The behavioral signals that sharpen Trojan malware detection
ID: 764d7db5-e15b-520b-9237-2a4b411f6ad6
STIX ID: report--764d7db5-e15b-520b-9237-2a4b411f6ad6
Feed Name: Help Net Security
This report summarizes a study that built a Trojan detection pipeline for Windows-based IoT/industrial gateways: 3,000 Windows executables were run in the ANY.RUN sandbox, 146 candidate features were distilled to 33 discriminative signals, and a custom neural network (TrDNN) was evaluated against other models. The retained features map to Trojan lifecycle behaviors: persistence via autorun keys and services, execution/evasion via process injection and memory allocation, C2 patterns such as low-jitter beacons and encrypted POSTs, and binary anomalies. Excluded signals (e.g., generic HTTP chains, living-off-the-land binaries) were dropped for poor discriminatory value. The paper also details a lightweight three-minute monitoring loop runnable on a standard Intel Core i7 workstation, and it calls out limits including single-sandbox data, dormancy and sandbox-detection evasion, and Windows-only applicability.