In dynamic malware analysis, where malware is executed and its behavior analyzed, screenshots (referred to as “analysis screens”) can be used to capture the screens displayed within the analysis environment. These analysis screens can provide information on malware behavior, such as launched applications and end-user deception techniques, thereby contributing to the efficiency of dynamic malware analysis systems. They also have potential applications in expanding analysis systems and improving end-user security awareness through education. However, there has been no comprehensive investigation into the information obtainable from analysis screens, and their potential applications have not been clearly demonstrated. In this study, we conducted an investigation through coding of 3,590 analysis screens included in 211 analysis reports covering a total of 93 malware families, with the aim of organizing the information obtainable from analysis screens. As a result of this investigation, we identified malware-related information and end-user deception techniques obtainable from analysis screens. Additionally, by comparing analysis screens with logs, we demonstrated the existence of information that can be more easily obtained from analysis screens and examined their potential applications. We believe our findings contribute to the development of dynamic analysis systems and educational guidelines for analysts and end-users in the future.