Lucca, Serena [UCL]
Legay, Axel [UCL]
Malware is constantly on the rise, and its capabilities to evade analysis are improving every day. New tools and techniques are needed to detect and classify the large volume of malware that appears daily. In this context, the SEMA Toolchain was created to apply symbolic execution to malware samples in order to build a system call dependency graph that can serve as a signature for classification. The goal of this work is to use the SEMA Toolchain to perform an in-depth analysis of some RAT (remote access trojan) samples. RATs are a type of malware that offers a variety of malicious features; they are controlled by a command and control server that sends commands requesting a specific feature to be executed. We explain in detail the process of applying this type of analysis to two RAT samples. We also apply symbolic execution to another sample to demonstrate the effectiveness of this type of analysis against anti-dynamic-analysis techniques. Finally, we present our thoughts and suggestions on automating this kind of analysis so that a larger number of samples can be processed.


Bibliographic reference: Lucca, Serena. Let's analyze malware with symbolic execution: a practical study. Ecole polytechnique de Louvain, Université catholique de Louvain, 2022. Prom. : Legay, Axel.
Permanent URL: http://hdl.handle.net/2078.1/thesis:36890