Welcome to ANY.RUN! This crash course will walk you through the basics of using our interactive sandbox to help you achieve your malware analysis goals.
Let’s get started!
About ANY.RUN
ANY.RUN is an online sandbox for interactive malware research. The service delivers a comprehensive and instant analysis of cybersecurity threats, while allowing users to engage with potentially malicious samples in real time within a safe virtual machine (VM) environment.
The sandbox solves a host of problems related to malware analysis, as it:
- Simplifies SOC/DFIR operations by providing valuable data for threat detection and elimination
- Saves clients resources by offering a more affordable alternative to on-premises VMs
- Makes cybersecurity more accessible with an intuitive interface that is easy to grasp for both students and seasoned experts alike
Now, let’s dive into the platform’s interface.
Setting up your account
Step 1: Sign up
Get started with ANY.RUN
Analyze malware with no limit inside fully interactive Windows VMs to collect fresh IOCs.
Use your business email to register.
For non-business email users, use the #verification channel on our Discord server to request a free ANY.RUN account.
Step 2: Choose your subscription plan
After logging in to your account, you will be greeted by the dashboard page. From there, you can go to your Profile settings to choose your subscription plan.
We offer a free Community plan that provides you with a wide range of tools for thorough analysis.
However, if you require a more advanced level of malware analysis, our paid plans are the ideal choice.
Learn more: ANY.RUN plans.
With your account all set-up and firing on all cylinders, it is time you get started with your first task.
Setting up a virtual machine for malware analysis
In order to set up a virtual machine (VM) for malware analysis in ANY.RUN, you need to create a new task.
Access an interactive tutorial by visiting the FAQ page‘s Tutorials tab and clicking the “How to analyze threats” button.
In case you prefer written instructions, continue reading this article and follow these steps:
Step 1: Open the task window
Launch your task in two clicks
Click the New Task button on the left sidebar to open the task window.
Step 2: Choose an analysis mode
Switch to the Pro mode to customize your VM environment
The newly opened task window will be set to the User Mode by default, which lets you quickly analyze your file or link but limits your VM settings to only choosing a Windows version.
To open the rest of the VM customization features, enable the Pro Mode by pressing the respective button on top of the task window.
Step 3: Configure the VM
Open tooltips to explore every VM setting available to you
In the Pro mode, you can fine-tune your analysis environment. Click on the question mark icon in the top right corner to access tooltips with detailed explanations of each setting.
After completing the VM setup, begin your analysis by pressing the Run a Private/Public Task button.
Learn more: Guide to Creating a Task in ANY.RUN.
Analyzing malware
Once your task is launched, you will be taken to a page where you will be able to analyze your sample in real time and, once it is done, review the findings of the investigation.
Try advanced malware analysis with ANY.RUN
Request a free trialHere are the things you can perform as part of your analysis:
Interact with the sample
ANY.RUN enables you to manually interact with your sample in a VM environment like you would on a normal computer.
You can run programs, open tabs in a browser, and even restart the system without delay.
Learn more: Interactive Malware Analysis.
Track network activity
You can view malware’s connections and traffic
The Network section monitors and records network activity as it is occurring and provides the following information:
- HTTP Requests: Displays details of connection requests, including URL connection response and content
- Connections: Shows other protocols that were not mentioned in HTTP Requests
- DNS Requests: Indicates the correlation between a domain name and IP address
- Threats: Detects intrusion using Suricata rules (Detection with Suricata IDS)
Use network stream analysis to expose evasive malware
You can examine traffic packet by packet using the Network stream feature, enabling you to identify unusual patterns or connections, stolen data, C2 addresses, proxies, and downloaded files.
Learn more: Analyzing the Network Stream.
Review modified files
Easily switch between the Network and Files sections
The Files Modification section lists all files used during the task execution. Click on each file’s content to access downloadable Static discovering data.
Static discovering enables you to gain insight into any file
ANY.RUN’s Static discovering feature is modular, letting you analyze a wide range of file types including PDF, LNK, ZIP, RAR, Office documents, and others.
Learn more: Static Analysis for Various File Types.
Utilize debugging
Debugging can come in handy when handling certain malware families
The Debug section displays information on how to debug the program afterward. If you happen to encounter malware like Dridex, debug output messages will be helpful in your investigation.
Inspect processes
The process tree depicts processes taking place in real time
The Processes section lays out a hierarchical view of all processes, accompanied by corresponding indicators.
Learn more: Indicators and Tags Used in ANY.RUN.
To investigate a specific process, simply click on it. This will bring up the Process details window, from which you can navigate to the Advanced details by pressing the “More Info” button.
By clicking on a process, you can discover more information on it
The Advanced details menu can help you track the timeline of any process.
Advanced details let you discover extra information about processes
Additionally, here you can download process dumps. The complete list of process details includes:
- Modified files / Files in a raw view;
- Registry changes / Registry keys;
- Synchronization;
- HTTP Requests;
- Connections;
- Network threats;
- Modules;
- Debug.
Learn more: Fast and Simple Access to Malware Details.
Access malware analysis reports
This segment contains the malware analysis data that you can download
In the top right corner, you can view the key threat information generated as part of the task, including:
Indicators of compromise (IOCs)
ANY.RUN helps you collect fresh IOCs of the latest threats
Indicators of compromise are an essential piece of information that you can use for timely detection of malware.
Learn more: Indicators of Compromise.
Malware’s configuration
ANY.RUN offers configurations for dozens of malware families
Malware configurations can include a variety of information, such as IP addresses and ports of C2 servers, malware family name, type, and version, encryption keys, anti-debugging, anti-sandbox, and other evasion methods, and much more.
Learn more: Dive into Analysis with Malware Configuration.
MITRE ATT&CK Matrix
Analyze malware and see which tactics it employs
The built-in MITRE ATT&CK Matrix allows you to view the techniques utilized by the malware with action mapping and explore each of them.
Learn more: MITRE ATT&CK Matrix.
ChatGPT insights (Available only for public tasks)
Discover AI-generated explanations of different elements detected by ANY.RUN
This feature provides you with a deeper understanding of malware’s behavior by providing AI-powered explanations of important elements, such as processes, rules, and connections.
To use this feature, simply click on the ChatGPT icon next to any important element in your report.
Learn more: Sandbox Results with ChatGPT.
Malware analysis text report
Each task contains an analytical report on the sample you provide
The sandbox generates a comprehensive report for each file and URL you analyze. It includes all of the details we mentioned earlier.
The report can be exported in your preferred format, including JSON and HTML.
Learn more: Malware Analysis Report in One Click.
Restart the task
You can always restart any task with different VM settings to test a sample in a new environment.
Working with public malware samples
Use the database to stay up-to-date on the latest threats.
In addition to analyzing your own samples, you can access ANY.RUN’s database of over 6 million malware samples submitted by users from around the world.
Learn more: How to Get Free Malware Samples and Reports.
Managing a team
All Enterprise-plan users can take advantage of the Teamwork feature that allows analysts to work together on different samples in real time.
It makes it easy to monitor your team’s activities and train junior analysts. It is also a great way to track productivity and manage large, dynamic teams.
Here are some of its benefits:
- Real-time collaboration: Analysts can join their forces, saving time and improving accuracy.
- Common task history: Team history can be configured to show all tasks, only the leader’s tasks, or only links to the leader’s tasks.
- Employee activity tracking: Team leaders can view employee activity, which can help them identify areas where training or extra resources are needed.
- Subscription management: Team leaders can manage subscriptions and assign licenses to team members.
Learn more: Teamwork.
Conclusion
ANY.RUN is your best tool for both static and dynamic malware analysis.
Run an unlimited number of tasks, explore millions of reports and malware samples, and collect valuable data by studying the ins and outs of malicious programs and links.
With our cloud-based sandbox, your threat investigations will become a walk in the park.
Unlock the full potential of ANY.RUN with a 14-day free trial!
The post Malware Analysis in ANY.RUN: The Ultimate Guide appeared first on ANY.RUN's Cybersecurity Blog.
Article Link: A Guide to Malware Analysis with a Sandbox