How to use AnyRun for in-depth malware analysis

AnyRun is an analysis application in a sandbox environment used to open suspicious files or visit websites and record the activities of applications or websites related to network or system performance. You can also subscribe to unlock even more features, but for your purposes the free version is more than enough. In this article, I will share two different ways that I use this powerful tool.

In short if you doubt a Is the application a virus?, let it run on AnyRun, one copy process analysis appears and you’ll see which components of Windows the application affects.

Research malicious code on AnyRun

The first way to use AnyRun is to study malicious code using the results of other people’s previous research. In the free version, all submissions are public. This makes AnyRun a very valuable tool for Open Source Intelligence (OSINT). We use these public assets to identify malware, extract Indicators of Compromise (IOC) and Behaviors of Compromise (BOC), and to identify threat trends. From the homepage, click on the icon that looks like dog ear shape to view research results publicly. This list is updated in real time as people submit samples for analysis. Use the filter icon to the right of the search bar to narrow your search.

Research on AnyRun

Eg: If I see a suspicious domain while tracking or searching, I can use the filter above to search for available public studies. Or if you’re interested in specific malware like Ursnif, you can find the malware by entering its name in the above fields.

Analyze malware with AnyRun

The second way to use AnyRun is analytics. If you cannot find existing studies, you can submit a URL or file for analysis. After you create your free account, click New Task. Basic mode allows you to choose your operating system and then provide a URL or upload a file for analysis. An advanced screen is available if you want to make any adjustments like auto-acknowledge UAC, Anti-evasion, Browser Type and use Fakenet or Tor. The gray option requires you to subscribe to Anyrun.

How to use AnyRun - an in-depth malware analysis website

Once everything is set up, click Run. You will then be shown real-time malware execution or access to any URL you provide.

The session will end by displaying the results of the analysis. URLs listed in the browser bar can be saved as reference or shared with others.

It’s important to note that in the free version, all running tasks are public, which means everyone else can see the results. So do not run any malware or visit any websites that you think are targeting your organization or may reveal sensitive information. You also need to be careful of two things: session timeouts and user request actions.

Session timeout

AnyRun by default will only run the virtual machine for 60 seconds. While the analysis is running, you can press Add 60s in the top right box to add 60 seconds. You only have a few time extensions with the free version. This is important because sometimes the download takes a long time or the malware author slows down the attack time to avoid automatic sandbox analysis tools. Another reason you might want more time is because you need to perform user actions.

User request action

Sometimes the malware or website you are trying to analyze will ask you to take some action. Your mouse and keyboard can be used in the virtual machine. For example, an unzipped file might have several files inside, and you’ll need to choose which one to run. Or a credential scam site may ask for your information to proceed. Be aware of these types of actions and be prepared to extend the session time if needed.

Analysis results

Regardless of whether you’ve found existing studies or created your own research sample, you’ll have a wealth of information once you’ve done your analysis.

Information

Anyrun malware analysis results

  • Sample source: environmental conditions under which the file or url is run and threats are detected.
  • IOC to list all relevant captured IOCs.
  • Sample download option.
  • Process graph to show parent-child relationships of observed processes. In this screen, you can click on any item to get more information about it.
  • ATT&CK matrix shows the techniques observed in the sample.

Process

Process

  • The related processes are listed using the full command line as parent processes and nested child processes. The icons displayed in the process ID show behaviors such as information networking, launched executables, etc.
  • Clicking on any of these brings up the details window at the bottom with additional information, warnings, and hazards.
  • The “More Info” advanced details screen shows the full command line, as well as the system-level actions of this process, such as modified files, registry changes, network traffic, and more. For example: clicking on the PowerShell process and then clicking “More Info” will bring up the Base64 encoded command.

Network

Network

  • HTTP Requests will show HTTP results, calling process, full URL, document type, and more. Clicking on one of the items displays the information, Exchangeable Image File (EXIF), Hex data, as well as a link to download the resulting data.
  • Connections shows connection by protocol, calling process, Domain/IP/ASN information, port and traffic. Clicking on one of the entries will show a Hex dump of the packet data in the network session. Here we can see things like HTTP request and response headers as well as payload data.
  • The DNS request shows the query and response.
  • Threats will have alerts triggered from a Suricata IDS instance with associated alert details.
  • The PCAP icon on the far right allows you to download a packet capture of the sample.

Files

Files

  • Modify files shows the process, full path, and filename and file type of any file created or modified.
  • Clicking on any of these will bring up the details of the file including its hash, MIME, asset preview, and even the option to download a copy.

Conclude

I use this tool every day for threat analysis and research to help build a community of threat search and ever-changing threat awareness. Finally, AnyRun has a pretty intuitive interface and I hope I’ve covered all of its extremely useful features to encourage you to give it a try.

Leave a Reply