Malware hunters often look for malicious objects to investigate threat features and build protection strategies. The hard part for aspiring cybersecurity specialists is getting hold of new malicious code samples to practice on. ANY.RUN is a good resource for obtaining malware examples for free, and in this post we will tell you how to do it.
Where can you get malware samples?
ANY.RUN is an online interactive sandbox with a vast malware sample database of 3,780,111 public submissions. Every registered user can make use of these tasks: rerun and analyze a sample, get reports and IOCs, and more. Fresh samples arrive constantly: researchers all over the world contribute to this collection and run more than 9000 tasks every day.
The “Public submissions” window is where you can dive into fresh malware samples and explore malware techniques. Here you can go through all the tasks that service users upload publicly. Users with premium subscriptions can analyze their tasks privately, so the window includes only the public submissions that a user chose to share with the community.
How to find a specific malware sample?
During research, you may need a specific malicious program. To save you time searching, the ANY.RUN service has a helpful filter system. You can navigate through the numerous samples using the following parameters:
- Run type of the analyzed object (URL or file)
- Verdict. You can also filter submissions by the sample’s threat level, the verdict. There are three types of verdicts:
  - Malicious. Malicious activity was detected.
  - Suspicious. Suspicious activity was detected and the file may be malicious, but this is not proven.
  - No threats detected. ANY.RUN detected no malicious or suspicious activity.
- Specified tag. You can find a sample by malware name, family, technique, or the vulnerabilities that the malicious program exploits. To check the list of tags and get more details about them, read our blog post. All the trending tags are displayed on the dashboard.
- Context. In the context field, you can type the sample’s unique data such as a file hash, domain, IP address, MITRE ATT&CK technique, or Suricata SID.
Apply one or several parameters to find a specific malicious example. Try it yourself with an IOC from a possible infection: use the filter and similar cases will be displayed.
Once you find the sample you need, you see the results of the analysis immediately, shown visually as a video or a screenshot slideshow.
What reports can you get?
There are different types of reports on our malware samples site that help you examine the malicious object.
- Summary of indicators of compromise
Check out the object’s hash sums, DNS requests, connections, and HTTP/HTTPS requests. The window lets you copy the necessary data and filter the information. Icons and the number of IOCs let you skim the report and understand at once what you are dealing with.
- Text report
Text reports are convenient: the most significant data is at the top, so you won’t miss a thing. A detailed report contains general information about the sample, its behavior, screenshots, and data about processes, the registry, files, the network, debug output, etc.
You can also export or print this report in your preferred form: hide blocks by clicking the “eye” icon.
Export in different formats is also available:
- JSON Summary
- JSON IOC
- HTML Document
- Export Process Graph (SVG)
- JSON MISP format
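As an added example (not ANY.RUN’s code), here is a small Python script that takes an exported JSON IOC summary, groups and deduplicates the indicators by type (hash, domain, IP, URL) and defangs them for sharing. The report it reads is a constructed sample, because the page does not show the real export schema; for that reason it walks the JSON without assuming field names.

```python
import ipaddress
import json
import re

# Constructed sample of a JSON IOC export (empty-file hashes, documentation
# addresses); the field names are an assumption, not ANY.RUN's real schema.
SAMPLE_IOC_JSON = """{
  "hashes": {"md5": "d41d8cd98f00b204e9800998ecf8427e",
             "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
  "dns": ["evil-example.test", "evil-example.test", "cdn.example.net"],
  "connections": ["198.51.100.7:443", "198.51.100.7:443", "2001:db8::1"],
  "http": ["http://evil-example.test/payload.bin"]
}"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

def classify(value):
    """Return (ioc_type, normalized_value); the type is 'unknown' if unrecognized."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v.lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d{1,5}", v):  # "ip:port" entry
        v = v.rsplit(":", 1)[0]
    if v.lower().startswith(("http://", "https://")):
        return "url", v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        return "unknown", v

def _strings(node):  # yield every string in nested dicts/lists, whatever the layout
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def normalize(report_json):
    """Group unique, normalized IOCs by type, e.g. {'md5': [...], 'domain': [...]}."""
    grouped = {}
    for s in _strings(json.loads(report_json)):
        kind, norm = classify(s)
        grouped.setdefault(kind, set()).add(norm)
    return {k: sorted(v) for k, v in grouped.items()}

def defang(value):  # neutralize an IOC for sharing: hxxp:// scheme, [.] separators
    return value.replace("http", "hxxp", 1).replace(".", "[.]")
```

Feed `normalize()` the file you exported with “JSON IOC” and pass each value through `defang()` before pasting it into a report or ticket.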
- Process graph
The best overview of a sample is to examine its events in the process graph. One brief look and you already know what is going on.
- MITRE ATT&CK matrix
The more information you have, the better your analysis. The MITRE ATT&CK matrix gives a full view of the tactics that the investigated malware applied.
Of course, those are not all the details you get. Each process has descriptive information: network streams, static discovery, and detailed event information. You can find it during the analysis or go through our guide on how to use ANY.RUN.
- PCAP files
You can download PCAP files from tasks for further analysis of the network traffic in programs such as Wireshark. If the task was started with the HTTPS MITM proxy on, the SSL key log file is also available for download, which lets you decrypt the HTTPS traffic.
Rerun a task you have found in the public submissions and watch the process yourself. With ANY.RUN’s premium subscriptions, Searcher and Hunter, you get extra features: customize configurations and observe malware behavior on a VM in a different environment. Check out a video to see these plans in action:
Be careful if you want to submit a malware sample and research files containing sensitive information: a Community account’s investigations are public by default.
ANY.RUN is an online sandbox, but it is also a service for education and research. If you are interested in malware trends, take a look at our Malware Trends Tracker to monitor malicious activity daily through its dynamic articles.
Take a look at the public submissions and start your analysis of malware samples with detailed reports now!
The malware samples used in the post: