Hackers of India

What’s Up Doc? - Self Learning Sandboxes to Defeat Modern Malwares Using RSA: Rapid Static Analysis

By Shyam Sundar Ramaswami on 20 Nov 2020 @ Deepsec

Abstract

“Catch me if you can!” is the right phrase to describe today’s malware genre. Malware has become stealthier and deadlier, and its authors have become wiser too.

What if sandboxes performed rapid static analysis on malware files and passed the resulting metadata on to spin up a sandbox environment tailored to the malware’s attributes, so that the malware does not evade? The talk covers how to do RSA (Rapid Static Analysis, a term I coined), how to pass on the attributes, and how we defeat modern malware by dynamically spinning up sandboxes. RSA embedded in “H.E.L.E.N” and “Dummy”, and how we extracted the real IOC from Ryuk, form the rest of the talk and story! The talk also covers how these extracted key “attributes” are used for ML, how we build bipartite graphs, and how we build instruction-sequence-based detection models and Win32 API-based detection models “leveraging HELEN’s intelligence”.