1
00:00:00,360 --> 00:00:06,630
In this lesson, we will see the demonstration of how Any.Run simplifies the process of malware

2
00:00:06,660 --> 00:00:07,290
analysis.

3
00:00:08,420 --> 00:00:13,250
To start with, let's visit the website www.any.run.

4
00:00:15,180 --> 00:00:20,250
We would need to create an account to use the service; there is a free version, too.

5
00:00:20,730 --> 00:00:23,860
However, there are a few limitations to using the free version.

6
00:00:24,720 --> 00:00:26,610
We will talk about the limitations in a bit.

7
00:00:27,750 --> 00:00:33,930
So I register, giving my email address, set a password and also verify my email address.

8
00:00:39,550 --> 00:00:43,300
Then I will log in with my account credentials.

9
00:00:44,990 --> 00:00:50,830
Here, I will have to set up a new task, and it just asks for two details.

10
00:00:51,650 --> 00:00:56,210
First, what operating system do you want to use to run the malware sample?

11
00:00:56,840 --> 00:01:00,200
Second, to submit the actual malware sample.

12
00:01:01,640 --> 00:01:08,260
Simple and easy. If you notice, all the other operating systems are greyed out except for Windows 7,

13
00:01:09,110 --> 00:01:12,210
and also I can only select a 32-bit machine.

14
00:01:13,190 --> 00:01:17,050
These are the limitations of the free version of Any.Run.

15
00:01:18,190 --> 00:01:25,270
The moment I try to slide it to 64-bit, it throws me the message "this feature is available on higher

16
00:01:25,270 --> 00:01:27,880
plans, upgrade to use the feature."

17
00:01:29,180 --> 00:01:35,660
So I select Windows 7, 32-bit for this demo, and then we need to submit the sample.

18
00:01:36,920 --> 00:01:40,930
So I will click on the "choose a file" link and select the file in question.

19
00:01:42,050 --> 00:01:44,420
Finally, I have to click on Run.
20
00:01:45,520 --> 00:01:52,660
Again, it throws a warning that all the data we submit, that is the file sample, its contents and the

21
00:01:52,660 --> 00:01:55,000
details, will be available for public access.

22
00:01:55,690 --> 00:02:00,400
And if you want to run the analysis in private, then you need to choose a plan.

23
00:02:01,620 --> 00:02:08,370
I don't want the paid plan now, so we'll click on "I agree", and then the fun begins.

24
00:02:11,030 --> 00:02:17,330
Take a look at all the installed software like Acrobat Reader, the MS Office package, VLC media player, etc.

25
00:02:17,330 --> 00:02:24,740
This will help in creating a near-real replica of what our users use in their everyday work life.

26
00:02:25,700 --> 00:02:32,840
On the right here, we see the countdown timer. It'll run for one minute by default, and we can add

27
00:02:32,840 --> 00:02:34,640
more time by clicking on this button.

28
00:02:37,090 --> 00:02:41,660
As expected, the malware is throwing the message "your computer is in danger.

29
00:02:42,280 --> 00:02:46,140
Windows Security Center has detected spyware or adware infection.

30
00:02:46,750 --> 00:02:50,290
It is strongly recommended to use special anti-spyware."

31
00:02:51,780 --> 00:02:56,280
As learned during string analysis, the same message appears a couple of times.

32
00:02:58,390 --> 00:03:02,490
Now the execution of the file is complete, and we have let it run for two minutes.

33
00:03:03,780 --> 00:03:12,150
Let's check the reports of Any.Run. Once the allotted time is completed, we can look at the reports of

34
00:03:12,150 --> 00:03:14,130
the sample here.

35
00:03:14,130 --> 00:03:22,200
We see some network activity like an HTTP request going to download.bravesentry.com; looks like the website

36
00:03:22,200 --> 00:03:23,870
is hosted in Canada.

37
00:03:25,050 --> 00:03:31,920
There is one TCP request going to the IP 69.50.175.181 on

38
00:03:31,920 --> 00:03:35,370
port 80, and we have 93 bytes downloaded.
39
00:03:36,090 --> 00:03:40,620
Not a lot, because as you see here, the request did not get any response.

40
00:03:41,400 --> 00:03:44,010
Maybe the website is not functioning at this point in time.

41
00:03:45,690 --> 00:03:52,020
Further on to the right, we see the name of the submitted sample. If necessary, we could download

42
00:03:52,020 --> 00:03:56,310
the sample again, and a password-protected file will be downloaded.

43
00:03:57,540 --> 00:04:01,830
All the indicators of compromise, that is IOCs, are listed here.

44
00:04:03,820 --> 00:04:08,860
We can start the whole submission again and export the process graph.

45
00:04:10,960 --> 00:04:17,620
We can also download a text report which will highlight all the details of the sample and its behavior.

46
00:04:18,840 --> 00:04:22,530
For example, here we see the static analysis information like:

47
00:04:25,160 --> 00:04:33,890
Any.Run is 64 percent confident that this is a UPX-compressed Windows 32-bit executable.

48
00:04:35,070 --> 00:04:42,960
It also gives DOS header information like the magic number, that is MZ, and PE header information like it has

49
00:04:42,960 --> 00:04:44,640
three different sections.

50
00:04:45,000 --> 00:04:48,150
The compile time is 7th May 2007.

51
00:04:49,310 --> 00:04:52,310
Down here, we see the details of the sections.

52
00:04:53,320 --> 00:05:00,940
We notice there are two resources highlighted, named 1 and 101; details can be expanded.

53
00:05:02,350 --> 00:05:09,730
The list of all the libraries used in the application is highlighted here, and also a few screenshots taken

54
00:05:09,730 --> 00:05:11,340
while running the sample.

55
00:05:12,860 --> 00:05:20,480
There were a total of 34 processes running during execution of this malware, and one process, that is

56
00:05:20,480 --> 00:05:22,690
the malware itself, was being monitored.

57
00:05:24,190 --> 00:05:27,940
Here we see the behavior information like the process graph.
58
00:05:29,760 --> 00:05:37,260
It does a total of 7 registry activities, 6 reads and 1 write; one such registry write

59
00:05:37,260 --> 00:05:38,400
operation is highlighted.

60
00:05:39,680 --> 00:05:45,470
Even though the file activity says zero here, we know by static analysis that the sample was in fact

61
00:05:45,470 --> 00:05:52,550
trying to download a few files like bravesentry.exe, bravesentry.lic, install.dat and xpupdate.exe.

62
00:05:54,950 --> 00:05:59,600
Because the website is not operational, the malware could not download the other files.

63
00:06:01,510 --> 00:06:06,040
Further down here, we see the same network activity as highlighted before.

64
00:06:07,060 --> 00:06:14,140
Going back to Any.Run, it will give similar data in various other formats at different places. Like,

65
00:06:14,710 --> 00:06:19,630
if you click on this PE icon, we get the same details in a different format.

66
00:06:21,390 --> 00:06:23,940
Also, we notice a hex format of the file.

67
00:06:24,420 --> 00:06:29,400
Again, we see the first few bytes to be MZ, confirming it is an executable file.

68
00:06:30,910 --> 00:06:36,970
Upon clicking on the name of the sample, we get the detailed report here. I click on "more information"

69
00:06:37,360 --> 00:06:40,180
and get all the details again in different tabs.

70
00:06:41,920 --> 00:06:47,290
On the left here, we see the indicators; this sample exhibits one such behaviour,

71
00:06:48,160 --> 00:06:54,060
which talks about creating a new file install.dat at this highlighted location.

72
00:06:56,310 --> 00:07:02,640
Even though Any.Run does not give us a verdict on the sample, we are very sure that this invoice.xlsx

73
00:07:03,780 --> 00:07:06,180
file is definitely malware.