Virtualization/Sandbox Evasion: Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.

Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.[1]

ID: T1497.003
Sub-technique of:  T1497
Tactics: Defense Evasion, Discovery
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis
Contributors: Deloitte Threat Library Team
Version: 1.1
Created: 06 March 2020
Last Modified: 01 April 2021

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has waited a specified time before downloading a second stage payload.[2]

S0534 Bazar

Bazar can use a timer to delay execution of core functionality.[3]

S0574 BendyBear

BendyBear can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCountKernel32 call.[4]

S0554 Egregor

Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.[5]

S0396 EvilBunny

EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.[6]

S0512 FatDuke

FatDuke can turn itself on or off at random intervals.[7]

S0493 GoldenSpy

GoldenSpy's installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.[8]

S0588 GoldMax

GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.[9]

S0439 Okrum

Okrum's loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated.[10]

S0453 Pony

Pony has delayed execution using a built-in function to avoid detection and analysis.[11]

S0565 Raindrop

After initial installation, Raindrop runs a computation to delay execution.[12]

S0559 SUNBURST

SUNBURST remained dormant after initial access for a period of up to two weeks.[13]

S0595 ThiefQuest

ThiefQuest invokes time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.[14]

S0386 Ursnif

Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.[15]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

References