Time Bomb

Created the Monday 18 March 2019. Updated 3 years, 6 months ago.

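Some attacks are designed to run only during a limited time window. To avoid detection, some malware contains a deadline date: once that date is reached, the malware no longer runs. A malware analyst then has to change the machine's clock to get the sample to execute. This technique can also defeat a sandbox if the deadline has already passed when the sample is analysed. The same clock check can be used the other way round, holding execution back until a given day or until a set time has elapsed, which is what the snippets below demonstrate.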


Technique Identifier

U1005

Technique Tag

timebomb


Code Snippets

Unprotect

Description

Trigger the action on Monday.

#include <Windows.h>
#include <iostream>
#include <ctime>
#include <stdio.h>

using namespace std;

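// Demonstrates a day-of-week execution gate: the "action" branch is taken only
// when the local clock reports Monday. Both branches are harmless here (one
// console line and a message box showing the weekday name).
//
// Analysis notes: the gate depends entirely on the host clock, so it appears
// as a time()/localtime() call feeding a comparison, and the branch that is
// not taken can be reached by changing the date of the analysis machine.
//
// Returns 0 on every path.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    const int kMonday = 1;  // tm_wday counts days since Sunday

    time_t rawtime = time(NULL);
    const struct tm * timeinfo = localtime(&rawtime);
    if (timeinfo == NULL)
    {
        // No broken-down time means no weekday to test; do nothing.
        return 0;
    }

    // Weekday name, used only as the message box text and caption.
    char buffer[100] = "";
    if (strftime(buffer, sizeof(buffer), "%A", timeinfo) == 0)
    {
        buffer[0] = '\0';  // buffer contents are unspecified when strftime fails
    }

    // Test the numeric weekday. Comparing a char pointer with the literal
    // "Monday" using == compares addresses, so that form never matches. The
    // branch bodies follow the stated intent: the action runs on Monday and
    // every other day waits.
    if (timeinfo->tm_wday == kMonday)
    {
        std::cout << "Time of attack!" << std::endl;
        // MessageBoxA takes narrow strings directly, so no cast is needed and
        // the call is also correct in a UNICODE build.
        MessageBoxA(NULL, buffer, buffer, MB_OK);
    }
    else
    {
        std::cout << "Wait!" << std::endl;
        MessageBoxA(NULL, buffer, buffer, MB_OK);
    }
    return 0;
}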

Unprotect

Description

This code snippet triggers its action once more than one day has elapsed since the binary was compiled.

#include <cstdlib>
#include <ctime>
#include <iostream>
#include <sstream>
#include <string>

// Length of the delay window, in days.
static const double time_attack_in_days = 1.0;

using namespace std;

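// Converts the compiler's __DATE__ ("Mmm dd yyyy") and __TIME__ ("hh:mm:ss")
// macros into a time_t, interpreting them as local time.
//
// Returns the mktime() result for the build timestamp (mktime reports failure
// as -1). Terminates the process with exit(-1) when either macro cannot be
// parsed.
//
// Analysis note: both macros are expanded by the compiler, so the reference
// timestamp is a constant baked into the binary rather than a value read at
// run time.
time_t time_when_compiled()
{
    std::istringstream iss_date(__DATE__);
    std::string str_month;
    int day = 0;
    int year = 0;
    iss_date >> str_month >> day >> year;

    // Each month abbreviation sits at a multiple of three in this table, so
    // offset / 3 is the zero-based month number.
    static const std::string month_names = "JanFebMarAprMayJunJulAugSepOctNovDec";
    const std::string::size_type offset = month_names.find(str_month);
    if (!iss_date || str_month.size() != 3 ||
        offset == std::string::npos || offset % 3 != 0)
    {
        std::exit(-1);
    }

    // Read "hh:mm:ss" directly, consuming each ':' as a separator character.
    std::istringstream iss_time(__TIME__);
    int hour = 0;
    int min = 0;
    int sec = 0;
    char sep1 = '\0';
    char sep2 = '\0';
    iss_time >> hour >> sep1 >> min >> sep2 >> sec;
    if (!iss_time || sep1 != ':' || sep2 != ':')
    {
        std::exit(-1);
    }

    std::tm t = {};
    t.tm_mon = static_cast<int>(offset / 3);
    t.tm_mday = day;
    t.tm_year = year - 1900;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;
    // Let mktime decide whether daylight saving time applied. Forcing 0 shifts
    // the result by an hour for builds made while DST is in effect.
    t.tm_isdst = -1;

    return std::mktime(&t);
}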

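// Demonstrates an elapsed-time gate keyed to the build timestamp: the
// "action" branch is taken only once more than time_attack_in_days days have
// passed since the binary was compiled. Both branches only print a line.
//
// Analysis note: the decision depends on the host clock minus a constant
// embedded at build time, so moving the analysis machine's clock forward
// reaches the gated branch.
//
// Returns -1 when the window has elapsed and 0 while it is still open.
int main()
{
    const time_t current_time = time(NULL);
    const time_t build_time = time_when_compiled();

    const double time_to_wait = time_attack_in_days * 24.0 * 60.0 * 60.0;
    const double diff_time = difftime(current_time, build_time);

    // trigger the time of execution
    if (diff_time > time_to_wait)
    {
        std::cout << "Time of attack!" << std::endl;
        return -1;
    }

    // Print the time still remaining. The message promises seconds left, and
    // the full window length would never count down.
    std::cout << "Time in second before running the attack: "
              << (time_to_wait - diff_time) << std::endl;

    return 0;
}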

Additional Resources

External Links
