On Adding Context to Automated .NET Malware Analysis
DOI:
https://doi.org/10.34190/iccws.20.1.3275
Keywords:
Malware analysis, .NET, Reverse engineering, .Net malware
Abstract
Malware analysis benefits substantially from automation. When it comes to analysing .NET malware samples, there is a dearth of automated analysis tools that provide quality results. Streamlining the malware analysis workflow so that the process can be completed in a timely manner is another challenging task. We determine that adding context to each piece of extractable information could help an analyst better understand the functionality of the .NET sample. In this paper, we introduce a standalone command-line application developed in Python, designed to assist analysts in .NET malware analysis. We follow a static analysis approach to extract features from the samples, to identify higher-level capabilities and to provide exact indicators of compromise. We do not rely on dynamic analysis as it only follows one path of execution. We compare the results of the tool with similar existing tools that can analyse .NET samples. Through a qualitative evaluation, we showcase the utility of the tool in terms of providing significant insights to a malware analyst. We study openly published Malware Analysis Reports (MARs) that are generated through extensive analysis and observe how the tool can provide the same insights in a simple and reliable manner.
Published
24-03-2025
Section
Academic Papers
License
Copyright (c) 2025 Chaitanya Rahalkar, Anushka Virgaonkar

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.