ANY.RUN cloud virtual machines already come with a selection of pre-installed software that you can choose from when setting up your environment. However, to enhance your analysis, you might need external files, such as custom scripts, debugging tools, or secondary malware components.
Now, you can upload additional files, with a total size limit of 500 MB, into ongoing tasks. This feature allows you to incorporate your own tools into ANY.RUN’s cloud VMs as needed.
Additional file uploads are available across all plans. However, plans starting from Hunter and above offer extra functionalities, such as manual file deletion from recent tasks and a Tools collection feature that allows users to save lists of favorite tools.
Where can I upload files into a VM?
You can access this new feature in two locations within our interface: when initially configuring a task, and from the top-right corner of the main task view while the task is running.
Clicking the arrow upload icon (highlighted above) opens a modal for uploading files, which shows the statuses of your files and your file lists.
Uploading additional files into active tasks
The new Upload files to VM modal window is where you can manage your files while a task is running.
The modal has two tabs: Recently uploaded and Tools collection. Only the Recently uploaded tab is accessible to users on our Free and Searcher plans.
- Recently uploaded: This section shows your last 500 MB of file uploads, which can be quickly loaded into the virtual machine. Available for all users. Note: when the 500 MB limit is reached, non-favorited files are auto-deleted as new files are uploaded. Files are linked to your account, not to specific tasks, so recent files are accessible for analysis across multiple tasks.
- Tools collection: Exclusive to Hunter and Enterprise users, this tab stores up to 500 MB of your favorite files for easy access. Unlike the Recently Uploaded section, surpassing the 500 MB limit doesn’t auto-delete old uploads; manual file deletion is required when space runs out.
Additionally, any file uploaded while in the Tools collection tab will be automatically marked as a favorite.
Uploading files during environment configuration
Another way to manage file uploads is by dropping files into a VM while creating a task. Note that in this scenario, files can only be loaded into the ‘Tools collection’ section, which is not available for Free and Searcher plans.
You’ll notice that there is no separate option to choose where the file is loaded. Instead, this is controlled by the directory selected in the Start object from selector.
When should you upload additional files into an active task?
Case 1
Analysts can upload tools of their choice, either from the Tools collection or by directly uploading them from Recently Uploaded. Since our paid plans allow tasks to run for up to 24 minutes, it’s very convenient for debugging certain malware samples or creating memory dumps directly within a running virtual machine, without the need to install software on the workstation.
Here’s an example of a basic toolset: Click Download sample in this task to get it.
Case 2
Another use case for the upload feature is to study a new strain of ransomware.
If you are analyzing the ransomware algorithm to identify errors in its execution and create a decryptor, study its behavior, and develop a counteraction algorithm, this feature lets you upload additional files into the virtual machine while the ransomware is executing, and even after the files have been decrypted.
Conclusion
This feature significantly expands the capabilities of our cloud virtual sandbox, allowing you to bring in any tool of your choice, limited only by the upload size. Have questions or feedback? Let us know what you think of this feature in the comment section below!
About ANY.RUN
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
Request a demo today and enjoy 14 days of free access to our Enterprise plan.