Virtualization/Sandbox Evasion: Time Based Checks, Sub-technique T1497.003 - Enterprise
AppleJeus has waited a specified time before downloading a second stage payload.[2]
BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.[3]
Bazar can use a timer to delay execution of core functionality.[4]
BendyBear can check for analysis environments and signs of debugging using the Windows API call kernel32!GetTickCount.[5]
Bisonal has checked whether it is running in a virtual environment by comparing timing measurements taken with GetTickCount(), an anti-debugging check.[6][7]
Brute Ratel C4 can call NtDelayExecution to pause execution.[8][9]
Bumblebee has the ability to set a hardcoded and randomized sleep interval.[10]
Clambling can wait 30 minutes before initiating contact with C2.[11]
Clop has used the sleep command to avoid sandbox detection.[12]
Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload.[13]
DarkTortilla can call the kernel32.dll Sleep function to delay execution for up to 300 seconds before establishing persistence or processing an addon package.[14]
DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to measure function timing.[15] DRATzarus can also be remotely commanded to enter sleep mode under specific conditions to evade detection.[15]
Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.[16]
EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.[17]
evilginx2 has the ability to hide phishing lures for a set time to avoid scanning by sandboxes.[18]
FatDuke can turn itself on or off at random intervals.[19]
GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.[20]
GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.[21]
Gootloader can designate a sleep period of more than 22 seconds between stages of infection.[22]
GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.[23]
GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.[24]
The Havoc demon agent can be set to sleep for a specified time.[25][26]
HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.[27]
HiddenFace can sleep randomly between 30 and 60 seconds to avoid behavioral analysis.[28]
IPsec Helper will sleep for a random number of seconds, iterating 200 times over sleeps between one to three seconds, before continuing execution flow.[29]
LiteDuke can wait 30 seconds before executing additional code if security software is detected.[19]
Lokibot has performed a time-based anti-debug check before downloading its third stage.[30]
LunarWeb can pause for a number of hours before entering its C2 communication loop.[31]
metaMain has delayed execution for five to six minutes during its persistence establishment process.[32]
Okrum's loader can detect the presence of an emulator by making two calls to the GetTickCount API and checking whether time has been accelerated.[33]
During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.[15]
P8RAT has the ability to "sleep" for a specified time to evade detection.[34]
Pony has delayed execution using a built-in function to avoid detection and analysis.[35]
The QakBot dropper can delay dropping the payload to evade detection.[36][37]
After initial installation, Raindrop runs a computation to delay execution.[38]
RansomHub can sleep for a set number of minutes before beginning execution.[39]
Saint Bot has used the command timeout 20 to pause the execution of its initial loader.[40]
Snip3 can execute WScript.Sleep to delay execution of its second stage.[41]
SodaMaster has the ability to put itself to "sleep" for a specified time.[34]
StrifeWater can modify its sleep time responses from the default of 20-22 seconds.[42]
SUNBURST remained dormant after initial access for a period of up to two weeks.[43]
SVCReady can enter a sleep stage for 30 minutes to evade detection.[44]
ThiefQuest reads the system time, executes a sleep command, reads the time a second time, and then compares the difference between the two readings against the amount of time it asked to sleep in order to identify a sandbox.[45]
Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.[46]
TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.[47]
Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.[48]
WhisperGate can pause for 20 seconds to bypass antivirus solutions.[49][50]
Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.[51]
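The sleep-then-measure pattern attributed above to Bisonal, EvilBunny, Okrum and ThiefQuest (read the clock, sleep, read it again, compare the elapsed time to the requested delay) is shown below as an added Python illustration. It is not code from any of the listed malware families or from ATT&CK. Names such as check_sleep_tampering and FakeSandbox are made up for this example; FakeSandbox is a constructed stand-in for an analysis sandbox that hooks the sleep call so it returns immediately while advancing one monitored clock by the requested amount, which is enough to fool a single-clock check but not a multi-clock one (the EvilBunny "three different APIs" approach).

```python
"""Time-based sandbox check (T1497.003), added illustration only.

Reads several clocks, sleeps, reads them again and compares the elapsed
time to the requested delay.  A sandbox that patches the sleep call to
return early shows up as a too-short elapsed time; a sandbox that also
fakes one clock shows up as disagreement between clocks.
"""
import time
from typing import Callable, Dict, Sequence

Clock = Callable[[], float]
SleepFn = Callable[[float], None]

# Assumption for the example: these three clocks stand in for the separate
# Windows APIs (GetTickCount, GetSystemTimeAsFileTime, ...) the page mentions.
DEFAULT_CLOCKS: Sequence[Clock] = (time.monotonic, time.perf_counter, time.time)


def check_sleep_tampering(requested_s: float,
                          sleep_fn: SleepFn = time.sleep,
                          clocks: Sequence[Clock] = DEFAULT_CLOCKS,
                          slack: float = 0.5) -> Dict[str, object]:
    """Sleep for requested_s and compare what each clock reports.

    elapsed      -- per-clock elapsed seconds
    skipped      -- some clock advanced less than requested_s * (1 - slack):
                    the sleep returned early (hooked or time-accelerated past it)
    inconsistent -- clocks disagree by more than requested_s * slack:
                    one clock was patched to fake the delay, another was not
    suspicious   -- skipped or inconsistent
    Overshoot (elapsed much larger than requested) is deliberately not flagged;
    on a loaded host a real sleep can legitimately wake late.
    """
    before = [c() for c in clocks]
    sleep_fn(requested_s)
    after = [c() for c in clocks]
    elapsed = [a - b for a, b in zip(after, before)]

    skipped = any(e < requested_s * (1.0 - slack) for e in elapsed)
    inconsistent = (max(elapsed) - min(elapsed)) > requested_s * slack
    return {
        "elapsed": elapsed,
        "skipped": skipped,
        "inconsistent": inconsistent,
        "suspicious": skipped or inconsistent,
    }


class FakeSandbox:
    """Constructed stand-in for a sandbox that hooks the sleep routine.

    fake_sleep returns immediately but bumps fake_clock by the requested
    amount, so a check that only reads the hooked clock sees a normal delay.
    """

    def __init__(self, start_ticks: float = 1000.0) -> None:
        self._ticks = start_ticks

    def fake_clock(self) -> float:
        return self._ticks

    def fake_sleep(self, seconds: float) -> None:
        self._ticks += seconds  # pretend time passed; do not actually wait


def demo(requested_s: float = 0.2):
    """Run the check against a real sleep and against the fake sandbox."""
    # Honest host: every clock advances by at least the requested delay.
    honest = check_sleep_tampering(requested_s)

    # Sandbox seen through its own hooked clock only: the skip is invisible.
    sb = FakeSandbox()
    one_clock = check_sleep_tampering(requested_s, sleep_fn=sb.fake_sleep,
                                      clocks=(sb.fake_clock,))

    # Same sandbox, but with an unhooked second clock: the skip is exposed
    # both as a too-short elapsed time and as clock disagreement.
    sb = FakeSandbox()
    two_clocks = check_sleep_tampering(requested_s, sleep_fn=sb.fake_sleep,
                                       clocks=(sb.fake_clock, time.perf_counter))
    return honest, one_clock, two_clocks


if __name__ == "__main__":
    for label, result in zip(("honest", "one hooked clock", "hooked + real clock"), demo()):
        print(f"{label:>20}: suspicious={result['suspicious']} elapsed={result['elapsed']}")
```

The design point is the one the procedure examples above make implicitly: a sandbox that neutralizes long sleeps by patching the sleep call must also keep every time source the sample might consult consistent with the skipped delay, otherwise the sample can detect the tampering by reading more than one clock. Conversely, a sandbox that hooks all clocks coherently defeats this check, which is why several of the listed families fall back on simply waiting out long fixed or randomized delays instead.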