Interactive Malware Analysis Tool Any.Run launches
Any.Run, an interactive malware analysis tool based in Russia, opened its doors to the public yesterday. A free community version is available at this time, which allows anyone to register an account and start analyzing Windows programs, scripts and other files.
While you can use established services like Virustotal to analyze files, most are not interactive. Any.Run supports a full sandboxed environment that you may use to analyze files interactively.
Think of it as a virtual machine running a version of Windows, with added malware scanning and information tools.
Setup asks for an email and password, and requires that you verify the email address before you can start using the service.
The main page of the service displays lots of information. Particularly useful is the new task button at the top to start a new analysis, and the history feature which lists previous activity.
Note: The free community version has several limitations. It only supports Windows 7 32-bit as a virtual environment, which means that you can't use it to analyze the behavior of 64-bit files in that version. The maximum file size is set to 16 Megabytes, and you only get some time to play around in the sandbox before a recording is displayed. Last but not least, any file you upload to the service can be downloaded by anyone. Make sure you don't upload confidential or important files to it.
A click on the new task icon displays the basic task dialog. You use it to select a local file or URL that you want to analyze. You may switch to the advanced mode where you find options to limit access to users with the link or only you, add command line parameters, and make other modifications.
Some of the locked options, the ability to limit file exposure, modify networking parameters, change the running time of the sandbox, or switch to another version of Windows or architecture, are only available in paid plans. These paid plans are not available yet, however.
While pricing information is not available yet, we know already that there are three paid Any.run plans. All improve the timeout period for the analysis, increase the maximum file size, give you faster and better storage, and add useful features such as video recording, reboot support, or MITM proxy support for HTTPS to the environment. Only the two largest plans support different operating system environments (Vista, Windows 8.1 and Windows supported in 32-bit and 64-bit architectures).
Any.run loads the analysis tool after you have configured the new analysis. You get a virtual sandboxed environment that you can interact with, and panes listing all kinds of information.
Interactivity is what sets Any.run apart from other services. You can use it to analyze the installation of a software program or the running of a file, check whether an Office document is clean, or if a website behaves in a suspicious manner.
While you are limited to 60 seconds of interactivity in the free version, it is usually enough to complete installations and the loading of files. You are free to interact with the environment during that time; you may open Windows Explorer or the Task Manager, and any other program that is on the system.
Any.run displays lots of information that it picks up while you interact with the sandbox:
- Process information -- lists the processes that the file starts, stops, or uses. You see if the analyzed program kills other processes or creates new Services or Tasks, and you can check out launched processes in detail to find out about Registry modifications, library use and more.
- Network information -- displays details about network requests, e.g. outbound connections and DNS requests. This includes information about IP addresses, domains, and sent and received data, and you can download PCAP data.
- Files -- lists files associated with the analyzed file.
- Debug -- debug output.
Any.run lists all network connections a program makes and how it interacts with the underlying system.
What can you use it for?
The service is well suited to analyze any type of file but you get the most out of it if the file requires interaction. Think of software installation dialogs that you need to click through or programs that display various options when you run them.
Any.run lists activity of the file in its interface; handy to find out if it makes network connections without informing the user about them, modifies critical system components, or makes other unwanted modifications to the system.
While you can use Any.run to analyze any file that is within the boundaries of what is supported by the free account, the option to interact with the file in a sandboxed environment is what sets it apart the most from other malware analysis services.
The limitations of the free account restrict what you may use it for: you can only use it to analyze 32-bit software on Windows 7, can't change the visibility of the analysis to private, and can't select files larger than 16 Megabytes.
Still, Any.run is a good option for users who want to analyze -- some -- files before they run them on their own machines.
Now You: How do you analyze files before you run them? (via Bleeping Computer)