We covered dynamic malware analysis through monitoring and logging of API calls, using tools such as API Logger and API Monitor. This was part of the TryHackMe Basic Dynamic Analysis room.
The Windows OS abstracts the hardware and provides an Application Programming Interface (API) for performing all tasks. For example, there is an API for creating files, an API for creating processes, an API for creating and deleting registry keys, and so on. Therefore, one way to identify malware behaviour is to monitor which APIs a malware sample calls. The names of the APIs are generally self-explanatory; however, the Microsoft documentation can be consulted for details about any API.
API Logger
The API Logger is a simple tool that provides basic information about the APIs called by a process.
To start a new process under the logger, we click the highlighted three-dot menu. A file browser then lets us select the executable whose API calls we want to monitor. Once we have selected the executable, we click ‘Inject & Log’ to start the API logging process.
We can see the PID of the process we monitor and the API called, with basic information about the call in the ‘msg’ field. To log the API calls of an already running process instead, we click the ‘PID’ menu. This window lists running processes with their PIDs, the user that started each process, and the image path of the process. From there, the steps are the same as when starting a new process.
API Monitor
The API Monitor provides more advanced information about a process’s API calls. API Monitor has 32-bit and 64-bit versions for 32-bit and 64-bit processes, respectively.
As we can see, API Monitor has multiple tabs:
- This tab is a filter for the API group we want to monitor. For example, we have a group for ‘Graphics and Gaming’ related APIs, another for ‘Internet’ related APIs and so on. API Monitor will only show us APIs from the group we select from this menu.
- This tab shows the processes being monitored for API calls. We can click the ‘Monitor New Process’ option to start monitoring a new process.
- This tab shows the API call, the Module, the Thread, Time, Return Value, and any errors. We can monitor this tab for APIs called by a process.
- This tab shows running processes that API Monitor can monitor.
- This tab shows the Parameters of the API call, including the values of those Parameters before and after the API calls.
- This tab shows the Hex buffer of the selected value.
- This tab shows the Call Stack of the process.
- Finally, this tab shows the Output.
We see that API Monitor provides us with much more information about API calls by a process than API Logger. However, we must slow down the analysis process to digest all this information. When analyzing malware, we can decide whether to use API Logger or API Monitor based on our needs. Please head to the Introduction to Windows API room to learn more about API calls.
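As an added example (not code from the room, from API Logger or from API Monitor), here is a small Python triage helper that applies the idea above: it parses a constructed API-call log in a made-up PID/API/msg format, maps each API name to the behaviour it reveals, and keeps calls in log order so the first file, process, mutex or URL the sample touched can be read off directly. Real exports from either tool use their own formats, so the parser regex is the part to adapt.

```python
# Added example, not code from the room or from API Logger / API Monitor. The
# log format is constructed: PID<TAB>API<TAB>msg; adapt LINE_RE to a real export.
import re
from collections import defaultdict
# API families and the behaviour each reveals; prefixes match the A/W variants.
BEHAVIOUR_PREFIXES = {
    "file": ("CreateFile", "WriteFile", "DeleteFile", "MoveFile", "CopyFile"),
    "process": ("CreateProcess", "ShellExecute", "WinExec", "CreateRemoteThread"),
    "registry": ("RegCreateKey", "RegSetValue", "RegDeleteValue", "RegOpenKey"),
    "mutex": ("CreateMutex", "OpenMutex"),
    "network": ("InternetOpen", "InternetConnect", "HttpSendRequest", "WinHttp", "WSAConnect"),
}
LINE_RE = re.compile(r"^(?P<pid>\d+)\t(?P<api>[A-Za-z0-9_]+)\t(?P<msg>.*)$")

def classify(api):
    """Map an API name to a behaviour category ('other' if not in the table)."""
    for behaviour, prefixes in BEHAVIOUR_PREFIXES.items():
        if api.startswith(prefixes):
            return behaviour
    return "other"

def parse_log(text):
    """Parse call records in log order; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append({"pid": int(m["pid"]), "api": m["api"],
                          "msg": m["msg"], "behaviour": classify(m["api"])})
    return calls

def summarize(calls):
    """Group calls by behaviour in log order; entry [0] is the first of each kind."""
    grouped = defaultdict(list)
    for call in calls:
        grouped[call["behaviour"]].append(call)
    return dict(grouped)

def mask_digits(name):
    """Normalise names that embed random numbers (e.g. mutex names)."""
    return re.sub(r"\d", "X", name)
# Constructed sample log: PID, paths, URL and mutex name are all made up.
SAMPLE_LOG = """\
1234\tCreateMutexW\tlpName=Global\\Sample_4242
1234\tCreateFileW\tlpFileName=C:\\example\\dropped.bin dwDesiredAccess=GENERIC_WRITE
1234\tInternetOpenUrlW\tlpszUrl=http://example.invalid/update.php
1234\tCreateProcessW\tlpApplicationName=C:\\example\\dropped.bin
status line that is not a call record
"""
```

Calling `summarize(parse_log(SAMPLE_LOG))` and reading entry `[0]` of each list answers the "first URL / first process / first mutex" style of question from a log, and `mask_digits` normalises names that embed random numbers.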
Room Answers
~Desktop\Samples\1.exe using ProcMon. This sample makes a few network connections. What is the first URL on which a network connection is made?
What network operation is performed on the above-mentioned URL?
What is the name with the complete full path of the first process created by this sample?
~Desktop\samples\1.exe creates a file in the C:\ directory. What is the name with the full path of this file?
What API is used to create this file?
In Question 1 of the previous task, we identified a URL to which a network connection was made. What API call was used to make this connection?
We noticed in the previous task that after some time, the sample’s activity slowed down such that there was not much being reported against the sample. Can you look at the API calls and see what API call might be responsible for it?
What is the name of the first Mutex created by the sample ~Desktop\samples\1.exe? If there are numbers in the name of the Mutex, replace them with X.
Is the file signed by a known organization? Answer with Y for Yes and N for No.
Is the process in the memory the same as the process on disk? Answer with Y for Yes and N for No.
~Desktop\Samples\3.exe using Regshot. There is a registry value added that contains the path of the sample in the format HKU\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXX-XXX\. What is the path of that value after the format mentioned here?