The document presents a technique for detecting and classifying self-deleting malware using Windows Prefetch files. It trains a KNN classifier to detect malware execution based on prefetch file features. It then applies a Jaccard similarity classifier to attribute the malware to a family. The approach extracts features from over 4,000 malware and benign prefetch files, applies normalization to select relevant features, trains the KNN detector, and uses minimum family features and Jaccard similarity to classify into 48 malware families. The technique can detect malware execution and attribute it to a family using only prefetch file evidence, without accessing the original malware sample.

1. Detecting and Classifying Self-Deleting
Windows Malware Using Prefetch Files
Presentation

2. Research
Objective
• Malware Detection
To present a technique for detecting malware execution
on a Windows Operating systems
• Malware Classification
To further classify the malware into its associated family.

3. Motivation
• Majority of the existing malware classification
techniques depends on the availability of the malware
sample. This is often not the case. For example,
Advanced Persistent Threat (APT) groups are known
to conduct targeted campaigns and then self-delete
the deployed malware. The authors in this paper
proposed an approach to detect evidence of malware
execution and perform malware classification without
assuming access to the original malware sample.
• MITRE ATT&CK framework defines such behavior as
Indicator Removal on Host::File Deletion (T1070.004)2
. Authors queried the ATT&CK repository and found
that 29.8% of threat actors and 33.7% of malware
campaigns have utilized self-deletion tactics.

4. Approach
The authors utilized the Windows Prefetch files to
detect and classify malware.
• A K-Nearest-Neighbor (kNN) classifier was trained to
detect if a prefetch file is evidence of malware
execution or not.
• The authors applied a custom classifier based on
Jaccard similarity to classify the suspected malware
into its closest family.
• The dataset used in the classification process
contained 48 Malware families and 4321 benign files
captured from live production systems.

5. Approach

6. Approach – Key
Terms
• Prefetch Files
• Jaccard Similarity

7. Key Terms –
Prefetch Files
These are the temporary files stored in the System
folder at (ROOT/Windows/Prefetch). A Prefetch file is a
file created when we open an application on our
windows system. Windows OS makes a prefetch record
when an application is run from a specific location for
the first time.

8. Prefetch Directory View

9. Prefetch Files View in Windows OS

10. Prefetch Files
Data
The key content found in a single prefetch file includes:
• Application (executable) name
• Hash of the executable path.
• The path of the executable file
• Timestamp (creation, modification, and accessed time
) of executable
• Run count (Number of times the application is
executed)
• Last run time
• The timestamp for the last 8 run time
• File and Directories referenced by the executable

11. Prefetch Files Tool – WinPrefetchView

12. Prefetch Files Tool – WinPrefetchView

13. Key Terms –
Jaccard Similarity
The Jaccard similarity index (sometimes called the
Jaccard similarity coefficient) compares data for two sets
to see which data is shared and which is unique. It’s a
measure of similarity for the two sets of data, with a
range from 0% to 100%. The higher the percentage, the
more similar is the data.

14. Key Terms –
Jaccard Similarity
Calculation
Jaccard Index %=
(similar number of data in both sets)
(total number of data in both sets)
*100
J(A,B) = (|A∩B| / |A∪B|)

15. Key Terms –
Jaccard Similarity
Example
Suppose
A = {0,1,2,3,4}
B = {0,2,4,6,8,10,12}
Solution: J(A,B) = |A∩B| / |A∪B| = |{0,2,5}| /
|{0,1,2,3,4,5,6,7,9}| = 3/9 = 0.33.
Similarity= 33%

16. Proposed
Methodology
The proposed scheme is divided into three phases.
1. Feature Extraction Selection, and Engineering from
Prefetch Files
2. Malware Detection
3. Malware Family Classification

17. Phase # 1
Feature Extraction, Selection,
and Engineering
1. Extract instances (features) from Prefetch files.
2. Apply Normalization Process to remove extra
features based on the following criteria.
• Concept Drifting
• Overfitting
• Variance
• Correlation

18. Drop Features Criteria
Concept drift: Concept drift is when features in datasets
decay over time due to underlying changes in the
malware.
Overfitting: Overfitting can occur when a dataset
contains features that leak the target class at training
time.
Low Variance: A model with low variance means
sampled data is close to where the model predicted it
would be.
High Correlation: Variables with high correlation (
strong relationship between them) are dropped in the
scheme.

19. Features Normalization
Results
Normalization reduced the data set from 4321
features (references) to 1381 features.
The final pre-process feature set is
represented as an unordered set, or a bag-of-
words (BoW), of the references made by a
process and is used to train the malware
detector and family classifier in the scheme.

20. Phase # 2
Malware Detection
The malware detector identifies which process’ prefetch
file contains evidence of malicious behavior. They
perform steps:
• Train K-Nearest Neighbor (KNN) model using Jaccard
distance metric and K = 5
• Windows OS can store up to 1024 prefetch files,
associated with most recent 1024 system processes.
• Extract features from each of 1024 prefetch files
• Clustered processed features against labeled dataset
of malware and benign softwares
• The 5 closest software instances makes the file
membership as benign or malware.
Note: the prefetch file is not malware but it holds forensic evidences of
malware execution left by each process’s prefetch file

21. Phase # 3
Malware Classification
• Once Malicious Process’s Prefetch file Identified, then
its feature set is used to classify into a known malware
family.
• The learned features dataset used to compute
Similarity metric and extends to Jaccard Similarity
Index to get semantic preservation.
Ensure Semantic Preservation by finding:
• Minimum feature set for each family that is a union of
all prefetch feature sets of malware of the family.
• This minimum feature set follows the intuition that
each malware variant within a family share a common
subset of behaviors. By guaranteeing the minimum
feature set is met before computing similarity, enforce
the assumption that removing core features degrades
program semantics.

22. Dataset
Dataset contains 4,442 prefetch files representing
• 4,442 unique malware process executions collected
from 48 malware families executed in a sandbox
hypervisor. The malware families capture a variety of
malware behavior, including cyber espionage (Duqu
2.0), proxy-enabling click fraud (Nodersok), and
selfpropagating worms that install backdoors
(EternalRocks). The authros executed each malware in
a Windows 10 virtual machine and extracted their
respective prefetch feature sets.
• 4,296 presumed benign prefetch files collected from
twenty Windows computers in a university computer
lab. Benign applications collected include common
Microsoft Office products, text editors, web browsers,
and various integrated development environments
(IDEs).