Skip to content

T1497.003 Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.1

Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.23 Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).45

Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment’s timestamp before and after execution of a sleep function.6

Item Value
ID T1497.003
Sub-techniques T1497.001, T1497.002, T1497.003
Tactics TA0005, TA0007
Platforms Linux, Windows, macOS
Version 1.2
Created 06 March 2020
Last Modified 15 October 2021

Procedure Examples

ID Name Description
S0584 AppleJeus AppleJeus has waited a specified time before downloading a second stage payload.41
S0642 BADFLICK BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.31
S0534 Bazar Bazar can use a timer to delay execution of core functionality.13
S0574 BendyBear BendyBear can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCountKernel32 call.12
S0268 Bisonal Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.1920
S1063 Brute Ratel C4 Brute Ratel C4 can call NtDelayExecution to pause execution.87
S1039 Bumblebee Bumblebee has the ability to set a hardcoded and randomized sleep interval.10
S0660 Clambling Clambling can wait 30 minutes before initiating contact with C2.45
S0611 Clop Clop has used the sleep command to avoid sandbox detection.43
S0115 Crimson Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload.36
S1066 DarkTortilla DarkTortilla can implement the kernel32.dll Sleep function to delay execution for up to 300 seconds before implementing persistence or processing an addon package.16
S0694 DRATzarus DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to measure function timing.42 DRATzarus can also remotely shut down into sleep mode under specific conditions to evade
detection.42
S0554 Egregor Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.40
S0396 EvilBunny EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.38
S0512 FatDuke FatDuke can turn itself on or off at random intervals.39
S0493 GoldenSpy GoldenSpy‘s installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.24
S0588 GoldMax GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.30
S0632 GrimAgent GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.25
S0561 GuLoader GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.17
S0697 HermeticWiper HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.35
S0513 LiteDuke LiteDuke can wait 30 seconds before executing additional code if security software is detected.39
S0447 Lokibot Lokibot has performed a time-based anti-debug check before downloading its third stage.26
S1059 metaMain metaMain has delayed execution for five to six minutes during its persistence establishment process.44
S0439 Okrum Okrum‘s loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated.27
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.42
S0626 P8RAT P8RAT has the ability to “sleep” for a specified time to evade detection.29
S0453 Pony Pony has delayed execution using a built-in function to avoid detection and analysis.18
S0650 QakBot The QakBot dropper can delay dropping the payload to evade detection.1415
S0565 Raindrop After initial installation, Raindrop runs a computation to delay execution.32
S1018 Saint Bot Saint Bot has used the command timeout 20 to pause the execution of its initial loader.11
S0627 SodaMaster SodaMaster has the ability to put itself to “sleep” for a specified time.29
S1034 StrifeWater StrifeWater can modify its sleep time responses from the default of 20-22 seconds.22
S0559 SUNBURST SUNBURST remained dormant after initial access for a period of up to two weeks.23
S1064 SVCReady SVCReady can enter a sleep stage for 30 minutes to evade detection.9
S0595 ThiefQuest ThiefQuest invokes time call to check the system’s time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.46
S0671 Tomiris Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.21
S0266 TrickBot TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.5
S0386 Ursnif Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.28
S0689 WhisperGate WhisperGate can pause for 20 seconds to bypass antivirus solutions.3433
S0658 XCSSET Using the machine’s local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, XCSSET executes additional modules.37

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution

References


  1. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved May 18, 2021. 

  2. Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021. 

  3. Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021. 

  4. Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021. 

  5. Joe Security. (2020, July 13). TrickBot’s new API-Hammering explained. Retrieved September 30, 2021. 

  6. Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How Malware Evades Detection by Sandboxes. Retrieved March 30, 2021. 

  7. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023. 

  8. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  9. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  10. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  11. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  12. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  13. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  14. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  15. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  16. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  17. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021. 

  18. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  19. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  20. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  21. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 

  22. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  23. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  24. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  25. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  26. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. 

  27. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  28. Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019. 

  29. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  30. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  31. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  32. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  33. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023. 

  34. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  35. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  36. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  37. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  38. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  39. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  40. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021. 

  41. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  42. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  43. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021. 

  44. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  45. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  46. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.