US 12,333,008 B2
Emulation-based malware detection
Gabriel Cirlig, London (GB)
Assigned to CrowdStrike, Inc., Sunnyvale, CA (US)
Filed by CrowdStrike, Inc., Sunnyvale, CA (US)
Filed on Aug. 31, 2022, as Appl. No. 17/899,992.
Prior Publication US 2024/0070275 A1, Feb. 29, 2024
Int. Cl. G06F 21/56 (2013.01); G06N 5/022 (2023.01)
CPC G06F 21/566 (2013.01) [G06N 5/022 (2013.01); G06F 2221/033 (2013.01)] 17 Claims
[OG exemplary drawing not reproduced]

1. A method comprising:
obtaining an executable program compiled for a first execution environment;
processing, by a processing device, the executable program using an emulation function of a second execution environment to create an execution profile for the executable program, wherein the emulation function of the second execution environment is configured to emulate an execution of the executable program and to replace an application programming interface (API) function call within the executable program with an emulated API function call that is called within the second execution environment, and wherein the processing further comprises recording, as part of the execution profile, a plurality of executable instructions serially processed by the emulation function through one or more conditional or unconditional jump statements within the executable program; and
determining a malware classification for the executable program based on the execution profile and an analysis of the plurality of executable instructions.
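The steps of claim 1 (emulate the program in a second environment, replace API calls with emulated stand-ins, record every instruction serially processed through conditional and unconditional jumps, then classify from that profile) can be illustrated with a toy emulator. The following is an added example and is not the patent's or CrowdStrike's implementation: the instruction set, the emulated API names and return values, the sample programs, the step budget and the classification rules are all constructed here for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ExecutionProfile:
    """Record of one emulated run (the 'execution profile' of claim 1)."""
    instructions: list = field(default_factory=list)  # (pc, instruction) in the order processed
    api_calls: list = field(default_factory=list)     # (api_name, resolved_args, returned_value)
    jumps_taken: int = 0
    terminated: bool = False   # True only if the program reached 'ret' within the budget
    note: str = ""             # why emulation stopped early, if it did

# Constructed emulated API functions: each replaces a call the sample would make
# into its native environment with a call executed inside the emulator.
def emulated_api(name, args, state):
    if name == "GetTickCount":
        state["tick"] += 15        # fake clock that advances, so a wait loop makes progress
        return state["tick"]
    if name == "OpenProcess":
        return 0x1C                # fake handle
    if name == "WriteProcessMemory":
        return 1                   # report success so emulation continues past the call
    if name == "CreateRemoteThread":
        return 0x2C
    return 0                       # unknown API: return a neutral value, keep emulating

def emulate(program, max_steps=1000):
    """Run a toy program; record every instruction processed, jumps included."""
    regs = {"eax": 0, "ecx": 0}
    state = {"tick": 1000}
    val = lambda x: regs[x] if isinstance(x, str) else x   # register name or immediate
    zf, pc = False, 0
    profile = ExecutionProfile()
    for _ in range(max_steps):                 # bounded: a non-terminating sample cannot hang us
        if not 0 <= pc < len(program):
            profile.note = "control flow left the program"
            return profile
        instr = program[pc]
        profile.instructions.append((pc, instr))
        op = instr[0]
        if op == "mov":
            regs[instr[1]] = val(instr[2])
        elif op == "add":
            regs[instr[1]] += val(instr[2])
        elif op == "cmp":
            zf = val(instr[1]) == val(instr[2])
        elif op == "jmp":                      # unconditional jump
            profile.jumps_taken += 1
            pc = instr[1]
            continue
        elif op in ("jz", "jnz"):              # conditional jump on the zero flag
            if (op == "jz") == zf:
                profile.jumps_taken += 1
                pc = instr[1]
                continue
        elif op == "call":                     # API call replaced by the emulated function
            args = [val(a) for a in instr[2]]
            result = emulated_api(instr[1], args, state)
            profile.api_calls.append((instr[1], args, result))
            regs["eax"] = result
        elif op == "ret":
            profile.terminated = True
            return profile
        else:
            profile.note = f"unsupported opcode {op!r}"
            return profile
        pc += 1
    profile.note = "step budget exhausted"
    return profile

# Constructed detection rule: an ordered API sequence commonly flagged as process injection.
INJECTION_SEQUENCE = ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread")

def _contains_in_order(names, pattern):
    it = iter(names)                           # shared iterator: subsequence match, gaps allowed
    return all(any(n == p for n in it) for p in pattern)

def classify(profile):
    """Malware classification from the execution profile and the recorded instructions."""
    names = [c[0] for c in profile.api_calls]
    if _contains_in_order(names, INJECTION_SEQUENCE):
        return "malicious"
    if not profile.terminated:
        return "suspicious"                    # never returned within the budget
    return "benign"

# Constructed sample programs for the hypothetical first execution environment.
BENIGN = [("mov", "ecx", 3), ("add", "ecx", -1), ("cmp", "ecx", 0), ("jnz", 1), ("ret",)]
INJECTOR = [
    ("call", "GetTickCount", []), ("cmp", "eax", 1045), ("jnz", 0),   # wait on the clock
    ("call", "OpenProcess", [1234]), ("call", "WriteProcessMemory", ["eax"]),
    ("call", "CreateRemoteThread", ["eax"]), ("ret",),
]
LOOPER = [("jmp", 0)]                          # never terminates: exercises the step budget

if __name__ == "__main__":
    for label, prog in (("benign", BENIGN), ("injector", INJECTOR), ("looper", LOOPER)):
        p = emulate(prog, max_steps=50)
        print(label, classify(p), len(p.instructions), "instrs,", p.jumps_taken, "jumps", p.note)
```

Two design points matter for this kind of profiler. The emulated `GetTickCount` returns an advancing value: with a constant stub the wait loop in `INJECTOR` would never exit and the profile would never contain the API calls that follow it. And the step budget turns a non-terminating sample into a classifiable result rather than a hung analysis; here it is surfaced as `"suspicious"` with the reason in `note`.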