smither

New Member
Hello malwaretips community,

We are developing a new malware analyser service for malware researchers https://malwareanalyser.io.
Its' main purpose is to tag anomalies in (x86\x64) PE files and show extended reports.
Only static analysis of PE files is available for now.
We use both heuristic rules and machine learning to classify and detect whether file is malicious or clean.

For example, we test this sample Ims00ry / ch4x0 ransomware - KernelMode.info
Result: MalwareAnalyser.io - Ultimate Online Malware Analyser & Heuristic Detection Engine powered by data mining and machine learning (ZeroVector)
wannacry: MalwareAnalyser.io - Ultimate Online Malware Analyser & Heuristic Detection Engine powered by data mining and machine learning (ZeroVector)

We kindly ask community to help us with service testing on different PE files and suggest features to improve.

Some technical information:

Heuristic core is written in C++ from scratch (more then 10k lines of code).
Prediction core is trained on Random Forests ensemble with more then 70 major features to classify if file malicious or not.

To train it we used dataset with about 1k malware samples and ~1k clean samples (from Program files, Windows and etc).
Prediction rate is about 97% on training set.

Also we have full db of virusshare samples (100k++) but we need almost same clean samples to build better dataset.
It will be great if someone tells us how to get 100k clean files of real (PE) program files :).

Some parts of engine will be open sourced on our github ( progressionnetwork - Overview).
 

Andrew3000

Level 6
Verified
Malware Tester

The Cog in the Machine

Level 11
Verified
Thanks for sharing!
It will be nice to follow the evolution of the project.
I wanted to warn you that I tried to upload a legit setup (avast secure browser) and it is flagged as malicious with 92% score.
You can find the report link here: MalwareAnalyser.io - Ultimate Online Malware Analyser & Heuristic Detection Engine powered by data mining and machine learning (ZeroVector)
The same with 7-zip installer? MalwareAnalyser.io - Ultimate Online Malware Analyser & Heuristic Detection Engine powered by data mining and machine learning (ZeroVector)
 

LDogg

Level 30
Verified
Very good startup idea from the offset however seems strange that it would 2 non-malicious software installers as malicious.

~LDogg
 

smither

New Member
Guys,
first of all thank you for tests and feedback.

We excluded all installation PEs from training set due to it's features (basically all installers use compression and almost all encryption) as result their resource sections (or overlay) will be highly likely as malicious.
Later we'll add more rules to process installer PE files too, but for now we are focused on detecting malicious (packed\crypted) files and avoid legit.
Also from training set was excluded dotnet files. Will be processed in near future.

I forgot to say about anomalies detection ability - in fact this is AV with white-box or advanced version of pe viewer with prediction and indicators.
Everyone is able to download any sample and test it personally. (Be careful and use virtual environments, password is infected).

For new dataset we'll try to train neural network to increase the success rate of classification.
 
Last edited:

smither

New Member
Same with Air Explorer setup
As we also described - classification of setup tools and installers is not main goal for now.
Due to nature of setup files (high entropy, encrypted resources or overlay and etc) it's classification should be training separately from other files.

We kindly ask to test malicious or any other (non-installers and non-setup) PE files.

Thank you.