Enhancing malware analysis sandboxes with emulated user behavior.

Cybersecurity teams have widely used malware analysis sandboxes to investigate the threat of malware. Correspondingly, armored malware adopts various anti-sandbox techniques to evade analysis, from simple environment-specific traits detection to complex real-user operation environment verification. Particularly, malware may identify sandbox environments by checking several system artifacts that are impacted by the accumulation of normal user activities, such as file accesses. It remains a challenge to defeat this type of anti-sandbox technique. In this paper, we design an emulation-based system called UBER to enhance malware analysis sandboxes. The core idea is to generate realistic system artifacts based on automatically derived user profile models. We solve two major challenges. First, we generate authentic system artifacts continuously to emulate the real-user behaviors. Second, we integrate the generated artifacts stealthily to hide the trace of the emulation. We implement a system prototype using Python system-event monitor and automation control modules. Our experimental results demonstrate that UBER is capable of generating believable system artifacts and effectively mitigates the sandbox evasion techniques that exploit system fingerprinting. (C) 2022 Elsevier Ltd. All rights reserved.