Merge pull request #1142 from nolsen311/master
AnyRun Sandbox Analyzer v1.1
nusantara-self authored Oct 18, 2024
2 parents 6e4a4b3 + bbea1ca commit 9fa2d54
Showing 3 changed files with 153 additions and 6 deletions.
100 changes: 98 additions & 2 deletions analyzers/AnyRun/AnyRun_Sandbox_Analysis.json
@@ -1,7 +1,7 @@
{
"name": "AnyRun_Sandbox_Analysis",
"version": "1.0",
"author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT",
"version": "1.1",
"author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Any.Run Sandbox file analysis",
Expand Down Expand Up @@ -31,6 +31,102 @@
"multi": false,
"required": true,
"defaultValue": true
},
{
"name": "env_bitness",
"description": "default OS bitness; 32 or 64",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 32
},
{
"name": "env_version",
"description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "7"
},
{
"name": "env_type",
"description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "complete"
},
{
"name": "opt_network_connect",
"description": "Do you want to disable networking? set false to disable",
"type": "boolean",
"multi": false,
"required": false,
"defaultValue": true
},
{
"name": "opt_network_fakenet",
"description": "FakeNet feature status; set true to enable.",
"type": "boolean",
"multi": false,
"required": false,
"defaultValue": false
},
{
"name": "opt_network_tor",
"description": "TOR using.",
"type": "Boolean",
"multi": false,
"required": false,
"defaultValue": false
},
{
"name": "opt_network_mitm",
"description": "HTTPS MITM proxy option.",
"type": "Boolean",
"multi": false,
"required": false,
"defaultValue": false
},
{
"name": "opt_network_geo",
"description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"",
"type": "String",
"multi": false,
"required": false,
"defaultValue": "fastest"
},
{
"name": "opt_kernel_heavyevasion",
"description": "Heavy evasion option. Default value: false",
"type": "Boolean",
"multi": false,
"required": false,
"defaultValue": false
},
{
"name": "opt_timeout",
"description": "Timeout option. Size range: 10-660",
"type": "Number",
"multi": false,
"required": false,
"defaultValue": "60"
},
{
"name": "obj_ext_startfolder",
"description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"",
"type": "String",
"multi": false,
"required": false,
"defaultValue": "temp"
},
{
"name": "obj_ext_browser",
"description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"",
"type": "String",
"multi": false,
"required": false,
"defaultValue": "Internet Explorer"
}
],
"registration_required": true,
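Review bot: The `type` values `"Boolean"`, `"String"` and `"Number"` on the items from opt_network_tor through obj_ext_browser are cased differently from the lowercase `"boolean"`, `"string"` and `"number"` used by the first four new items and by the pre-existing configuration; Cortex configuration item types are conventionally lowercase, so the capitalized entries risk being rejected or mis-typed when the analyzer definition is loaded — `"type": "boolean"`, `"type": "string"`, `"type": "number"`. Separately, opt_timeout declares a numeric type but defaults to the string `"60"`, while env_bitness defaults to the integer `32`; `"defaultValue": 60` makes the two consistent and avoids sending a quoted value where the range check (10-660) presumably expects a number. The opt_network_connect description contradicts its own default ("Do you want to disable networking? set false to disable" on a true-by-default switch); suggested wording: `"description": "Allow the sandbox VM outbound network access during detonation; set false to analyze offline"`, which also makes the default-on exposure explicit to the operator.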
17 changes: 16 additions & 1 deletion analyzers/AnyRun/README.md
Expand Up @@ -12,4 +12,19 @@ You need a valid AnyRun API integration subscription to use the analyzer. Free p

- Provide your API token as a value for the `token` parameter.
- Define the privacy setting in `privacy_type` parameter.
- Set `verify_ssl` parameter as false if you connection requires it
- Set `verify_ssl` parameter as false if you connection requires it

#### Optional Parameters
AnyRun provides a number of parameters that can be modified to do additional/different analysis.
- Set the "bitness" of your runtime environment with the `env_bitness` parameter.
- Select which version of Windows to use by setting `env_version` parameter.
- Select which products to install by default with `env_type` parameter.
- Enable/disable networking with `opt_network_connect` parameter.
- Enable/disable "FakeNet" with `opt_network_fakenet` parameter.
- Enable/disable the TOR network with `opt_network_tor` parameter.
- Enable/disable MITM for https connections with `opt_network_mitm` parameter.
- Need a specific geolocation? use `opt_network_geo` parameter.
- Need to analyze something with evasion tactics? `opt_kernel_heavyevasion`
- Change the timeout settings with `opt_timeout` parameter.
- Select which folder the analysis starts in with `obj_ext_startfolder` parameter.
- Select which browser to use for analysis with `obj_ext_browser` parameter.
42 changes: 39 additions & 3 deletions analyzers/AnyRun/anyrun_analyzer.py
Expand Up @@ -16,6 +16,18 @@ def __init__(self):
self.verify_ssl = self.get_param("config.verify_ssl", True, None)
if not self.verify_ssl:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
self.env_bitness = self.get_param("config.env_bitness", None, None)
self.env_version = self.get_param("config.env_version", None, None)
self.env_type = self.get_param("config.env_type", None, None)
self.opt_network_connect = self.get_param("config.opt_network_connect", None, None)
self.opt_network_fakenet = self.get_param("config.opt_network_fakenet", None, None)
self.opt_network_tor = self.get_param("config.opt_network_tor", None, None)
self.opt_network_mitm = self.get_param("config.opt_network_mitm", None, None)
self.opt_network_geo = self.get_param("config.opt_network_geo", None, None)
self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None)
self.opt_timeout = self.get_param("config.opt_timeout", None, None)
self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None)
self.obj_ext_browser = self.get_param("config.obj_ext_browser", None, None)

def summary(self, raw):
taxonomies = []
Expand Down Expand Up @@ -50,7 +62,18 @@ def run(self):
while status_code in (None, 429) and tries <= 15:
with open(filepath, "rb") as sample:
files = {"file": (filename, sample)}
data = {"opt_privacy_type": self.privacy_type}
data = {"opt_privacy_type": self.privacy_type,
"env_bitness": self.env_bitness,
"env_version": self.env_version,
"env_type": self.env_type,
"opt_network_connect": self.opt_network_connect,
"opt_network_fakenet": self.opt_network_fakenet,
"opt_network_tor": self.opt_network_tor,
"opt_network_mitm": self.opt_network_mitm,
"opt_network_geo": self.opt_network_geo,
"opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
"opt_timeout": self.opt_timeout,
"obj_ext_startfolder": self.obj_ext_startfolder }
response = requests.post(
"{0}/analysis".format(self.url),
files=files,
Expand All @@ -71,7 +94,20 @@ def run(self):
self.error(response.json()["message"])
elif self.data_type == "url":
url = self.get_param("data", None, "Url is missing")
data = {"obj_type": "url", "obj_url": url, "opt_privacy_type": self.privacy_type}
data = {"obj_type": "url",
"obj_url": url,
"opt_privacy_type": self.privacy_type,
"env_bitness": self.env_bitness,
"env_version": self.env_version,
"env_type": self.env_type,
"opt_network_connect": self.opt_network_connect,
"opt_network_fakenet": self.opt_network_fakenet,
"opt_network_tor": self.opt_network_tor,
"opt_network_mitm": self.opt_network_mitm,
"opt_network_geo": self.opt_network_geo,
"opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
"opt_timeout": self.opt_timeout,
"obj_ext_browser": self.obj_ext_browser }
while status_code in (None, 429) and tries <= 15:
response = requests.post(
"{0}/analysis".format(self.url),
Expand Down Expand Up @@ -130,4 +166,4 @@ def run(self):


if __name__ == "__main__":
AnyRunAnalyzer().run()
AnyRunAnalyzer().run()
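Review bot: The eleven shared sandbox option keys are spelled out twice, once in the file branch's `data` dict and again in the url branch's, so every future option has to be added in both places and the two lists can silently drift (they already differ only by `obj_type`/`obj_url`/`obj_ext_browser` versus `obj_ext_startfolder`). Building the common part once in a small helper and merging the branch-specific keys at each call site removes the duplication; the rewrite is below. Two things worth confirming while here: `requests` form-encodes Python booleans as the strings `True`/`False`, so check that the Any.Run API accepts that spelling for the opt_network_* and opt_kernel_heavyevasion flags (otherwise lower-case them before sending), and `opt_timeout` is forwarded in whatever type the config holds, while the JSON default is the string "60". Both `run` hunks sit inside a method whose start and end lie outside the diff.
```python
def _analysis_options(self):
    """Return the sandbox options common to the file and url submissions."""
    return {
        "opt_privacy_type": self.privacy_type,
        "env_bitness": self.env_bitness,
        "env_version": self.env_version,
        "env_type": self.env_type,
        "opt_network_connect": self.opt_network_connect,
        "opt_network_fakenet": self.opt_network_fakenet,
        "opt_network_tor": self.opt_network_tor,
        "opt_network_mitm": self.opt_network_mitm,
        "opt_network_geo": self.opt_network_geo,
        "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
        "opt_timeout": self.opt_timeout,
    }

# … unchanged: file branch, inside the retry loop …
data = dict(self._analysis_options(), obj_ext_startfolder=self.obj_ext_startfolder)

# … unchanged: url branch …
data = dict(self._analysis_options(), obj_type="url", obj_url=url, obj_ext_browser=self.obj_ext_browser)
```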
