Science and Development Network (SciDev.Net)
Anti-emulation checks are a nearly essential component of modern malware: by hiding malicious behavior from dynamic analysis, they let a sample stay alive longer. In this paper, the authors propose a slicing-based approach to deal with such a scenario. Unlike the trace-matching solutions presented in the references, their approach operates on a single instruction trace and needs no reference platform. They evaluate it on 189 malware samples collected in the wild. Their experiments show that the proposed approach can spot the efAPI used for an anti-emulation check in an efficient way.
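As an added illustration (not the paper's code) of the slicing idea on a single trace: a backward data slice from each conditional branch collects the API calls whose return values decide it, so a timing check built on two GetTickCount readings is surfaced while an API result that never reaches the branch is not. The trace format, the API names and the assumption that a call's result lands in eax are all constructed for this example.

```python
from dataclasses import dataclass

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi"}

@dataclass
class Insn:
    mnem: str
    defs: frozenset   # locations written (registers, memory, "flags")
    uses: frozenset   # locations read
    api: str = ""     # API whose return value (eax) this call defines

def parse(line):
    """Parse one line of the constructed trace: 'mnem dst, src' or 'call API'."""
    mnem, _, rest = line.strip().partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    if mnem == "call":                 # assumed: result returned in eax
        return Insn(mnem, frozenset({"eax"}), frozenset(), api=ops[0])
    if mnem == "jmp" or not ops:       # unconditional jump or no operands
        return Insn(mnem, frozenset(), frozenset())
    if mnem.startswith("j"):           # conditional jump reads the flags
        return Insn(mnem, frozenset(), frozenset({"flags"}))
    dst = ops[0]
    srcs = {o for o in ops if o in REGS or o.startswith("[")}
    if mnem == "cmp":                  # compare writes only the flags
        return Insn(mnem, frozenset({"flags"}), frozenset(srcs))
    if mnem == "mov":                  # plain copy: dst overwritten, not read
        return Insn(mnem, frozenset({dst}), frozenset(srcs - {dst}))
    return Insn(mnem, frozenset({dst, "flags"}), frozenset(srcs))  # arithmetic

def apis_feeding_branch(trace, branch_idx):
    """Backward data slice from one instruction: which API results reach it?"""
    live = set(trace[branch_idx].uses)
    found = []
    for insn in reversed(trace[:branch_idx]):
        if not (insn.defs & live):     # defines nothing we are tracking
            continue
        live = (live - insn.defs) | insn.uses
        if insn.api:
            found.append(insn.api)
    return list(dict.fromkeys(found[::-1]))   # unique names, in trace order

def anti_emulation_candidates(trace):
    """Map every conditional branch to the APIs whose results decide it."""
    return {i: apis_feeding_branch(trace, i) for i, ins in enumerate(trace)
            if ins.mnem.startswith("j") and ins.mnem != "jmp"}

# Constructed trace: two GetTickCount readings are differenced and compared;
# IsDebuggerPresent's result is stored to memory and never reaches the branch.
TRACE = ["call GetTickCount", "mov ebx, eax", "call IsDebuggerPresent",
         "mov [esp+4], eax", "call GetTickCount", "sub eax, ebx",
         "cmp eax, 0x10", "jb short_run"]
```

Running `anti_emulation_candidates([parse(l) for l in TRACE])` yields `{7: ['GetTickCount']}`; slicing from the store at index 3 instead yields `['IsDebuggerPresent']`, showing the slice follows data flow rather than call order.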