Malware file analysis is an essential part of understanding a sample's behaviour, techniques and intent, and a file analysis API exposes that capability to other systems programmatically. The practice involves running malware samples in a controlled environment to observe their conduct and to extract valuable indicators of compromise (IOCs) and payloads.
Avira's cloud sandbox API allows technology partners to quickly upload files for detailed threat intelligence and classification. The solution combines a range of technologies, such as machine learning, powerful cloud scanning engines and virtualized environments that sandbox and emulate many common operating systems. The platform is highly available, reliable and scalable.
Static analysis will show how a single executable operates. However, a typical kill chain often involves multiple files and scripts that trigger one another, and it is these IOCs that are difficult or impossible to identify using static methods alone. Malware authors have also increasingly adopted packers, crypters and protectors, which make static analysis of their malicious code hard or even impossible.
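One quick static check that still works against packed or encrypted samples is byte entropy: a section holding compressed or encrypted code looks nearly random (close to 8 bits per byte), whereas ordinary machine code or data does not. The following is an added example, not code from the original page or from Avira; the section contents are constructed in the script, and the 7.2 bits-per-byte cut-off is an assumed triage heuristic rather than a vendor value.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Assumed triage threshold: sections at or above this are flagged as likely
# packed/encrypted. Real tooling tunes this per file type and section name.
PACKED_THRESHOLD = 7.2


def classify_sections(sections: dict) -> dict:
    """Map each section name to its entropy and a 'likely_packed' verdict."""
    results = {}
    for name, blob in sections.items():
        e = shannon_entropy(blob)
        results[name] = {
            "entropy": round(e, 3),
            "likely_packed": e >= PACKED_THRESHOLD,
        }
    return results


def constructed_sections() -> dict:
    """Constructed stand-ins for two PE sections (not taken from any real sample)."""
    rng = random.Random(1234)  # fixed seed so the demo is reproducible
    # Repetitive x86-like prologue/epilogue bytes: low entropy, like real code.
    plain_code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3] * 512)
    # Uniformly random bytes: mimics a compressed/encrypted packer payload.
    packed_blob = bytes(rng.randrange(256) for _ in range(4096))
    return {".text": plain_code, "UPX1": packed_blob}


if __name__ == "__main__":
    for name, verdict in classify_sections(constructed_sections()).items():
        print(f"{name:<6} entropy={verdict['entropy']:.3f} "
              f"likely_packed={verdict['likely_packed']}")
```

High entropy on its own only tells the analyst that static disassembly of that section is unlikely to be useful; it is the signal to move the sample into a sandbox or debugger, where the unpacked code can be observed after it decrypts itself in memory.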
Deciphering Malicious Intent: A Deep Dive into Malware File Analysis API for Enhanced Security Measures
Dynamic analysis is performed by executing a malware sample within a sandbox or a VM, where its behaviour can be observed in real time. This can highlight risky API calls, memory allocations and NTFS transactions (including Process Doppelganging injection), which are notoriously hard to detect using static methods alone.
Several tools can be used to capture the dynamic behaviour of malware in real time, including ProcMon and Process Hacker. Using these tools in tandem with a debugger such as x64dbg allows the malware analyst to manually debug and reverse engineer the sample, revealing the binary's full functionality. x64dbg also lets the analyst glean useful IOCs from the imports the malware uses, such as CreateFileW, whose arguments can reveal the file locations and paths where the malware intends to run.
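A ProcMon capture of a sandbox run is where the file-, registry- and process-level IOCs described above actually surface, but a raw trace contains thousands of benign events (DLL loads, registry reads) for every interesting one. The script below is an added example, not code from the original page or from Avira, that reduces a ProcMon CSV export to the handful of indicators an analyst wants: files the sample writes, Run-key persistence, child processes (which are then followed too) and outbound connections. The CSV lines are constructed for the example, with a TEST-NET address and made-up paths; the column names mirror ProcMon's default export.

```python
import csv
import io

# Constructed ProcMon-style CSV export (not a real capture). Columns follow the
# default export: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.2","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:01:02.3","sample.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"10:01:02.4","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:01:02.5","sample.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","PID: 4388, Command line: svc.exe -install"
"10:01:02.6","svc.exe","4388","TCP Connect","lab-vm:49712 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:02.7","explorer.exe","1204","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ"
"""


def parse_procmon_csv(text: str) -> list:
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def extract_iocs(events: list, roots=("sample.exe",)) -> dict:
    """Reduce ProcMon events to IOCs attributable to the sample and its children."""
    tracked = set(roots)  # process names attributed to the sample; children are added as seen
    iocs = {
        "files_written": set(),
        "persistence_keys": set(),
        "child_processes": set(),
        "network": set(),
    }
    for ev in events:
        if ev["Process Name"] not in tracked:
            continue  # noise from unrelated processes such as explorer.exe
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        # Opening a file for writing, or writing to it, marks a dropped/modified file.
        if op == "CreateFile" and ("Generic Write" in detail or "OverwriteIf" in detail):
            iocs["files_written"].add(path)
        elif op == "WriteFile":
            iocs["files_written"].add(path)
        # Writes under a Run key are the classic registry persistence indicator.
        elif op == "RegSetValue" and "\\CurrentVersion\\Run" in path:
            iocs["persistence_keys"].add(path)
        # Spawned processes are recorded and followed so their activity is kept.
        elif op == "Process Create":
            iocs["child_processes"].add(path)
            tracked.add(path.rsplit("\\", 1)[-1])
        # ProcMon formats the path as "local -> remote"; keep the remote endpoint.
        elif op == "TCP Connect":
            iocs["network"].add(path.split("-> ")[-1])
    return {key: sorted(vals) for key, vals in iocs.items()}


if __name__ == "__main__":
    for key, vals in extract_iocs(parse_procmon_csv(SAMPLE_LOG)).items():
        print(f"{key}:")
        for v in vals:
            print(f"  {v}")
```

Following child processes matters: in the constructed trace the network connection is made by the dropped `svc.exe`, not by the original sample, and a filter keyed on the sample's name alone would miss it. The same reduction applied to a real export feeds the file paths and registry keys straight into detection rules.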