Behavioural Analysis of Malware Using Custom Sandbox Environments
Student thesis: Master Thesis and HD Thesis
- Tarik Muhovic
4. term, Networks and Distributed Systems, Master (Master Programme)
The project and its contents were made for the 10th semester at Aalborg University.
The task for the project was to explore whether changing different parameters, called artefacts, within an established virtual environment would lead to a change in behaviour for malware samples, by creating and using a custom sandbox environment. Using the malware analysis tool Cuckoo Sandbox and the VM manager VirtualBox, a systematic way of testing malware samples in different environments for behaviour change was built. The resulting system consisted of Cuckoo and VirtualBox with two custom VM images: one resembling a normal virtual environment and one where all references to the virtual environment were removed by manipulating different artefacts in the system. During the project, a test setup was created which showed that malware changed behaviour between tests made with different artefacts in place. Some malware did, however, remain dormant because of a lack of additional artefacts in the test environment. Overall, out of 21 randomly selected malware samples, 9 were observed to change their behaviour. Because of the small sample size used for testing, concluding that the different artefacts had a definite impact on malware behaviour would require more samples and repeated tests. The project was therefore a success in that a system was created which showed behavioural change in different types of malware, but further work would be required in terms of system scaling and repeated tests in order to determine what caused each specific change in behaviour.
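The comparison the thesis describes, one sample run in a plain VirtualBox guest and again in a guest with virtualisation artefacts removed, comes down to diffing the two behaviour traces and sorting samples into "changed", "unchanged" and "dormant". The following is an added example in Python, not code from the thesis or from Cuckoo; it assumes a simplified per-category summary shape (a dict of category to set of observed values) and uses constructed traces, not real malware data.

```python
# Added example, not part of the thesis. Input shape is an assumed,
# simplified form of a Cuckoo behaviour summary: category -> observed values.
from typing import Dict, Set, Tuple

Event = Tuple[str, str]          # (category, value), e.g. ("file", "C:\\x.exe")
Summary = Dict[str, Set[str]]    # category -> set of observed values

def events(summary: Summary) -> Set[Event]:
    """Flatten a per-category summary into one set of tagged events."""
    return {(cat, val) for cat, vals in summary.items() for val in vals}

def jaccard_distance(a: Set[Event], b: Set[Event]) -> float:
    """0.0 = identical behaviour, 1.0 = nothing in common."""
    union = a | b
    if not union:
        return 0.0
    return 1.0 - len(a & b) / len(union)

def classify(vanilla: Summary, hardened: Summary,
             min_events: int = 3, change_threshold: float = 0.3) -> str:
    """Label one sample from its two runs.

    dormant   - too little activity in both guests to judge (the thesis notes
                some samples stayed idle because further artefacts were missing)
    changed   - the two traces differ by at least change_threshold
    unchanged - the sample behaved the same regardless of artefacts
    """
    ev_v, ev_h = events(vanilla), events(hardened)
    if len(ev_v) < min_events and len(ev_h) < min_events:
        return "dormant"
    if jaccard_distance(ev_v, ev_h) >= change_threshold:
        return "changed"
    return "unchanged"

def tally(runs: Dict[str, Tuple[Summary, Summary]]) -> Dict[str, int]:
    """Count samples per label (the thesis reports 9 of 21 as changed)."""
    counts = {"dormant": 0, "changed": 0, "unchanged": 0}
    for vanilla, hardened in runs.values():
        counts[classify(vanilla, hardened)] += 1
    return counts

# Constructed sample traces (not real malware), one (vanilla, hardened) pair each.
RUNS = {
    "sample_a": ({"api": {"IsDebuggerPresent", "ExitProcess"}},
                 {"api": {"IsDebuggerPresent", "CreateFileW", "RegSetValueExW"},
                  "file": {"C:\\Users\\Public\\run.exe"},
                  "registry": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}}),
    "sample_b": ({"api": {"GetTickCount", "Sleep", "ExitProcess"}, "file": {"C:\\tmp\\a.txt"}},
                 {"api": {"GetTickCount", "Sleep", "ExitProcess"}, "file": {"C:\\tmp\\a.txt"}}),
    "sample_c": ({"api": {"ExitProcess"}}, {"api": {"ExitProcess"}}),
}
```

Running `tally(RUNS)` on the constructed data yields one sample in each class; on real Cuckoo reports the thresholds would need tuning against repeated runs, since per-run noise alone can move the Jaccard distance.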
| Language | English |
|---|---|
| Publication date | 10 Jan 2020 |
| Number of pages | 110 |
| External collaborator | VirusTotal |