{
	"id": "e3039a75-9187-46ba-accc-3835ec12671d",
	"created_at": "2026-04-06T00:15:21.94145Z",
	"updated_at": "2026-04-10T03:20:46.594562Z",
	"deleted_at": null,
	"sha1_hash": "bb7427bfff8d7ae0d6601aafe4b29d6f371ccbdd",
	"title": "Ticked Off: Upatre Malware’s Simple Anti-analysis Trick to Defeat Sandboxes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79117,
	"plain_text": "Ticked Off: Upatre Malware’s Simple Anti-analysis Trick to Defeat Sandboxes\r\nBy Richard Wartell\r\nPublished: 2015-10-06 · Archived: 2026-04-05 21:06:21 UTC\r\nThe Upatre family of malware is frequently updated, with the authors adding new features and protecting the malware from detection in various ways. If you aren’t yet familiar with Upatre, it’s one of the most common downloaders in the wild today, typically infecting systems through phishing e-mails and downloading the Dyre banking Trojan to steal victims’ credentials. Recently, the authors of Upatre added a very simple anti-analysis measure in an attempt to defeat sandboxes, which dynamically analyze executables to identify malicious behavior.\r\nThe new anti-analysis trick involves using the Windows API GetTickCount. GetTickCount returns the number of milliseconds that the system has been alive, up to a maximum of approximately 49 days. Programs can use this value to determine how long a system has been running and make decisions based on that value. The following image shows Upatre executing these instructions inside of a debugger:\r\nThe code calls GetTickCount and compares the returned value to 0xAFE74 (720,500 milliseconds, or ~12 minutes). If GetTickCount returns a value less than 0xAFE74, Upatre determines that the system has been running for less than 12 minutes and exits.\r\nTo understand why this is an effective anti-analysis technique, we have to look at the normal startup procedure for a sandbox:\r\n1. Start up a virtual machine with the target operating system on it\r\n2. Copy the malicious binary to the virtual machine\r\n3. Let the malware run for an extended period of time (usually about 5 minutes)\r\n4. Retrieve a report of what the malware did from the VM\r\n5. Shut down the virtual machine and clean up\r\nSince this whole process usually takes around 6 minutes at most, GetTickCount typically returns a value much lower than 12 minutes. If this were an actual user’s system, the value would almost certainly be larger than 12 minutes, so a lower value gives the malware a clear indication that it is executing in a sandbox. By exiting at this point in the execution flow, the malware doesn’t perform any malicious actions and will be flagged as benign in a sandbox.\r\nIn the Palo Alto Networks WildFire analysis system, we modify the value returned by GetTickCount to make it appear as though the machine has been running for hours. By doing this, Upatre is fooled into continuing to execute its malicious routine, resulting in a malicious verdict.\r\nWe recently detected a surge of new Upatre malware samples exhibiting this behavior, and Brendan Griffin at Malcovery recently published a report on the activity. Palo Alto Networks customers using WildFire are fully protected from this anti-analysis technique, and Palo Alto Networks AutoFocus users can find new Upatre samples using the Upatre tag.\r\nSource: https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/"
	],
	"report_names": [
		"ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes"
	],
	"threat_actors": [],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb7427bfff8d7ae0d6601aafe4b29d6f371ccbdd.pdf",
		"text": "https://archive.orkl.eu/bb7427bfff8d7ae0d6601aafe4b29d6f371ccbdd.txt",
		"img": "https://archive.orkl.eu/bb7427bfff8d7ae0d6601aafe4b29d6f371ccbdd.jpg"
	}
}