
I've read that a malware found by Kaspersky was compiled in the Moscow time zone. How do they know the time of compilation?

Aman

2 Answers


It is possible to get the compilation/linking date/time, for instance from the COFFHeader.TimeDateStamp field. But that doesn't give you the time zone as the field is just "the number of seconds elapsed since midnight (00:00:00), January 1, 1970, UTC". I presume Kaspersky concluded a Moscow TZ by looking at the compile date/time of multiple different versions and seeing most are between 4AM UTC (8AM Moscow) and 2PM UTC (6PM Moscow) (similar to an analysis FireEye did in their Apt28 report, page 27).
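To make the approach in this answer concrete, here is an added example (not from the original answer or any vendor tooling) that reads `COFFHeader.TimeDateStamp` straight out of a PE image and builds an hour-of-day histogram across several samples, shifted by a chosen UTC offset. The samples are constructed in the script itself (a minimal MZ stub plus PE signature and COFF header), so it runs offline; the working-hours window of 08:00 to 18:00 and the offset are assumptions you pass in, and the stamp is attacker-controlled, so zeroed or all-ones values are skipped and the result is only ever an indication, never proof of location.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

DOS_E_LFANEW_OFFSET = 0x3C      # e_lfanew: file offset of the "PE\0\0" signature
PE_SIGNATURE = b"PE\0\0"


def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal PE image (DOS stub + PE signature + COFF header).
    This is constructed test data for the example, not a real binary."""
    pe_offset = 0x80
    dos = bytearray(pe_offset)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, pe_offset)
    # COFF header fields in order: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


def pe_timestamp(data: bytes) -> int:
    """Return COFFHeader.TimeDateStamp (seconds since 1970-01-01 00:00 UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_offset,) = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)
    if data[pe_offset:pe_offset + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp is 8 bytes past the signature (after Machine and NumberOfSections)
    (stamp,) = struct.unpack_from("<I", data, pe_offset + 8)
    return stamp


def compile_hour_histogram(samples, utc_offset_hours: int = 0) -> Counter:
    """Count compile hour-of-day across samples, shifted into a candidate zone.
    Stamps of 0 or 0xFFFFFFFF are obviously stripped/forged and are ignored."""
    hist = Counter()
    for data in samples:
        stamp = pe_timestamp(data)
        if stamp in (0, 0xFFFFFFFF):
            continue
        hour_utc = datetime.fromtimestamp(stamp, tz=timezone.utc).hour
        hist[(hour_utc + utc_offset_hours) % 24] += 1
    return hist


def working_hours_share(hist: Counter, start: int = 8, end: int = 18) -> float:
    """Fraction of samples compiled inside [start, end) local time."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    inside = sum(n for hour, n in hist.items() if start <= hour < end)
    return inside / total


def constructed_samples():
    """Constructed sample set: compile hours (UTC) chosen for the example."""
    hours_utc = [4, 5, 6, 9, 11, 13, 23]
    stamps = [
        int(datetime(2015, 1, 5, h, 30, tzinfo=timezone.utc).timestamp())
        for h in hours_utc
    ]
    stamps.append(0)  # one sample with a zeroed stamp, to be skipped
    return [build_sample_pe(s) for s in stamps]


if __name__ == "__main__":
    samples = constructed_samples()
    for offset, label in ((0, "UTC"), (4, "UTC+4 (Moscow, as in the answer)")):
        hist = compile_hour_histogram(samples, offset)
        print(label, dict(sorted(hist.items())),
              "working-hours share: %.2f" % working_hours_share(hist))
```

Run it over a directory of real samples by replacing `constructed_samples()` with `open(path, "rb").read()` for each file; the comparison that matters is the working-hours share under each candidate offset, and a build farm, a reproducible-build toolchain or a deliberately rewritten stamp will all break the inference.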


I don't think that it is possible to detect the compilation date/time/timezone until and unless the malware has specified it inside explicitly.

The time reported by Kaspersky must be the date/time/timezone when the first threat of such malware was reported to the Kaspersky virus database.

Pranav Jituri