Windows API, in short, the WinAPI, is a set of functions and procedures, which can abstract much of the tasks you perform everyday on the Windows OS. The Application Programming Interface (API) calls exposes these functions to programmers to make use of procedures when writing one of your own isn’t the most effective.

Although the API calls are a bit hard to work with, they can still help you achieve much of what you’d like, without further coding. For example, you can call the API call ‘RegSetValueA’ in order to set the value of a registry key (which should be in a text format).

Although their legitimate use is great, the exact opposite is possible as well. Malware writers make use of these API calls to interact with the OS and perform nefarious tasks.

With this article, I’ll help you analyze a particular malware sample, along with the identification of a few API calls, and see if we can further identify the behavior of that particular malware sample. Let’s get to it!

Fetch the Sample

First, let’s head over to the amazing malware repository (amongst several others) at theZoo, managed by ytisf.

I’ve downloaded the malware sample for Kovter, a malware that initially started off as a police ransomware and then evolved into a click-fraud malware.

Let’s analyze the sample and see if we can pick apart the Windows API calls which are utilized by this malware sample.

Static Analysis: Kovter

I’ll skip past the usuals we perform for static analysis. I’ll run it through PEStudio, the PE header analyze, that’s capable of much more. Fortunately, it also provides us the libraries and imports which are used by the file.

Let’s open it up and see it in detail. The file name is “PDFXCView.exe” which appears to be a PDF Viewer of some sorts, but we’ll know for sure once we get started. Here’s an overview of the libraries which are imported by this executable:

Overview from PEStudio

Here’s a list of a few libraries which are imported by this executable:

API CallDescription
ws2_32.dllWindows Sockets 2 - Holds networking functions, spawns network connections, and manages connections
wininet.dllInternet Extensions - Access Internet resources by means of interacting with several protocols e.g. HTTP, FTP
version.dllVersion Checking and File Installation - Returns version information for specified files
kernel32.dllWindows NT Base API - Holds core functionality e.g. manipulation of files, memory, and hardware
user32.dllMulti-user Windows User API - Holds user interfaces components
advapi32.dllAdvanced Windows32 Base API - Holds advanced Windows components with access to the registry, security calls, system state, and services
shell32.dllWindows Shell - Holds functions related to the Windows Shell

Before you move forward with it, pick apart the libraries which are going to be useful in the analysis and could actually be utilized by a malware. Some libraries will often be imported for the successful operation of the program in Windows (often useless for the analysis).

Identified API Calls and Imports

Each library has several calls being imported. The import count for this executable is 367. The blacklisted API count is 114, as per PEStudio. Going through all of these is going to take loads of time.

Fortunately, PEStudio groups the API calls with which you can identify the usage of the call itself. But before we start with them, let’s go over the conventions these API calls follow.

API Call Convention

Windows API Calls which are involved with text manipulation are often appended with ‘A’ or ‘W’. The ‘A’ is used to identify functions which work with ANSI strings as input(s) and output(s). The ‘W’ is used to identify functions which work with Unicode strings as input(s) and output(s). By the way, Windows also has native support for Unicode strings, because they’re widely supported and work well with several languages and character sets.

Similarly, the ‘Ex’ at the end of several API calls standards for ‘Extended’ - as in an extension of functionality along with a more detailed interface. For example, the import ‘CreateFile’ works with 4 parameters, whereas the ‘CreateFileEx’ call works with 17 parameters, which much more detail as you can imagine based on the increase in parameters count.

Continuining with the Calls

Here’s a list of the most intriguing API calls, which aren’t most frequently found in Windows programs either:

Registry API Calls

The following pair of API calls can be used to manage the registry, modify the values, and spawn other keys as well. This behavior is particularly useful to identify persistence via the registry. Other than that, almost every configuration and setting is stored in the Registry. You’re likely to find the registry keys for services or other paths used by the malware if you monitor these calls.

API CallDescription
RegSetValueExSet the data-type and value of a certain registry key
RegCreateKeyExCreate a registry key
RegEnumKeyExExtract the data-type and value of a specific registry key
RegQueryValueExGet the data-type and value of a specific registry key
RegOpenKeyExOpen a specific key
RegCloseKeyClose the open handle to the specified registry key
RegEnumValueEnumerate through the values from a given registry key path

Threads and Processes

Monioring processes and threads for unknown activity is also important. Often, malware spawn processes and threads to carry out several tasks without being noticed.

API CallDescription
CreateProcessCreate a new process along with threads
GetCurrentProcessRetrieve a pseudo-handle for a process
GetCurrentProessIdRetrieve the key process identifier
CreateThreadCreate a thread within a process
SetThreadPriority/GetThreadPrioritySet and retrieve the priority for the thread within the context of a process
GetProcessTimesRetrieves the timing information about the process
ExitProcessExit a process and the threads it spawned

System Information

API calls can also extract system information, which is of much use to a malware. This information particularly identifies a system. The actor can even exfiltrate this data out by means of C2 communication.

API CallDescription
GetFileVersionInfoRetrieves the information about a particular file
GetFileVersionInfoSizeChecks whether retrieval of information is possible and returs size, if true
GetSystemMetricsReturns the informationn about a particular metric or configuration. Several values are available to the user, along with the option to pass it as a parameter
GetSystemInfo/GetNativeSystemInfoRetrieves system information
IsDebuggerPresentIdentifies a user-mode debugger on the excecutable
QueryPerformanceCounterGet the current value of the performance monitor

Files

File-based API calls accumulate to a large count. But, just going through the list, I can pick a few apart which are extremely sketchy (especially for an executable that pretends to be a PDF viewer).

API CallDescription
DeleteFileDelete an existing file
GetFileTypeRetrieve the type of the file
MoveFileMove the file from one location to another
GetFileAttributesRetrieve the attributes of the specified file
CopyFileCopy the file from one location to another
FindFirstFileExSearch a file with information
GetFileSizeRetrieves the size of the specified file
ReadFileRead data from the I/O device or a file

Keyboard, Mouses, and Input Devices

Quite obviously, its API calls which are used to send input data to the processor and so on. These API calls are also used by malware (especially keyloggers) with the intent to steal data from a computer and dispatch it away. Here’s a list of API calls found in this sample:

API CallDescription
EnableWindowAbility to enable or disable keyboard or mouse input to the said Window
GetAsyncKeyStateIdentify the state of the keys (pressed or released)

Cryptography

There’s also evidence of some cryptographic API calls being loaded with the executable. These can indeed encrypt the data and hide it from the user’s eyes before sending it off to the HTTP server (yes, we’ll go over the networking API calls next). Here’s a list of those API calls:

API CallDescription
CryptDeriveKeyGenerates cryptographic session keys
CryptEncryptEncrypts data
CryptDecryptDecrypts data which is encrypted by CryptEncrypt
CryptCreateHashObtain handle to the hash object for the encryption function (passed off as a parameter). Also initiates the hashing of a stream of data
CryptHashDataAdds the data to a specified hash object

Networking

Lastly, the Windows Sockets library imports several functions and API calls which are key to spawn connections and used by the malware for C2 communication.

API CallDescription
HttpQueryInfoRetrieve headers related to HTTP requests
HttpSendRequestExSend request to a web server
HttpEndRequestBreak communication with a web server
HttpOpenRequestSpawn an HTTP request handle
InternetConnectAOpen an FTP or HTTP session for a website
InternetGetConnectedStateRetrieves the connection state for the system
InternetSetOptionAChange Internet options
InternetWriteFileWrite data to an Internet file whose handle has already been acquired
InternetCrackUrlADivide the URL into parts
InternetSetStatusCallbackAFunctions made during a state change or progress during an operation

Our Hypothesis

Listing down API calls by groups wasn’t very useful on its own. But, this can help us identify the behavior of the malware by checking out the calls it makes or could make if an opportunity arises.

Starting from system versioning and file version information using version.dll. The API calls clearly suggest the program is capable of retrieving system information, which includes the information on files, the system itself, and whether a debugger is present or not. The last one is perhaps the most important. If the executable is under debugging in user-mode, the API call will yield true and the program can behave differently based on that. This is sketchy behavior!

Secondly, it has much control over the files in the system - the ability to move, create, delete, copy? This clearly suggests the malware would be capable of copying itself elsewhere for evasion and persist itself. But that wouldn’t be on itself would it? It also has access to the registry keys. Say just the Run keys are modified. Just that and the malware could achieve persistence.

Thirdly, the input modifying API calls are capable of collecting keystrokes and information about the key state. This behavior is particularly suggestive of a keylogger. The data could be collected and encrypted using the cryptography module. Then, it could be shipped off by means of POST requests to the actor’s setup web server. This initiates the C2 server communication.

Conclusion

In conclusion, API calls speak much about the malware. They’re a good source to start at if you’re statically analyzing a malware without digging deep. Though in case of packed malware, this approach could require a little digging and that’s for another lecture.

Point being, you should start off with important factors like these calls to identify what you’re dealing with. Till next time, ciao!