Research Article

A Data Mining Classification Approach for Behavioral Malware Detection

Box 1

A sample part of an XML file that contains a malware behavior.
?xml version=“1.0” ?
- <!- -
This analysis was created by CWSandbox (c) CWSE GmbH/Sunbelt Software
- ->
<analysis cwsversion=“2.1.12” time=“08.08.2009 05:22:19”
file=“c:\260589951029048b3e6d93316b3c2507”
md5=“260589951029048b3e6d93316b3c2507”
sha1=“0089453df77890ae95ce7d9130a4ef85eaea36e8”
logpath=“c:\cwsandbox\log\260589951029048b3e6d93316b3c2507\run_1\”
analysisid=“647702” sampleid=“431657”>
<calltree>
<process_call index=“1” pid=“1940”
filename=“c:\260589951029048b3e6d93316b3c2507” starttime=“00:01.922”
startreason=“AnalysisTarget”>
<calltree>
 <process_call index=“2” pid=“2084” filename=“C:\Programme\Internet
Explorer\iexplore.exe” starttime=“00:05.343” startreason=“CreateProcess” />
 </calltree>
 </process_call>
 <process_call index=“3” pid=“948”
filename=“C:\WINDOWS\system32\svchost.exe” starttime=“00:07.062”
startreason=“DCOMService” />
 </calltree>
<processes>
<process index=“1” pid=“1940”
filename=“c:\260589951029048b3e6d93316b3c2507” filesize=“761856”
md5=“260589951029048b3e6d93316b3c2507”
sha1=“0089453df77890ae95ce7d9130a4ef85eaea36e8” username=“Administrator”
parentindex=“0” starttime=“00:01.922” terminationtime=“00:07.484”
startreason=“AnalysisTarget” terminationreason=“NormalTermination”
executionstatus=“OK” applicationtype=“Win32Application”>
<dll_handling_section>
 <load_image filename=“c:\260589951029048b3e6d93316b3c2507” successful=“1”
address=400000” end_address=4C1000” size=“790528” />
 <load_dll filename=“C:\WINDOWS\system32\ntdll.dll” successful=“1”
address=7C910000” end_address=7C9C9000” size=“757760” quantity=“16”/>
 <load_dll filename=“C:\WINDOWS\system32\kernel32.dll” successful=“1”
address=7C800000” end_address=7C908000” size=“1081344” quantity=“2” />
 <load_dll filename=“C:\WINDOWS\system32\gdi32.dll” successful=“1”
address=77EF0000” end_address=77F39000” size=“299008” quantity=“2” />
 <load_dll filename=“C:\WINDOWS\system32\USER32.dll” successful=“1”
address=7E360000” end_address=7E3F1000” size=“593920” quantity=“2” />
 </dll_handling_section>
<filesystem_section>