TrickBot's new API-Hammering explained

As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works.

The full analysis report of the TrickBot variant is available here.

Two Stage API Hammering

Right after the entry point, the sample tries to load taskmgr.exe as a DLL:

This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Next, it performs a massive printf loop - the first stage. Since before the loop FreeConsole has been called all printf calls do basically nothing:

This code has been directly copied from the documentation of printf:

So what is the purpose of those numerous printf loops? Well, sandboxes are designed to log all behavior including the 1.8M calls. As a result, the massive amount of calls delay the execution process and overload the sandbox with junk data. As a result, the final payload is never called. 

This behavior is called API Hammering. API Hammering is not a new technique, we have already seen it several years ago e.g. in the Nymaim Loader. Joe Sandbox detects the API hammering successfully and rates it as malicious:

Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps:

Again, the purpose is to overload the sandbox and delay the execution. This time however the all calls are valid. 

WERMGR

Finally, when this loop is passed, the sample starts and injects TrickBot (by using directly Nt* APIs) into legit wermgr.exe - the process responsible for Windows error handling and reporting:

It's noticeable that a 32bit sample is able to inject successfully into 64bit wermgr.exe on a Windows 64bit.

In wermgr.exe TrickBot fully unpacks itself:

This enables Joe Sandbox to successfully detect TrickBot and extract full configurations:

Conclusion

In contrast to many other evasions, API Hammering is one of the more interesting techniques since it directly exploits the design of a sandbox. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly. 

You are interested to get a list of other evasive malware analyses? Check out these other blogs:

• New Sandbox Evasions spot in VBS samples
• Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor
• Fighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation
• Malicious Documents: The Evolution of country-aware VBA Macros

or this extensive list of evasive samples.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Joe Sandbox v29 - Ocean Jasper

Today we release Joe Sandbox 29 under the code name Ocean Jasper! This release is packed with brand new features and improvements, designed to make malware analysis deeper and better than ever!

Our Joe Sandbox Cloud Pro, Basic and OEM servers have recently been upgraded to Ocean Jasper.

If you wish to upgrade your on-premise Joe Sandbox Desktop, Mobile, X, Linux, Complete 

or Ultimate installation right away, please run the following command:

mono joeboxserver.exe --updatefast

Even though we're thrilled about many aspects of this release, in this blog post we will highlight only a few of our favorite Joe Sandbox Ocean Jasper features.

447 new Signatures

With these brand new behavior, Yara and Sigma signatures, Joe Sandbox is able to precisely detect various malware families like MassLogger, Bazar(team9 loader), Octopus Scanner, Devilshadow, Kaiji, Exile RAT, Crimson RAT, CloudSnooper, Lucifer Stealer, Wildlogger keylogger, DarkNexus, Blackclaw ransomware, Nefilim, Pedo Ransomware, Payday Ransomware, Avaddon Ransomware and many more.

ReversingLabs Integration

A major new feature of Ocean Jasper is the ReversingLabs integration. ReversingLabs TitaniumCloud customers can add their username and API to Joe Sandbox and increase the detection precision:

Joe Sandbox Ocean Jasper checks all samples and dropped files against ReversingLabs TitaniumCloud.

Urlscan.io Integration

Another great feature of Ocean Jasper is the urlscan.io (A sandbox for the web) integration. With the integration enabled Joe Sandbox customer will benefit from increased precision for phishing detection:

Excel Macro 4.0 Extractor and Deobfuscator

Excel 4.0 (XL4) macros are becoming increasingly popular for attackers, as security vendors struggle to play catch-up and detect them properly. We, therefore, decided to add a full extractor and deobfuscator to Joe Sandbox v29. The deobfuscated code can be found in the full report under Static - Macro 4.0:

Ocean Jasper also includes several signatures to detect malicious Excel 4.0 macros:

Enhanced Phishing Detection

We have enhanced our Phishing Detection in multiple areas. First, we added a new detection technology based on Internet Explorer cache files. The appearance of a specific image on a foreign web page is a good indicator for phishing. Thanks to the Internet Explorer caching we can easily blacklist images.

The Microsoft phishing page uses the following image resources:

In the Internet Explorer cache those resources can be easily found and blacklisted: 

Secondly, AI-based Phishing detection has been made available for Remote Assistance (Live Interaction). This enables analysts to detect phishing pages for cases where link browsing is hard to automate:

Easy submission of Malware Bundles

Sometimes analysts come across a malware sample that only runs with dependencies file, e.g. a malware.exe requiring a DLL in the same folder. Previously, analysts were required to submit cookbook for launching the malware.exe together with the DLL. With Ocean Jasper this is now becoming super easy - with a new file dialog:

Better Report Overview

We have completely redesigned the overview part of the full analyst report in Ocean Jasper. Analysts can now see all the key information at one glance:

Android 9.0 Support

Ocean Jasper comes with Android 9.0 support:

Final Words

In this blog post, we have presented the most important features of Joe Sandbox Ocean Jasper, but there are some other very interesting features on top:

• Added analysis mode to boost performance
• Added support for Windows 10 build 1903 and 1909
• Added analysis and execution of DMG pre-install scripts (Zoom)
• Added Yara scanning for unpacked AutoIt binaries
• Added download-all option to the Web interface
• Improved config extractor for Emotet
• Improved performance for Remote Assistance
• Large performance optimization for RDTSC time evasions
• Large FP optimization for phishing detection

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

New Sandbox Evasions spot in VBS samples

While hidden Macro 4.0 samples are on the rise, we recently spotted some very interesting evasive VBS samples. In this short blog post, we will look at sample files#_56117.vbs, MD5: 147091e61ec59f67ab598d26f15ad0e7 and outline some of the evasive tricks. 

An initial look at the Joe Sandbox v29 analysis reveals two evasive behavior signature hits:

In addition, there is no payload behavior, the sample shows a fake error message box and deletes itself and quits:

The two evasive signatures hits gave us enough evidence to investigate the sample further. 

ExecuteGlobal

The VBS file itself is obfuscated. Large arrays hold encrypted characters which are decrypted during runtime and executed with the VBA function ExecuteGlobal:

Deobfuscation is straight forward - simply replace ExecuteGlobal with a function to append the code to a text file, or even easier, download the AMSI output which is captured by Joe Sandbox:

It holds all the code executed by ExecuteGlobal. 

You find a complete deobfuscated version of the script for your reference here.

The executed code performs nine different evasive checks which are outlined in the next sections.

Total Disk Size Check

The VBS sample checks if the size of all disks combined is bigger than 60 GB. In addition, the code verifies if there is no empty CD-ROM drive. In case there is an empty CD-ROM drive or the total size of all disks is smaller than 60 GB the sample will quit:

To enumerate all disks it uses the WMI class Win32_LogicalDisk. Likely the authors recognized that many sandbox VMs still have an empty CD-ROM drive connected, meanwhile end-user laptops don't. The CD-ROM drive check is a new evasion method that we haven't seen before.

File Count Check

Next, a file count check follows. The sample verifies if the number of files in the user download folder is bigger than 2. The same check is executed for temporary files:

If the count of either directory is below 3 then the sample quits.

Process Name Check

Checking for debugging and reverse engineer tools is very common for many malware samples. This VBS sample has a very extensive list of debugging tools:

If one of the listed process names is found running on the system the sample quits. In addition, it also verifies that the total number of running processes is bigger than 28. This is a nice trick that has also been used by many other samples, especially VBA droppers. On a real endpoint, a user has usually opened many applications (e.g. web browser, Microsoft Office, etc) while on a VM sandbox there are no applications running. 

Country / Region Check

The sample will quit if the geographical location of Windows is Russia:

In the sample, this check is currently disabled. 

CPU Count Check

If there are less than 3 CPUs available on the system the sample quits:

Memory Check

If the total physical memory is below 1030 MB the sample quits:

Last Boot Time Check

This is a newer evasion and we haven't seen it a lot in malware samples. The sample verifies if the time the system booted is more than 10 minutes ago. Again VM sandboxes might have a much shorted last boot time.

Real end-user systems on the other hand, are rebooting the system less often.

Name and File Checks

Finally, there are also some sample name-checks that are very common. The most prominent one is to check for sample or myapp or in the current case testing:

There is also a weird additional check for microsoft.url in the temp directory. So far we have not yet found which sandbox is targeted by this check:

IOCs

• Full run of the sample - all evasions bypassed
• C&C: https://iplogger.org/1N3Ei7

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!