysis using Deep Learning and Sandboxing Technology

By: Ee Sheng

Next

Introduction

Project 1: To explore Deep Learning on malware binary and classify their threat groups.

​

Project 2: To explore open source sandboxing tools for automatic malware analysis.

Back

Next

Table of Contents

Deep Learning

1

2

4

Research on Android & Linux Sandboxes

3

Enhancing CAPEv2

> From Chaos to Control: Multi-classification in Malware Analysis

Back

Next

> The Hunt for Zero-Days: Android and Linux Exploits

> A Malware Analyst's Secret weapon

​

​

Conclusion

> The Epilogue: Putting it all together

Final Year Project Timeline (W1-6)

Week 1

​

Research on various CNN architecture (VGG16)

​

Data Pre-processing

Week 2

​

Research on how to build own CNN models

​

Data Pre-processing

​

Start on Sandbox project -

Setting up tools

​

​

​

Week 4

​

Data Pre-processing

​

Build own CNN models

​

Research and testing of Linux and Android Sandboxes

Week 6

​

Fine-tune my CNN models

​

Setup the Linux & Android Tools

Week 3

​

Data Pre-processing

​

Build own CNN models

​

Research on the potential enhancements on CapeV2

​

Week 5

​

Reconfigure VGG16 architecture to suit grayscale images

​

Build own CNN models

​

​

​

Final Year Project Timeline (W7-12)

Week 7

​

Fine-tune my CNN models

​

Setup the Linux & Android Tools

​

Midterm presentation

Week 8

​

Install & Dual Boot Ubuntu LTS 22.04

​

Setup latest CAPEv2 Sandbox

​

Fix tiny bugs on latest CAPEv2

​

​

Week 10

​

Implement enhanced features

​

Fix bugs with latest CAPEv2

Week 12

​

Final Presentation

Week 9

​

Setup latest CAPEv2 Sandbox

​

Implement enhanced features

​

​

​

Week 11

​

Fixed codes upon developers request

​

Ensure test cases pass

​

​

​

Deep Learning

Decoding the Mysteries of the CNN Universe

​

Back

Next

“What are Convolutional Neural Networks (CNNs)”

Back

Next

• CNNs are a powerful type of deep learning algorithm that are particularly well-suited for analyzing images and videos.
• E.g. Object recognition and face detection

“From pixels to predictions: Understanding the Architecture of CNNs”

Back

Next

"Building Brains: Understanding the Training of a CNN"

Back

Next

1. "Optimization Algorithm"
1. Help the network change its settings.
2. Adaptive gradient algorithms (Adam, Adagrad, RMSprop)

​

1. "Loss Function"
2. Check how good the network is doing.
3. Mean squared error (MSE)

​

1. "Evaluation Metrics"
2. Check if the network is accurate
3. Accuracy, F1 score

“CNNs in Action: Real-world Solutions and Their Impact”

Back

Next

1. Real-life examples of the application of CNNs, such as:
1. CNNs being used in self-driving cars to detect and recognize objects on the road.
2. CNNs being used in the medical field to analyze medical images and detect diseases.
3. CNNs being used to automatically extract features from malware samples and classify them into different families.

Deep Learning

From Chaos to Control - Multi-classification in Malware Analysis

​

Back

Next

“Uncovering the Magic of Data Pre-processing: A Crucial Step in Data Analysis”

Back

Next

Data pre-processing is the process of preparing raw data for analysis by cleaning, formatting, and transforming it into a usable form.

1. Ensure that data is accurate, consistent and relevant to the analysis.
2. Without proper data pre-processing, the results of data analysis may be unreliable or misleading.

​

​

“Mastering the Art of Data Preprocessing: A Step-by-Step Guide”

Back

Next

Step 1: Identify the purpose of the analysis and the types of data needed

Step 2: Collect and import the raw data

Step 3: Clean and format the data in a usable format

Step 4: Transform the data as needed to make it more suitable for analysis (e.g.,Pixel-normalizing)

Identify the purpose of the analysis and the types of data needed

Back

Next

• Executable files and other related files associated with the malware

Step 1: Identify the purpose of the analysis and the types of data needed

Back

Next

Step 1: Identify the purpose of the analysis and the types of data needed (Cont’d)

Back

Next

Step 2: Collect and import the raw data

Back

Next

1. CSIT Samples (Password: malware, internal zip password: infected)
2. Script to import data
3. Unzip.py

- Unzip recursively .7z, .rar, .zip folders regardless of OS.

​

​

Step 2: Collect and import the raw data (unzip.py)

Back

Next

Step 3: Clean and format the data in a usable format

Back

Next

1. Remove the low count sample files
2. Remove unusable sample files (i.e., HTML, XML files)
3. Scripts to format data:
• convert_bin_to_img.py
• Convert compiled malware (i.e., .msi, .exe) including PDFs and Word Docs into grayscale images.
• resize_recursively.py
• Able to resize original images in directory **recursively** to specific width and height (1024px1024p)
• pad_resize_recursively.py
• Able to pad original images in directory **recursively** to specific width and height (1024px1024p)

Step 3: Clean and format the data in a usable format (convert_bin_to_img.py)

Back

Next

Step 3: Clean and format the data in a usable format (resize_recursively.py)

Back

Next

Step 3: Clean and format the data in a usable format (pad_resize_recursively.py)

Back

Next

resize_recursively.py

pad_resize_recursively.py

Back

Next

resize_recursively.py

pad_resize_recursively.py

Back

Next

Step 4: Transform the data for analysis

Back

Next

Pixel-wise Normalization: The process of adjusting the pixel values of the image so that they have a common scale, without distorting the content of the image.

• Use Min-max normalization: Set range 0 to 1
• Enable the data to be in common range and removing the influence of outliers.

Step 1: Resize images from (1024x1024) to (224x224)

Step 2: Convert to 1 Dimension Array

Step 3: Arrays / 255

Pixel-wise Normalization: Resize images and convert to arrays

Pixel-wise Normalization: Resize images and convert to arrays (Cont’d)

Pixel-wise Normalization: Convert arrays into range of 0 to 1

Pixel-wise Normalization: Convert arrays into range of 0 to 1 (Cont’d)

Why is this important?

1. CNN can make use of the entire range of values and it can perform better when learning patterns and features

​

1. Imagine picture of a cat, but the colors and brightness of the image are all over the place

​

• Normalizing the image, makes all the pixels have consistent brightness and color, which makes it easier for the computer to understand what's in the image.

"Unleashing the Power of Machine Learning: A Step-by-Step Guide to Model Training"

Step 1: Choose models and define the training process

Step 2: Train the models

Step 3: Evaluate the models

Step 4: Fine-tune the models

​

4idzm7

Step 1: Choose models and define the training process (First CNN)

Step 1: Choose models and define the training process (First CNN)

(Cont’d)

Step 2: Train the models

Step 2: Train the models

Step 3: Evaluate the models (Padded Dataset)

Step 3: Evaluate the models (Padded Dataset)

Step 4: Fine-tune the models

​

Bias regularization is like putting a weight on some of the blocks, so they're harder to move around. This makes it harder to build the tower in one spot, so it becomes more stable.

​

Dropout regularization is like taking away some of the blocks from the box randomly, so you don't have as many blocks to work with. This makes it so the tower has to be built with a lot of different blocks and not just rely on a few blocks.

​

Result: Strong & Stable Tower

Step 4: Fine-tune the models (Cont’d)

Step 4: Fine-tune the models (Cont’d)

Step 4: Fine-tune the models (Cont’d)

The learning rate is a value that controls how much the model's parameters are updated in each iteration.

​

When we teach a computer to do something, like recognizing pictures, we need to adjust how it's thinking and understanding.

Fine-tune the models

Addition: Transfer Learning: (VGG16)

• Chosen VGG16 Model
• Pre-trained on thousands of image classes (“ImageNet”) total of 14,197,122 images.
• Used pre-trained VGG16 weights to train on “Grayscale images > 3 Dimensions > Arrays”
• (Transfer Learning)

​

​

Addition: Transfer Learning: (VGG16) (Cont’d)

Addition: extract_pe_features & extract_opcodes

Addition: Flask Web App with deployed AI Model

The Hunt for Zero-Days:

Android and Linux Exploits

Back

Next

Android and Linux Malwares

​

• Android Package (.apk)
• Executable and Linkable Format (.elf)

Successful Android Analysis Tools: MobSf

Mobile Security Framework (MobSF)

• Best Static and Dynamic analysis sandboxing tool for android
• Supports Android/IOS/Windows
• Supports APK, XAPK, IPA & APPX
• Easy installation
• Most Information displayed
• Multiple VM options (Android Studio, Genymotion)

​

Successful Android Analysis Tools: MobSf

Successful Android Analysis Tools: APKLeaks

APKLeaks

• Static Analysis Only
• Scans APK files for Uniform Resource Identifier (URI),endpoints and secrets
• Creates a txt file and saves a copy of Output
• Not Dynamic
• Best Suited for finding vulnerabilities

​

• LinkFinder

Successful Android Analysis Tools: APKLeaks

Successful Android Analysis Tools: RiskinDroid

RiskinDroid

• Analyses apk and calculates risk level from 0-100
• analyses: Declared permissions, Exploited permissions, Ghost permissions, Useless permissions
• The higher the score the bigger the threat
• Only takes permissions into considerations

• Inspects and rates permissions

Successful Android Analysis Tools: RiskinDroid

Successful Android Analysis Tools:Quark-Engine

Quark-Engine

• Made for penetration Testing
• Open Source (Early - Stage)
• Static Analysis
• Detects crime done by Applications

• Reusable & Shareable (customisable script)

Successful Android Analysis Tools:Quark-Engine

Successful Android Analysis Tools

Mobile Security Framework (MobSF)

• Best Static and dynamic analysis sandboxing tool for android
• Supports Android/IOS/Windows
• Supports APK, XAPK, IPA & APPX
• Easy installation
• Most Information displayed
• Multiple VM options (Android Studio, Genymotion)

​

Quark-Engine

• Made for penetration Testing
• Open Source (Early - Stage)
• Static Analysis
• Detects crime done by Applications

APKLeaks

• Static Analysis Only
• Scans APK files for Uniform Resource Identifier (URI),endpoints and secrets
• Creates a txt file and saves a copy of Output
• Not Dynamic
• Best Suited for finding vulnerabilities

​

RiskinDroid

• Analyses apk and calculates risk level from 0-100
• analyses: Declared permissions, Exploited permissions, Ghost permissions, Useless permissions
• The higher the score the bigger the threat
• Only takes permissions into considerations

• LinkFinder

• Inspects and rates permissions

• Reusable & Shareable (customisable script)

Comparison Table

Successful Linux Analysis & Sandbox Tool: LiSa

• An open-source sandbox project providing automated Linux malware analysis on various CPU architectures (GitHub - danieluhricek/LiSa: Sandbox for automated Linux malware analysis.)

​

• Provides for an overview, static analysis, dynamic analysis, and network analysis of submitted Linux files:

​

​

​

​

Back

Next

Overview:

File Overview, Downloads, Anomalies

​

Static Analysis:

ELF Info, Imports, Exports, Libraries, Relocations, Symbols, Sections, Strings

​

Dynamic Analysis:

Process Tree, Opened Files, Syscalls

​

Network Analysis:

Endpoints, HTTP Requests, DNS Questions, Telnet Data, IRC Messages

Successful Linux Analysis & Sandbox Tool: LiSa

Back

Next

Using & Enhancing CAPEv2

A Malware Analyst's Secret weapon

Back

Next

Memory Snapshot At Different Phases

Back

Next

• To better understand the different processes, services, etc. that are running during the execution of the malware, we can create memory dumps of the VM during different phases of execution.

​

1. Modify CAPEv2 scheduler script to dump the memory of the VM before and during the analysis at customizable time intervals

​

1. Utilize Volatility API to process and parse the memory dump for readability

​

1. Create Python scripts and HTML templates to display the memory dump information in the web interface

​

1. Modify existing configuration files and relevant Python scripts to ensure that the memory dumps before and during the analysis would be processed and displayed on the web interface

Memory Snapshot At Different Phases

Back

Next

Memory Dumps Before, During, and After the Analysis

(using Cerber Ransomware as an example)

CAPEv2 Threat Attribution (with MISP)

Back

Next

• As part of the client requirements, having threat attribution for samples submitted to CAPEv2 would help to provide better context (i.e. relevant events, threat actors, IOCs, etc.)

​

​

• Malware Information Sharing Platform (MISP) is an “open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security” which can be integrated with other solutions

CAPEv2 Threat Attribution (with MISP)

Back

Next

Examples of MISP Events:

Information:

• Country
• Target
• Sector
• Attack Tool
• Attack Pattern
• Threat Actor
• etc.

CAPEv2 Threat Attribution (with MISP)

Back

Next

Screenshots of Successfully Correlated Samples from VX-Underground

More test results are available at https://docs.google.com/document/d/1O-GqjsxMuTSLMuxnk822z4u1gSQSwpcG_Hie_86MErU/edit?usp=sharing

Backup of Reports to Google Drive

Back

Next

• To provide backups of analyses results, we have created a Google Service Account and utilized the Google API to authenticate and upload the reports to a shared Google Drive folder
• The credentials file are stored in directory /opt/CAPEv2/utils, which is the working directory of the reporting script

CAPEv2 WHOIS Lookup (with WhoisXML)

Back

Next

• Some forms of malware may utilize Command-and-Control (C2) servers to receive commands and send data from the infiltrated devices back to the servers, e.g. botnets, trojans, etc.

​

• An example is Emotet, a banking trojan aimed at stealing banking credentials from infected hosts

​

• When we submit an Emotet sample to CAPEv2, this is a section of the analysis result:

By default, CAPEv2 would return the IP addresses contacted, as well as countries that they are located in, using GeoIP

​

To gather more information about the contacted domains, WHOIS Lookup can be utilized

CAPEv2 WHOIS Lookup (with WhoisXML)

Back

Next

• For the CAPEv2 development, we utilized the WHOIS lookup service to obtain more information about contacted domains (if any)

​

Information:

• Expiry Date
• Registrant Org.
• Registrant State
• Registrant Country
• Name Servers
• etc.

CAPEv2 WHOIS Lookup (with WhoisXML)

Back

Next

• WhoisXML API (https://www.whoisxmlapi.com/) provides services such as domain discovery, email verification, DNS lookup, WHOIS lookup, etc.

• For the CAPEv2 development, we utilized the WHOIS lookup service to obtain more information about contacted domains (if any)

​

• Below is a section of the JSON output for the WHOIS lookup against domain “google.com”:

​

Information:

• Expiry Date
• Registrant Org.
• Registrant State
• Registrant Country
• Name Servers
• etc.

CAPEv2 WHOIS Lookup (with WhoisXML)

Back

Next

1. Register for a WhoisXML account and generate API key (each free account is entitled to only 500 WHOIS lookup API requests)

​

1. Modify CAPEv2 processing scripts, configuration files and HTML templates to extract and display the domain information in the web interface

network.py

If the submitted sample contacts any host/s, then perform a WHOIS lookup against the host/s and obtain the output in JSON format

processing.conf

Add necessary information for network.py to perform the API query and obtain domain information

CAPEv2 WHOIS Lookup (with WhoisXML)

Back

Next

Screenshots of WHOIS lookup results for malware that contacts domains

Challenges

Back

Next

Software Engineer Problems: Trial & Error

Back

Next

Software Engineer Problems: Pull Request Conflicts

Back

Next

Software Engineer Problems: Failed Test Cases

Back

Next

Software Engineer Problems: Failed Ruff Tests

Back

Next

Software Engineer Problems: Trial & Error (Cont’d)

Back

Next

Software Engineer: Pending Outcome

Back

Next

Enhancements Merged - Google Backup

Back

Next

Enhancements Merged - Google Backup (Cont’d)

Back

Next

Enhancements Merged - Google Backup (Cont’d)

Back

Next

Enhancements Merged - Google Backup (Cont’d)

Back

Next

Enhancements Merged - MISP

Back

Next

Enhancements Merged - MISP (Cont’d)

Back

Next

Enhancements - WHOIS (Pending)

Back

Next

Enhancements - WHOIS (Pending)

Back

Next

Enhancements - Memory Analysis (Rejected)

Back

Next

Enhancements Community Merged

Back

Next

Enhancements Community Merged - WHOIS

Back

Next

Enhancements Community Merged - MISP

Back

Next

Enhancements Community Merged - MISP HTML

Back

Next

Enhancements Community Merged - MISP HTML

Back

Next

Drakvuf Setup Ubuntu 22.04 LTS - In Progress

Back

Next

The Epilogue

Putting it all together

​

Back

Next

Challenges & issues faced

Back

Next

​

​

• No Godfather to sponsor GPU
• Not enough data
• Ambiguous documentation
• Inexperienced in malware analysis
• Update predecessor codes

​

Takeaways from the Project

Back

Next

​

• Deep Learning Malware Classification
• Linux & Android sandboxes
• The processes of automated malware analysis
• Time management for 2 major projects

Further exploration

Back

Next

​

• Test out other malware analysis tools
• Obfuscate the malware
• Result will be compared with other AI models
• Combined models and average predictions

​

Thank you!

Next

Back

Credits: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik