AnyRun
ANY.RUN is a cloud-based malware sandbox service. With this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get back a report. The service and its reports offer:
- Interactive access
- Research threats by filter in public submissions
- File and URL dynamic analysis
- Mitre ATT&CK mapping
- Detailed malware reports
Requirements
You need a valid AnyRun API integration subscription to use the analyzer. The free plan does not provide API access.
- Provide your API token as the value of the token parameter.
- Define the privacy setting in the privacy_type parameter.
- Set the verify_ssl parameter to false if your connection requires it.
Optional Parameters
AnyRun provides a number of parameters that can be modified to run additional or different analyses.
- Set the "bitness" of your runtime environment with the env_bitness parameter.
- Select which version of Windows to use with the env_version parameter.
- Select which products are installed by default with the env_type parameter.
- Enable or disable networking with the opt_network_connect parameter.
- Enable or disable "FakeNet" with the opt_network_fakenet parameter.
- Enable or disable the TOR network with the opt_network_tor parameter.
- Enable or disable MITM for HTTPS connections with the opt_network_mitm parameter.
- Need a specific geolocation? Use the opt_network_geo parameter.
- Need to analyze something that uses evasion tactics? Use the opt_kernel_heavyevasion parameter.
- Change the timeout settings with the opt_timeout parameter.
- Select which folder the analysis starts in with the obj_ext_startfolder parameter.
- Select which browser to use for the analysis with the obj_ext_browser parameter.
AnyRun_Sandbox_Analysis
Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU
License: AGPL-V3
Version: 1.1
Supported observable types:
- file
- url
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://any.run/
Description
Any.Run Sandbox file analysis
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| token | API token | N/A | string | False | False |
| privacy_type | Privacy setting for the submission (allowed values: public, bylink, owner) | bylink | string | False | True |
| verify_ssl | Verify the SSL certificate | True | boolean | False | True |
| env_bitness | Default OS bitness: 32 or 64 | 32 | number | False | False |
| env_version | Windows version to use by default (allowed values: "vista", "7", "8.1", "10") | 7 | string | False | False |
| env_type | Software pre-installed in the runtime environment (allowed values: "clean", "office", "complete") | complete | string | False | False |
| opt_network_connect | Network connectivity; set false to disable networking | True | boolean | False | False |
| opt_network_fakenet | FakeNet feature; set true to enable | False | boolean | False | False |
| opt_network_tor | Use the TOR network | False | boolean | False | False |
| opt_network_mitm | HTTPS MITM proxy | False | boolean | False | False |
| opt_network_geo | Geolocation (allowed values: "fastest", "AU", "BR", "DE", "CH", "FR", "KR", "US", "RU", "GB", "IT") | fastest | string | False | False |
| opt_kernel_heavyevasion | Heavy evasion option | False | boolean | False | False |
| opt_timeout | Analysis timeout; allowed range 10-660 | 60 | number | False | False |
| obj_ext_startfolder | Folder the object is started from (allowed values: "desktop", "home", "downloads", "appdata", "temp", "windows", "root") | temp | string | False | False |
| obj_ext_browser | Browser to use (allowed values: "Google Chrome", "Mozilla Firefox", "Opera", "Internet Explorer") | Internet Explorer | string | False | False |
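The optional parameters above and the configuration table carry allowed values, ranges and defaults that are easy to get wrong in a Cortex configuration (a wrong env_version string, a timeout outside 10-660, a non-boolean for a flag). The following Python helper is an added example, not the analyzer's or ANY.RUN's own code: it merges a user configuration over the documented defaults, rejects values outside the documented sets and range, and flags a submission whose privacy_type would make the sample visible in public submissions. The function names, the flat dictionary returned, and the treatment of token as a credential sent separately from the parameters are assumptions of this example.

```python
"""Validate AnyRun analyzer configuration values against the allowed values
documented on this page and assemble the submission parameters.

Added example, not the analyzer's or ANY.RUN's own code. Parameter names,
defaults, allowed values and the timeout range come from the configuration
table; the function names and the output shape are assumptions.
"""
from typing import Optional

# Defaults exactly as listed in the configuration table.
DEFAULTS = {
    "privacy_type": "bylink",
    "verify_ssl": True,
    "env_bitness": 32,
    "env_version": "7",
    "env_type": "complete",
    "opt_network_connect": True,
    "opt_network_fakenet": False,
    "opt_network_tor": False,
    "opt_network_mitm": False,
    "opt_network_geo": "fastest",
    "opt_kernel_heavyevasion": False,
    "opt_timeout": 60,
    "obj_ext_startfolder": "temp",
    "obj_ext_browser": "Internet Explorer",
}

# Enumerated parameters and their documented allowed values.
ALLOWED = {
    "privacy_type": {"public", "bylink", "owner"},
    "env_bitness": {32, 64},
    "env_version": {"vista", "7", "8.1", "10"},
    "env_type": {"clean", "office", "complete"},
    "opt_network_geo": {"fastest", "AU", "BR", "DE", "CH", "FR", "KR",
                        "US", "RU", "GB", "IT"},
    "obj_ext_startfolder": {"desktop", "home", "downloads", "appdata",
                            "temp", "windows", "root"},
    "obj_ext_browser": {"Google Chrome", "Mozilla Firefox", "Opera",
                        "Internet Explorer"},
}

BOOL_PARAMS = {"verify_ssl", "opt_network_connect", "opt_network_fakenet",
               "opt_network_tor", "opt_network_mitm", "opt_kernel_heavyevasion"}

TIMEOUT_RANGE = (10, 660)  # documented "Size range: 10-660"


class ConfigError(ValueError):
    """Raised when a configuration value is outside what the table documents."""


def build_params(config: dict) -> dict:
    """Merge `config` over DEFAULTS and validate every value.

    `config` mirrors the Cortex configuration items. The token is required
    to use the API at all (the free plan has no API access); it is checked
    here but not returned, on the assumption that it travels as a credential
    rather than as an analysis parameter.
    """
    if not config.get("token"):
        raise ConfigError("token is required: the free plan has no API access")

    unknown = set(config) - set(DEFAULTS) - {"token"}
    if unknown:
        raise ConfigError(f"unknown parameter(s): {sorted(unknown)}")

    params = dict(DEFAULTS)
    params.update({k: v for k, v in config.items() if k != "token"})

    for name, allowed in ALLOWED.items():
        if params[name] not in allowed:
            raise ConfigError(
                f"{name}={params[name]!r} not in {sorted(map(str, allowed))}")
    for name in BOOL_PARAMS:
        if not isinstance(params[name], bool):
            raise ConfigError(f"{name} must be a boolean")
    lo, hi = TIMEOUT_RANGE
    timeout = params["opt_timeout"]
    if isinstance(timeout, bool) or not isinstance(timeout, int) or not lo <= timeout <= hi:
        raise ConfigError(f"opt_timeout must be an integer in {lo}-{hi}")
    return params


def validate(config: dict) -> Optional[str]:
    """Return the error message for a bad config, or None when it is acceptable."""
    try:
        build_params(config)
    except ConfigError as exc:
        return str(exc)
    return None


def privacy_warning(params: dict) -> Optional[str]:
    """Warn when the chosen privacy_type publishes the sample: 'public' tasks
    are searchable by anyone in public submissions, 'bylink' and 'owner' are not."""
    if params["privacy_type"] == "public":
        return "privacy_type=public: sample and report will appear in public submissions"
    return None


if __name__ == "__main__":
    # Constructed sample configuration with a placeholder token.
    sample = {"token": "PLACEHOLDER_TOKEN", "env_bitness": 64,
              "env_version": "10", "opt_timeout": 120}
    print(build_params(sample))
    print(validate({"token": "PLACEHOLDER_TOKEN", "opt_timeout": 700}))
```

The validation runs before anything is sent, so a misconfiguration surfaces as a clear error in the analyzer report rather than as a rejected or silently defaulted submission on the service side; the privacy check is worth wiring into the same path because public submissions are exactly what the "research threats by filter in public submissions" feature exposes to other users.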
Templates samples for TheHive

