# TrickBot's new API-Hammering explained **joesecurity.org/blog/498839998833561473** As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works. [The full analysis report of the TrickBot variant is available here.](https://www.joesandbox.com/analysis/244612/0/html) ## Two Stage API Hammering Right after the entry point, the sample tries to load taskmgr.exe as a DLL: This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Next, it performs a massive printf loop - the first stage. Since before the loop FreeConsole has been called all printf calls do basically nothing: ----- [This code has been directly copied from the documentation of printf:](https://www.codingunit.com/printf-format-specifiers-format-conversions-and-formatted-output) ----- So what is the purpose of those numerous printf loops? Well, sandboxes are designed to log all behavior including the 1.8M calls. As a result, the massive amount of calls delay the execution process and overload the sandbox with junk data. As a result, the final payload is never called. This behavior is called API Hammering. API Hammering is not a new technique, we have [already seen it several years ago e.g. in the Nymaim Loader. Joe Sandbox detects the API](https://www.joesecurity.org/blog/3660886847485093803) hammering successfully and rates it as malicious: Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps: ----- Again, the purpose is to overload the sandbox and delay the execution. This time however the all calls are valid. ## WERMGR Finally, when this loop is passed, the sample starts and injects TrickBot (by using directly Nt* APIs) into legit wermgr.exe - the process responsible for Windows error handling and reporting: ----- It s noticeable that a 32bit sample is able to inject successfully into 64bit wermgr.exe on a Windows 64bit. In wermgr.exe TrickBot fully unpacks itself: This enables Joe Sandbox to successfully detect TrickBot and extract full configurations: ----- ## Conclusion In contrast to many other evasions, API Hammering is one of the more interesting techniques since it directly exploits the design of a sandbox. No matter what technology your favorite sandbox uses it has to handle API Hammering correctly ----- You are interested to get a list of other evasive malware analyses? Check out these other blogs: [New Sandbox Evasions spot in VBS samples](https://www.joesecurity.org/blog/745788703303246608) [Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor](https://www.joesecurity.org/blog/9048980422564630717) [Fighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation](https://www.joesecurity.org/blog/5351089351831994293) [Malicious Documents: The Evolution of country-aware VBA Macros](https://www.joesecurity.org/blog/5125095978168980460) or [this extensive list of evasive samples.](https://www.joesecurity.org/joe-sandbox-reports-evasive) [Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or](https://www.joesandbox.com/) [contact us for](https://www.joesecurity.org/contact) an in-depth technical demo! -----