Interactive Analysis with ANY.RUN

ANY.RUN is undoubtedly one of my favourite tools when I am investigating a sample of malware. Whether it’s for searching for additional samples, trying to get a basic overview of malware functionality, or even gathering IOC’s, ANY.RUN is an extremely useful asset to have in your malware analysis arsenal. The aim of this post is to explain how to use it effectively, in order to gather as much information as possible from it. I am also very excited to say that we have partnered with ANY.RUN, to provide an exclusive plan and many other benefits to students of the Zero2Automated malware analysis course, to enhance the learning of different topics. You can find out more about this exclusive offer here!

To cover the basics of interactive analysis with ANY.RUN, I’ve chosen a sample of Emotet to focus on. If you want to follow along, you can grab the sample here (An ANY.RUN account is required to download the sample, however you can get a community account for free!).

In the image below, you can see the main “dashboard” visible during and after analysis of the sample. There are many different data points here, so I will just cover the most important sections in this.

On the right, there is a list of processes involved in the execution of the malware, easily differentiating between parent and child processes. Additionally, there are icons under the process ID of 3 of the processes. These icons give basic information on any malicious tasks performed by the process, such as connecting to the network, whether an executable was dropped, as well as if persistence was set up!

The “image” taking up most of the screen is in fact the virtual machine setup to detonate the sample. Screenshots are taken during execution of the sample and can be viewed after analysis has completed. When analysis is taking place, you can interact with this as if it was your own machine, whether you want to open up the browser and trigger a banking trojan to inject into a site, or to move the mouse to prevent those pesky GetCursorPos() anti-analysis techniques.

The last notable data point in the image is the section at the bottom covering any network connections going in and out of the machine. This section will allow you to extract IOCs extremely quickly, since as soon as the sample makes a connection, it will be logged in the Connections tab. What makes this feature even better is the ability to download any downloaded files, or even download the entire PCAP for further analysis.

Sometimes, you just want a simple graph showing process execution – luckily, if you click the Processes Graph button in the instance information section at the top right, you can get a much cleaner visualization of process execution, such as seen in the image below.

Want to view POST request data without downloading the PCAP or reverse engineering the malware to figure out the request building function? Head over to the Connections Tab, and you’ll be able to find information about which process is triggering the communications, as well as the IP and port it is connecting to. On the right side of this section is where you’ll find the request and response data, along with the size of the data sent to, or received from the server.

In the case of Emotet, we can view POST data to the C2 server, and indeed confirm it is in fact Emotet. This is useful in niche cases where the sample is brand new or has no detection rules written for it, and therefore we must manually identify the sample, based on packet structure.

Moving onto one of my favourite features of ANY.RUN, we will be stepping away from the Emotet sample, and looking at a sample that exploits legitimate executables in order to load its own DLL – specifically, PlugX and it’s usage of DLL Side Loading. If you want to look at this sample, you can grab that here. In the case of PlugX, it will usually involve a legitimate executable, a malicious DLL, and an encrypted binary file. The malicious DLL will be loaded by the legitimate executable through side loading, and will then load the encrypted binary file, decrypt it, and execute it. With ANY.RUN, we can view and download these modules, to deal with them statically or dynamically on our own machine. In the image below, a legitimate NVIDIA executable is “exploited” to load NvSmartMax.dll, which leads to Nv.mp3 being loaded/modified. 

Finally, the last aspect of ANY.RUN I wanted to cover is the searching feature. This is extremely useful for finding the latest malware samples of a specific family, gathering threat intelligence, searching for malware matching a specific MITRE ATT&CK technique, and much more!

There are a huge number of possibilities when it comes to interactive analysis with ANY.RUN, especially considering how readily available information is, especially with a free account. Many sandboxes will wait for analysis of the sample to complete before providing any information, as well as being fairly complex to set up correctly, to avoid anti-analysis/anti-sandbox measures put in place by threat actors. ANY.RUN plays a huge role in my analysis workflow, and based on the sheer number of samples uploaded daily, I’d imagine it plays a huge role in malware analysis workflows in general.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s