JP5839967B2 - Malware analysis system - Google Patents

Description

  The present invention relates to a technique for specifying an encryption key of malware necessary for specifying information leaked to the outside from the malware when an infection of an information processing terminal connected to the Internet is detected.

  As a conventional technique for analyzing malware, for example, Patent Document 1 discloses a technique for executing malware in a special experimental environment and recording a system call, a usage history of computer resources, and a message transmitted to a remote terminal. Yes.

JP 2009-181335 A

Recently, large-scale information leakage incidents due to malware have attracted attention. When an infection by malware is detected, it is necessary to identify information leaked to the outside from the malware. For this purpose, communication between the Internet and information processing terminals on the in-house network is normally recorded, and when malware infection is detected on a certain terminal, the communication information uploaded from the terminal is extracted from the communication record. Must be analyzed.
These malware have encryption functions such as RC4 and AES inside, and since the information uploaded to the outside is encrypted before being sent, it is necessary to analyze the malware and identify the encryption key. It is not possible to clarify what the contents are.

However, in the prior art, although it is possible to record the operation of malware in the experimental environment, there is no method for extracting the encryption key necessary for decryption from the operation record, and as a result, the communication record was decrypted and leaked. The information could not be identified.
The present invention has been made to solve the above problems, and by analyzing the memory operation of the malware in detail, it is possible to identify the encryption key from various data that the malware writes to the memory. Objective.

The malware analysis system according to this invention
A malware analysis system for identifying an encryption key of malware necessary for identifying information leaked from an information processing terminal connected to the Internet and infected with malware,
Communication record storage means in which communication information between the information processing terminal and the Internet is recorded;
Malware execution means having malware execution means for storing infected malware and executing the malware program, and execution trace recording means for recording execution trace information each time the malware executes a machine language instruction on the malware execution means Equipment,
In response to a connection request from malware, a message transmission device that selects a message from the past communication record of the communication record storage means and returns it to the malware;
Scans the execution trace information from the execution trace recording means, calls the network reception function by the call argument, finds the address of the receive buffer and the receive buffer length among the arguments, stores them in the variable Pmsg, Lmsg area,
Update the data dependency history information that records the correspondence between the dependency data and the malware execution trace information by executing the malware program.
The process of adding the data group that has undergone bit operation or arithmetic operation to the data in the message received by the malware to the dependent data information is performed until the end of the execution trace line of the malware program,
A key specifying means for extracting and outputting a key storage buffer candidate group by grouping the dependent data information to which data is added according to a predetermined criterion;
When a plurality of encryption key candidates are extracted by the key specifying means, the data is decrypted with the extracted encryption key candidates, the data before decryption is compared with the data after decryption, and the encryption key successfully decrypted is determined. An execution trace analysis device having a decoding result determination means to select.

According to the malware analysis system of the present invention, the malware to be analyzed is decrypted in the past while recording the execution trace information, and the past is uploaded by analyzing the execution trace information and specifying the key. There is an effect that the information can be decrypted and the contents can be extracted.
Furthermore, in the key storage buffer candidate group extraction procedure, when identifying key candidates, by grouping the addresses based on whether the referenced machine language instruction addresses are close, the key data is stored on the continuous memory. Even if other data are arranged, there is an effect of preventing the data from being extracted as part of the key data.
Furthermore, when extracting key candidates, the number of key candidates to be extracted can be reduced by narrowing down the analysis to the addresses of the data derived from the reception buffer and the data subjected to bit operation / arithmetic operation. There is.

It is a block diagram which shows the malware analysis system which concerns on Embodiment 1 of this invention. It is explanatory drawing of the execution trace information recorded on an execution trace recording means. It is explanatory drawing of the information recorded on a communication record storage means. It is explanatory drawing of data dependence history information. It is a flowchart which shows the outline | summary of a process of a key specific means. FIG. 11 is a processing flow chart until a union of dependent data information is stored in a variable D in a data dependency history information update procedure. FIG. 11 is a processing flowchart after the copy information of lastFlow generated in the data dependency history information update procedure is stored in a variable newFlow. It is a processing flowchart of a data dependence confirmation procedure. It is a processing flow figure of a key storage buffer candidate group extraction procedure. It is a processing flow figure of a dependent address extraction procedure. It is a block diagram which shows the malware analysis system which concerns on Embodiment 2 of this invention.

Embodiment 1 FIG.
FIG. 1 is a block diagram of an apparatus showing a malware analysis system according to the present invention.
This system includes a message transmission device 101, a malware execution device 104, an execution trace analysis device 108, and communication record storage means 116. The message transmission device 101 and the malware execution device 104 are connected via a network 118. Connections between other devices and between the communication record storage means 116 are freely made as long as information can be input and output.

Next, each device constituting the malware analysis system will be described.
The message transmission device 101 is a device that generates and transmits a message to be input to the analysis target malware 105 operating on the malware execution device 104, and includes a message transmission unit 102 and a message generation unit 103. The message transmission unit 102 is a unit that transmits the message generated by the message generation unit 103 to the malware execution device 104 via the network 118. The message generation means 103 is means for generating a message to be transmitted to the malware execution device 104 based on the communication record recorded in the communication record storage means 116.

  The malware execution device 104 is a device that executes the analysis target malware 105 and records an execution trace as its operation history, and includes a malware execution means 106 and an execution trace recording means 107. The malware execution means 106 is an emulator for executing the analysis target malware 105 in units of one machine word. The execution trace recording means 107 records an execution trace each time the analysis target malware 105 executes a one-machine language instruction on the malware execution means 106.

  The execution trace analysis device 108 analyzes the execution trace recorded in the execution trace recording means 107, specifies the encryption key used by the analysis target malware 105, and then records it in the communication record storage means 116. A device for decoding uplink communication information from the analysis target malware 105, communication record input means 109, decryption function identification means 110, execution trace input means 111, key identification means 112, communication record decryption means 113, analysis result output means 114 and decoding result determination means 115.

  The communication record input means 109 is means for acquiring communication record information to be analyzed from the communication record storage means 116. The execution trace input means 111 is means for receiving execution trace information of the analysis target malware 105 executed by the malware execution means 106 in units of one machine word from the execution trace recording means 107 of the malware execution device 104. The decryption function specifying unit 110 is a unit that specifies the address of the decryption function and the decryption function algorithm in the analysis target malware 105 from the execution trace information of the analysis target malware 105 received by the execution trace input unit 111. The key specifying unit 112 is a unit that specifies the encryption key used for decryption by the analysis target malware 105 from the received execution trace information. The communication record decryption unit 113 uses the encryption key specified by the key specification unit 112 and the decryption function algorithm specified by the decryption function specification unit 110 to perform the analysis acquired from the communication record storage unit 116 by the communication record input unit 109. This is a means for decoding upstream communication information from the target malware 105. The decoding result determination means 115 is a means for comparing the result decoded by the communication record decoding means 113 with the communication information record before decoding to determine whether or not the decoding has succeeded. The analysis result output unit 114 is a unit for outputting the analysis result to the user 117.

Next, the operation will be described.
In this system, HTTP (Hyper Text Transfer Protocol) communication information between each terminal on the intra-organization network and the Internet is recorded in the communication record storage means 116. The communication information recorded in the communication record storage means 116 is shown in FIG. As shown in FIG. 3, in this system, the communication record storage means 116 records the source IP address src ip 301, destination URL 302, upstream data 303, and downstream data 304 in units of requests transmitted from the source. Is done.
Assume that a malware program is found on an information processing terminal on the network in the organization. The user 117 stores the malware program in the malware execution device 104 as the analysis target malware 105, and further sets the IP address of the terminal confirmed to be infected as a parameter at the time of system execution of the message transmission device 101 and the execution trace analysis device 108. After input to a memory (not shown), analysis in this system is started.

  The program of the analysis target malware 105 is started by the malware execution means 106. The malware execution means 106 executes the analysis target malware 105 step by step in machine words. Such means can be configured by using existing technology, for example, step execution of a debugger, or a CPU emulator such as QEMU shown in Non-Patent Document 1; [http://wiki.qemu.org/Main_Page] Therefore, the details of the implementation method will be omitted.

When the machine language in the program of the analysis target malware 105 is executed by the malware execution means 106 for one step, the record is recorded as execution trace information by the execution trace recording means 107. As shown in FIG. 2, the recorded execution trace information includes an execution address 201, an execution instruction 202, a referenced memory address and a stored value 203, a written memory address and a written value 204, and an immediately preceding execution. It consists of a register value 205.
When the analysis target malware 105 program is activated on the malware execution means 106, the analysis target malware 105 program attempts to connect to the command server on the Internet through the network 118. Since the message transmission device 101 is configured to be viewed as an HTTP proxy server from the analysis target malware 105, the analysis target malware 105 program transmits an HTTP request to the message transmission device 101.

In the message transmission device 101 that has received the HTTP request, the message generation unit 103 has confirmed the destination URL included in the HTTP request from the analysis target malware 105 program and the infection that the user 117 has input in advance. The communication record storage means 116 is searched using the IP address of the terminal as a key, one of the corresponding communication records is selected, the downlink data 304 is taken out and passed to the message transmission means 102. The message transmission unit 102 returns the message passed from the message generation unit 103 to the analysis target malware 105 through the network 118.
After executing such communication several times, the malware execution means 106 stops the program execution of the analysis target malware 105 and sends the execution trace information recorded by the execution trace recording means 107 to the execution trace analysis apparatus 108. To do.

  In the execution trace analysis apparatus 108, the execution trace input means 111 receives the execution trace information recorded by the execution trace recording means 107 transmitted from the malware execution apparatus 104, and this execution trace information is first identified by the decryption function. Input to means 110. Based on the execution trace information, the decryption function specifying unit 110 specifies the address of the decryption function and the name of the decryption algorithm used by the function. For example, Non-Patent Document 2; [Z. Wang, X. Jiang, W. Cui, and X. Wang. ReFormat: Automatic reverse engineering of encrypted messages. In European Symposium on Research in Computer Security, Saint- Malo, France, September 2009.] and Non-Patent Document 3; [Felix Grobert, Carsten Willems, and Thorsten Holz Automated Identification of Cryptographic Primitives in Binary Programs, 14th International Symposium on Recent Advances in Intrusion Detection (RAID)] It can be realized by using it.

After specifying the address of the decryption function and the name of the decryption algorithm used by the decryption function identifying unit 110, the execution trace information is input to the key identifying unit 112, and the encryption key used for decryption is identified. . The operation of the key specifying means 112 will be described in detail with reference to FIGS.
First, the outline of the processing of the key specifying means 112 will be described with reference to FIG. The key specifying unit 112 scans the input execution trace information and skips the execution trace information until the network reception function is called by the call argument (S501). The network reception function is provided by the OS (operating system) as standard, and the arguments required for the call are clear. Therefore, among the arguments passed to the network reception function, the address of the reception buffer and the reception buffer length are obtained from the execution trace information of the stack operation instruction such as PUSH recorded immediately before the function call, and each of the key specifying means 112 is obtained. Are stored in the Pmsg and Lmsg areas of the memory (S502).

Next, the execution trace information is skipped to the address after execution of the network reception function, and the execution trace line at that time is stored in the variable cur of the key specifying means 112 (S503). Further, the memory variable P and variable Flows of the key specifying means 112 are initialized (S504, S505).
Here, data stored in the memory P and the memory Flows will be described. First, information stored in the memory Flows will be described. In Flows, information called data dependency history information is stored as analysis of the analysis target malware 105 proceeds. The data dependency history information is a record of data on which each register / memory and data written therein depend on when a certain instruction on the execution trace is executed. Here, the dependent data refers to data on a memory that is directly or indirectly referenced through a register when calculating the value of certain data.

The data dependency relationship history information is information as shown in FIG. 4 and includes an execution trace line number 401, an execution address 402, and dependency relationship information 403. The dependency relationship information 403 further includes a data storage location 404 and dependency data information 405. The dependency data information 405 further includes an address 406 and a valid execution trace line number 407.
The effective execution trace line number 407 refers to the value stored in the address 406 described in the dependency data information 405 when the instruction indicated by the execution trace line number 401 is executed. Points to the execution trace line number indicating whether This is information necessary for tracking at which point data is written when data is written to the same memory address a plurality of times. In FIG. 4, a character string described in parentheses in each information name is an abbreviation for each information name when used in the subsequent operation description.

Next, the information / variable P stored in the memory P will be described. When decoding the message received by the malware 105 to be analyzed, the memory P stores a data group obtained by performing bit operation / arithmetic operation with the data in the message in the form of dependent data information (described in FIG. 4405). Is done. Data that has undergone bit operations or arithmetic operations with data in such messages may be data derived from encryption keys, such as encryption keys or extended encryption keys. The purpose is to record them as encryption key candidates.
Finally, the purpose of the key specifying means 112 is to specify the encryption key by tracing back the data on which each data recorded in the memory P depends using the variable Flows of the memory Flows.

  Returning to FIG. 5 again, the operation will be described. This analysis is executed in a loop until cur of the key specifying means 112 reaches the end of the decryption function (S506). In the loop, first, the data dependency history information update procedure of the processing program of the key specifying unit 112 is called according to the contents of the execution trace line currently indicated by cur, and the data dependency history information is updated (S507). Next, if the instruction executed in cur is a bit operation / arithmetic operation (S508), whether the register or memory referenced in the operation includes data depending on the received message, The data dependency confirmation procedure of the processing program is called and confirmed (S509). If the data depending on the received message is referenced (S510), the dependent data is added to P (S511). Then, cur is moved to the next execution trace line, and the process returns to the top S506 of the loop (S512).

  When the determination in S506 is true, that is, cur is the end of the decryption function, the key storage buffer candidate group extraction procedure of the processing program of the key specifying means 112 is called in S513, and encryption is performed among the data included in P. A memory area to be a key candidate is extracted and substituted into a variable K of the key candidate buffer set. Finally, the variable K of the key candidate buffer set is output as the processing result of this means (S514).

Next, the data dependency history information update procedure processing of the processing program of the key specifying means 112 will be described with reference to FIGS. This procedure receives the execution trace information trace of the analysis target malware 105 and the current data dependency history information F as inputs, updates the data dependency history information F according to the contents of the execution trace information trace, and updates the data dependency after the update. Return and record the relationship history information F.
First, variables are initialized in S601 to S604. In S601, the dependency information calculated as the execution result immediately before the execution trace information trace (that is, the execution trace line number is one less than the current execution trace information trace) is extracted from Flows and stored in the variable lastFlow. Next, the instruction recorded in the trace is analyzed, and the source operand and destination operand of the instruction are stored in the variables Op_s and Op_d (S602) and (S603). Op_s may not exist depending on the instruction, but in that case, a null value is substituted. Finally, the set D of the dependency data information (see FIG. 4405) is initialized to an empty set (S604).

  After initialization, actual processing is performed. First, in S605, it is determined whether Op_s is a null value or Op_s is an immediate value (immediate). If the determination result is true, the processing is skipped to S701 in FIG. If the determination in S605 is false, it is determined whether Op_s points to a register (S606). If it is a register, lastFlow [store = Op_s] is substituted for variable D in S612. Here, the notation xxx [yyy = zzz] selects all of the dependency information xxx whose information name yyy matches zzz, and executes the process of extracting the dependency data information (FIG. 4405) as a set. Represents.

If the determination in S606 is false, Op_s represents a memory reference. In Intel's 80386 (or its successor), the memory reference is determined by combining four parameters: base, index, scale, and displacement. The base and index specify the register name. The scale is a constant, and the displacement is specified by a memory address. The three parameters excluding the scale and the actually referenced memory address are stored in the corresponding variables (base, index, disp, addr) in S607 to S610.
Next, in S611, the dependent data information corresponding to base, index, and disp is extracted, and the union of these is stored in the dependent data information set D. Furthermore, the line number of address = addr, d_line = trace is added to the set D, which is a variable, as new dependency data information.

  The subsequent processing will be described with reference to FIG. In S701, information obtained by copying lastFlow is generated as new dependency relationship information and stored in the variable newFlow. Subsequent processing branches depending on the type of Op_d. If Op_d is a register (branch to S702 yes), the register indicated by Op_d is directly substituted for variable dest (S707). Otherwise (branch to S702 no), since Op_d is a memory reference, the memory address referred to by Op_d is calculated and assigned to dest (S703).

Next, in S704, it is checked whether the instruction of the execution trace information trace currently being analyzed is a mov instruction. If it is a mov instruction, the contents of the variable D of the set of dependent data information are substituted into newFlow [store = dest] (S708). This operation is an operation of removing the dependency data information corresponding to store = dest in newFlow and substituting the set variable D instead.
If the determination in S704 is false, newFlow [store = dest] is updated with the union of current newFlow [store = dest] and variable D (S705). Finally, in S706, an entry consisting of (line = trace line number, instruction address in exec = trace, dependency information = newFlow) is added to F, and the current data dependency history information F is returned and processing is performed. finish.

Next, details of the data dependency confirmation procedure will be described with reference to FIG. This procedure determines whether the data given as an argument depends on the receive buffer.
In S801, information given as an argument is stored in each variable. In S802, the history of line = tr is acquired from the FS and substituted into the current data dependency history information F (S802), and the current data dependency history information F [store = s] is a variable of the dependency data information Substitute into set D (S803). Next, in S804 to S810, the processing shown in S805 to S809 is performed on each piece of dependent data information in the set D. In S805 and S806, the address (FIG. 4406) and d_line (FIG. 4407) of the entry are substituted into variables m and i. If m points to the reception buffer indicated by Pmsg (S807 yes), this procedure returns true and ends.
Otherwise, it recursively checks whether the memory on which the data stored in m depends depends on the reception buffer (S808). If the result is true (S809 yes), it returns true and the process ends. If not, the same check is performed on the next entry.
Finally, if all the entries in the set D, which is a variable of the dependent data information, do not depend on the reception buffer, FALSE is returned and the process ends.

Next, details of the key storage buffer candidate group extraction procedure will be described with reference to FIG. This procedure tracks the dependency of the dependency data information given as an argument, and returns a set of buffer areas that are considered key candidates.
First, as initialization processing, the information given as an argument in S901 is substituted for each variable, and the key candidate buffer set K is initialized to an empty set (S902).
Next, in S903, for each element (address, d_line) in the dependency data information set P, the execution address (exec) corresponding to the effective execution trace line number (d_line) is set to multiple dependency data and multiple malware execution traces. It is obtained by referring to the set FS of data dependency history information in which the correspondence with the information is recorded, and is set as a three-element tuple (adderss, d_line, exec).

  Next, the elements having similar execution address exec values are gathered from the three-element tuple set generated in S904 to create a group. Whether or not they are close is determined by a predefined threshold value T1. To determine whether a tuple belongs to a group, select the one with the execution address exec value closest to the target tuple within the group, and if the difference between the target tuple execution address exec is within T1, It is determined that it belongs to the group. If it does not belong to any existing group, a new group is created.

  Next, the generated groups (G1 to GN) are taken out by the loop (S905), and the processes indicated by S906 to S912 are executed. S906 to S912 are loops for sequentially extracting each element (address, d_line, exec) of the selected group Gi and executing the processing of S907 to S911. In S907, first, an address group (a set of tuples of addresses and valid execution trace line numbers) on which the memory indicated by address and d_line depends is fetched and stored in A using a dependent address extraction procedure. In step S908, a memory map is created using the extracted address group and execution trace information, and a continuous area on the map is extracted as a memory group. The memory map is a set of (address, value), and is generated by acquiring the reference memory address / value in the execution trace information using the address stored in A and the effective execution trace line number as a key. Each of the generated groups Mm (m = 1 to M) is a key storage buffer candidate. Therefore, the data stored in each buffer area is registered in the key candidate buffer set K (S910).

Finally, details of the dependent address extraction procedure (see FIG. 9, S907) will be described with reference to FIG. This procedure traverses the address on which the data at the given address depends and returns a set of addresses that do not depend on anywhere else.
First, in S1001, the information input as an argument is substituted into a variable. Next, in S1002, the dependency information corresponding to the specified execution trace line number is extracted from the data dependency history information set FS and assigned to the current data dependency history information F, and F [store = s] is dependent Substitute into set D, which is a variable of data information (S1003). If set D is an empty set (S1004 yes), given address s is an address that does not depend on anywhere else, and (s, trace) is added to set A (S1011). End.

If set D is not an empty set, execute the loop from S1005 to S1010 to recursively call the dependent address extraction procedure for each entry in set D, so that set A can be found anywhere else Create a set of independent addresses. After the dependency address extraction procedure is completed for all entries, the generated set A is returned, and the process ends.
Thus, the description of the operation of the key specifying means is finished, and the description of the overall operation is resumed.

  Using each of the key candidates generated as a result of the processing by the key specifying unit 112, the communication recording / decrypting unit 113 attempts to decrypt. The communication record decoding unit 113 acquires the upstream data information (303 in FIG. 3) included in the communication record stored in the communication record storage unit and included in the one matching the infected terminal IP address and the destination URL. On the other hand, decryption is performed using an algorithm identified as a key candidate. The decoding result determination unit 115 is called by inputting the decoding result and the original uplink data.

Decoding result determination means 115 determines whether or not the original data has been successfully decoded by measuring the randomness of the data. The determination is that the original data and the decoded data are compressed using a common compression algorithm, and the compressed data size when the decoded data is compressed is the compressed data when the pre-decoded data is compressed. Decoding is considered successful when it is significantly smaller (eg, 10%) or smaller than the size.
If the decryption result determination means 115 determines that the decryption has succeeded, the decryption result and the key at that time are notified to the user through the analysis result output means, and the operation of this system ends.
In the present embodiment, the communication stored in the communication record storage unit 116 has been described by focusing on HTTP. However, it is of course possible to analyze communication records of other communication protocols.

As described above, while analyzing the execution trace information, the analysis target malware decrypts the message accumulated in the past, analyzes the execution trace and identifies the key, and decrypts the information uploaded in the past, The content can be taken out.
Furthermore, when a plurality of key candidates appear, there is an effect that the user can select the correct key without visual confirmation by comparing the randomness of the data before and after decryption.

Furthermore, in the key storage buffer candidate group extraction procedure, when identifying key candidates, by grouping the addresses based on whether the referenced machine language instruction addresses are close, the key data is stored on the continuous memory. Even if other data are arranged, there is an effect of preventing the data from being extracted as part of the key data.
Furthermore, when extracting key candidates, the number of key candidates to be extracted can be reduced by narrowing down the analysis to the addresses of the data derived from the reception buffer and the data subjected to bit operation / arithmetic operation. There is.

Embodiment 2. FIG.
In the first embodiment described above, the decoding result determination means uses a change in compression rate. In the present embodiment, however, the determination is made based on whether the data after the decoding result matches a known file format. . Information regarding the file format is stored in the format definition storage means 119.
As described above, it is possible to correctly determine the success or failure of the decryption even if the decrypted data is compressed by using the condition of whether or not it matches the known file format in the determination of the decryption result. is there.

  The malware analysis system according to the present invention is applied to, for example, an information processing terminal on an intra-organization network connected to the Internet, and can infect information leaked from the information processing terminal using an encryption key. It has the potential to be used for countermeasures against infection leakage information.

  101; Message sending device, 102; Message sending means, 103; Message generation means, 104; Malware execution device, 105; Analysis target malware, 106; Malware execution means, 107; Execution trace recording means, 108; Execution trace analysis device, 109; communication record input means, 110; decryption function specifying means, 111; execution trace input means, 112; key specifying means, 113; communication record decoding means, 114; analysis result output means, 115; Communication record storage means 117; user 118; network 119; format definition storage means.

Claims (5)

A malware analysis system for identifying an encryption key of malware necessary for identifying information leaked from an information processing terminal connected to the Internet and infected with malware,
Communication record storage means in which communication information between the information processing terminal and the Internet is recorded;
Malware execution means having malware execution means for storing infected malware and executing the malware program, and execution trace recording means for recording execution trace information each time the malware executes a machine language instruction on the malware execution means Equipment,
In response to a connection request from malware, a message transmission device that selects a message from the past communication record of the communication record storage means and returns it to the malware;
Scans the execution trace information from the execution trace recording means, calls the network reception function by the call argument, finds the address of the receive buffer and the receive buffer length among the arguments, stores them in the variable Pmsg, Lmsg area,
Update the data dependency history information that records the correspondence between the dependency data and the malware execution trace information by executing the malware program.
The process of adding the data group that has undergone bit operation or arithmetic operation to the data in the message received by the malware to the dependent data information is performed until the end of the execution trace line of the malware program,
A key specifying means for extracting and outputting a key storage buffer candidate group by grouping the dependent data information to which data is added according to a predetermined criterion;
When a plurality of encryption key candidates are extracted by the key specifying means, the data is decrypted with the extracted encryption key candidates, the data before decryption is compared with the data after decryption, and the encryption key successfully decrypted is determined. A malware analysis system comprising: an execution trace analysis device having a decryption result determination means to select.   Whether the key identification means grouping of the dependent data information to which the data in the key storage buffer candidate group extraction processing is added is whether the machine instruction address of the malware program corresponding to the effective execution trace line number of the dependent data information is close The malware analysis system according to claim 1, wherein the addresses are grouped on the basis of and the dependency data information is grouped. A set of data dependency history information in which correspondence between multiple dependency data and multiple malware execution trace information is recorded,
The key identification means is
Scans the execution trace information from the execution trace recording means, finds the address of the reception buffer and the reception buffer length among the call arguments of the network reception function by the call argument, stores them in the variables Pmsg and Lmsg areas,
The data dependency information corresponding to the execution trace line number during execution of the malware program is extracted from the set of data dependency history information as the current data dependency history information, and the dependency data information of the current data dependency history information is set to set D. The substitution process is executed up to the end of the execution trace line of the malware program, and if the set D is an empty set, the set of addresses of the reception buffer is output as an address that does not depend on anywhere else,
2. If the set D is not an empty set, dependent address extraction procedure processing is performed for each entry in the set D, and a set of addresses that do not depend anywhere else is generated and output. Malware analysis system described in. The decryption result determination means
Decrypt the data with the encryption key candidates extracted by the key identification means,
The original data and the decoded data are compressed using a common compression algorithm, and the compressed data size when the decoded data is compressed is compared with the compressed data size when the data before decoding is compressed. The malware analysis system according to claim 1, wherein the malware analysis system is configured to identify an encryption key that has been successfully decrypted. A format definition storage means for storing information on the file format;
The decryption result determining means decrypts the data with the encryption key candidate extracted by the key specifying means, and the encryption key is obtained on the condition that the data after the decryption result matches the file format stored in the format definition storage means. The malware analysis system according to claim 1, wherein the malware analysis system is configured to specify

Images