Time accelerated checks

Overview

"Time accelerated checks" are a sandbox-evasion technique in which a program decides whether it is running inside an analysis environment, such as an antivirus sandbox, by checking that time passes at the rate it expects between two points in its own execution.

A sandbox has only a limited time budget per sample, so malware that sleeps for minutes before doing anything harmful would otherwise run out the clock and be classified as benign. To get past such delays, many sandboxes accelerate time: they hook the Sleep API, return from it immediately, and sometimes move the clock forward to cover up the skipped wait. That shortcut is what the check looks for. If a requested delay completes in much less wall-clock time than was asked for, the program concludes it is being analysed and can change its behaviour to avoid detection.

For example, the program reads the system time, calls Sleep with a known interval such as two seconds, and reads the time again. If the measured interval is shorter than a threshold somewhat below the requested delay, the program assumes it is in a sandbox and abandons its malicious behaviour (or runs a harmless decoy path) to avoid detection. Two practical caveats: the threshold must leave room for Sleep to overshoot slightly on a real system, and a sandbox that advances the system clock in step with the skipped Sleep will pass a check against a single clock, so stronger variants compare several independent clock sources.

Code example

using System;
using System.Runtime.InteropServices;

class Program
{
    // NtQuerySystemTime returns the system time as a FILETIME-style 64-bit
    // count of 100 ns intervals since 1 January 1601 (UTC).
    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemTime(out long SystemTime);

    [DllImport("kernel32.dll")]
    static extern void Sleep(uint dwMilliseconds);

    static void Main(string[] args)
    {
        long systemTimeThen;
        long systemTimeNow;

        NtQuerySystemTime(out systemTimeThen);
        Sleep(2000);                                  // ask for a 2 s delay
        NtQuerySystemTime(out systemTimeNow);

        // Convert both FILETIME values and compare the elapsed wall-clock time
        TimeSpan difference = DateTime.FromFileTimeUtc(systemTimeNow) - DateTime.FromFileTimeUtc(systemTimeThen);

        // A sandbox that patches or skips Sleep returns well before 2 s have passed
        if (difference.TotalSeconds < 1.5)
        {
            Console.WriteLine("Abandon ship !!");
            return;
        }

        // The delay was honoured: assume real hardware and carry on
    }
}
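A single clock is easy for a sandbox to fake: if Sleep is patched and the system time is advanced by the same amount, the check above passes. The following is an added example, not code from the original page, that extends the same technique by sampling three independent clocks around one Sleep call (NtQuerySystemTime, GetTickCount64 through Environment.TickCount64, and QueryPerformanceCounter through Stopwatch) and treating the run as accelerated if any clock advances by less than the requested delay or if the clocks disagree with each other. The class and method names are mine, the 90 % and 100 ms tolerances are assumptions, and it assumes Windows with .NET Core 3.0 or later (Environment.TickCount64).

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

class TimeAccelerationCheck
{
    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemTime(out long systemTime);   // 100 ns units since 1601

    [DllImport("kernel32.dll")]
    static extern void Sleep(uint dwMilliseconds);

    // Elapsed time as seen by each clock across one Sleep of RequestedMs.
    struct Sample
    {
        public double RequestedMs;
        public double SystemTimeMs;     // NtQuerySystemTime: wall clock, easiest for a sandbox to advance
        public double TickCountMs;      // GetTickCount64: ms since boot, ~16 ms granularity
        public double StopwatchMs;      // QueryPerformanceCounter: high-resolution monotonic counter
    }

    static Sample Measure(uint requestedMs)
    {
        NtQuerySystemTime(out long sysBefore);
        long tickBefore = Environment.TickCount64;
        Stopwatch sw = Stopwatch.StartNew();

        Sleep(requestedMs);

        sw.Stop();
        long tickAfter = Environment.TickCount64;
        NtQuerySystemTime(out long sysAfter);

        return new Sample
        {
            RequestedMs  = requestedMs,
            SystemTimeMs = (sysAfter - sysBefore) / 10000.0,   // 100 ns -> ms
            TickCountMs  = tickAfter - tickBefore,
            StopwatchMs  = sw.Elapsed.TotalMilliseconds,
        };
    }

    // Returns the reasons a sample looks accelerated; an empty array means time passed normally.
    // Tolerances are assumptions: Sleep may overshoot on real hardware, and the tick count is coarse.
    static string[] Anomalies(Sample s)
    {
        var reasons = new List<string>();
        double minAccepted = s.RequestedMs * 0.9;

        if (s.SystemTimeMs < minAccepted) reasons.Add("system time advanced too little");
        if (s.TickCountMs  < minAccepted) reasons.Add("tick count advanced too little");
        if (s.StopwatchMs  < minAccepted) reasons.Add("performance counter advanced too little");

        // Even when every clock is advanced, a sandbox rarely advances them all consistently.
        double spread = Math.Max(s.SystemTimeMs, Math.Max(s.TickCountMs, s.StopwatchMs))
                      - Math.Min(s.SystemTimeMs, Math.Min(s.TickCountMs, s.StopwatchMs));
        if (spread > 100) reasons.Add("clocks disagree by more than 100 ms");

        return reasons.ToArray();
    }

    static void Main()
    {
        Sample s = Measure(2000);
        string[] why = Anomalies(s);
        Console.WriteLine($"sys={s.SystemTimeMs:F0} ms  tick={s.TickCountMs:F0} ms  qpc={s.StopwatchMs:F0} ms");

        if (why.Length > 0)
        {
            Console.WriteLine("Abandon ship !! (" + string.Join("; ", why) + ")");
            return;
        }
        Console.WriteLine("Time passed as expected; continue.");
    }
}
```

On real hardware all three clocks report roughly 2000 ms (the tick count may be up to about 16 ms off) and the spread stays well under the tolerance. A sandbox that only patches Sleep fails all three "advanced too little" checks; one that also bumps the system clock still trips the tick-count or performance-counter check unless it keeps every clock source in step. The disagreement check can also fire on an overloaded virtual machine, so an evader usually repeats the measurement before acting on it, and an analyst tuning a sandbox should make sure every clock the guest can read moves together.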
