The WildFire cloud now analyzes secondary payloads (samples) of multi-stage PE, APK, and ELF malware packages. Analyzing the original sample submission alone does not provide complete coverage, as advanced threats typically use multiple samples during attacks; instead, analyzing secondary payloads can provide additional leverage to disrupt these sophisticated attacks by maximizing detection and coverage. These advanced threats operate by executing code which activate additional malicious payloads with various objectives, including those designed to assist in the circumvention of security measures as well as facilitate proliferation of the primary payload. WildFire analyzes the multi-stage threats by processing them in static, dynamic, or bare metal analysis environments. Files found in the multi-stage malware attack are treated independently during analysis; as a result, verdicts and protections are delivered as soon as they finish for each stage of the attack. The overall verdict for the original submission is determined based on a threat assessment of malicious content found in all analyzed stages of the attack.

The following example shows a malicious PE file that contains two intermediate stages, both with two pairs of PE files. When WildFire analyzes each stage, protections are generated and distributed to products and services that integrate with WildFire.