Forced continuation of malware execution beyond exceptions

Yoshihiro Oyama, Hirotaka Kokubo

Journal of Computer Virology and Hacking Techniques (2022)

Abstract
A malware program often terminates on its own owing to exceptions, some of which occur only under certain execution conditions. To understand the potential threat posed by the malware, analysts need to collect information on the behavior it exhibits when these exceptions do not occur. However, most analysis systems provide no mechanism to capture this, which makes the analysis of exception-raising malware an extremely challenging task. In this paper, we propose a method for the dynamic analysis of malware programs that raise exceptions. The method intercepts exceptions and “nullifies” them so that the malware behaves as if the exceptions had never occurred. This is achieved by modifying the memory and registers of the malware at the time of the exception and by flexibly controlling the delivery of intercepted exceptions depending on the exception type and program state. Analysts using this method can continue malware execution beyond critical exceptions and observe the behavior that would otherwise appear only when those exceptions do not occur. We developed a sandbox system by extending Cuckoo Sandbox with the proposed method and compared the execution results of 2592 malware samples between the original and extended sandboxes. The results of the experiments indicated that our system increased the number of invoked API calls in 37.8% of the samples and the number of accessed resources in 32.0% of the samples. We believe that our system provides key insights into malware execution, which will help analysts better understand the behavior of malware that was once unobservable.
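As an added illustration (not code from the paper or its Cuckoo Sandbox extension), the C program below models the intercept-and-continue control flow the abstract describes on a POSIX host: a signal handler intercepts hardware exceptions, a policy keyed on the exception type decides whether each one is nullified or delivered, and the program under analysis resumes at its next step. Instead of patching the faulting thread's registers as the paper's method does, it unwinds to a recovery point with siglongjmp; the sample steps and the bookkeeping struct are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
/* Bookkeeping for one guarded run (constructed for this example). */
struct run_trace { int steps_completed, exceptions_seen, last_signal; };
static sigjmp_buf recover_point;
static volatile sig_atomic_t pending_signal;
/* Handler: note the exception type and unwind to the recovery point. */
static void intercept(int sig) { pending_signal = sig; siglongjmp(recover_point, 1); }
/* Delivery policy keyed on exception type: nullify hardware faults, deliver the rest. */
int should_nullify(int sig) {
    return sig == SIGSEGV || sig == SIGBUS || sig == SIGFPE || sig == SIGILL;
}
/* Run one step of the program under analysis; if it faults, record that and continue. */
static void run_guarded(void (*step)(void), struct run_trace *t) {
    struct sigaction sa = {0};
    sa.sa_handler = intercept;
    sa.sa_flags = SA_NODEFER;               /* the same signal may be intercepted again */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    if (sigsetjmp(recover_point, 1) == 0) {
        step();
        t->steps_completed++;
    } else {
        t->exceptions_seen++;
        t->last_signal = pending_signal;
        if (!should_nullify(pending_signal)) {  /* policy says deliver: restore default, re-raise */
            signal(pending_signal, SIG_DFL);
            raise(pending_signal);
        }
    }
}
/* Constructed stand-in for a sample: two logged API calls around an access violation. */
static int api_calls = 0;
static int *volatile bad_ptr = NULL;          /* volatile so the faulting load is not optimised away */
static void step_call_a(void) { api_calls++; }
static void step_fault(void)  { volatile int v = *bad_ptr; (void)v; }
static void step_call_b(void) { api_calls++; }  /* observable only if execution continues past the fault */

struct run_trace run_sample(void) {
    struct run_trace t = {0, 0, 0};
    api_calls = 0;
    run_guarded(step_call_a, &t);
    run_guarded(step_fault, &t);
    run_guarded(step_call_b, &t);
    return t;
}
int api_calls_logged(void) { return api_calls; }
```

Without the handler the run would end at the second step with one logged call; with it, the second API call is recorded, which is the kind of additional behavior the paper's measurements count.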
Keywords
Exceptions, Malware, Dynamic analysis, Sandboxes