Malware hunters often look for malicious objects to investigate threat features and build protection strategies. The obstacle for aspiring cybersecurity specialists is getting access to new malicious code samples to practice on. ANY.RUN is an excellent resource for obtaining malware samples for free, and in this post we will tell you how to do it.
Where can you get malware samples?
ANY.RUN is an online interactive sandbox with a vast malware sample database of 6.2 million public submissions. Every registered user can use these tasks to rerun and analyze a sample, get reports and IOCs, and more. Fresh samples arrive constantly: researchers worldwide contribute to this collection and run more than 14k tasks every day.
The “Public submissions” window is where you can dive into fresh malware samples and explore malware techniques. Here you can go through all the tasks that service users have uploaded publicly. Users with premium subscriptions can analyze their tasks privately, so this window includes only the public submissions that users chose to share with the community.
How to find a specific malware sample?
During research, you may need a specific malicious program. To save you time searching, the ANY.RUN service has a helpful filter system. You can navigate through the numerous samples using the following parameters:
- Run type of analyzed object (URL or file)
- Verdict
You can also filter submissions by the sample’s threat level, that is, its verdict. There are three types of verdicts:
- Malicious. Malicious activity is detected.
- Suspicious. Suspicious activity was detected, and the file may be malicious, but this is not proven.
- No threats detected. ANY.RUN has detected no malicious or suspicious activity.
- Specified tag
You can find a sample by malware name, family, technique, or the vulnerabilities that the malicious program exploits. Read our blog post on tags for the full list and more details about them. All trending tags are displayed on the dashboard.
- Context
In the context field, you can type the sample’s unique data, such as a file hash, domain, IP address, MITRE ATT&CK technique ID, or Suricata SID.
Apply one or several parameters to find a specific malicious sample. Try it yourself with an IOC you suspect is malicious: use the filter, and similar cases will be displayed.
Once you find the sample you need, you see the analysis results immediately, shown visually as a video or a screenshot slideshow.
What reports can you get?
Different reports on our malware samples site can help you examine the malicious object.
- Summary of indicators of compromise
Check out the object’s hash sums, DNS requests, connections, and HTTP/HTTPS requests. The window lets you copy the necessary data and filter the information. Icons and the IOC counts let you skim the report and quickly understand what you are dealing with.
- Text report
The text reports are convenient. The most significant data is at the top, so you won’t miss anything. A detailed report contains general information about the sample, its behavioral activity, screenshots, and data about processes, the registry, files, the network, debug output, etc.
You can also export or print this report in the form you prefer: hide blocks by clicking the “eye” icon.
Export in several formats is also available:
- JSON Summary
- JSON IOC
- HTML Document
- Export Process Graph (SVG)
- JSON MISP format
- Process graph
The quickest overview of a sample is its process graph: a brief look tells you what is going on.
- MITRE ATT&CK matrix
The more information you have, the better your analysis. The MITRE ATT&CK matrix gives a full view of the investigated malware’s tactics and techniques.
Of course, that is not all the detail you get. Each process has descriptive information about its network streams, static analysis findings, and advanced event information. You can explore it during analysis or go through our guide on how to use ANY.RUN.
- PCAP files
You can download PCAP files from tasks to analyze the network traffic further in programs such as Wireshark. If the task was run with the HTTPS MITM proxy enabled, an SSL key log file is also available for download, which lets you decrypt the HTTPS traffic.
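A quick sanity check of that key log before loading it into Wireshark, as an added example that is not ANY.RUN’s code. It assumes the downloaded file uses the NSS key log format that Wireshark reads, and the sample lines below are constructed, not taken from a real task.

```python
# Added example, not ANY.RUN's code. Assumes the key log is in the NSS key log
# format Wireshark reads: "<LABEL> <client_random_hex> <secret_hex>" per line.
from collections import Counter

SECRET_LEN = {"CLIENT_RANDOM": {48}}  # TLS 1.2 master secret is 48 bytes
for _lbl in ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
             "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"):
    SECRET_LEN[_lbl] = {32, 48}  # TLS 1.3 secrets have the cipher suite's hash length

def parse_keylog(text):
    """Return (entries, problems); an entry is (label, client_random, secret)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and comments are ignored, as in Wireshark
        if len(parts) != 3 or parts[0] not in SECRET_LEN:
            problems.append((lineno, "malformed line or unknown label"))
            continue
        label, rnd_hex, sec_hex = parts
        try:
            rnd, sec = bytes.fromhex(rnd_hex), bytes.fromhex(sec_hex)
        except ValueError:
            problems.append((lineno, "field is not valid hex"))
            continue
        if len(rnd) != 32 or len(sec) not in SECRET_LEN[label]:
            problems.append((lineno, "unexpected field length"))
            continue
        entries.append((label, rnd, sec))
    return entries, problems

def session_summary(entries):
    """Count sessions by what can be decrypted: TLS 1.2 needs one CLIENT_RANDOM
    line, TLS 1.3 needs both *_TRAFFIC_SECRET_0 lines for application data."""
    labels_by_session = {}
    for label, rnd, _ in entries:
        labels_by_session.setdefault(rnd, set()).add(label)
    full13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return dict(Counter(
        "tls12" if "CLIENT_RANDOM" in s else "tls13" if full13 <= s else "incomplete"
        for s in labels_by_session.values()))

# Constructed sample: TLS 1.2, complete TLS 1.3, TLS 1.3 missing its server
# secret, and two lines Wireshark could not use.
SAMPLE = "\n".join([
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "dd" * 32,
    "CLIENT_RANDOM " + "44" * 32 + " " + "zz" * 48,  # secret is not hex
    "CLIENT_RANDOM " + "55" * 16 + " " + "ee" * 48,  # client random too short
])
```

Run it on a downloaded key log with `parse_keylog(open(path).read())`; an "incomplete" count tells you which sessions will show only their handshake in Wireshark.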
Rerun a task that you have found in the public submissions and watch the process yourself. With ANY.RUN’s premium subscriptions, Searcher and Hunter, you get extra features: customized configurations and the ability to observe malware behavior on a VM in a different environment. Check out the video to see these plans in action:
Be careful if you want to submit a malware sample or research files that contain sensitive information: a Community account’s investigations are public by default.
ANY.RUN is an online sandbox, but it is also a service for education and research. If you are interested in malware trends, take a look at our Malware Trends Tracker, whose dynamic articles let you monitor malicious activity daily.
Check out the public submissions and start your analysis of malware samples with detailed reports now!
The malware samples used in the post: https://app.any.run/tasks/064e8183-009b-486c-9e5b-6d549a568612/