The platform, named SNDBOX, makes the approach of behavior-based malware research more easier and accurate: it is not just capable of analyzing malware samples by monitoring their behavior, but it also converts dynamic behavioral inputs into searchable vectors, allowing users to search its vast online malware analysis database.
The platform has been presented at BlackHat conference on December, 5 2018.
How it works?
SNDBOX executes submitted binaries in a controlled environment using an invisible kernel-mode agent: with this trick, malware believe that it is being executed in the real system it wants to attack.
The invisible kernel-mode agent is located between the User mode and Kernel mode and allows the execution of malware into its full range of intended functionality, revealing its true malicious nature and capabilities.
The agent monitors executables behavior and then leverages machine learning algorithms to process a large amount of gathered data (200MB for a small binary of 10KB).
Researchers have also shared SNDBOX analysis for some well known malware, for example the WannaCry Ransomware: the analysis engine highlights its behavior of changing registry settings, using file encryption and creating files with different extensions.
I’ve tested the platform also with an harmless executable (an installation package of KeePass): the AI has marked it as 23% Malicious.