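% Journal article on how often malware samples run environment checks
% (debugger, sandbox, virtual machine monitor) before deciding to execute.
%
% Scope caveat for readers citing the figures: per the abstract, the counts
% cover only the 28 anti-analysis operations the study looked for, on samples
% collected in 2016, as observed in the API call logs of the FFRI Dataset.
%
% Field notes:
%   - abstract: moved out of the note field, which styles print verbatim in
%     the reference list. The literal percent sign is escaped so it cannot
%     start a LaTeX comment and swallow the rest of the line.
%   - author: the repository export listed two names that appear to be the
%     same person in Japanese script and in romanised form (TODO confirm
%     against the publisher record). The romanised form is kept as the
%     author; the native-script form is preserved in an ignored field.
%   - number: classic styles ignore a field called issue.
%   - month: predefined macro, unbraced, so styles can localise it.
%   - title: the acronym is braced so sentence-casing styles keep it.
%   - The citation key is left exactly as exported so existing citations
%     keep resolving.
@article{oai:tsukuba.repo.nii.ac.jp:00046267,
  author        = {Oyama, Yoshihiro},
  author-native = {大山, 恵弘},
  title         = {Trends of anti-analysis operations of malwares observed in {API} call logs},
  journal       = {Journal of Computer Virology and Hacking Techniques},
  volume        = {14},
  number        = {1},
  pages         = {69--85},
  month         = feb,
  year          = {2017},
  abstract      = {Some malwares execute operations that determine whether they are running in an analysis environment created by monitoring software, such as debuggers, sandboxing systems, or virtual machine monitors, and if such an operation finds that the malware is running in an analysis environment, it terminates execution to prevent analysis. The existence of malwares that execute such operations (anti-analysis operations) is widely known. However, the knowledge acquired thus far, regarding what proportion of current malwares execute anti-analysis operations, what types of anti-analysis operations they execute, and how effectively such operations prevent analysis, is insufficient. In this study, we analyze FFRI Dataset, which is a dataset of dynamic malware analysis results, and clarify the trends in the anti-analysis operations executed by malware samples collected in 2016. Our findings revealed that, among 8243 malware samples, 856 (10.4\%) samples executed at least one type of the 28 anti-analysis operations investigated in this study. We also found that, among the virtual machine monitors, VMware was the most commonly searched for by the malware samples.},
}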