Speeding up the Clock for Malware Analysis With Accelerify

Some malware delays "interesting" actions for hours or days to evade automated analysis tools. Cylance's free Accelerify utility addresses this by accelerating the lab system's clock, allowing analysts to compress what would normally take hours into minutes.

Sometimes malware doesn’t perform “interesting” actions until some time has passed, stretching out its activities over hours or days. This approach tricks some automated analysis tools and helps evade detection. Cylance’s free tool Accelerify helps analysts in such situations by accelerating the lab system’s clock.

Accelerify modifies the system’s time at the rate specified by the analyst. For instance, in the video attached to this article, I directed the tool to modify the clock every second, advancing it by 300 seconds. This had the effect of accelerating the time by the factor of 300.

The “-i” parameter sets the interval, in seconds, between adjusting the time. I used 1; the default is 10. The “-a” parameter specifies the number of seconds by which to advance the clock. I used 300; the default is 3600.

You can use Accelerify in conjunction with behavioral monitoring tools to explore situations where the specimen’s actions are triggered by the passage of time or by specific date and time values. In such scenarios, you could activate the monitoring tools, launch Accelerify, infect the laboratory system and see what develops.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →