The ability to swiftly and accurately analyze malware is paramount. Traditional reverse engineering and code analysis methods are often too slow to keep pace with the sheer volume of new threats.
Enter Gemini 1.5 Flash, Google’s latest lightweight and cost-effective model, designed to revolutionize malwareanalysis with remarkable speed and efficiency.
In this article, we delve into Gemini 1.5 Flash’s capabilities, real-world performance, and the infrastructure supporting its deployment.
Gemini 1.5 Flash: A Game Changer in Malware Analysis
According to the Google Cloud report, Gemini 1.5 Flash builds on the robust capabilities of Gemini 1.5 Pro and is engineered for rapid inference and cost-effective deployment.
Both models share the same multimodal capabilities and can handle a context window of over 1 million tokens.
However, Gemini 1.5 Flash stands out with its optimized efficiency and speed, achieved through parallel computation of attention and feedforward components and online distillation techniques.
These architectural optimizations enable Gemini 1.5 Flash to process up to 1,000 requests per minute and 4 million tokens per minute.
This capability is crucial for handling the vast influx of new files analyzed daily by platforms like VirusTotal, which sees an average of 1.2 million unique new files daily.
Real-World Performance: Speed and Accuracy
To evaluate Gemini 1.5 Flash’s real-world performance, we analyzed 1,000 Windows executables and DLLs randomly selected from VirusTotal’s incoming stream.
This diverse selection included both legitimate software and various types of malware. The results were impressive, with Gemini 1.5 Flash processing each file in an average of 12.72 seconds, excluding the unpacking and decompilation stages.
Example 1: Dispelling a False Positive in 1.51 Seconds
In one instance, Gemini 1.5 Flash analyzed the file goopdate.dll (103.52 KB) in just 1.51 seconds. This file triggered a single anti-virus detection on VirusTotal, a common occurrence requiring time-consuming manual review.
Gemini 1.5 Flash quickly identified the file as a simple executable launcher for the BraveUpdate.exe application, allowing analysts to dismiss the alert as a false positive confidently.
False Positive Analysis
Example 2: Resolving Another False Positive
Another example involved the file BootstrapPackagedGame-Win64-Shipping.exe (302.50 KB), flagged by two anti-virus engines on VirusTotal.
Gemini 1.5 Flash analyzed the decompiled code in just 4.01 seconds, revealing that the file was a game launcher. This insight allowed analysts to categorize the file as legitimate, avoiding unnecessary time and effort spent on a potential false positive.
Figure 1Game Launcher Analysis
Example 3: Longest Processing with Obfuscated Code
The file svrwsc.exe (5.91 MB) required the longest processing time: 59.60 seconds. Despite obfuscation techniques like XOR encryption, Gemini 1.5 Flash completed its analysis in less than a minute.
It identified the sample as malicious and pinpointed its backdoor functionality, which was designed to exfiltrate data and connect to command-and-control (C2) servers.
Obfuscated Code Analysis
Example 4: Cryptominer Analysis
Gemini 1.5 Flash analyzes the decompiled code of a crypto-miner named colto.exe. The model receives only the decompiled code as input, without additional metadata or context from VirusTotal.
Within just 12.95 seconds, Gemini 1.5 Flash provides a comprehensive analysis, identifying the malware as a crypto-miner.
It highlights obfuscation techniques and extracts key Indicators of Compromise (IOCs), such as the download URL, file path, mining pool, and wallet address.
Crypro Analysis
Example 5: Unmasking a Zero-Hour Keylogger
This example demonstrates the power of analyzing code for malicious behavior, particularly in detecting threats that traditional security solutions miss.
The executable AdvProdTool.exe (87KB) was submitted to VirusTotal, where it evaded all antivirus engines, sandboxes, and detection systems during its initial upload and analysis.
However, Gemini 1.5 Flash uncovers its true nature. In just 4.7 seconds, the model analyzes the decompiled code, identifies it as a keylogger, and reveals the IP address and port where it exfiltrates stolen data.
The analysis highlights the code’s use of OpenSSL to establish a secure TLS connection to the IP address on port 443.
Crucially, Gemini points out the suspicious use of keyboard input capture functions (GetAsyncKeyState, GetKeyState) and their connection to data transmission over the secure channel (SSL_write).
Zero-Hour Keylogger
Infrastructure and Workflow
The impressive performance of Gemini 1.5 Flash is supported by a robust infrastructure built on Google Compute Engine.
The multi-stage workflow includes scaled unpacking and decompilation stages, leveraging Mandiant Backscatter and Hex-Rays Decompilers.
Mandiant Backscatter
Mandiant Backscatter, an internal cloud-based malware analysis service, dynamically unpacks incoming binaries. The unpacked binaries are then processed by a cluster of Hex-Rays Decompilers running on Google Compute Engine.
This setup ensures that the decompiled code is concise and ready for analysis by Gemini 1.5 Flash.
Hex-Rays Decompiler
The Hex-Rays IDA Pro Decompilers provide the scalable decompilation power necessary for this pipeline. The resulting decompiled pseudo-C code is stored in aGoogleCloud Storage bucket, ready for analysis by Gemini 1.5 Flash.
While Gemini 1.5 Flash’s impressive performance is heavily dependent on the quality of the preceding unpacking and decompilation stages.
Continuous improvement in these areas is essential to ensure the highest quality output for analysis. Ongoing development efforts focus on enhancing Gemini’s analytical capabilities and refining the unpacking and decompilation stages.
Gemini 1.5 Flash represents a significant advancement in malware analysis, offering speed and efficiency that traditional methods cannot match.
By leveraging the power of AI and a robust infrastructure, Gemini 1.5 Flash is poised to transform how we approach malware dissection, making the digital world safer.
Samples Details
The following table contains details on the binary samples discussed in this post.
Filename SHA-256 goopdate.dll0d2115d3de900bcd5aeca87b9af0afac90f99c5a009db7c162101a200fbfeb2cBootstrapPackagedGame-Win64-Shipping.exe07db922be22e4feedbacea7f92983f51404578bd0c495abaae3d4d6bf87ae6d0svrwsc.exe0cdb71e81b07247ee9d4ea1e1005c9454a5d3eb5f1078279a905f0095fd88566colto.exe091e505df4290f1244b3d9a75817bb1e7524ac346a2f28b0ef3c689c445beb453DViewer2009.exe08f20e0a2d30ba259cd3fe2a84ead6580b84e33abfcec4f151c5b2e454602f81AdvProdTool.exe04af0519d0dbe20bc8dc8ba4d97a791ae3e3474c6372de83087394d219babd47
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"-[Free Demo](https://www.cynet.com/request-a-demo/?utm_source=cyber_security_news&utm_medium=display_ad&utm_campaign=Q3-sponsored-webinars)
