NtDelayExecution Not Skipped?

[kevross33]

Hi,

I am not sure but it appears that malware sleeping is not being skipped correctly as you can see in the below screenshots. I am not sure if this is meant to be the case but I thought I had better raise it & I am not sure if it is perhaps an error in the sig identifying if it was indeed skipped. While discussing this a general idea for environment aware malware may be:

• Allow setting of system clock in analysis environment per-analysis (code already implemented in cuckoo-modified)
• The obvious issue with skipping is that malware detects the acceleration by checking the time or whatever, taking note of that, sleeping and checking again. Perhaps it would be possible if a sleep function is skipped that the system time is moved forward for the amount of time the sleep is for. Obviously this wouldn't help in all sleep scenarios but it may help in some where the malware immediately exits (or goes down another execution path).

[kevross33]

Oh FYI this was Maktub sample 7ec89220dde5a1c2714d7dc0cd55e3c3 under analysis

[rajiv2790]

I encountered another issue. If the sleep is longer than the analysis time, the sleep API call doesn't even show up in the report.