Monday, July 13, 2020

TrickBot's new API-Hammering explained




As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works.

The full analysis report of the TrickBot variant is available here.


Two Stage API Hammering


Right after the entry point, the sample tries to load taskmgr.exe as a DLL:





This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Next, it performs a massive printf loop - the first stage. Since before the loop FreeConsole has been called all printf calls do basically nothing:










This code has been directly copied from the documentation of printf:






So what is the purpose of those numerous printf loops? Well, sandboxes are designed to log all behavior including the 1.8M calls. As a result, the massive amount of calls delay the execution process and overload the sandbox with junk data. As a result, the final payload is never called. 

This behavior is called API HammeringAPI Hammering is not a new technique, we have already seen it several years ago e.g. in the Nymaim Loader. Joe Sandbox detects the API hammering successfully and rates it as malicious:





Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps:









Again, the purpose is to overload the sandbox and delay the execution. This time however the all calls are valid. 


WERMGR


Finally, when this loop is passed, the sample starts and injects TrickBot (by using directly Nt* APIs) into legit wermgr.exe - the process responsible for Windows error handling and reporting:









It's noticeable that a 32bit sample is able to inject successfully into 64bit wermgr.exe on a Windows 64bit.

In wermgr.exe TrickBot fully unpacks itself:





This enables Joe Sandbox to successfully detect TrickBot and extract full configurations:







Conclusion


In contrast to many other evasions, API Hammering is one of the more interesting techniques since it directly exploits the design of a sandbox. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly. 

You are interested to get a list of other evasive malware analyses? Check out these other blogs:





or this extensive list of evasive samples.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!