ANY.RUN‘s interactive malware sandbox is evolving. We are excited to introduce Automated Interactivity (ML). Exclusive to Hunter and Enterprise plans, this feature is designed to improve the accuracy and success rate of tasks launched via API and automate your malware analysis process when using the interface.
Automated file processing through API and UI
The Automated Interactivity (ML) feature is switched on by default for tasks launched via the API. You can also enable it when creating a new task in the interface.
What are the benefits of Automated Interactivity (ML)?
- For API tasks: In tasks where manual interaction is required, such as bypassing CAPTCHAs on phishing sites used as an evasion tactic, ANY.RUN will automatically interact with elements to circumvent the evasion.
- When working with the interface: You can now save time by allowing tasks to auto-complete in the background while you focus on other activities. ANY.RUN will use machine learning to complete necessary actions. And if you need to adjust the sandbox’s approach to a task, you have the option to take control and complete it manually.
Understanding Automated interactivity (ML)
The new feature mimics human interactions during task execution, functioning similarly to an auto-clicker, specifically for button clicks. It categorizes buttons by their importance, always prioritizing actions that advance the task, such as navigating through an installer form or bypassing captchas.
Crucially, this is effective for both API and interface tasks. However, the feature is particularly advantageous when you deploy it using the API since it enables you to automatically analyze samples that would otherwise require manual work. Automated Interactivity drastically improves detection rates in cases when you need automated processing.
How to activate automated Interactivity (ML)?
For API tasks, the automated Interactivity (ML) is switched on by default. You can learn how to further configure it in our API documentation.
In the interface, to take advantage of the new feature, you can simply flip on the automated Interactivity (ML), switch in a new task pop-up, in the additional settings of the Pro setup window mode. There’s no additional configuration necessary, as the sandbox will start performing auto-click behavior automatically.
Using automated Interactivity (ML) in the real world
Let’s look at a few real-world examples using automated Interactivity is beneficial.
Completing captcha challenges in phishing sites
Phishing sites have increasingly adopted methods to evade automated security measures. One prevalent technique involves integrating CAPTCHAs, making them more challenging to block automatically. Our recent article highlighted the use of QR codes, but CAPTCHAs are now the primary focus.
To access a phishing site, users are prompted to solve a CAPTCHA. This presents a significant obstacle for automated solutions, particularly when leveraging APIs.
The task linked below demonstrates that CAPTCHA from is bypassed using automated interactivity (ML), enabling direct access to phishing sites (this works with other providers, like Google, too). This capability is crucial for malware analysts investigating phishing operations.
See this CloudFlare CAPTCHA task for reference.
Analyzing installers
Malware authors frequently embed malware in legitimate software, deceiving users into inadvertently installing it. This often occurs when users download programs from the Internet. Installers typically demand user interaction, necessitating clicks on buttons like ‘OK’ and ‘Next’. Our feature automates this process for you:
You can check out how it works in this task
Working with infected files
Attackers commonly embed malicious or phishing links in various file types, such as PDFs. These links either redirect users to harmful sites or initiate the download and opening of malicious software. Automated interactivity (ML) not only opens these links and downloads the associated files but also executes them, thus accelerating the analysis process:
See this task for reference.
But we’ve only scratched the surface — there are many more scenarios when Automated interactivity (ML) is very beneficial. For example, since you can also submit URLs to ANY.RUN, in some cases it is possible to use Automated Interactivity not only to download but also launch and install linked files automatically.
Wrapping up
To summarize, the automated interactivity feature available to our Hunter and Enterprise users serves two primary purposes:
- Increase detection rate in automated processing scenarios.
- Enhance analysis accuracy via API by effectively circumventing evasion tactics.
- Reduce workload in ANY.RUN’s interface by automating the analysis process.
The second use case is particularly noteworthy, as the new feature enables ANY.RUN to tackle cases that typically pose significant challenges to automated solutions, often resulting in misinterpreted verdicts.
About ANY.RUN
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
Request a demo today and enjoy 14 days of free access to our Enterprise plan.
0 comments