In this article, we will tell you about the most efficient ANY.RUN subscription plan — Hunter. It’s a combination of all features both of the Community and Searcher plans. But Hunter has additional functionalities to perform deep analysis.
Intrigued? Without further ado, let’s get started!
Hunter’s Features
1. Timeout and file size
With this subscription, you can add up to 660 sec to the duration of your research! Do you need more? You can have 4 extra minutes as well. The plan gives you an extra advantage — a huge file input of 100 Mb. Don’t even think about the file size, just do your work no worrying about limits.
2. Privacy and video record
The privacy level steps forward here. It’s up to you who gets access to your submission. For business matters, it’s essential to control it. Share the task only with your trusted circle if it is needed or show it in the presentation mode.
Besides, you can record a video of all your actions on the service and present it to your team. Hunter’s owners may turn off the possibility to download any files for the sake of their clients’ security.
3. Priority in the queue and monitoring of system processes
Do you think you need to wait for your turn to run a task? The plan gives you the possibility to spend time on ANY.RUN efficiently as you get the priority in the queue.
As soon as you launch a sample, you may monitor system processes. All system activities are provided.
4. FakeNet and custom OpenVPN configuration
There is a benefit that we can’t help but mention: you get the FakeNet feature that intercepts HTTP requests and returns a 404 error, forcing malware to reveal its C2 links. And, conveniently, you can upload your VPN configurations and work with them as well.
5. API
Sometimes analysts prefer an automatic approach to their work. For these purposes, you can use the API. This functionality allows specialists to work in their framework, unified with ANY.RUN. Using the API, you can synchronize several security systems by uploading files and downloading reports. The bonus is that you manage to share files quickly. It is a great way to optimize the analysis and simplify interactions with the service.
Use cases of deep analysis with Hunter plan
Malware wants to make sure that it’s dealing with a real person, not an automatic virtual machine. To reach this goal, malicious programs use various techniques, for example, they launch only after a user is engaged, they require to take some actions – to drag a mouse, close a file, or tap buttons. Hunter plan gives plenty of tools and features to execute such malware anyway.
Reboot support
Some malware families enter the active phase only after a system reboot to avoid detection from automated sandboxes. This Hunter’s feature is not only helpful when it comes to detecting sneaky malware, but also allows analysts to observe malware behavior after the operating system’s reboot and collect additional IOCs.
To illustrate this malware technique, let’s investigate one example.
In Nanocore’s sample, the loader makes a lot of steps to execute the downloaded payload, maintain its persistence, and access the infected system.
The downloaded executable file adds itself to the OS startup folder and stops its execution. This simple trick is heavily used and works just fine. In addition, the malware adds itself, not directly, but through a text file in a startup folder, with a path to a malicious executable file. This is done to avoid detection by AntiVirus (AV) software.
In the figure below, we can see that in the initial system that runs all processes’ activities stopped, after the y6s2gl.exe process is added into a startup. Now we reboot the system during analysis to take a look at malware activities. As you may notice, after the system reboot malware successfully executes and is detected as Nanocore.
Extended set of Operating Systems
A wide choice of operating systems, where you examine your sample or URL, can be very helpful for many reasons. Hunter gives you multiple options of operating systems — Windows 7, 8.1,10, and even VISTA! You know that malware acts differently in various circumstances and environments. One of the points is the upload simply may not work inside one system and run perfectly inside another. The nature of such troubles might depend on the bitness of the system architecture and despite it, ANY.RUN gives you the necessary tools. Pick the OS to catch malware for good.
The first and popular case is when malware works fine on Windows 10 but fails on other versions such as Windows 7. Runtime errors are related to the sample’s incompatibility with the OS. Here is the Quasar trojan example with such behavior.
Most likely it is caused by the .Net Framework version it is using. We will talk more about that later.
The second example is not so obvious, but nonetheless, analysts should keep this development in mind.
Sometimes the Command & Control (C&C) server may send a different payload to the infected systems based on the type of their versions, bitness, environment, etc. But the server may also not send anything at all to a particular version of the OS. In this example, the C&C server doesn’t send a payload to Windows 7, but successfully sends it to a Windows 8.1 version.
Environment
The malware may not work properly in a virtual machine not only because of the operating system version, but the main reason is the environment:
— an executable crashes because of the .Net framework version;
— a script doesn’t work because of the old Powershell version;
— a malicious document does nothing because of a different Microsoft Office version, etc.
This list is not complete, but that’s enough to understand that many reasons may cause problems during analysis and cybersecurity specialists should be prepared for this.
Thankfully, ANY.RUN gives a variety of instruments for the flexing analysis and allows to control the flow of it. You can go ahead and pick between different versions of application sets, editions, and builds that correspond to certain operating system versions.
In the example below a maldoc doesn’t work in Windows 7 because of the installed version of Microsoft Office, which is 2007. This version of the Office is more familiar and suitable for that out-of-date version of Windows, but it doesn’t support the new macro sets.
ANY.RUN’s Hunter plan feature gives us the ability to change a version of the OS and its environment in two clicks! After we restart the task in Windows 10 with installed MS Office 2019, the malicious document has successfully downloaded a payload and Dridex banking trojan is detected.
Windows 7 + MS Office2010 example
Windows 10 + MS Office 2019 example
Another example of this problem and its solution from ANY.RUN is the case where Powershell script with cmdlets specific to version 5 was used. So this script doesn’t work with the Windows 7 second version of Powershell installed by default. What is the solution? Let’s click a couple of buttons and initiate the task again in Windows 10.
Windows 10 + Powershell 5 task
Some malware is geofenced, so it checks the geolocation of the infected host to avoid delivery in non-target countries. Hunter plan gives you the ability to fool these samples! Let’s get around this trick by using the Tor feature and re-route our traffic through another country.
As you may see in the figure below, the Regsvr32.exe process doesn’t receive any payload and quits execution. Based on the fact that the analyzed malicious document uses a template with the Italian language, we restart our task but now re-route traffic through Italy.
Not surprisingly, we got a different result with such options: Ursnif aka Gozi was downloaded as a payload. During at least the summer of 2020, this malware family often targeted Italy via malicious spam campaigns.
The advanced malicious programs and skilled threat writers often implement the verification of the system’s locale. A widely spread example of a method is ransomware families that check whether the language of the system is on the list or it doesn’t encrypt, if so.
There is a way to make malware exit, pick the necessary options that Hunter offers you: change the keyboard language, currency, time zones, and country of operating systems.
We’d like to investigate an interesting example. Our maldoc doesn’t receive payload, but its template is in French. Let’s restart the sample with fr-FR locale.
As you may see, if you open a task, payload downloads only on the system with French locale. The payload is a Varenyky spambot.
An example with default en-US locale
Don’t forget that you can combine all of Hunter’s features in your tasks! And what about malicious spam campaigns with more than one trick to avoid detection?
Well, let’s dive in!
Maldoc in our example compares MS Office’s LanguageID with values and doesn’t run if language IDs differ from Italian. It also correlates the first char of an opened Excel file’s title. You should remember — don’t rename the files you analyze.
This malicious document is geofenced, the C&C server doesn’t send payload back if it is requested from outside of Italy.
Here you can check out the tasks:
An example with default en-US locale
An example with locale sets to it-IT without TOR
An example with locale sets to it-IT with TOR through Italy
Conclusion
Hunter provides expanded abilities for highly skilled cybersecurity specialists. Try the full power of interactive analysis with the Hunter subscription. Have you checked the info about the other plans? Make sure to read other articles in our blog to compare the different range of functionalities of ANY.RUN subscriptions!
3 comments
I don’t even understand how I finished up here, however I thought this submit was good. Cheers!
Someone essentially help to make critically posts I might state.
This is the very first time I frequented your web page and so
far? I surprised with the research you made to create this
actual publish amazing. Magnificent task!
fantastic issues altogether, you just received a new reader.