I am new to malware analysis and am currently using Cuckoo to understand some of the basics.

I am trying to figure out the time that the malware delays its initial execution. I found a function call NtDelayExecution in the API/System calls that had two parameters: Status => Skipped and Milliseconds => 1000. The status of the function call reads SUCCESS.

What does the argument Status mean? Does it mean that the call was skipped? Because there are other calls to NtDelayExecution that do not have the argument Status.

schroeder
cosmicrao

1 Answer

Cuckoo is an automated sandbox meant for malware analysis. It skips the first N seconds of delay functions when a program starts.

NtDelayExecution is commonly used to prevent dynamic malware analysis, so it's skipped at program start to prevent the analysis from taking a prohibitively long time.

The function call output is letting you know it skipped a 1000 millisecond delay (1000ms = 1 second).

Daisetsu
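To answer the original question's "how long does the sample delay its start" in a repeatable way, the following is an added example (not code from Cuckoo or from either poster) that walks a list of API-call records in the shape the question quotes, separating NtDelayExecution delays that Cuckoo marked Skipped from those that actually ran, and flagging unusually long sleeps as a possible analysis-evasion indicator. The call-record layout (`api`, `status`, `arguments` with `Status` and `Milliseconds` keys) and the sample data are constructed assumptions; adapt the field names to your report.json.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of the question's call log. The keys mirror
# the report quoted in the question ("Status => Skipped", "Milliseconds => 1000");
# the exact layout of a real Cuckoo report.json is an assumption here.
SAMPLE_CALLS_JSON = """
[
  {"api": "NtDelayExecution", "status": "SUCCESS",
   "arguments": {"Status": "Skipped", "Milliseconds": 1000}},
  {"api": "NtDelayExecution", "status": "SUCCESS",
   "arguments": {"Status": "Skipped", "Milliseconds": 2500}},
  {"api": "NtQuerySystemTime", "status": "SUCCESS", "arguments": {}},
  {"api": "NtDelayExecution", "status": "SUCCESS",
   "arguments": {"Milliseconds": 30000}},
  {"api": "NtDelayExecution", "status": "SUCCESS",
   "arguments": {"Milliseconds": 500}}
]
"""

# Sleeps at or above this length (hypothetical threshold) are worth a look:
# a sample that waits this long before doing anything may be trying to outlast
# the sandbox's analysis window.
LONG_SLEEP_MS = 10_000


def load_calls(text: str) -> List[Dict]:
    """Parse a JSON list of call records (one object per API call)."""
    return json.loads(text)


def summarize_delays(calls: List[Dict]) -> Dict[str, object]:
    """Total the NtDelayExecution time the sandbox skipped vs. actually slept."""
    skipped_ms = 0
    executed_ms = 0
    long_sleeps: List[int] = []
    for call in calls:
        if call.get("api") != "NtDelayExecution":
            continue
        args = call.get("arguments", {})
        ms = int(args.get("Milliseconds", 0))
        if args.get("Status") == "Skipped":
            skipped_ms += ms          # Cuckoo fast-forwarded this delay
        else:
            executed_ms += ms         # the sample really waited this long
            if ms >= LONG_SLEEP_MS:
                long_sleeps.append(ms)
    return {
        "skipped_ms": skipped_ms,
        "executed_ms": executed_ms,
        "requested_seconds": (skipped_ms + executed_ms) / 1000,
        "long_sleeps_ms": long_sleeps,
    }


if __name__ == "__main__":
    print(summarize_delays(load_calls(SAMPLE_CALLS_JSON)))
```

The "requested_seconds" figure is the delay the sample asked for in total; the skipped portion is what Cuckoo removed so the run would finish in reasonable time.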