Malware analysts face challenges related to the increasing number of malware variants emerging every year. The conventional classification of Windows PE32 executables into benign and malicious is no longer sufficient and needs refinement when it comes to detecting malware samples with similar functionality that belong to the same category. It is therefore important to explore sources of multiple dynamic characteristics that can substantially improve similarity-based malware detection through indicators of compromise from disk, network and memory. The goal of this thesis is to explore a way to improve multinomial malware classification by exploiting available dynamic characteristics.
In this work, dynamic features were extracted with the help of the automated malware analysis system Cuckoo Sandbox and classified into their ten respective families with the machine learning library Weka. It was analysed which dynamic features contribute the most to multinomial malware classification and what the performance gain is compared to static feature-based malware classification. An overall classification result of 87.5% could be achieved, with the best performing dynamic features being the modified and opened registry keys, the created and modified files, the loaded DLLs and the resolved hosts. The best performing classifier was Random Forest. This result, however, can be improved in the future by adding more dynamic features or combining them with selected static features.
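As an added illustration of the feature groups named above (registry keys, created files, loaded DLLs, resolved hosts), the following Python script is not from the thesis: it flattens Cuckoo-style behaviour summaries into sets of indicator tokens and assigns an unknown sample to the nearest known family by Jaccard similarity. The report dicts are constructed, the summary key names (regkey_written, file_created, dll_loaded, network.hosts/domains) follow the Cuckoo 2.x report layout as assumed here, and the nearest-neighbour step stands in for the Weka/Random Forest pipeline the thesis actually used.

```python
"""Constructed example: Cuckoo-style behaviour summaries -> indicator sets ->
nearest-family classification by Jaccard similarity (stdlib only)."""

# Summary lists treated as dynamic features, one per group the thesis found
# most useful. Key names follow the Cuckoo 2.x report layout (assumed here).
SUMMARY_GROUPS = {
    "regkey": ("regkey_opened", "regkey_written"),
    "file": ("file_created", "file_written"),
    "dll": ("dll_loaded",),
}


def normalise(value):
    """Lower-case, unify separators and mask the user-profile segment so the
    same behaviour observed under different sandbox users yields one token."""
    parts = value.lower().replace("\\", "/").split("/")
    if len(parts) > 2 and parts[0] == "c:" and parts[1] == "users":
        parts[2] = "<user>"
    return "/".join(parts)


def extract_features(report):
    """Flatten a Cuckoo-style report dict into a set of 'group:value' tokens."""
    feats = set()
    summary = report.get("behavior", {}).get("summary", {})
    for group, keys in SUMMARY_GROUPS.items():
        for key in keys:
            for value in summary.get(key, []):
                feats.add("%s:%s" % (group, normalise(value)))
    network = report.get("network", {})
    for host in network.get("hosts", []):
        feats.add("host:" + host.lower())
    for entry in network.get("domains", []):
        feats.add("host:" + entry["domain"].lower())
    return feats


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets are treated as dissimilar."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_similarity(a, b):
    """Per-group Jaccard, showing which indicator source drives a match."""
    groups = sorted({f.split(":", 1)[0] for f in a | b})
    return {g: jaccard({f for f in a if f.startswith(g + ":")},
                       {f for f in b if f.startswith(g + ":")}) for g in groups}


def classify(features, labelled):
    """Nearest-neighbour family label: (family, similarity to closest sample)."""
    family, best = None, -1.0
    for label, sample_feats in labelled:
        score = jaccard(features, sample_feats)
        if score > best:
            family, best = label, score
    return family, best


# Constructed reports (not real analysis output); addresses are documentation
# ranges and reserved names.
def _report(regkeys, files, dlls, hosts, domains):
    return {"behavior": {"summary": {"regkey_written": regkeys,
                                     "file_created": files,
                                     "dll_loaded": dlls}},
            "network": {"hosts": hosts,
                        "domains": [{"domain": d} for d in domains]}}


TRAINING = [
    ("family_a", _report(
        ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
        ["C:\\Users\\alice\\AppData\\Roaming\\svc.exe"],
        ["WININET.dll", "ADVAPI32.dll"], ["203.0.113.10"], ["update.example"])),
    ("family_b", _report(
        ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper"],
        ["C:\\Windows\\Temp\\helper.dll"],
        ["WS2_32.dll", "KERNEL32.dll"], ["198.51.100.7"], ["cdn.example"])),
]
LABELLED = [(label, extract_features(r)) for label, r in TRAINING]

# Unknown sample: same persistence key and dropped file as family_a, but run
# under a different user and with a partly different DLL set.
UNKNOWN = _report(
    ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    ["C:\\Users\\bob\\AppData\\Roaming\\svc.exe"],
    ["WININET.dll", "KERNEL32.dll"], ["203.0.113.10"], [])

if __name__ == "__main__":
    feats = extract_features(UNKNOWN)
    family, score = classify(feats, LABELLED)
    print(family, round(score, 3))                # family_a 0.571
    print(group_similarity(feats, LABELLED[0][1]))
```

The per-group breakdown from `group_similarity` is the part a practitioner wants when deciding which indicator source to keep: here the registry key and dropped file match completely while the DLL and host groups only partially overlap. Masking the user-profile segment in `normalise` matters because a sandbox that runs samples under varying user names would otherwise split one behaviour into several tokens and drag the similarity down.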