AnyRun
ANY.RUN is a cloud-based malware sandbox service. With this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and receive a report. The service offers, among other things:
- Interactive access
- Threat research by filtering public submissions
- Dynamic analysis of files and URLs
- MITRE ATT&CK mapping
- Detailed malware reports
Requirements
You need a valid AnyRun API integration subscription to use the analyzer; the free plan does not provide API access.
- Provide your API token as the value of the token parameter.
- Define the privacy setting in the privacy_type parameter.
- Set the verify_ssl parameter to false if your connection requires it.
Optional Parameters
AnyRun provides a number of parameters that can be modified to do additional/different analysis.
- Set the "bitness" of your runtime environment with the env_bitness parameter.
- Select which version of Windows to use by setting the env_version parameter.
- Select which products to install by default with the env_type parameter.
- Enable/disable networking with the opt_network_connect parameter.
- Enable/disable "FakeNet" with the opt_network_fakenet parameter.
- Enable/disable the TOR network with the opt_network_tor parameter.
- Enable/disable MITM for HTTPS connections with the opt_network_mitm parameter.
- Need a specific geolocation? Use the opt_network_geo parameter.
- Need to analyze something with evasion tactics? Use the opt_kernel_heavyevasion parameter.
- Change the timeout settings with the opt_timeout parameter.
- Select which folder the analysis starts in with the obj_ext_startfolder parameter.
- Select which browser to use for analysis with the obj_ext_browser parameter.
AnyRun_Sandbox_Analysis
Author : Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU
License : AGPL-V3
Version : 1.1
Supported observables types :
- file
- url
Registration required : True
Subscription required : True
Free subscription : False
Third party service : https://any.run/
Description
Any.Run Sandbox file analysis
Configuration
| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| token | API token | N/A | string | False | False |
| privacy_type | Define the privacy setting (allowed values: public, bylink, owner) | bylink | string | False | True |
| verify_ssl | Verify the SSL certificate | True | boolean | False | True |
| env_bitness | Default OS bitness; 32 or 64 | 32 | number | False | False |
| env_version | Windows version to use by default; allowed values: "vista", "7", "8.1", "10" | 7 | string | False | False |
| env_type | How much is pre-installed in the runtime environment; allowed values: "clean", "office", "complete" | complete | string | False | False |
| opt_network_connect | Networking; set false to disable | True | boolean | False | False |
| opt_network_fakenet | FakeNet feature; set true to enable | False | boolean | False | False |
| opt_network_tor | Route traffic through the TOR network; set true to enable | False | boolean | False | False |
| opt_network_mitm | HTTPS MITM proxy option; set true to enable | False | boolean | False | False |
| opt_network_geo | Geolocation option; allowed values: "fastest", "AU", "BR", "DE", "CH", "FR", "KR", "US", "RU", "GB", "IT" | fastest | string | False | False |
| opt_kernel_heavyevasion | Heavy evasion option; set true to enable | False | boolean | False | False |
| opt_timeout | Timeout option; allowed range: 10-660 | 60 | number | False | False |
| obj_ext_startfolder | Folder the object starts from; allowed values: "desktop", "home", "downloads", "appdata", "temp", "windows", "root" | temp | string | False | False |
| obj_ext_browser | Browser to use; allowed values: "Google Chrome", "Mozilla Firefox", "Opera", "Internet Explorer" | Internet Explorer | string | False | False |
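The following is an added example, not the analyzer's own code, showing how the requirements and the configuration items above fit together: it merges a user-supplied configuration over the documented defaults, rejects any value outside the allowed sets (including an `opt_timeout` outside 10-660 or a missing token), and assembles the option set a file or URL submission would carry. The configuration keys are the ones on this page; the `opt_privacy_type` wire name, the `API-Key` authorization scheme and the `obj_type`/`obj_url` fields are assumptions about the ANY.RUN API and are not taken from the page. No network call is made.

```python
# Added example (not the analyzer's or ANY.RUN's code): validate the documented
# configuration items and build a submission option set. Wire-level names
# (opt_privacy_type, obj_type, obj_url, "API-Key" header) are assumptions.

ALLOWED = {
    "privacy_type": {"public", "bylink", "owner"},
    "env_bitness": {32, 64},
    "env_version": {"vista", "7", "8.1", "10"},
    "env_type": {"clean", "office", "complete"},
    "opt_network_geo": {"fastest", "AU", "BR", "DE", "CH", "FR",
                        "KR", "US", "RU", "GB", "IT"},
    "obj_ext_startfolder": {"desktop", "home", "downloads", "appdata",
                            "temp", "windows", "root"},
    "obj_ext_browser": {"Google Chrome", "Mozilla Firefox", "Opera",
                        "Internet Explorer"},
}

BOOL_KEYS = ("verify_ssl", "opt_network_connect", "opt_network_fakenet",
             "opt_network_tor", "opt_network_mitm", "opt_kernel_heavyevasion")

# Defaults exactly as listed in the configuration table above.
DEFAULTS = {
    "privacy_type": "bylink",
    "verify_ssl": True,
    "env_bitness": 32,
    "env_version": "7",
    "env_type": "complete",
    "opt_network_connect": True,
    "opt_network_fakenet": False,
    "opt_network_tor": False,
    "opt_network_mitm": False,
    "opt_network_geo": "fastest",
    "opt_kernel_heavyevasion": False,
    "opt_timeout": 60,
    "obj_ext_startfolder": "temp",
    "obj_ext_browser": "Internet Explorer",
}


class ConfigError(ValueError):
    """Raised for a missing token or a value outside the documented range."""


def validate_config(config):
    """Merge config over the documented defaults and check every item.
    Returns the merged dict; raises ConfigError on the first bad value."""
    merged = {**DEFAULTS, **config}
    token = merged.get("token")
    if not isinstance(token, str) or not token.strip():
        raise ConfigError("token is required: API access needs a paid plan")
    for key, allowed in ALLOWED.items():
        if merged[key] not in allowed:
            raise ConfigError(
                f"{key}={merged[key]!r} is not one of {sorted(map(str, allowed))}")
    for key in BOOL_KEYS:
        if not isinstance(merged[key], bool):
            raise ConfigError(f"{key} must be true or false")
    timeout = merged["opt_timeout"]
    # bool is a subclass of int, so exclude it explicitly
    if isinstance(timeout, bool) or not isinstance(timeout, int) \
            or not 10 <= timeout <= 660:
        raise ConfigError("opt_timeout must be an integer in the range 10-660")
    return merged


def build_submission(config, data_type, data):
    """Return the pieces of a submission: headers, form options, file, TLS flag.
    data_type is one of the supported observable types, "file" or "url"."""
    cfg = validate_config(config)
    if data_type not in ("file", "url"):
        raise ConfigError("supported observable types are file and url")
    options = {k: cfg[k] for k in DEFAULTS if k not in ("verify_ssl", "privacy_type")}
    options["opt_privacy_type"] = cfg["privacy_type"]  # assumed wire name
    options["obj_type"] = data_type                    # assumed wire name
    if data_type == "url":
        options["obj_url"] = data                       # assumed wire name
    return {
        "headers": {"Authorization": f"API-Key {cfg['token']}"},  # assumed scheme
        "data": options,
        "files": {"file": data} if data_type == "file" else None,
        "verify": cfg["verify_ssl"],
    }


def redact(submission):
    """Copy of a submission that is safe to log: token and sample are dropped."""
    safe = dict(submission)
    safe["headers"] = {"Authorization": "API-Key ***"}
    safe.pop("files", None)
    return safe


if __name__ == "__main__":
    # Constructed sample input: a URL submission with owner-only visibility.
    sub = build_submission({"token": "constructed-token", "privacy_type": "owner"},
                           "url", "http://example.invalid/")
    print(redact(sub))
```

Two points are worth checking before enabling this in production: `privacy_type` controls who can see the submission, and anything submitted as `public` becomes part of the public submissions others can search, so keep the default `bylink` or `owner` unless disclosure is acceptable; and setting `verify_ssl` to false removes certificate checking on the connection that carries your API token, so it belongs only on a connection you have deliberately intercepted (for example through an inspecting proxy you control).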
Templates samples for TheHive
November 8, 2024 10:11:36