Esc

Dynamic Analysis

D3-DA
D3-DA (Dynamic Analysis)

Definition

Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.

Synonyms: Malware Detonation , and Malware Sandbox .

How it works

Analyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled.

Considerations

  • Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider.
  • Malware can attempt to determine if it is being debugged, and change its behavior accordingly.
  • For maximum fidelity, the simulated and real environments should be as similar as possible because the malware could perform differently in different environments.
  • Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment.

Implementations

loading...
json
loading...

References

All
Patent

The following references were used to develop the Dynamic Analysis knowledge-base article.

(Note: the consideration of references does not imply specific functionality exists in an offering.)

Malware analysis system

MITRE Comments

This patent describes a VM sandbox environment that uses heuristic based analysis techniques performed in real-time during a file transfer to determine if the file is malicious. A new signature can then be generated and distributed to automatically block future file transfer requests to download the malicious file.

Reference Type: Patent Organization: Palo Alto Networks Inc Author: Huagang Xie; Xinran Wang; Jiangxia Liu
Source: https://patents.google.com/patent/US20150319136A1

Use of an application controller to monitor and control software file and application environments

MITRE Comments

This patent describes received files being open in an environment such as a virtual machine or quarantined environment to associate file reputation information that determines if a file is a threat.

Reference Type: Patent Organization: Sophos Ltd Author: Andrew J. Thomas
Source: https://patents.google.com/patent/US20180032727A1

A knowledge graph of cybersecurity countermeasures