Speeding up the Clock for Malware Analysis With Accelerify

Sometimes malware doesn’t perform “interesting” actions until some time has passed, stretching out its activities over hours or days. This approach tricks some automated analysis tools and helps evade detection. Cylance’s free tool Accelerify helps analysts in such situations by accelerating the lab system’s clock.

Accelerify modifies the system’s time at the rate specified by the analyst. For instance, in the video attached to this article, I directed the tool to modify the clock every second, advancing it by 300 seconds. This had the effect of accelerating the time by the factor of 300.

The “-i” parameter sets the interval, in seconds, between adjusting the time. I used 1; the default is 10. The “-a” parameter specifies the number of seconds by which to advance the clock. I used 300; the default is 3600.

You can use Accelerify in conjunction with behavioral monitoring tools to explore situations where the specimen’s actions are triggered by the passage of time or by specific date and time values. In such scenarios, you could activate the monitoring tools, launch Accelerify, infect the laboratory system and see what develops.

Updated

About the Author

Lenny Zeltser develops teams, solutions, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more