Forensic analysis of ransomware families using static and dynamic analysis


Forensic analysis of executables or binary files is the common practice for detecting malware characteristics. Reverse engineering is performed on executables at different levels, such as raw binaries, assembly code, libraries, and function calls, to better analyze and interpret the purpose of malware code segments. In this work, we applied data-mining techniques to correlate multi-level code components (derived from the reverse-engineering process) in order to find unique association rules that identify ransomware families. However, reversing and analyzing code structure does not always reveal the run-time behavior of an executable, so we used a combined approach (static and dynamic) to better unveil the hidden intent of the program. We analyzed 450 ransomware samples, and the experimental results report some important correlations among different code components found by our combined analysis.
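As an added worked example, not from the paper or its authors, the following Python shows the kind of association-rule mining the abstract describes: each sample is a set of features mixing static components (imported libraries, function calls seen in disassembly) with dynamic observations from a sandbox run, and the sets are mined Apriori-style for feature combinations that imply one family with high confidence. The corpus, feature names, family labels, thresholds and the voting classifier are all constructed for illustration; the paper's 450 samples and its actual rules are not on this page.

```python
from itertools import combinations
from collections import Counter, defaultdict

# Constructed corpus (not the paper's data). Each record carries a family label
# and a feature set, prefixed by the analysis level the feature came from:
#   imp:  imported library (static, from the PE import table)
#   api:  function call seen in the disassembly (static)
#   dyn:  behaviour observed while running the sample in a sandbox (dynamic)
# Family names and feature names are hypothetical.
SAMPLES = [
    ("FamA", {"imp:advapi32.dll", "api:CryptEncrypt", "dyn:mass_file_rename", "dyn:shadow_copy_deletion"}),
    ("FamA", {"imp:advapi32.dll", "api:CryptEncrypt", "dyn:mass_file_rename", "dyn:shadow_copy_deletion"}),
    ("FamA", {"imp:advapi32.dll", "api:CryptEncrypt", "dyn:mass_file_rename", "dyn:shadow_copy_deletion", "imp:ws2_32.dll"}),
    ("FamA", {"imp:advapi32.dll", "api:CryptEncrypt", "dyn:mass_file_rename"}),
    ("FamB", {"imp:ws2_32.dll", "api:CryptEncrypt", "dyn:mass_file_rename", "dyn:ransom_note_drop"}),
    ("FamB", {"imp:ws2_32.dll", "api:CryptEncrypt", "dyn:mass_file_rename", "dyn:ransom_note_drop"}),
    ("FamB", {"imp:ws2_32.dll", "api:CryptEncrypt", "dyn:ransom_note_drop"}),
    ("FamC", {"imp:advapi32.dll", "dyn:shadow_copy_deletion", "dyn:mass_file_rename", "dyn:ransom_note_drop", "imp:ws2_32.dll"}),
    ("FamC", {"imp:advapi32.dll", "dyn:shadow_copy_deletion", "dyn:mass_file_rename", "dyn:ransom_note_drop"}),
    ("FamC", {"imp:advapi32.dll", "dyn:shadow_copy_deletion", "dyn:ransom_note_drop"}),
]


def mine_family_rules(samples, min_support=0.3, min_confidence=0.9, max_len=2):
    """Return rules as tuples (antecedent, family, support, confidence, lift).

    antecedent: frozenset of up to `max_len` features.
    support:    fraction of all samples that contain the antecedent.
    confidence: fraction of those samples that belong to `family`.
    lift:       confidence divided by the family's base rate in the corpus.
    Plain Apriori enumeration: a feature set is only extended if it is frequent.
    """
    n = len(samples)
    family_count = Counter(fam for fam, _ in samples)
    all_features = sorted(set().union(*(feats for _, feats in samples)))

    def count(itemset):
        hits = [fam for fam, feats in samples if itemset <= feats]
        return len(hits), Counter(hits)

    rules = []
    frequent = {frozenset([f]) for f in all_features
                if count(frozenset([f]))[0] / n >= min_support}
    k = 1
    while frequent:
        for itemset in sorted(frequent, key=sorted):
            total, fams = count(itemset)
            support = total / n
            for fam, hits in fams.items():
                confidence = hits / total
                if confidence >= min_confidence:
                    lift = confidence / (family_count[fam] / n)
                    rules.append((itemset, fam, support, confidence, lift))
        if k >= max_len:
            break
        # Candidate (k+1)-itemsets: unions of two frequent k-itemsets, kept only if frequent
        candidates = {a | b for a, b in combinations(frequent, 2) if len(a | b) == k + 1}
        frequent = {c for c in candidates if count(c)[0] / n >= min_support}
        k += 1
    return rules


def classify(features, rules):
    """Let every rule whose antecedent is present vote (weighted by confidence
    times support) and return (family, score); (None, 0.0) if no rule fires.
    This voting step is an assumption of this example, not the paper's method."""
    scores = defaultdict(float)
    for antecedent, fam, support, confidence, _ in rules:
        if antecedent <= features:
            scores[fam] += confidence * support
    if not scores:
        return None, 0.0
    fam = max(scores, key=scores.get)
    return fam, scores[fam]


if __name__ == "__main__":
    for antecedent, fam, sup, conf, lift in mine_family_rules(SAMPLES):
        print(f"{sorted(antecedent)} -> {fam}  support={sup:.2f} confidence={conf:.2f} lift={lift:.2f}")
```

On this corpus, a feature present in every family (here the mass-file-rename behaviour) never becomes a rule on its own, whereas a static import combined with a dynamic observation does; that pairing across analysis levels is the point of combining static and dynamic features before mining.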

Publication Title

Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018