Tasks in ANY.RUN sandbox are like projects in GitHub. Every time you start an analysis of a suspicious object or link you create a new one. Follow these steps to get started.
Create a new task
First, let’s open the configuration window. This is how we’ll be able to set up our virtual machine and network options.
- Click on the “New task” button in the sidebar to get started.
The button is accessible from your dashboard and when browsing public submissions. A modal window will pop up with options to set up the VM.
Choose the setup mode
There are a couple of ways to configure your virtual machine in the cloud.
- A default mode, which is our ‘plug-and-play’ option
- And a “Pro” mode — this is the one you will likely use most of the time
In the default mode you can:
- Upload a file (by choosing it from the filesystem or dragging and dropping it) or insert a link.
- Choose an operating system
- Specify the “bitness”
For our paid users, tasks will run with the privacy setting set to “private”. This means that the result will not be saved in public submissions. For our Community plan users, the privacy setting will default to “public”.
Switch to the Pro mode to configure these and other settings.
Configure advanced settings
Flip the “Pro” toggle to access advanced settings.
The first thing you’ll probably notice after the window transforms is the “New VM video streaming” toggle. It optimizes the VM to be responsive with a higher frame rate.
You can use the dropdowns to choose the startup directory and, when analyzing links, a default web browser. You can select Chrome, Firefox, Opera, or Internet Explorer.
Then add a cmd command to customize the startup behavior — type your own or use a preset.
The “Change extension to valid” option controls what happens when a file lacks an extension or comes with an invalid one. Set it to “on” and it will edit the extension when necessary, so the file always runs.
Extend the time limit
Use the slider to set the execution time limit — it controls how long your VM stays alive and goes up to 20 minutes, depending on your plan.
Configure network settings
Network stream analysis will quickly become one of your most-used ANY.RUN features. Try experimenting with these options:
- MITM Proxy intercepts the traffic coming in and out of the sandbox. Select it to analyze HTTPS-encrypted traffic.
- Fake net mimics an internet environment without actually connecting to the web.
For an extra layer of security, you can also choose to route traffic via Tor or a custom VPN configuration.
Set up the virtual machine
One of ANY.RUN’s major pros is how rapidly you can analyze the same sample in a variety of machine configs.
- Select the OS: Windows 7 through 11, in 32-bit or 64-bit versions, or Linux (Ubuntu 22.04.2).
- Set the locale. This is useful for seeing how malware behaves with different language settings.
You can also change what software comes pre-installed in your VM.
- Clean will give you an OS with nothing installed.
- The Office preset comes with only the Microsoft Office software suite.
- The Complete option is similar to a real PC and has various popular programs.
Activate Residential proxy to mask the IP address of the sandbox.
- By using a residential proxy, the virtual machine’s IP address will appear to be from the country you’ve chosen. This will make the malware’s C2 server perceive it as a typical user.
Control the task privacy and save a preset
And finally, make sure to set the privacy settings before you hit the “Run” button. Here you can control who has access to the task or set a self-delete timer.
You might find yourself using a similar configuration over and over again. If that’s the case, there’s a better way than configuring the VM manually every time. Save a preset and you’ll be able to recall that VM config later.
Allow ChatGPT access
Enabling ChatGPT’s access to the task allows you to use AI-generated reports that summarize the entire task or concentrate on specific network, file, registry, and synchronization events.
If you have concerns about data privacy, you may choose to disable this feature. Disabling it ensures that data related to the task won’t be sent to OpenAI as you generate ChatGPT reports. Note also that ChatGPT reports can only be enabled for public tasks.
Starting a task
At this point, all that’s left is to click “Run” and see the VM fire up. You will be taken to a new window with the virtual machine video streaming. Almost immediately after initialization, you’ll be able to interact with it — type, click on files, or open programs.
ANY.RUN will simultaneously record system activity. It will display processes spawned by the object in question in real time — and mark suspicious and malicious activity.
Did you find this overview useful? Let us know in the comments below. Want to read more content like this? Check out our full guide to using ANY.RUN.
3 comments
Hi there! Thank you for the article, I’ve refreshed a couple of moments
How would I run a shell script or initiate a terminal to run a specific script?
github dot com slash MegaManSec slash SSH-Snake
Hi there! There are two possible ways to run a custom script.
1. Enter it into the “Command line” field in the “Create a new task” window before launching your task. It will run automatically after you start the analysis process.
2. Run it in an active task by simply opening a command prompt or PowerShell in the virtual machine.