ReportMlFileAnalyses.md

File metadata and controls

11 lines (8 loc) · 7.37 KB

# IO.Swagger.Model.ReportMlFileAnalyses

## Properties

Name | Type | Description | Notes
------------ | ------------- | ------------- | -------------
**FeatureMaliciousness** | **Object** | Manalyze feature analysis of the submitted PE file (field layout and example below) | [optional]
**GeneticAnalysis** | **ReportMlFileAnalysesGeneticAnalysis** | | [optional]
**BlackBox** | **ReportMlFileAnalysesBlackBox** | | [optional]

### FeatureMaliciousness

This analysis extracts Manalyze features from the submitted PE file and compares them to the features extracted from millions of other files we've seen. This is done in two ways. First, the features are fed through a random forest trained on Manalyze features from millions of benign and malicious files, which gives an accurate, calibrated score (0-100) indicating whether the file is malicious. That score is currently used as the `overall_score` for this section (found in `ml_file.overall_scores.feature_maliciousness`). Second, to make the result visible to the customer, each individual Manalyze feature from the submitted PE file is also looked up in the training data used to train the random forest. For example, if feature X was associated with 4000 malicious files and 100 benign files during training, it has a very high maliciousness score and was likely very relevant in the random forest's decision-making. Although a submitted file may generate many Manalyze features, only the top 10 (most malicious) are returned in the output.

This section is a dictionary of key-value pairs. Each key is a Manalyze feature found in the file, and each value is a dictionary describing that feature and its maliciousness:

* `category` - Manalyze feature category (if you split the feature string on the `->` arrows, this is the first element)
* `indicator` - same as the key: the full Manalyze feature string
* `description` - Manalyze feature description (if you split the feature string on the `->` arrows, this is the last two elements)
* `benign` - int, the number of benign files in our training set that also had this feature
* `malware` - int, the number of malicious files in our training set that also had this feature
* `percent` - float between 0 and 100, the percentage of malicious files in our training set that had this feature (note that the example below carries this value under the key `probability`)

Example:

```json
{
  "Summary -> Debug artifacts -> \"Embedded COFF debugging symbols\"": {
    "category": "Summary",
    "benign": 61689,
    "indicator": "Summary: Debug artifacts: \"Embedded COFF debugging symbols\"",
    "description": "Debug artifacts: \"Embedded COFF debugging symbols\"",
    "probability": 5.302182777485837,
    "malware": 3454
  },
  "Imports -> Functions which can be used for anti-debugging purposes -> \"QueryPerformanceCounter\"": {
    "category": "Imports",
    "benign": 1040942,
    "indicator": "Imports: Functions which can be used for anti-debugging purposes: \"QueryPerformanceCounter\"",
    "description": "Functions which can be used for anti-debugging purposes: \"QueryPerformanceCounter\"",
    "probability": 12.617273255729417,
    "malware": 150303
  },
  "Imports -> [!] The program may be hiding some of its imports -> \"LoadLibraryExA\"": {
    "category": "Imports",
    "benign": 267308,
    "indicator": "Imports: [!] The program may be hiding some of its imports: \"LoadLibraryExA\"",
    "description": "[!] The program may be hiding some of its imports: \"LoadLibraryExA\"",
    "probability": 13.29114472350597,
    "malware": 40974
  },
  "Compilers -> \"Borland C / Borland Builder\"": {
    "category": "Compilers",
    "benign": 8681,
    "indicator": "Compilers: \"Borland C / Borland Builder\"",
    "description": "Compilers: \"Borland C / Borland Builder\"",
    "probability": 0.8420515384741805,
    "malware": 74
  },
  "Packer -> \"Unusual section name found: .debug\"": {
    "category": "Packer",
    "benign": 8985,
    "indicator": "Packer: \"Unusual section name found: .debug\"",
    "description": "Packer: \"Unusual section name found: .debug\"",
    "probability": 1.634983439408563,
    "malware": 149
  },
  "Packer -> \"Unusual section name found: CODE\"": {
    "category": "Packer",
    "benign": 131833,
    "indicator": "Packer: \"Unusual section name found: CODE\"",
    "description": "Packer: \"Unusual section name found: CODE\"",
    "probability": 19.252079487197864,
    "malware": 31432
  },
  "Imports -> [!] The program may be hiding some of its imports -> \"GetProcAddress\"": {
    "category": "Imports",
    "benign": 1246034,
    "indicator": "Imports: [!] The program may be hiding some of its imports: \"GetProcAddress\"",
    "description": "[!] The program may be hiding some of its imports: \"GetProcAddress\"",
    "probability": 22.225573409883452,
    "malware": 356079
  },
  "Mitigation -> Stack Canary -> \"disabled\"": {
    "category": "Mitigation",
    "benign": 2573984,
    "indicator": "Mitigation: Stack Canary: \"disabled\"",
    "description": "Stack Canary: \"disabled\"",
    "probability": 15.435381249489767,
    "malware": 469823
  },
  "Imports -> Enumerates local disk drives -> \"GetDriveTypeA\"": {
    "category": "Imports",
    "benign": 136787,
    "indicator": "Imports: Enumerates local disk drives: \"GetDriveTypeA\"",
    "description": "Enumerates local disk drives: \"GetDriveTypeA\"",
    "probability": 31.576599490610228,
    "malware": 63126
  },
  "Packer -> \"Unusual section name found: DATA\"": {
    "category": "Packer",
    "benign": 130633,
    "indicator": "Packer: \"Unusual section name found: DATA\"",
    "description": "Packer: \"Unusual section name found: DATA\"",
    "probability": 19.524015449196582,
    "malware": 31692
  }
}
```
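As an added example (not part of this generated model documentation or the API's own code), the Python below validates a `FeatureMaliciousness` section against the field layout described above and ranks the features by their percentage. The sample entries are copied from the page's example; the formula it recomputes, malware / (malware + benign) * 100, is inferred from those example numbers rather than stated by the page, so it is checked with a loose tolerance.

```python
import math

SEP = " -> "  # arrow separator used in every FeatureMaliciousness key

# Constructed sample: three entries copied from the example in this document.
SAMPLE = {
    'Summary -> Debug artifacts -> "Embedded COFF debugging symbols"': {
        "category": "Summary", "benign": 61689, "malware": 3454,
        "description": 'Debug artifacts: "Embedded COFF debugging symbols"',
        "probability": 5.302182777485837},
    'Imports -> Enumerates local disk drives -> "GetDriveTypeA"': {
        "category": "Imports", "benign": 136787, "malware": 63126,
        "description": 'Enumerates local disk drives: "GetDriveTypeA"',
        "probability": 31.576599490610228},
    'Packer -> "Unusual section name found: CODE"': {
        "category": "Packer", "benign": 131833, "malware": 31432,
        "description": 'Packer: "Unusual section name found: CODE"',
        "probability": 19.252079487197864},
}

def parse_feature(key, info):
    """Check one entry against the documented layout; raise ValueError if inconsistent."""
    parts = key.split(SEP)
    if len(parts) < 2 or info["category"] != parts[0]:    # first arrow element
        raise ValueError(f"category mismatch for {key!r}")
    if info["description"] != ": ".join(parts[-2:]):     # last two elements
        raise ValueError(f"description mismatch for {key!r}")
    benign, malware = int(info["benign"]), int(info["malware"])
    if benign < 0 or malware < 0 or benign + malware == 0:
        raise ValueError(f"bad counts for {key!r}")
    # The field list names the percentage 'percent', the example 'probability'.
    # Its value tracks malware / (malware + benign) * 100 (inferred from the
    # example numbers, not stated on the page), so recompute it as a check.
    reported = float(info.get("percent", info.get("probability")))
    if not math.isclose(100.0 * malware / (malware + benign), reported, abs_tol=0.01):
        raise ValueError(f"percent does not match counts for {key!r}")
    return {"category": parts[0], "description": info["description"],
            "benign": benign, "malware": malware, "percent": reported}

def is_valid(key, info):
    """True if the entry passes every check in parse_feature, else False."""
    try:
        return bool(parse_feature(key, info))
    except (ValueError, KeyError, TypeError):
        return False

def rank_features(section, top=10):
    """Parse a whole section and rank features by percent, most malicious first."""
    records = [parse_feature(k, v) for k, v in section.items()]
    return sorted(records, key=lambda r: r["percent"], reverse=True)[:top]
```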

[Back to Model list] [Back to API list] [Back to README]