{
	"id": "dd7c1ec7-0195-4e1a-bfdc-8177b8e42160",
	"created_at": "2026-04-06T00:19:35.721763Z",
	"updated_at": "2026-04-10T13:12:10.615054Z",
	"deleted_at": null,
	"sha1_hash": "a7aaf2936544f6a03560852836313db4ed69d7d5",
	"title": "There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 939783,
	"plain_text": "There Is More Than One Way to Sleep: Dive Deep Into the\r\nImplementations of API Hammering by Various Malware Families\r\nBy Mark Lim, Riley Porter\r\nPublished: 2022-06-24 · Archived: 2026-04-05 19:58:28 UTC\r\nExecutive Summary\r\nUnit 42 has discovered Zloader and BazarLoader samples that had interesting implementations of a sandbox\r\nevasion technique. This blog post will go into details of the unique implementations of API Hammering in these\r\ntypes of malware. API Hammering involves the use of a massive number of calls to Windows APIs as a form of\r\nextended sleep to evade detection in sandbox environments.\r\nSandboxing is a popular technique used to detect whether a sample is malicious. A sandbox analyzes the behaviors of the\r\nbinary as it executes inside a controlled environment. Sandboxes have to deal with many challenges while\r\nanalyzing a large number of binaries with limited computing resources. Malware sometimes abuses these\r\nchallenges by “sleeping” in the sandbox before carrying out malicious procedures to hide its real intentions.\r\nPalo Alto Networks customers receive protections from malware families using evasion techniques through\r\nCortex XDR or the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions.\r\nCommon Ways for Malware to Sleep\r\nThe most common way for malware to sleep is to simply call the Windows API function Sleep. A sneakier way\r\nthat we often see is the Ping Sleep technique, where the malware constantly sends ICMP network packets to an IP\r\naddress (ping) in a loop. Sending and receiving such useless ping messages takes a certain amount of time, so the\r\nmalware indirectly sleeps. However, all these methods are easily detected by many sandboxes.\r\nWhat Is API Hammering?\r\nAPI Hammering has been a known sandbox bypass technique that is sometimes used by malware authors to evade\r\nsandboxes. We’ve recently observed Zloader – a dropper for multiple types of malware – and the backdoor\r\nBazarLoader using new and unique implementations of API Hammering to remain stealthy.\r\nAPI Hammering consists of a large number of garbage Windows API function calls. The execution time of these\r\ncalls delays the execution of the real malicious routines of the malware. This allows the malware to indirectly\r\nsleep during the sandbox analysis process.\r\nAPI Hammering in BazarLoader\r\nAn older variant of BazarLoader made use of a fixed number (1550) of printf function calls to time out malware\r\nanalysis. While analyzing a newer version of BazarLoader, we found a new and more complex implementation of\r\nhttps://unit42.paloaltonetworks.com/api-hammering-malware-families/\r\nPage 1 of 9\n\nAPI Hammering.\r\nThe following decompiled procedure shows how this new variant is implemented in the BazarLoader sample we\r\nanalyzed. It makes use of a huge loop with a random count that repeatedly accesses a list of random registry keys\r\nin Windows.\r\nFigure 1. API Hammering loop in BazarLoader.\r\nTo generate the random loop count and list of registry keys, the sample reads the first file from the System32\r\ndirectory that matches a defined size. This file is then encoded (see Figure 2) to remove most of its null bytes. The\r\nrandom count is then computed based on the offset of the first null byte in that file. The list of random registry\r\nkeys is generated from fixed-length chunks of the encoded file.\r\nFigure 2. Encoding the selected file in BazarLoader.\r\nWith a different Windows version (Windows 7, 8, etc.) and a different set of applied updates, there is also a\r\ndifferent set of files in the System32 directory. This results in a varying loop count and list of registry keys used by\r\nBazarLoader when executed on different machines.\r\nThe API Hammering function is located in the packer of the BazarLoader sample (see Figure 3). It delays the\r\npayload unpacking process to evade detection of the aforementioned payload. Without completing the unpacking process,\r\nthe BazarLoader sample would appear to be just accessing random registry keys, a behavior that can also be seen\r\nin many legitimate types of software.\r\nFigure 3. API Hammering delaying the unpacking process in BazarLoader.\r\nAPI Hammering in Zloader\r\nWhile the BazarLoader sample relied on a loop to carry out API Hammering, Zloader uses a different approach. It\r\ndoes not require a huge loop, but instead consists of 4 large functions which contain nested calls to multiple other\r\nsmaller functions (see Figure 4).\r\nFigure 4. One of the large functions responsible for API Hammering in Zloader.\r\nInside each of these small procedures are four API function calls related to file I/O. The functions are\r\nGetFileAttributesW, ReadFile, CreateFileW and WriteFile (see Figure 5).\r\nFigure 5. One of the small functions responsible for API Hammering in Zloader.\r\nBy using a debugger, we could figure out the number of calls made to the four file I/O functions (see Figure 6). The\r\nlarge and smaller functions together generate more than a million function calls in total, without the use of a single\r\nlarge loop as seen in BazarLoader.\r\nFigure 6. Debugger log for APIs responsible for API Hammering in Zloader.\r\nThe following table shows the API function call counts made during our analysis process:\r\nI/O API function Total Call Count\r\nReadFile 278,850\r\nWriteFile 280,921\r\nGetFileAttributesW 113,389\r\nCreateFileW 559,771\r\nTable 1. API function call counts.\r\nThe execution time of the four large functions delays the injection of the Zloader payload. Without complete\r\nexecution of these functions, the sample would appear to be a benign sample just carrying out file I/O operations.\r\nThe following disassembled code shows the four API hammering procedures followed by the injection\r\nprocedures:\r\nFigure 6. API Hammering before payload injection in Zloader.\r\nConclusion: WildFire vs API Hammering\r\nResults from analyzing various implementations of API Hammering enabled the detection of malware samples\r\nusing API Hammering for sandbox evasion in WildFire. WildFire detects the use of API Hammering by\r\nBazarLoader, Zloader, and other malware families.\r\nThe following excerpt from the WildFire report of our BazarLoader sample shows the detected entry for API\r\nHammering.\r\nFigure 7. WildFire detected API Hammering along with other behaviors in a BazarLoader sample.\r\nPalo Alto Networks customers receive further protections against other malware families using similar sandbox\r\nevasion techniques through Cortex XDR or our Next-Generation Firewall with WildFire and Threat Prevention\r\nsecurity subscriptions.\r\nIndicators of Compromise\r\nBazarLoader Sample\r\nce5ee2fd8aa4acda24baf6221b5de66220172da0eb312705936adc5b164cc052\r\nZloader Sample\r\n44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b\r\nSource: https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/api-hammering-malware-families/"
	],
	"report_names": [
		"api-hammering-malware-families"
	],
	"threat_actors": [],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7aaf2936544f6a03560852836313db4ed69d7d5.pdf",
		"text": "https://archive.orkl.eu/a7aaf2936544f6a03560852836313db4ed69d7d5.txt",
		"img": "https://archive.orkl.eu/a7aaf2936544f6a03560852836313db4ed69d7d5.jpg"
	}
}