AnyRun
README
AnyRun
ANY.RUN is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as:
- Interactive access
- Research threats by filter in public submissions
- File and URL dynamic analysis
- Mitre ATT&CK mapping
- Detailed malware reports
Requirements
You need a valid AnyRun API integration subscription to use the analyzer. Free plan does not provide API access.
- Provide your API token as a value for the
token parameter.
- Define the privacy setting in
privacy_type parameter.
- Set
verify_ssl parameter as false if you connection requires it
Optional Parameters
AnyRun provides a number of parameters that can be modified to do additional/different analysis.
- Set the "bitness" of your runtime environment with the env_bitness parameter.
- Select which version of Windows to use by setting env_version parameter.
- Select which products to install by default with env_type parameter.
- Enable/disable networking with opt_network_connect parameter.
- Enable/disable "FakeNet" with opt_network_fakenet parameter.
- Enable/disable the TOR network with opt_network_tor parameter.
- Enable/disable MITM for https connections with opt_network_mitm parameter.
- Need a specific geolocation? use opt_network_geo parameter.
- Need to analyze something with evasion tactics? opt_kernel_heavyevasion
- Change the timeout settings with opt_timeout parameter.
- Select which folder the analysis starts in with obj_ext_startfolder parameter.
- Select which browser to use for analysis with obj_ext_browser parameter.
AnyRun_Sandbox_Analysis
Author: Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU
License: AGPL-V3
Version: 1.1
Supported observables types:
- file
- url
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://any.run/
Description
Any.Run Sandbox file analysis
Configuration
| token |
API token |
| Default value if not configured |
N/A |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| privacy_type |
Define the privacy setting (Allowed values: public, bylink, owner) |
| Default value if not configured |
bylink |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| verify_ssl |
Verify SSL certificate |
| Default value if not configured |
True |
| Type of the configuration item |
boolean |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| env_bitness |
default OS bitness; 32 or 64 |
| Default value if not configured |
32 |
| Type of the configuration item |
number |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| env_version |
Which version of Windows do you want to use by default? allowed values: "vista", "7", "8.1", "10" |
| Default value if not configured |
7 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| env_type |
How much do you want pre-installed in the runtime environment? allowed values: "clean", "office", "complete" |
| Default value if not configured |
complete |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_network_connect |
Do you want to disable networking? set false to disable |
| Default value if not configured |
True |
| Type of the configuration item |
boolean |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_network_fakenet |
FakeNet feature status; set true to enable. |
| Default value if not configured |
False |
| Type of the configuration item |
boolean |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_network_tor |
TOR using. |
| Default value if not configured |
False |
| Type of the configuration item |
Boolean |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_network_mitm |
HTTPS MITM proxy option. |
| Default value if not configured |
False |
| Type of the configuration item |
Boolean |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_network_geo |
Geo location option. Allowed values: "fastest", "AU", "BR", "DE", "CH", "FR", "KR", "US", "RU", "GB", "IT" |
| Default value if not configured |
fastest |
| Type of the configuration item |
String |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_kernel_heavyevasion |
Heavy evasion option. Default value: false |
| Default value if not configured |
False |
| Type of the configuration item |
Boolean |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| opt_timeout |
Timeout option. Size range: 10-660 |
| Default value if not configured |
60 |
| Type of the configuration item |
Number |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| obj_ext_startfolder |
Start object from. Allowed values: "desktop", "home", "downloads", "appdata", "temp", "windows", "root" |
| Default value if not configured |
temp |
| Type of the configuration item |
String |
| The configuration item can contain multiple values |
False |
| Is required |
False |
| obj_ext_browser |
Choose which browser to use. Allowed values: "Google Chrome", "Mozilla Firefox", "Opera", "Internet Explorer" |
| Default value if not configured |
Internet Explorer |
| Type of the configuration item |
String |
| The configuration item can contain multiple values |
False |
| Is required |
False |
Templates samples for TheHive
