I am not sure but it appears that malware sleeping is not being skipped correctly as you can see in the below screenshots. I am not sure if this is meant to be the case but I thought I had better raise it & I am not sure if it is perhaps an error in the sig identifying if it was indeed skipped. While discussing this a general idea for environment aware malware may be:
Allow setting of system clock in analysis environment per-analysis (code already implemented in cuckoo-modified)
The obvious issue with skipping is that malware detects the acceleration by checking the time or whatever, taking note of that, sleeping and checking again. Perhaps it would be possible if a sleep function is skipped that the system time is moved forward for the amount of time the sleep is for. Obviously this wouldn't help in all sleep scenarios but it may help in some where the malware immediately exits (or goes down another execution path).
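The clock-advance idea from the post, modelled as an added example (not part of the original post and not Cuckoo's own code): a sandbox clock that skips sleeps and, optionally, credits the skipped time to hooked time queries, so a read-sleep-read check sees the elapsed time it expects. `SandboxClock`, `hooked_sleep` and `hooked_now_ms` are hypothetical names, and the fixed `real_clock` is a constructed stand-in for the guest's real time source.

```python
import time


class SandboxClock:
    """Toy model of sleep skipping in an analysis environment (hypothetical API)."""

    def __init__(self, compensate, real_clock=time.monotonic):
        self.compensate = compensate    # advance guest-visible time on each skip?
        self.real_clock = real_clock    # seconds; injectable for deterministic runs
        self.skew_ms = 0                # time credited to hooked time queries
        self.skipped_ms = 0             # total sleep time skipped (for reporting)

    def hooked_sleep(self, ms):
        # The sleep returns immediately; the delay is recorded, and with
        # compensation enabled the same amount is added to the visible clock.
        self.skipped_ms += ms
        if self.compensate:
            self.skew_ms += ms

    def hooked_now_ms(self):
        # What the sample sees when it queries a hooked time source.
        return self.real_clock() * 1000 + self.skew_ms


def elapsed_seen_by_sample(clock, sleep_ms):
    """The check described in the post: read the time, sleep, read it again."""
    before = clock.hooked_now_ms()
    clock.hooked_sleep(sleep_ms)
    return clock.hooked_now_ms() - before


def sleep_skip_detectable(clock, sleep_ms, tolerance_ms=50):
    """True if the observed elapsed time is shorter than the requested sleep."""
    return elapsed_seen_by_sample(clock, sleep_ms) < sleep_ms - tolerance_ms


if __name__ == "__main__":
    frozen = lambda: 100.0  # constructed: real time does not move during the skip
    for compensate in (False, True):
        clock = SandboxClock(compensate, real_clock=frozen)
        print(f"compensate={compensate}: "
              f"detectable={sleep_skip_detectable(clock, 60_000)}, "
              f"skipped_ms={clock.skipped_ms}")
```

The model only covers time sources the sandbox hooks; as the post notes, advancing the clock does not help in every sleep scenario.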