Malware Analysis in ANY.RUN:
The Ultimate Guide 

Welcome to ANY.RUN! This crash course will walk you through the basics of using our interactive sandbox to help you achieve your malware analysis goals. 

Let’s get started! 

About ANY.RUN 

ANY.RUN is an online sandbox for interactive malware research. The service delivers a comprehensive and instant analysis of cybersecurity threats, while allowing users to engage with potentially malicious samples in real time within a safe virtual machine (VM) environment. 

The sandbox solves a host of problems related to malware analysis, as it: 

• Simplifies SOC/DFIR operations by providing valuable data for threat detection and elimination 
• Saves clients resources by offering a more affordable alternative to on-premises VMs 
• Makes cybersecurity more accessible with an intuitive interface that is easy to grasp for both students and seasoned experts alike 

Now, let’s dive into the platform’s interface. 

Setting up your account

Step 1: Sign up 

For non-business email users, use the #verification channel on our Discord server to request a free ANY.RUN account.

Step 2: Choose your subscription plan 

After logging in to your account, you will be greeted by the dashboard page. From there, you can go to your Profile settings to choose your subscription plan.  

We offer a free Community plan that provides you with a wide range of tools for thorough analysis.  

However, if you require a more advanced level of malware analysis, our paid plans are the ideal choice. 

Learn more: ANY.RUN plans

With your account all set-up and firing on all cylinders, it is time you get started with your first task. 

Setting up a virtual machine for malware analysis 

Watch the video →

In order to set up a virtual machine (VM) for malware analysis in ANY.RUN, you need to create a new task. 

Access an interactive tutorial by visiting the FAQ page‘s Tutorials tab and clicking the “How to analyze threats” button. 

In case you prefer written instructions, continue reading this article and follow these steps:

Step 1: Open the task window 

Click the New Task button on the left sidebar to open the task window.  

Step 2: Choose an analysis mode

The newly opened task window will be set to the User Mode by default, which lets you quickly analyze your file or link but limits your VM settings to only choosing an OS version:

• Windows from 7 through 11 — 32-bit or 64-bit versions.
• Linux — Ubuntu 22.04.2. 

To open the rest of the VM customization features, enable the Pro Mode by pressing the respective button on top of the task window. 

Step 3: Configure the VM

In the Pro mode, you can fine-tune your analysis environment. Click on the question mark icon in the top right corner to access tooltips with detailed explanations of each setting.  

After completing the VM setup, begin your analysis by pressing the Run a Private/Public Task button. 

Learn more: Guide to Creating a Task in ANY.RUN

Analyzing malware 

Once your task is launched, you will be taken to a page where you will be able to analyze your sample in real time and, once it is done, review the findings of the investigation.

Here are the things you can perform as part of your analysis: 

Interact with the sample 

ANY.RUN enables you to manually interact with your sample in a VM environment like you would on a normal computer. 

You can run programs, open tabs in a browser, and even restart the system without delay. 

Learn more: Interactive Malware Analysis

Watch the video →

Track network activity

Watch the video →

The Network section monitors and records network activity as it is occurring and provides the following information:

• HTTP Requests: Displays details of connection requests, including URL connection response and content 
• Connections: Shows other protocols that were not mentioned in HTTP Requests 
• DNS Requests: Indicates the correlation between a domain name and IP address 
• Threats: Detects intrusion using Suricata rules (Detection with Suricata IDS)

You can examine traffic packet by packet using the Network stream feature, enabling you to identify unusual patterns or connections, stolen data, C2 addresses, proxies, and downloaded files. 

Learn more: Analyzing the Network Stream

Let us show you how ANY.RUN can help your SOC team – book a call with us ⬇️

Review modified files

Watch the video →

The Files Modification section lists all files used during the task execution. Click on each file’s content to access downloadable Static discovering data.

ANY.RUN’s Static discovering feature is modular, letting you analyze a wide range of file types including PDF, LNK, ZIP, RAR, Office documents, and others.  

Learn more: Static Analysis for Various File Types

Utilize debugging

The Debug section displays information on how to debug the program afterward. If you happen to encounter malware like Dridex, debug output messages will be helpful in your investigation.

Inspect processes

The Processes section lays out a hierarchical view of all processes, accompanied by corresponding indicators.  

Learn more: Indicators and Tags Used in ANY.RUN

To investigate a specific process, simply click on it. This will bring up the Process details window, from which you can navigate to the Advanced details by pressing the “More Info” button.

The Advanced details menu can help you track the timeline of any process.

Additionally, here you can download process dumps. The complete list of process details includes: 

• Modified files / Files in a raw view; 
• Registry changes / Registry keys; 
• Synchronization; 
• HTTP Requests; 
• Connections; 
• Network threats; 
• Modules; 
• Debug. 

Learn more: Fast and Simple Access to Malware Details

Access malware analysis reports

In the top right corner, you can view the key threat information generated as part of the task, including: 

Indicators of compromise (IOCs)

Indicators of compromise are an essential piece of information that you can use for timely detection of malware. 

Learn more: Indicators of Compromise

Malware’s configuration

Malware configurations can include a variety of information, such as IP addresses and ports of C2 servers, malware family name, type, and version, encryption keys, anti-debugging, anti-sandbox, and other evasion methods, and much more.  

Learn more: Dive into Analysis with Malware Configuration

MITRE ATT&CK Matrix

The built-in MITRE ATT&CK Matrix allows you to view the techniques utilized by the malware with action mapping and explore each of them. 

Learn more: MITRE ATT&CK Matrix

ChatGPT insights (Available only for public tasks)

This feature provides you with a deeper understanding of malware’s behavior by providing AI-powered explanations of important elements, such as processes, rules, and connections.  

To use this feature, simply click on the ChatGPT icon next to any important element in your report.  

Learn more: Sandbox Results with ChatGPT

Malware analysis text report

The sandbox generates a comprehensive report for each file and URL you analyze. It includes all of the details we mentioned earlier.  

The report can be exported in your preferred format, including JSON and HTML. 

Learn more: Malware Analysis Report in One Click

Restart the task 

You can always restart any task with different VM settings to test a sample in a new environment. 

Working with public malware samples

In addition to analyzing your own samples, you can access ANY.RUN’s database of over 6 million malware samples submitted by users from around the world. 

Learn more: How to Get Free Malware Samples and Reports

Managing a team 

All Enterprise-plan users can take advantage of the Teamwork feature that allows analysts to work together on different samples in real time.  

It makes it easy to monitor your team’s activities and train junior analysts. It is also a great way to track productivity and manage large, dynamic teams.

Watch the video →

Here are some of its benefits: 

• Real-time collaboration: Analysts can join their forces, saving time and improving accuracy. 
• Common task history: Team history can be configured to show all tasks, only the leader’s tasks, or only links to the leader’s tasks. 
• Employee activity tracking: Team leaders can view employee activity, which can help them identify areas where training or extra resources are needed. 
• Subscription management: Team leaders can manage subscriptions and assign licenses to team members. 

Learn more: Teamwork

Conclusion 

ANY.RUN is your best tool for both static and dynamic malware analysis.  

Run an unlimited number of tasks, explore millions of reports and malware samples, and collect valuable data by studying the ins and outs of malicious programs and links.  

With our cloud-based sandbox, your threat investigations will become a walk in the park.

Unlock the full potential of ANY.RUN with a 14-day free trial!