
Dynamic Ransomware Analysis using CAPEv2 and Retrieval-Augmented Generation

  • Gönenç Can*
  • H. Hakan Kilinc
  • Ibrahim Gülataş
  • A. Halim Zaim
  • *Corresponding author for this work
  • Istanbul Technical University
  • Skyz: Tech R and D Center

Research output: Contribution to journal › Conference article › peer-reviewed

Abstract

Malware continues to evolve rapidly, exploiting techniques such as obfuscation, encryption and polymorphism to evade traditional cybersecurity mechanisms. The outputs of dynamic sandbox analysis with tools such as CAPEv2, however, are complex and voluminous records that require deep expertise and significant amounts of time to interpret effectively. Manual review of these records is inefficient and prone to human error, especially in time-critical contexts such as threat mitigation and incident response. To address this challenge, we introduce an AI-powered malware analysis framework that uses a Retrieval-Augmented Generation (RAG) strategy to interpret CAPEv2 analysis results. Our solution automatically extracts key information by integrating Large Language Models (LLMs) with behavioral logs, generates human-readable summaries, and facilitates analyst interaction through a web-based interface. The main contribution of our work is the automation of the end-to-end dynamic analysis pipeline, from running malware in a sandboxing environment to log interpretation and report generation. The developed framework provides key functionalities, including real-time log processing, context generation, and automatic report generation with generative AI models through a user-friendly web interface. Our evaluation shows a significant improvement in analysis time, with average task times reduced by more than 5x compared to manual review.
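The abstract describes the retrieval half of the pipeline only at a high level: behavioral logs from CAPEv2 are turned into context that an LLM summarises. The block below is an added illustration, not code from the paper or from the CAPEv2 project, of what that "context generation" step can look like. It assumes the report follows the layout of a CAPEv2 `report.json` (`behavior.summary` lists and a `signatures` array), uses a constructed sample rather than a real detonation, substitutes lexical BM25 ranking for whatever retriever the authors used, and stops at the point where the assembled context would be sent to the LLM. Chunk identifiers, section names and the `build_context` function are this example's own conventions.

```python
"""Turn a CAPEv2-style behavioural report into retrievable context for an LLM prompt."""
import json
import math
import re
from collections import Counter

# Constructed sample shaped after CAPEv2's report.json; not output from a real task.
SAMPLE_REPORT = json.loads(r"""
{
  "info": {"id": 42, "category": "file", "package": "exe"},
  "target": {"file": {"name": "invoice.exe", "size": 245760}},
  "behavior": {
    "summary": {
      "write_files": [
        "C:\\Users\\user\\Documents\\report.docx.locked",
        "C:\\Users\\user\\Documents\\budget.xlsx.locked",
        "C:\\Users\\user\\Desktop\\README_RESTORE.txt"
      ],
      "delete_files": [
        "C:\\Users\\user\\Documents\\report.docx",
        "C:\\Users\\user\\Documents\\budget.xlsx"
      ],
      "write_keys": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"
      ],
      "executed_commands": [
        "vssadmin.exe delete shadows /all /quiet",
        "wbadmin delete catalog -quiet"
      ],
      "mutexes": ["Global\\ransom-mutex"]
    }
  },
  "signatures": [
    {"name": "deletes_shadow_copies", "severity": 3,
     "description": "Attempts to delete volume shadow copies to prevent recovery"},
    {"name": "ransomware_file_modifications", "severity": 3,
     "description": "Writes many files with a new extension and deletes the originals"},
    {"name": "persistence_autorun", "severity": 2,
     "description": "Installs itself for autorun at Windows startup"}
  ]
}
""")


def extract_chunks(report):
    """Flatten the report sections an analyst reads first into small text chunks.
    One chunk per behavior.summary section keeps related events together;
    each signature becomes its own chunk because it is already a compact verdict."""
    chunks = []
    summary = report.get("behavior", {}).get("summary", {})
    for section, items in summary.items():
        if items:
            text = section.replace("_", " ") + ": " + "; ".join(items)
            chunks.append({"id": f"summary/{section}", "section": section, "text": text})
    for sig in report.get("signatures", []):
        text = (f"signature {sig['name']} (severity {sig.get('severity')}): "
                f"{sig.get('description', '')}")
        chunks.append({"id": f"signature/{sig['name']}", "section": "signatures", "text": text})
    return chunks


def tokenize(text):
    """Lower-case, split on anything non-alphanumeric so paths and commands break into terms."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) > 1]


class Bm25Index:
    """Minimal BM25 over the chunks; stands in for an embedding retriever."""

    def __init__(self, chunks, k1=1.5, b=0.75):
        self.chunks, self.k1, self.b = chunks, k1, b
        self.docs = [Counter(tokenize(c["text"])) for c in chunks]
        self.lengths = [sum(d.values()) for d in self.docs]
        self.avgdl = (sum(self.lengths) / len(self.lengths)) if self.lengths else 1.0
        df = Counter()
        for d in self.docs:
            df.update(d.keys())
        n = len(self.docs)
        self.idf = {t: math.log(1 + (n - f + 0.5) / (f + 0.5)) for t, f in df.items()}

    def score(self, query_tokens, i):
        d, dl = self.docs[i], self.lengths[i]
        s = 0.0
        for t in query_tokens:
            if t in d:
                tf = d[t]
                norm = tf + self.k1 * (1 - self.b + self.b * dl / self.avgdl)
                s += self.idf[t] * tf * (self.k1 + 1) / norm
        return s

    def retrieve(self, question, k=3):
        """Return up to k (chunk, score) pairs with a positive match, best first."""
        q = tokenize(question)
        scored = [(self.chunks[i], self.score(q, i)) for i in range(len(self.chunks))]
        scored = [pair for pair in scored if pair[1] > 0]
        return sorted(scored, key=lambda pair: pair[1], reverse=True)[:k]


def build_context(report, question, k=3):
    """Assemble the evidence block a RAG step would hand to the LLM: sample identity,
    the analyst's question, and only the top-k matching chunks with their ids so the
    generated summary can cite where each claim came from."""
    hits = Bm25Index(extract_chunks(report)).retrieve(question, k)
    target = report.get("target", {}).get("file", {}).get("name", "unknown")
    lines = [f"Sample: {target} (CAPEv2 task {report.get('info', {}).get('id')})",
             f"Question: {question}", "Evidence:"]
    lines += [f"- [{c['id']}] {c['text']}" for c, _ in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_context(SAMPLE_REPORT, "How does the sample prevent recovery of the files?"))
```

Keeping chunk ids in the context is the part worth copying: when the LLM's summary cites `[signature/deletes_shadow_copies]` or `[summary/executed_commands]`, the analyst can jump straight to the raw CAPEv2 evidence instead of trusting the generated text, which is the failure mode a RAG front-end over sandbox logs most needs to guard against.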

Original language: English
Pages (from-to): 1147-1152
Number of pages: 6
Journal: International Conference on Computer Science and Engineering, UBMK
Issue number: 2025
Publication status: Published - 2025
Published externally: Yes
Event: 10th International Conference on Computer Science and Engineering, UBMK 2025 - Istanbul, Türkiye
Duration: 17 Sep 2025 to 21 Sep 2025

Bibliographical note

Publisher Copyright:
© 2025 IEEE.
