{"id":4064,"date":"2022-11-16T06:34:00","date_gmt":"2022-11-16T06:34:00","guid":{"rendered":"\/cybersecurity-blog\/?p=3128"},"modified":"2022-12-21T06:42:22","modified_gmt":"2022-12-21T06:42:22","slug":"release-notes-november-16-2022","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/","title":{"rendered":"Release notes November 16, 2022"},"content":{"rendered":"\n<p>Hello, <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release1611&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ANY.RUN (opens in a new tab)\">ANY.RUN<\/a> users! Today we announce a new update to the service. This time, we discuss a new browser that will blow the lid off threats that exploit Microsoft Edge. Also, we will unveil 3 fingerprinting methods that can change your malware analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Update overview:<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Analyze with Microsoft Edge<\/strong><\/li><\/ul>\n\n\n\n<p>Launch tasks in a new, more functional, and modern browser. Conquer all threats that exploit Edge.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>New JA3, JA3S, JARM fingerprinting methods<\/strong><\/li><\/ul>\n\n\n\n<p>Find out more about TLS connections, improve the results of malware analysis, and make your report more informative.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft Edge use case&nbsp;<\/h2>\n\n\n\n<p>For a long time, the default browser in Windows was Internet Explorer. But time goes on: it is now outdated and can no longer cover all users&#8217; needs.&nbsp;<br><\/p>\n\n\n\n<p>It has been replaced by a more functional and modern browser: Microsoft Edge. Malware creators do not sleep either and have learned to take advantage of the new browser.<br><\/p>\n\n\n\n<p>For example, they adapt phishing sites or write exploits that work only in Edge. 
The ANY.RUN online malware sandbox takes care of its users \u2013&nbsp;we have added the Microsoft Edge browser for analyzing new threats, so you can open malicious sites directly without unnecessary actions.<br><\/p>\n\n\n\n<p>Let\u2019s analyze <a href=\"https:\/\/app.any.run\/tasks\/ff0dc3bb-e159-4ed5-93d7-3b33cf71c50b?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release1611&amp;utm_content=task1\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">a sample in Microsoft Edge<\/a> together.<br><\/p>\n\n\n\n<p>First of all, open a phishing link through the Edge browser.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/rMQk3bEJl6K5Nct035CELbdxZp7kkwY7o0CqGLNE1MiWeTYD_1Wnp7HlOhS72-RZcyHTc2-G_F8_9qAaRepej0qeI3aJItDHrU1veO007A6y7eVOg2plr99GDgjerSzccbUUbPmUEKhFmNap_dAiBToKufLqkObLDI9wF8E50NNUbuSlhrSNXD_D_TXzrg\" alt=\" Edge browser in ANY.RUN\"\/><\/figure>\n\n\n\n<p>After the link is launched in the VM, the HTML file will be downloaded. Note that the file will automatically open in Microsoft Edge (the standard Windows browser).<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/r80TZsWx5bYc7PUNnwriKQwQpU75agejmmuszCW3o70vPVsjQ4ZM0X7ubvC5REzyo3CPisS6RRgC4Uycp3xp_xLiphciz3rWZ_nHUBiOOGD2CtwggYJOVubFjOL02zHCCZmkhdvI-VkoRQ2aeil6RH6CyvrLoDtHxciKcDLhQ3lgqVSrhtUvR23F01dwCw\" alt=\"The link is launched in Microsoft Edge\"\/><\/figure>\n\n\n\n<p>If we enter the data and click Next, we are redirected to an error. 
And if we look at the Requests this time, we see a POST request.&nbsp;<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/PXBuydve11-k4NiKlb7QthkYwJIciBQJ2SqV1iBCTEafDR3aawEWg2ifpOSsk4nfx2Th50-eD2DjI-X7FB8ifQgLH4AADhmns9NkbQdKPXeDZAbuZvoBi--UbSH2x-MFDAq0Hvify4u3ARRwGV7BDoTtXiEZFGBWKhMFVN8D0Zy41o_0rl--UiBOC-MkIw\" alt=\"HTTP Requests in ANY.RUN\"\/><\/figure>\n\n\n\n<p>Inside the POST request, we can find our data.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/9QOEXmT9XI6qmGkFFJ17McSlVndyl3vy4U-nLQdxIzCAn0foYgiWUsSNKqvOR3NekVhnU6MffKgTbkN_0DpKB2e5PsCjkou_-fLZEfg04dcnW4tYqmDiz4UXdHQ7L6cHCEmxx3ddnfBR9yeQMOZxcHMnKoXmTQ6vitXoijxPnwZBd_3FsAmWWv4OVXeoZQ\" alt=\" POST request in ANY.RUN\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">TLS fingerprinting<\/h2>\n\n\n\n<p>Malware creators use SSL\/TLS protocols to hide malicious objects in encrypted traffic, which makes detection and removal harder. Because the TLS encryption negotiation is transmitted in the clear, client applications can be tracked and identified.<br><\/p>\n\n\n\n<p>TLS fingerprinting is designed to quickly identify known TLS connections and trace unknown TLS connections. 
Input data is received either by traffic monitoring or by reading PCAP files.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">There are several implementations that the community uses:<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>a passive method using JA3 and JA3S hashes<\/li><li>an active tool for TLS server fingerprinting \u2013 JARM hashes.<\/li><\/ol>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table class=\"\"><tbody><tr><td><strong>JA3<\/strong><\/td><td><strong>JA3S<\/strong><\/td><td><strong>JARM<\/strong><\/td><\/tr><tr><td>The method collects the decimal<br> byte values for the following fields<br> in the Client Hello packet:&nbsp;<br><br> &#8211; TLS version&nbsp;<br>&#8211; cipher suite&nbsp;<br>&#8211; list of TLS protocol extensions&nbsp;<br>&#8211; elliptic curves<br>&#8211; elliptic curve formats<br><br><\/td><td>A server identification hash.&nbsp;<br><br>The method collects<br> the decimal byte values<br> for the following fields<br> in the Server Hello packet:&nbsp;<br><br>&#8211; TLS version<br>&#8211; cipher suite&nbsp;<br>&#8211; a list of TLS protocol extensions.<\/td><td><br>It is a hybrid fuzzy hash.<br><br>The method uses a combination<br> of reversible and irreversible<br> hashing algorithms to create<br> a 62-character fingerprint.<br><br><br><br><br><br><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>TLS fingerprinting is a useful part of malware analysis. With it, you can:&nbsp;<br><\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Make sure that all servers in the group have the same TLS configuration.&nbsp;<\/li><li>Group various servers on the Internet by configuration.<\/li><li>Identify default applications or infrastructure.<\/li><li>Detect command centers and other malicious servers on the Internet.<\/li><\/ol>\n\n\n\n<p>In today\u2019s update, we have added these fingerprinting methods to <a 
href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release1611&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ANY.RUN sandbox, (opens in a new tab)\">ANY.RUN sandbox,<\/a> so now you can carry out the analysis with them like in this <a href=\"https:\/\/app.susp.io\/tasks\/98397dc3-1b6c-43fb-b3f4-7ff280beac42?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release1611&amp;utm_content=task2\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">sample<\/a>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/2Oti1ueSe7eyKmoqwcJqlFq-6qIbCqLtw4BbuRGbZ-5-viiOhc273G844d7gms6p-XjuAyY3WL0O3IfRbh8EPx1ZUqOhUhaNHvk7Zcz8j-nsbe2t02M67GAS_dVMgFQydCVimrLYoULMJf9SOMV-ZNYZmHUw7Eyv_E1pE3wxl8GLbcU4tFF2qN2qQoImvw\" alt=\"TLS fingerprinting methods in ANY.RUN\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Hello, ANY.RUN users! Today we announce a new update on the service. This time, we discuss a new browser that will blow the lid on threats that exploit Microsoft Edge. Also, we will unveil 3 fingerprinting methods that can change your malware analysis. 
Update overview: Analyze with Microsoft Edge Launch tasks in a new, more [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3724,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,55,56],"class_list":["post-4064","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-release","tag-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Release notes November 16, 2022 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"ANY.RUN has updated the service with a new release on the 16th of November. Meet a new Microsoft Edge browser and JA3, JA3S, JARM fingerprinting methods.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Release notes November 16, 2022\",\"datePublished\":\"2022-11-16T06:34:00+00:00\",\"dateModified\":\"2022-12-21T06:42:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/\"},\"wordCount\":563,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"release\",\"update\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/\",\"name\":\"Release notes November 16, 2022 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2022-11-16T06:34:00+00:00\",\"dateModified\":\"2022-12-21T06:42:22+00:00\",\"description\":\"ANY.RUN has updated the service with a new release on the 16th of November. 
Meet a new Microsoft Edge browser and JA3, JA3S, JARM fingerprinting methods.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Release notes November 16, 2022\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Release notes November 16, 2022 - ANY.RUN&#039;s Cybersecurity Blog","description":"ANY.RUN has updated the service with a new release on the 16th of November. Meet a new Microsoft Edge browser and JA3, JA3S, JARM fingerprinting methods.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Release notes November 16, 2022","datePublished":"2022-11-16T06:34:00+00:00","dateModified":"2022-12-21T06:42:22+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/"},"wordCount":563,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","release","update"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/","url":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/","name":"Release notes November 16, 2022 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2022-11-16T06:34:00+00:00","dateModified":"2022-12-21T06:42:22+00:00","description":"ANY.RUN has updated the service with a new release on the 16th of November. 
Meet a new Microsoft Edge browser and JA3, JA3S, JARM fingerprinting methods.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-november-16-2022\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Release notes November 16, 2022"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4064"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=4064"}],"version-history":[{"count":2,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4064\/revisions"}],"predecessor-version":[{"id":4066,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4064\/revisions\/4066"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3724"}],"
wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=4064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=4064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=4064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}