Precise system-wide concatic malware unpacking
David Korczynski

TL;DR
Minerva is a new malware unpacking tool that precisely uncovers execution waves and generates analyzable PE files, improving over existing dynamic analysis solutions in accuracy and applicability.
Contribution
It introduces a unified, system-wide approach with novel information flow modeling, execution wave merging, and API call collection for more effective automatic malware unpacking.
Findings
Significantly improves unpacking accuracy on real-world malware
Produces PE files well-suited for static analysis
Outperforms previous unpacking tools in key metrics
Abstract
Run-time packing is a common approach malware uses to obfuscate its payloads, and automatic unpacking is, therefore, highly relevant. The problem has received much attention, and so far, solutions based on dynamic analysis have been the most successful. Nevertheless, existing solutions fall short in several areas, both conceptually and architecturally, because they focus on a limited part of the unpacking problem. These limitations significantly impact their applicability, and current unpackers have, therefore, seen limited adoption. In this paper, we introduce a new tool, called Minerva, for effective automatic unpacking of malware samples. Minerva introduces a unified approach to precisely uncover execution waves in a packed malware sample and produce PE files that are well-suited for follow-up static analysis. At the core, Minerva deploys a novel information flow model of…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Digital and Cyber Forensics
