Hello, ANY.RUN users! Today we announce a new update to the service. This time, we present more than 100 signatures for TTP analysis and detection, as well as fast and smooth virtual machine video streaming.
- Detect more successfully: 100+ new signatures and fewer false positives.
- Enjoy fast and smooth interaction with the VM: a new beta functionality for virtual machine video streaming.
New signatures for improved detection
We’ve added more than 100 new signatures, both for malware detection and for analysis of the different TTPs used by threat actors, so that your analysis is more complete and more accurate. We’ve also reduced the number of false positives.
Our signatures provide a detailed report on what is going on while the program is running, and the data is presented in plain language, so anyone can get the whole picture of the malware’s behavior.
Check out the examples of fresh ANY.RUN signatures for new malware versions below; we will, of course, continue to add more.
| Fresh ANY.RUN signatures | Detection usage |
|---|---|
| Emotet | It is spreading over the network again and continues to infect computers on a large scale. We have updated the signatures for this malware. |
| All WMIC requests and what they are responsible for | WMIC is used by a lot of malware because its responses contain data about the computer and its connections. Now you can find out what information the malware asked for. |
| MITRE T1012 – Query Registry | A common technique used by malicious objects. |
| Detected use of alternate data streams (AltDS) | NTFS alternate data streams are often used for covert execution. |
| DLL Hijacking | DLL spoofing is an attack based on replacing a legitimate DLL file with a malicious library. |
| Starts NET.EXE to manage network settings | The process starts NET.EXE to manage network settings. |
| Connection from MS Office application | A Microsoft Office application, such as Word, Excel, or PowerPoint, made a network connection. |
| Loading modules from mounted disk drive | The process loaded its module from a mounted disk drive. |
| Downloads binary or script | The process downloads an executable file or script from the Internet. |
| Check the default browser | The process checks which Internet browser is set as default in the OS. |
| The process checks if it is being run in the virtual environment | The process checks whether it is running in a virtual environment, to avoid detonation there. |
| Process checks computer location settings | The process checks computer location settings in the registry, which may be used for geofencing. |
| Unusual connections from system programs and MOs | Malware often connects to servers via these programs. |
| Stealerium | A popular data theft malware. |
| LimeRAT | Malicious software written in VB.NET. |
| StRRAT | A trojan-RAT written in Java. |
| Ransomware koxoc note | The signature helps to detect ransomware. |
| ISO mounted | Many malware types use disk mounting. |
Next level of virtual machine video streaming
The VM video streaming area is where you work with the virtual machine. Previously, we cut out the changed regions of the screen and overlaid them on the initial frame. That algorithm was complex, and while it coped well with the numerous small changes that occur during analysis, it was not suitable for all types of content.
In our understanding of a useful sandbox, the virtual machine must let you examine files of any kind without friction. During the analysis of suspicious files, you may face documents with many pages, videos with repetitive elements, and other objects with frequent small changes. So we rose to the challenge, and here are our results.
Let’s take a sneak peek at what we have done behind the scenes.
ANY.RUN’s team decided to change the approach to this issue. Now we stream everything you need on your virtual machine as HTML5 video while maintaining a stable bit rate at the same time.
Owing to this approach, you can notice the following improvements:
- VM video streaming is now faster than it has ever been: smooth, fast performance, just as on your own computer. The number of frames per second has increased, which is why the image is sleek and stable. Watch videos, streams, long documents, and data-heavy spreadsheets without stutter.
The technology behind this solution is new and complex and is still in beta, so ANY.RUN users have a choice. You can turn the new functionality on in your profile or in the New task window via the beta version checkbox, and turn it off if you don’t need it or run into difficulties because of the state of your machine.
- ANY.RUN’s main goal is to make the area where users interact with a sample as good as it can be. This time we also focused on reducing lag and the delay before any action (dragging or clicking the mouse, pressing a key) takes effect. A virtual machine this responsive, flexible, and fast simplifies the analysis process significantly.
Try this new enhancement now at ANY.RUN sandbox and don’t forget to check out our previous November update!