ANY.RUN updates

Release notes
November 16, 2022

Hello, ANY.RUN users! Today we announce a new update to the service. This time, we introduce a new browser in the sandbox for analyzing threats that target Microsoft Edge, and three TLS fingerprinting methods that add context to your malware analysis.

Update overview:

  • Analyze with Microsoft Edge

Launch tasks in a newer, more functional browser and analyze threats that target Edge.

  • New JA3, JA3S, JARM fingerprinting methods

Learn more about TLS connections, improve your malware analysis results, and make your reports more informative.

Microsoft Edge use case 

For a long time, the default browser in Windows was Internet Explorer. It is now outdated and no longer covers users' needs.

It has been replaced by a more functional and modern browser, Microsoft Edge. Malware authors have kept pace and learned to take advantage of the new browser.

For example, they adapt phishing sites to Edge or write exploits that only work in it. To cover these threats, ANY.RUN's online malware sandbox now includes Microsoft Edge, so you can open a malicious site in it directly without extra steps.

Let’s analyze a sample in Microsoft Edge together.

First of all, open a phishing link through the Edge browser.

 Edge browser in ANY.RUN

After the link is opened in the VM, an HTML file is downloaded. Note that the file opens automatically in Microsoft Edge, the default Windows browser.

The link is launched in Microsoft Edge

If we enter data into the form and click Next, we are redirected to an error page. Looking at the Requests tab at this point, we see a POST request.

HTTP Requests in ANY.RUN

Inside the POST request body, we can find the data we entered: the phishing page has sent it to the attacker's server.

 POST request in ANY.RUN

TLS fingerprinting

Malware authors use SSL/TLS to hide malicious payloads and C2 traffic in encrypted connections, making detection and removal harder. But the TLS handshake itself (the Client Hello and Server Hello) is transmitted in the clear, so the client application and the server can be identified from it.

TLS fingerprinting is designed to quickly identify known TLS clients and servers and to track unknown ones. Input is taken either from live traffic monitoring or from PCAP files.

The community uses several implementations:

  1. a passive method based on JA3 (client) and JA3S (server) hashes
  2. an active tool for TLS server fingerprinting: JARM hashes.

JA3

A client identification hash. The method collects the decimal values of the following fields from the Client Hello:

– TLS version
– cipher suites
– list of TLS extensions
– elliptic curves (supported groups)
– elliptic curve point formats

The values are concatenated and MD5-hashed into a 32-character fingerprint.

JA3S

A server identification hash. The method collects the decimal values of the following fields from the Server Hello:

– TLS version
– the cipher suite the server chose
– list of TLS extensions

As with JA3, the result is MD5-hashed.

JARM

A hybrid fuzzy hash. The scanner actively sends a series of crafted Client Hello packets to the server and combines reversible and irreversible hashing of the responses into a 62-character fingerprint.

TLS fingerprinting is a useful part of malware analysis. With it you can:

  1. Check that all servers in a group share the same TLS configuration.
  2. Group servers on the Internet by configuration.
  3. Identify default applications or infrastructure.
  4. Detect command-and-control (C2) servers and other malicious servers on the Internet.
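To make the JA3 and JA3S descriptions above concrete, here is an added example (our own code, not ANY.RUN's or the JA3 project's) that parses a TLS Client Hello and Server Hello the way a passive sensor would and builds the JA3 and JA3S strings and hashes from them. The handshake bytes are constructed inline with a small builder so the script runs offline; the constructed Client Hello also carries GREASE placeholder values, which JA3 must drop so that randomised GREASE does not change the hash.

```python
"""Passive TLS fingerprinting: JA3 (Client Hello) and JA3S (Server Hello).

Added example, not ANY.RUN's code.  The handshake bytes are constructed
below with a small builder so the script runs offline; a sensor would
take them from a live socket or a PCAP instead.
"""
import hashlib
import struct


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ... 0xfafa and are
    skipped by JA3 so that randomised placeholders do not change the hash."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def u16s(values):
    """Encode a list of 16-bit values big-endian (cipher suites, groups)."""
    return b"".join(struct.pack("!H", v) for v in values)


def build_hello(msg_type, version, ciphers, extensions, compression=b"\x00"):
    """Constructed sample: wrap a Client Hello (type 1) or Server Hello (type 2)
    body in handshake and TLS record headers.  `ciphers` is a list for the
    client and a single int for the server; `extensions` is [(type, data)]."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    if msg_type == 1:
        body += struct.pack("!H", len(ciphers) * 2) + u16s(ciphers)
        body += bytes([len(compression)]) + compression
    else:
        body += struct.pack("!H", ciphers) + compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a Client Hello or Server Hello and return
    the fields JA3/JA3S hash.  Raises ValueError on malformed input."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    msg_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                          # skip version + 32-byte random
    pos += 1 + body[pos]                              # session id
    if msg_type == 1:
        n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        ciphers = list(struct.unpack("!%dH" % (n // 2), body[pos:pos + n])); pos += n
        pos += 1 + body[pos]                          # compression methods
    elif msg_type == 2:
        ciphers = [struct.unpack("!H", body[pos:pos + 2])[0]]; pos += 3  # cipher + compression
    else:
        raise ValueError("not a Hello message")
    exts = []
    if pos < len(body):                               # extensions block is optional in old clients
        n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + n
        while pos < end:
            t, l = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            exts.append((t, body[pos:pos + l])); pos += l
    return {"type": msg_type, "version": version, "ciphers": ciphers, "extensions": exts}


def ja3(record: bytes):
    """JA3 string = version,ciphers,extension types,supported groups,point formats
    (decimal, '-' separated, GREASE removed); the fingerprint is its MD5."""
    h = parse_hello(record)
    if h["type"] != 1:
        raise ValueError("JA3 needs a Client Hello")
    groups, formats = [], []
    for t, d in h["extensions"]:
        if t == 10:    # supported_groups: 2-byte list length, then u16 curve ids
            groups = [v for v in struct.unpack("!%dH" % ((len(d) - 2) // 2), d[2:]) if not is_grease(v)]
        elif t == 11:  # ec_point_formats: 1-byte list length, then one byte per format
            formats = list(d[1:])
    s = ",".join([str(h["version"]),
                  "-".join(str(c) for c in h["ciphers"] if not is_grease(c)),
                  "-".join(str(t) for t, _ in h["extensions"] if not is_grease(t)),
                  "-".join(map(str, groups)),
                  "-".join(map(str, formats))])
    return s, hashlib.md5(s.encode()).hexdigest()


def ja3s(record: bytes):
    """JA3S string = version,chosen cipher,extension types; fingerprint is its MD5."""
    h = parse_hello(record)
    if h["type"] != 2:
        raise ValueError("JA3S needs a Server Hello")
    s = ",".join([str(h["version"]), str(h["ciphers"][0]),
                  "-".join(str(t) for t, _ in h["extensions"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed samples (not captured traffic): a TLS 1.0 Client Hello with a
# GREASE cipher, a GREASE extension and a GREASE curve that JA3 must ignore,
# and the matching Server Hello selecting cipher 47 (TLS_RSA_WITH_AES_128_CBC_SHA).
SNI = b"\x00\x0c\x00\x00\x09localhost"               # server_name: list len, type 0, name len, name
GROUPS = b"\x00\x08" + u16s([0x0A0A, 23, 24, 25])    # GREASE + secp256r1/secp384r1/secp521r1
CLIENT_HELLO = build_hello(1, 0x0301,
                           [0x0A0A, 47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4],
                           [(0x0A0A, b""), (0, SNI), (10, GROUPS), (11, b"\x01\x00")])
SERVER_HELLO = build_hello(2, 0x0301, 47, [(65281, b"\x00"), (11, b"\x01\x00")])

if __name__ == "__main__":
    for label, fn, rec in (("JA3 ", ja3, CLIENT_HELLO), ("JA3S", ja3s, SERVER_HELLO)):
        s, digest = fn(rec)
        print(f"{label} {digest}  {s}")
```

Two things worth noticing when running it: the GREASE cipher, extension and curve disappear from the JA3 string, so a browser that randomises its GREASE values still hashes the same; and a Client Hello with no extensions at all yields a string with three empty trailing fields, which is the form JA3 defines for old clients. The same JA3S value across many servers is what lets you group infrastructure by TLS configuration, as the list above describes.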

In today's update, we have added these fingerprinting methods to the ANY.RUN sandbox, so you can now use them in your analysis.

TLS fingerprinting methods in ANY.RUN
