
System Uptime Sandbox Check

Using GetTickCount uptime and the scarcity of recently-used files to detect freshly-booted automated analysis sandboxes.

Automated sandboxes boot a clean image, detonate the sample, and tear the machine down — usually within minutes. Two cheap heuristics exploit that lifecycle: the system has only been up for a short time, and the user profile contains almost no recently-used files. A real, lived-in workstation has hours or days of uptime and a populated Recent folder.

These checks need no special privileges and produce no obvious anti-analysis artifact, so they show up in commodity loaders alongside heavier VM checks.

How it works

GetTickCount64 returns the number of milliseconds since boot. If that uptime is below a threshold (typically a few minutes), the sample treats the host as a sandbox. It may also count the entries in the user's Recent directory or check how far the boot time lies in the past. Note that the older 32-bit GetTickCount wraps after roughly 49.7 days, so a sample relying on it can misclassify a long-running host as freshly booted.

```c
#include <windows.h>

int main(void)
{
    // Primary heuristic: the machine was booted only minutes ago.
    ULONGLONG uptimeMs = GetTickCount64();      // milliseconds since boot
    if (uptimeMs < 10 * 60 * 1000ULL) {         // less than 10 minutes
        // Freshly booted: likely a sandbox.
        ExitProcess(0);
    }

    // Secondary heuristic: too few recently-used files in the current user's
    // Recent folder. FindFirstFileW only accepts a wildcard in the last path
    // component, so the profile path is taken from %APPDATA% rather than from
    // a wildcard under C:\Users.
    WCHAR pattern[MAX_PATH];
    ExpandEnvironmentStringsW(L"%APPDATA%\\Microsoft\\Windows\\Recent\\*",
                              pattern, MAX_PATH);
    WIN32_FIND_DATAW fd;
    int count = 0;
    HANDLE h = FindFirstFileW(pattern, &fd);
    if (h != INVALID_HANDLE_VALUE) {
        do {
            // Skip the "." and ".." entries so only real items are counted.
            if (lstrcmpW(fd.cFileName, L".") != 0 && lstrcmpW(fd.cFileName, L"..") != 0)
                count++;
        } while (FindNextFileW(h, &fd));
        FindClose(h);
    }
    if (count < 3) {
        // Sparse profile: likely a sandbox.
        ExitProcess(0);
    }
    return 0;
}
```

Variants read GetTickCount before and after a Sleep and compare the elapsed ticks with the requested duration, so that a sandbox which fast-forwards sleeps is caught as well; this combines the uptime idea with sleep-skipping detection.

Detection & analysis

  • Static analysis: look for GetTickCount / GetTickCount64 results compared against a minute-scale constant, and FindFirstFile enumeration of the Recent folder with a low count threshold.
  • Dynamic analysis: age the analysis image before detonation — keep it booted for a realistic interval and pre-populate the Recent folder and documents — or hook GetTickCount64 to return a large, plausible uptime.
  • Detection rule hint: YARA-match GetTickCount64 plus the Recent path string; in telemetry, alert when a process reads uptime or counts recent files and exits early within seconds of launch.
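The telemetry rule from the last bullet, as an added example that is not part of this page: it scans constructed API-trace lines (the "timestamp pid event detail" layout is an assumption, not any real sandbox's report format) and flags processes that query uptime or enumerate the Recent folder and then exit within a few seconds of starting.

```python
import re
from collections import defaultdict

# Constructed API-trace lines in a hypothetical "timestamp pid event detail"
# layout (an assumption for this example, not any real sandbox's report format).
TRACE = """\
0.000 1204 ProcessStart sample.exe
0.012 1204 ApiCall GetTickCount64
0.015 1204 ApiCall FindFirstFileW C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*
0.016 1204 ApiCall FindNextFileW
0.021 1204 ProcessExit 0
0.000 2310 ProcessStart setup.exe
0.400 2310 ApiCall GetTickCount64
95.200 2310 ApiCall CreateFileW C:\\Program Files\\App\\app.dll
320.500 2310 ProcessExit 0
"""

UPTIME_APIS = {"GetTickCount", "GetTickCount64"}
RECENT_RE = re.compile(r"\\Microsoft\\Windows\\Recent\\", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<pid>\d+) (?P<ev>\w+)(?: (?P<detail>.*))?$")

def find_early_exit_probes(trace, max_lifetime=5.0):
    """Map pid -> sorted reasons for processes that query uptime or enumerate
    the Recent folder and then exit within max_lifetime seconds of starting."""
    procs = defaultdict(lambda: {"start": None, "exit": None, "reasons": set()})
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the layout
        p, ts, detail = procs[m["pid"]], float(m["ts"]), m["detail"] or ""
        if m["ev"] == "ProcessStart":
            p["start"] = ts
        elif m["ev"] == "ProcessExit":
            p["exit"] = ts
        elif m["ev"] == "ApiCall":
            api = detail.split(" ", 1)[0]  # the API name precedes its arguments
            if api in UPTIME_APIS:
                p["reasons"].add("uptime query")
            if api.startswith("FindFirstFile") and RECENT_RE.search(detail):
                p["reasons"].add("Recent folder enumeration")
    hits = {}
    for pid, p in procs.items():
        if p["reasons"] and p["start"] is not None and p["exit"] is not None:
            if p["exit"] - p["start"] <= max_lifetime:   # short-lived after probing
                hits[pid] = sorted(p["reasons"])
    return hits
```

The long-running setup.exe also calls GetTickCount64 but is not flagged, which is why the rule keys on the probe combined with an early exit rather than on the API call alone.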