Time Bomb

Created the Monday 18 March 2019. Updated 1 month, 2 weeks ago.

Some malware contains a built-in expiration date, after which the malware will no longer run or function. This can be used by attackers to limit the time during which the malware can be detected and analyzed by security researchers. In order to run and analyze the malware after its expiration date, security researchers must manually change the date on the machine where the malware is being analyzed.

This can be effective in defeating sandbox environments, which are typically used to isolate and analyze malware, if the sandbox's clock is not set to the current date. By using this technique, attackers can make it more difficult for researchers to analyze and understand their malware, potentially allowing it to evade detection.

Technique Identifier

U1005

Technique Tags

timebomb change date sandbox environments isolate malware analyze malware clock

Code Snippets

Description

Trigger the action on Monday.

#include <Windows.h>
#include <iostream>
#include <ctime>
#include <stdio.h>

using namespace std;

// Trigger the action only on Monday
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    time_t rawtime;
    struct tm * timeinfo;
    char buffer[100];

    time(&rawtime);
    timeinfo = localtime(&rawtime);

    strftime(buffer, sizeof(buffer), "%A", timeinfo);

    const char * str(buffer);

    if (str == "Monday")
    {
        cout << "Wait!" << endl;
        MessageBox(NULL, (LPSTR)str, (LPSTR)str, MB_OK);
    }
    else
    {
        cout << "Time of attack!" << endl;
        MessageBox(NULL, (LPSTR)str, (LPSTR)str, MB_OK);
    }
    return 0;
}

Description

This code snippet triggers actions after one day since the compile time.

#include <ctime>
#include <iostream>
#include <string>
#include <sstream>

const double time_attack_in_days = 1.0;

using namespace std;

time_t time_when_compiled()
{
    string datestr = __DATE__;
    string timestr = __TIME__;
    istringstream iss_date(datestr);
    string str_month;
    int day;
    int year;
    iss_date >> str_month >> day >> year;

    int month;
    if      (str_month == "Jan") month = 1;
    else if (str_month == "Feb") month = 2;
    else if (str_month == "Mar") month = 3;
    else if (str_month == "Apr") month = 4;
    else if (str_month == "May") month = 5;
    else if (str_month == "Jun") month = 6;
    else if (str_month == "Jul") month = 7;
    else if (str_month == "Aug") month = 8;
    else if (str_month == "Sep") month = 9;
    else if (str_month == "Oct") month = 10;
    else if (str_month == "Nov") month = 11;
    else if (str_month == "Dec") month = 12;
    else exit(-1);

    for(string::size_type pos = timestr.find(':'); pos != string::npos; pos = timestr.find(':', pos))
    {
    	timestr[pos] = ' ';
    }

    istringstream iss_time(timestr);
    int hour, min, sec;
    iss_time >> hour >> min >> sec;
    tm t = {0};
    t.tm_mon = month - 1;
    t.tm_mday = day;
    t.tm_year = year - 1900;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;

    return mktime(&t);
}

int main()
{
    time_t current_time = time(NULL);
    time_t build_time = time_when_compiled();

    double diff_time = difftime(current_time, build_time);
    const double time_to_wait = time_attack_in_days * 24.0 * 60.0 * 60.0;

    // trigger the time of execution
    if(diff_time > time_to_wait)
    {
        cout << "Time of attack!" << endl;
        exit(-1);
    }
    else
    {
        cout << "Time in second before running the attack: " << time_to_wait << endl;
    }

    return 0;
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Time bomb (software) - Wikipedia