Project Ire autonomously identifies malware at scale
Spotlight: Microsoft research newsletter Microsoft Research Newsletter Stay connected to the research community at Microsoft. Subscribe today Opens in a new tab
Microsoft Research Newsletter Stay connected to the research community at Microsoft. Subscribe today
Microsoft Research Newsletter Stay connected to the research community at Microsoft. Subscribe today
The binary contains a function named ‘MonitorAndTerminateExplorerThread_16f64’ that runs an infinite loop waiting on synchronization objects and terminates system threads upon certain conditions. It queries system or process information, iterates over processes comparing their names case-insensitively to ‘Explorer.exe’, and manipulates registry values related to ‘Explorer.exe’. This function appears to monitor and potentially terminate or manipulate the ‘Explorer.exe’ process, a critical Windows shell process. Such behavior is suspicious and consistent with malware that aims to disrupt or control system processes. Another function, ‘HttpGetRequestAndResponse_174a4’, perfor
The binary contains several functions indicative of malicious intent. The function register_and_log_known_processes_140001000 logs and registers process names associated with antivirus and security software, such as ‘avp.exe’, ‘avpui.exe’, and ‘360Tray.exe’. It calls another function, TerminateProcessesByNameSubstring_1400010f4, which enumerates system processes and terminates those whose names contain specified substrings. This behavior is typical of malware attempting to disable or evade security software by killing their processes. Another function, check_and_handle_special_state_14000502c, performs checks on a global variable and triggers software interrupts if certain conditions are not met.
