ANY.RUN is a service for deep malware analysis, and that has always been our priority. Beyond that, it is an excellent platform for education. The Searcher subscription is a step up from the Community plan, which we have already covered, and it is a good choice if you have just started your journey in cybersecurity. Independent researchers, junior malware analysts, and anyone interested in the subject can use it to speed up their training. Its affordable price and expanded functionality also make it a good fit for investigators who work on their own.
Searcher's advanced features
Today we'll walk through the Searcher features that help you get more out of an analysis.
1. Commercial usage and privacy
The first benefit is commercial usage, which unlocks the privacy settings: you no longer have to share your tasks publicly, which matters because the analyzed data can contain sensitive information. This is essential when you use the service for training as well. You can keep a task completely confidential, share it with team members via a link, or make it public later if you choose, and you can delete tasks whenever you need. Treat your API key the same way and keep it out of scripts and shared material, since exposing the key exposes your tasks.
2. Windows 7 x64
Some samples do not run correctly, or at all, on 32-bit (x86) systems. Unlike the free plan, Searcher lets you run a task on the 64-bit build of Windows 7. Detonating a file on the OS it was built for reveals the full attack chain, and it lets you collect payloads that are only delivered to 64-bit hosts.
3. Timeout and file size
Your task can run for 360 seconds, and you can extend it by another 4 minutes. That is convenient when you have just dipped your toe into malware analysis and need time to decide what to do next. The uploaded file size can reach 32 MB, which is more than enough to investigate most malware inside and out.
4. Suricata IDS rule sets
Searcher also includes Suricata IDS rule sets from premium providers. These rules are a key part of the detection process: many malware families, and the stages of their behavior, can be identified from network activity alone.
5. Video record
You can also record a video of the task execution. All activity inside the virtual machine is captured, including the pop-up messages about process starts and other significant events in the task. This lets you rewatch the chain of actions that took place during the task and share it with colleagues or the community.
6. MITM proxy for HTTPS requests
With the MITM proxy feature you can intercept HTTP and HTTPS requests and responses and save the TLS session keys. When the task ends, you can download the PCAP together with the key file and decrypt the traffic in the tool of your choice. So whenever malware uses SSL/TLS to send or receive data, enable the "HTTPS MITM proxy" option before starting the task.
While it is on, the SSL/TLS keys are logged and saved, and you can decrypt the captured SSL/TLS connections in programs like Wireshark. A video with the Danabot trojan shows the feature in practice.
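To make the exported key file concrete, here is an added Python example (not ANY.RUN code) of what Wireshark does with it. It assumes the key file is in the NSS key-log format Wireshark reads, one `<LABEL> <ClientRandom> <secret>` entry per line. The code parses that file, pulls the 32-byte Random out of a captured ClientHello record, and uses it to look up the session's master secret, which is exactly the pairing Wireshark performs before it can decrypt a stream. The key-log lines and the ClientHello bytes are constructed for the example; the label names and the TLS record layout are the real ones.

```python
"""Match TLS key-log entries to a captured ClientHello.

Added example, not ANY.RUN code. Assumes the sandbox exports an NSS-format
key log ('<LABEL> <64-hex ClientRandom> <hex secret>' per line); Wireshark
pairs the ClientRandom with the one inside each session's ClientHello.
The sample key log and ClientHello below are constructed, not captures.
"""
import re
from collections import defaultdict

# Labels Wireshark understands in an NSS key log (TLS 1.2 and TLS 1.3).
KEYLOG_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.2: 48-byte master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",  # TLS 1.3 secrets (size depends on hash)
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return {label: {client_random_hex: secret_hex}}.

    Comments and malformed lines are skipped rather than raised on: one bad
    line must not block decryption of every other session in the capture.
    """
    entries = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        label, client_random, secret = parts
        if len(client_random) != 64 or not HEX.match(client_random):
            continue
        if not HEX.match(secret) or len(secret) % 2:
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:  # 48 bytes
            continue
        entries[label][client_random.lower()] = secret.lower()
    return dict(entries)


def client_random_from_hello(record):
    """Extract the 32-byte Random from a TLS ClientHello record.

    Layout: 5-byte record header (type 0x16, version, length), 4-byte
    handshake header (type 0x01, 3-byte length), 2-byte client version,
    then the 32-byte Random at offset 11.
    """
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    return record[11:43].hex()


def lookup_secret(keylog, record, label="CLIENT_RANDOM"):
    """Return the secret Wireshark would use for this session, or None."""
    return keylog.get(label, {}).get(client_random_from_hello(record))


# Constructed sample key log: two TLS 1.2 sessions plus one broken line.
RANDOM_A = bytes(range(32))
RANDOM_B = bytes(range(32, 64))
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file (constructed sample)\n"
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'aa' * 48}\n"
    f"CLIENT_RANDOM {RANDOM_B.hex()} {'bb' * 48}\n"
    "CLIENT_RANDOM deadbeef short\n"   # malformed, must be skipped
)


def build_client_hello(random32):
    """Constructed minimal ClientHello record carrying the given Random."""
    body = b"\x03\x03" + random32 + b"\x00"       # version, Random, no session id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00" + b"\x00\x00"             # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    keylog = parse_keylog(SAMPLE_KEYLOG)
    hello = build_client_hello(RANDOM_A)
    print("sessions with a master secret:", len(keylog["CLIENT_RANDOM"]))
    print("secret for captured session:", lookup_secret(keylog, hello))
```

In Wireshark 3.x and later, set the TLS preference `tls.keylog_file` (Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename) to the downloaded key file and open the PCAP; the HTTP inside each TLS stream is then shown in clear. From the command line, `tshark -r task.pcap -o tls.keylog_file:keys.log -Y http` does the same (older releases named the preference `ssl.keylog_file`). The file names here are placeholders.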
A use case
The Searcher plan comes in handy when a sample only works on a 64-bit version of the operating system, as in the following task:
In this example we are dealing with a malicious document. As soon as the task starts and the maldoc opens, activity appears in the process tree: EXCEL.EXE creates a child PowerShell process, which starts network activity and downloads the next stage. That PowerShell process then runs a Base64-encoded script, which downloads further obfuscated and encrypted files, decodes them, and injects one of them into an MSBuild process.
This is exactly where x86 systems fall short: the MSBuild process does not behave as expected and is spawned over and over without ever finishing. Whatever the reason, that behavior prevents a full analysis and IOC collection because the task never runs to completion. So we simply select 64-bit Windows 7 in the task settings.
Now the task works as intended: all processes are in place, the payload is downloaded, and a Netwire trojan is detected. In this case the detection comes from a local signature, specifically on the registry changes the malware makes in the operating system. Beyond that, other ANY.RUN features give us a lot of additional information, and they would do so even if the task had not received the main payload. On the Searcher plan the premium rule sets are available, so we can easily learn more about the network activity inside the task.
Looking at Network threats, we can see that the PowerShell process requests a .txt file from the server with minimal headers, receives packets carrying an inbound PowerShell script, and drops an obfuscated Portable Executable (PE) or Dynamic Link Library (DLL) file. With these rule sets we don't even need to look inside the packets: everything is in full view less than 10 seconds into the task's execution and is two clicks away.
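The Base64-encoded PowerShell stage in this chain is something you will want to unpack yourself after the sandbox run. The following Python is an added example, not code from ANY.RUN or from the sample analyzed above: it decodes a PowerShell `-EncodedCommand` argument (PowerShell also accepts shortened forms such as `-enc`, and the payload is the UTF-16LE script text in Base64), then scans the decoded script for URLs and for long Base64 blobs of the kind handed to `[Convert]::FromBase64String`, flagging any blob that decodes to a PE or DLL by its `MZ` magic. The command line, URL and blob are constructed for the example.

```python
"""Triage a Base64-encoded PowerShell stage.

Added example, not ANY.RUN code and not the real sample. Handles the two
encodings analysts meet most often: the -EncodedCommand argument (Base64 of
the UTF-16LE script) and plain Base64 blobs embedded in the script and passed
to [Convert]::FromBase64String. All inputs below are constructed.
"""
import base64
import re

# -e / -ec / -en / -enc / -encodedcommand; \b keeps -ExecutionPolicy from matching.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # runs long enough to be a blob


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def extract_blobs(script):
    """Decode long Base64 runs in a script and flag those with the MZ PE magic."""
    blobs = []
    for m in B64_RUN.finditer(script):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue   # not actually Base64 (e.g. a long identifier)
        blobs.append({"offset": m.start(), "size": len(data),
                      "is_pe": data[:2] == b"MZ"})
    return blobs


def triage(cmdline):
    """Decode the command line (if encoded) and pull out URLs and embedded blobs."""
    script = decode_encoded_command(cmdline)
    if script is None:
        script = cmdline   # not encoded: scan the command line itself
    return {"script": script,
            "urls": URL_RE.findall(script),
            "blobs": extract_blobs(script)}


# Constructed sample: a fake 64-byte "PE" wrapped in a loader one-liner,
# then the whole script encoded the way PowerShell -enc expects it.
FAKE_PE = b"MZ" + b"\x90" * 62
INNER_SCRIPT = (
    "$u='http://example.invalid/p.txt';"
    f"$b=[Convert]::FromBase64String('{base64.b64encode(FAKE_PE).decode()}');"
    "[Reflection.Assembly]::Load($b)"
)
SAMPLE_CMDLINE = ("powershell.exe -NoP -w hidden -enc "
                  + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded script:", result["script"])
    print("URLs:", result["urls"])
    for blob in result["blobs"]:
        print(f"blob at {blob['offset']}: {blob['size']} bytes, PE={blob['is_pe']}")
```

Anything the decoder turns up (the URL the stage fetches, the size and type of the embedded file) goes straight into the IOC list alongside what the sandbox already reported.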
The Searcher plan is versatile, so we are confident it will live up to your expectations. It suits any specialist who is eager to improve their cybersecurity skills.
A common arrangement is for an organization to purchase this kind of subscription to test the waters of ANY.RUN's fundamentals while also working with samples that contain sensitive data. The more experienced members of the team get Hunter accounts, and the others work on Searcher accounts.
Found this article interesting? Check out the other articles in this series and make your choice!