
AnyRun#

ANY.RUN is a cloud-based interactive malware sandbox. With this analyzer, an analyst can submit a suspicious file or URL to the service and get back the analysis report. The service offers features such as:

  • Interactive access
  • Research threats by filter in public submissions
  • File and URL dynamic analysis
  • Mitre ATT&CK mapping
  • Detailed malware reports

Requirements#

You need a valid AnyRun API integration subscription to use the analyzer. The free plan does not provide API access.

  • Provide your API token as a value for the token parameter.
  • Define the privacy setting in the privacy_type parameter.
  • Set the verify_ssl parameter to false if your connection requires it (for example, behind an intercepting proxy); this disables TLS certificate checking on the connection that carries your API token.

Optional Parameters#

AnyRun provides a number of parameters that can be modified to run a different or more detailed analysis:

  • Set the "bitness" of your runtime environment with the env_bitness parameter.
  • Select which version of Windows to use by setting the env_version parameter.
  • Select which products to pre-install with the env_type parameter.
  • Enable/disable networking with the opt_network_connect parameter.
  • Enable/disable "FakeNet" with the opt_network_fakenet parameter.
  • Enable/disable the TOR network with the opt_network_tor parameter.
  • Enable/disable MITM for HTTPS connections with the opt_network_mitm parameter.
  • Need a specific geolocation? Use the opt_network_geo parameter.
  • Need to analyze something that uses evasion tactics? Enable the opt_kernel_heavyevasion parameter.
  • Change the timeout with the opt_timeout parameter.
  • Select which folder the analysis starts in with the obj_ext_startfolder parameter.
  • Select which browser to use for analysis with the obj_ext_browser parameter.

AnyRun_Sandbox_Analysis#

Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU
License: AGPL-V3
Version: 1.1
Supported observable types:
- file
- url
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://any.run/

Description#

Any.Run Sandbox file analysis

Configuration#

| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| token | API token | N/A | string | False | False |
| privacy_type | Privacy setting for the submission (allowed values: public, bylink, owner) | bylink | string | False | True |
| verify_ssl | Verify the SSL certificate | True | boolean | False | True |
| env_bitness | Default OS bitness: 32 or 64 | 32 | number | False | False |
| env_version | Windows version to use by default (allowed values: "vista", "7", "8.1", "10") | 7 | string | False | False |
| env_type | Software pre-installed in the runtime environment (allowed values: "clean", "office", "complete") | complete | string | False | False |
| opt_network_connect | Networking; set false to disable | True | boolean | False | False |
| opt_network_fakenet | FakeNet feature; set true to enable | False | boolean | False | False |
| opt_network_tor | Route traffic through the TOR network | False | boolean | False | False |
| opt_network_mitm | HTTPS MITM proxy option | False | boolean | False | False |
| opt_network_geo | Geolocation option (allowed values: "fastest", "AU", "BR", "DE", "CH", "FR", "KR", "US", "RU", "GB", "IT") | fastest | string | False | False |
| opt_kernel_heavyevasion | Heavy evasion option | False | boolean | False | False |
| opt_timeout | Timeout option; allowed range 10-660 | 60 | number | False | False |
| obj_ext_startfolder | Folder the object is started from (allowed values: "desktop", "home", "downloads", "appdata", "temp", "windows", "root") | temp | string | False | False |
| obj_ext_browser | Browser to use (allowed values: "Google Chrome", "Mozilla Firefox", "Opera", "Internet Explorer") | Internet Explorer | string | False | False |

Template samples for TheHive#

AnyRun: Short report template

AnyRun: Long report template