From 4ae36941eaa53429899bdfda2f2bf80c77e15a26 Mon Sep 17 00:00:00 2001
From: Hardy-Cooper <Kevin.Hardy-Cooper@cyber.gc.ca>
Date: Wed, 18 Nov 2020 13:54:55 -0500
Subject: [PATCH 1/2] Adding a result section that lets the analyst know that
 the api calls in report.json have been limited

---
 cuckoo/cuckooresult.py | 38 +++++++++++++++++++++++++++++++++++++-
 cuckoo/signatures.py   |  3 ++-
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/cuckoo/cuckooresult.py b/cuckoo/cuckooresult.py
index c259150..bb9e098 100644
--- a/cuckoo/cuckooresult.py
+++ b/cuckoo/cuckooresult.py
@@ -162,6 +162,16 @@ def process_behaviour(behaviour: dict, al_result: Result, process_map: dict, sys
         process_tree_section.body_format = BODY_FORMAT.PROCESS_TREE
         al_result.add_section(process_tree_section)
 
+    # Gathering apistats to determine if calls have been limited
+    apistats = behaviour["apistats"]
+    # Get the total number of api calls per pid
+    api_sums = {}
+    for pid in apistats:
+        api_sums[pid] = 0
+        process_apistats = apistats[pid]
+        for api_call in process_apistats:
+            api_sums[pid] += process_apistats[api_call]
+
     # Get information about processes to return as events
     processes = behaviour["processes"]
     if sysmon_procs:
@@ -180,18 +190,44 @@ def process_behaviour(behaviour: dict, al_result: Result, process_map: dict, sys
             item["first_seen"] = datetime.datetime.strptime(item.pop("timestamp"), "%Y-%m-%d %H:%M:%S.%f").timestamp()
         pids_from_sysmon_we_need = list(set(sysmon_pids) - set(cuckoo_pids))
         processes = processes + [i for i in sysmon_procs if i["pid"] in pids_from_sysmon_we_need]
+
+    limited_calls_section = ResultSection(title_text="Limited Process API Calls")
+    limited_calls_table = []
     for process in processes:
+        pid = str(process["pid"])
+
+        # if the number of calls made by process does not add up to the number recorded
+        # in apistats, then it is assumed that the api calls were limited
+        num_process_calls = len(process["calls"])
+        if num_process_calls > 0:
+            pid_api_sums = api_sums.get(pid, -1)
+            if pid_api_sums > num_process_calls:
+                limited_calls_table.append({
+                    "name": process["process_name"],
+                    "api_calls_made_in_detonation": pid_api_sums,
+                    "api_calls_included_in_report": num_process_calls
+                })
+
         if slist_check_app(process["process_name"]) and process["calls"] == []:
             continue  # on to the next one
         process_struct = {
             "timestamp": datetime.datetime.fromtimestamp(process["first_seen"]).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3],
-            "process_name": process["process_name"] + " (" + str(process["pid"]) + ")",
+            "process_name": process["process_name"] + " (" + pid + ")",
             "image": process["process_path"] if process.get("process_path") else process["process_name"],
             "command_line": process["command_line"]
         }
 
         # add process to events list
         events.append(process_struct)
+    if len(limited_calls_table) > 0:
+        limited_calls_section.body = json.dumps(limited_calls_table)
+        limited_calls_section.body_format = BODY_FORMAT.TABLE
+        descr = f"For the sake of service processing, the number of the following " \
+                f"API calls has been reduced in the report.json. The cause of large volumes of specific API calls is " \
+                f"most likely related to the anti-sandbox technique known as API Hammering. For more information, look " \
+                f"to the api_hammering signature."
+        limited_calls_section.add_subsection(ResultSection(title_text="Disclaimer", body=descr))
+        al_result.add_section(limited_calls_section)
 
     log.debug("Behavior processing completed.")
     return events
diff --git a/cuckoo/signatures.py b/cuckoo/signatures.py
index 9e9d145..02b9771 100644
--- a/cuckoo/signatures.py
+++ b/cuckoo/signatures.py
@@ -525,7 +525,8 @@
   "network_http": "C2",
   "process_needed": "Suspicious Execution Chain",
   "winmgmts_process_create": "WMI",
-  "dll_load_uncommon_file_types": "Suspicious DLL"
+  "dll_load_uncommon_file_types": "Suspicious DLL",
+  "api_hammering": "Anti-sandbox"
 }
 
 CUCKOO_SIGNATURE_CATEGORIES = {

From 5a596dc0e2015688958489e1fd8ce53641c314ca Mon Sep 17 00:00:00 2001
From: Hardy-Cooper <Kevin.Hardy-Cooper@cyber.gc.ca>
Date: Wed, 18 Nov 2020 16:18:03 -0500
Subject: [PATCH 2/2] Little change to column name

---
 cuckoo/cuckooresult.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cuckoo/cuckooresult.py b/cuckoo/cuckooresult.py
index bb9e098..cda6db6 100644
--- a/cuckoo/cuckooresult.py
+++ b/cuckoo/cuckooresult.py
@@ -204,7 +204,7 @@ def process_behaviour(behaviour: dict, al_result: Result, process_map: dict, sys
             if pid_api_sums > num_process_calls:
                 limited_calls_table.append({
                     "name": process["process_name"],
-                    "api_calls_made_in_detonation": pid_api_sums,
+                    "api_calls_made_during_detonation": pid_api_sums,
                     "api_calls_included_in_report": num_process_calls
                 })