ANY.RUN, a new tool for online malware analysis
Dynamic and static malware analysis using a lot of preconfigured environments.
ANY.RUN is an interactive online malware analysis service that allows both dynamic and static research using environments based on all Windows version from XP to 10, 32 and 64 bit: it analyze events that are happening during the task execution, not the file itself.
Technical details: StatiC vs. Dynamic Malware Analysis
- Static Analysis is performed by dissecting the different resources of the binary file without executing it and studying each component. Some malware is developed using evasive techniques to avoid this type of analysis, embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.
- Dynamic analysis is performed by observing the behavior of the malware while it is actually running on a host system. Modern malware can use a wide variety of evasive techniques designed to defeat this kind of analysis: for example testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input. More information at this article: https://www.andreafortuna.org/cybersecurity/malware-hiding-and-evasion-techniques/
ANY.RUN can analyze a large number of file types (all executable files, Java files, Microsoft Office documents, PDF files, scripts, mails, etc) and the suspicious files can be executed in 3 types of pre-installed guest environments:
- Clean - no pre-installed software
- Office - OS with pre-installed Microsoft Office software
- Complete - OS with standard software set, that usual user has on the computer (Microsoft Office, browsers, Skype, etc.)
Currently i'm testing the beta version of the tool, that still have some limitation: for example some malware are not reported as malicious when contains a "long sleep", or when trirs to hide network traffic using TOR.
Anyway, the tool is able to extract a lot of useful information, that cen be exported in PDF, JSON and PCAP format.
Here a video of a malware (OlympicDestroyer.exe) executed into a Windows 7 environment:
[video width="1280" height="720" mp4="https://www.andreafortuna.org/wp-content/uploads/2018/02/f0e6370d-b76c-4198-8828-538a62a71743.mp4"]
[/video]
And below a screenshot of the analysis dashboard:
This is a demo analysis, that can be accessed at this link: https://app.any.run/tasks/f0e6370d-b76c-4198-8828-538a62a71743
If you want to take part of the beta testing, open this link and request to enter the beta: https://any.run/