Time-based sandbox evasion techniques
Sandbox emulation is typically brief because sandboxes have to process thousands of samples; emulation time rarely exceeds three to five minutes. Malware can therefore take advantage of this by delaying its malicious actions long enough for the analysis to finish before anything suspicious happens.
Sandboxes can incorporate features that manipulate time and execution delays to counteract this. Cuckoo Sandbox, for instance, has a sleep-skipping feature that replaces delays with a very brief value. This should compel the malware to initiate its malicious behavior prior to the expiration of the analysis timer.
A simple example
Delaying execution may circumvent sandbox analysis by exceeding the sample execution's duration limit. Nonetheless, it is not as simple as Sleep(1000000).
We can check the uptime of the system before and after sleeping. Additionally, we can use a lower-level userland API for sleeping (there is a slightly smaller...
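To show why shortening the delay on its own is not a complete countermeasure, here is an added simulation (not code from the original article): a sandbox that shortens Sleep() but leaves the tick counter untouched fails the before/after uptime comparison described above, while one that advances its virtual clock by the skipped amount stays consistent. Class and function names, thresholds and the starting tick value are assumptions made for the illustration; nothing actually sleeps.

```python
"""Simulated sandbox clocks (illustration only, not from the article).

All timings are simulated in milliseconds; no real Sleep() is called.
"""


class NaiveSkippingSandbox:
    """Replaces long sleeps with a short one but lets the clock run normally."""

    def __init__(self, skip_threshold_ms=1000, short_ms=10):
        self.clock_ms = 0  # constructed starting tick count
        self.skip_threshold_ms = skip_threshold_ms
        self.short_ms = short_ms

    def get_tick_count(self):
        """Stand-in for a GetTickCount-style uptime query."""
        return self.clock_ms

    def sleep(self, requested_ms):
        """Skip long delays; only the shortened delay elapses on the clock."""
        actual = self.short_ms if requested_ms >= self.skip_threshold_ms else requested_ms
        self.clock_ms += actual
        return actual


class ConsistentSkippingSandbox(NaiveSkippingSandbox):
    """Same skipping, but the tick counter is advanced by the skipped time."""

    def sleep(self, requested_ms):
        actual = super().sleep(requested_ms)
        self.clock_ms += requested_ms - actual  # clock agrees with the request
        return actual


def sleep_was_skipped(sandbox, requested_ms, tolerance_ms=50):
    """The uptime check the sandbox must withstand: compare elapsed ticks
    around a sleep with the requested duration, allowing some jitter."""
    before = sandbox.get_tick_count()
    sandbox.sleep(requested_ms)
    elapsed = sandbox.get_tick_count() - before
    return elapsed + tolerance_ms < requested_ms


if __name__ == "__main__":
    ten_minutes = 10 * 60 * 1000
    print("naive sandbox detected:", sleep_was_skipped(NaiveSkippingSandbox(), ten_minutes))
    print("consistent sandbox detected:", sleep_was_skipped(ConsistentSkippingSandbox(), ten_minutes))
```

A real sandbox has to keep every time source a sample can read (tick count, wall clock, performance counters) in step with the skipped delays, not just the one shown here.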