Any.Run - An Interactive Malware Analysis Tool - Is Now Open To The Public

Yesterday, the interactive malware analysis sandbox service called Any.Run announced that their free community version is open to the public. This allows anyone to register an account and to interactively analyze a particular file in real time.

ANY.RUN was founded in 2016 by cybersecurity researcher Alexey Lapshin. Headquartered in the United Arab Emirates, the company has a team of over 70 employees who work on improving the platform. 

What makes Any.Run different from other sandbox analysis tools is that it is completely interactive. That means that instead of uploading a file and waiting for a sandbox to spit out a report, with Any.Run you can upload a file and in real-time interact with the sandbox while analyzes your file. This allows you to upload programs that require you to click on buttons or malicious documents that require you to enable content or macros.

For example, let's say you wanted to analyze an adware bundle that requires you to click on various installation prompts before it installs unwanted programs. Using Any.Run you can do this.

Any.Run has also told BleepingComputer that this service is not meant for "for mass checks in which no user intervention is required. Also, it is not suitable for in-depth research of thread and executed processes code.". Instead it is meant for users who want to analyze malware that require's user interaction or to analyze attack vectors, PoC of new exploits, and multi-component exploit bundles.

Using Any.Run to analyze a file

Using Any.Run is fairly simple.

First, you need to setup a new task where you select the file or URL you wish to analyze, select the operating system (Windows 7/8.1/10) for the sandbox, what connectivity options you want to use, what software should be preloaded, and how long the interactive session should last.

When ready, you click on the Run button. Any.Run will then build the configured environment, display the sandbox environment that you can interact with, and then launch the requested program.

From here, you can interact with the desktop, click on buttons, open the start menu, user browsers, open the registry editor, open task manager, and run applications just like you normally would. The difference is that the sandbox is going to record all network requests, process calls, file activity, and registry activity as shown in the image below.

This way you can see any network requests, processes being created, and file activity in real-time. If you want to dig down into a network request, you can click on it to see the request and the response.

You can also click on a launched process and see what files it modified, what registry changes it made, whats libraries were used, and more.

As you can see, using Any.Run makes it very easy to analyze malware samples, especially when you need some sort of interactivity.

More features in the works

While the sandbox component works really well, there are some features that are still missing. For example, there is no way to currently generate a report of a particular session. According to Any.Run, they currently do not have an ETA as to when this feature will be ready.

With the currently available free, there are various limitations. For example, this plan does not allow you to use 64 bit operating systems, has limited sample file sizes, and limited time that you can be interactive with the sandbox.

Any.Run had told BleepingComputer they plan on adding different subscription tiers that can be purchased to add more options. These tiers are already available, but pricing has not been set.

While there has been numerous requests for Any.Run to offer these services, Any.Run has told BleepingComputer that they will not be added until they feel that the service is in a stable state. Until, then users will just have access to the free service tier, which still offers quite a lot.