diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json
index 57bdd9759..f1a2a3e76 100644
--- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json
+++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json
@@ -1,7 +1,7 @@
 {
 "name": "AnyRun_Sandbox_Analysis",
- "version": "1.0",
- "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT",
+ "version": "1.1",
+ "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
 "description": "Any.Run Sandbox file analysis",
@@ -31,6 +31,102 @@
 "multi": false,
 "required": true,
 "defaultValue": true
+ },
+ {
+ "name": "env_bitness",
+ "description": "default OS bitness; 32 or 64",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 32
+ },
+ {
+ "name": "env_version",
+ "description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "7"
+ },
+ {
+ "name": "env_type",
+ "description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "complete"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Do you want to disable networking? set false to disable",
+ "type": "boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status; set true to enable.",
+ "type": "boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using.",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option.",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"",
+ "type": "String",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_kernel_heavyevasion",
+ "description": "Heavy evasion option. Default value: false",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option. 
Size range: 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": "60"
+ },
+ {
+ "name": "obj_ext_startfolder",
+ "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"",
+ "type": "String",
+ "multi": false,
+ "required": false,
+ "defaultValue": "temp"
+ },
+ {
+ "name": "obj_ext_browser",
+ "description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"",
+ "type": "String",
+ "multi": false,
+ "required": false,
+ "defaultValue": "Internet Explorer"
 }
 ],
 "registration_required": true,
diff --git a/analyzers/AnyRun/README.md b/analyzers/AnyRun/README.md
index 999e0e5de..2829e2d40 100644
--- a/analyzers/AnyRun/README.md
+++ b/analyzers/AnyRun/README.md
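Review bot: The new configuration items are inconsistent in `type` casing and, in one case, in the default's type: `opt_network_tor`, `opt_network_mitm` and `opt_kernel_heavyevasion` declare `"Boolean"`, `opt_network_geo`, `obj_ext_startfolder` and `obj_ext_browser` declare `"String"`, and `opt_timeout` declares `"Number"`, while every pre-existing item and the first three new ones use lowercase `boolean`/`string`/`number`; unless Cortex matches these case-insensitively, the capitalized items may fail validation, so lowercasing them is the safe change. `opt_timeout` also pairs `"type": "Number"` with the string `"defaultValue": "60"`; `"defaultValue": 60` matches the declared type and the "10-660" range in its description. Separately, the `opt_network_connect` description reads as if the setting disables networking, while its default `true` gives the sample network access during detonation, which an operator expecting an offline run needs to know; a clearer wording is `"Allow the sample network access during analysis; set false to detonate without networking"`.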
@@ -12,4 +12,19 @@ You need a valid AnyRun API integration subscription to use the analyzer. Free p - Provide your API token as a value for the `token` parameter. - Define the privacy setting in `privacy_type` parameter. -- Set `verify_ssl` parameter as false if you connection requires it \ No newline at end of file +- Set `verify_ssl` parameter as false if you connection requires it + +#### Optional Parameters +AnyRun provides a number of parameters that can be modified to do additional/different analysis. +- Set the "bitness" of your runtime environment with the `env_bitness` parameter. +- Select which version of Windows to use by setting `env_version` parameter. +- Select which products to install by default with `env_type` parameter. +- Enable/disable networking with `opt_network_connect` parameter. +- Enable/disable "FakeNet" with `opt_network_fakenet` parameter. +- Enable/disable the TOR network with `opt_network_tor` parameter. +- Enable/disable MITM for https connections with `opt_network_mitm` parameter. +- Need a specific geolocation? use `opt_network_geo` parameter. +- Need to analyze something with evasion tactics? `opt_kernel_heavyevasion` +- Change the timeout settings with `opt_timeout` parameter. +- Select which folder the analysis starts in with `obj_ext_startfolder` parameter. +- Select which browser to use for analysis with `obj_ext_browser` parameter. diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py index 67a5e521f..94e8fdf0a 100755 --- a/analyzers/AnyRun/anyrun_analyzer.py +++ b/analyzers/AnyRun/anyrun_analyzer.py 
@@ -16,6 +16,18 @@ def __init__(self):
 self.verify_ssl = self.get_param("config.verify_ssl", True, None)
 if not self.verify_ssl:
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+ self.env_bitness = self.get_param("config.env_bitness", None, None)
+ self.env_version = self.get_param("config.env_version", None, None)
+ self.env_type = self.get_param("config.env_type", None, None)
+ self.opt_network_connect = self.get_param("config.opt_network_connect", None, None)
+ self.opt_network_fakenet = self.get_param("config.opt_network_fakenet", None, None)
+ self.opt_network_tor = self.get_param("config.opt_network_tor", None, None)
+ self.opt_network_mitm = self.get_param("config.opt_network_mitm", None, None)
+ self.opt_network_geo = self.get_param("config.opt_network_geo", None, None)
+ self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None)
+ self.opt_timeout = self.get_param("config.opt_timeout", None, None)
+ self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None)
+ self.obj_ext_browser = self.get_param("config.obj_ext_browser", None, None)
 def summary(self, raw):
 taxonomies = []
@@ -50,7 +62,18 @@ def run(self):
 while status_code in (None, 429) and tries <= 15:
 with open(filepath, "rb") as sample:
 files = {"file": (filename, sample)}
- data = {"opt_privacy_type": self.privacy_type}
+ data = {"opt_privacy_type": self.privacy_type,
+ "env_bitness": self.env_bitness,
+ "env_version": self.env_version,
+ "env_type": self.env_type,
+ "opt_network_connect": self.opt_network_connect,
+ "opt_network_fakenet": self.opt_network_fakenet,
+ "opt_network_tor": self.opt_network_tor,
+ "opt_network_mitm": self.opt_network_mitm,
+ "opt_network_geo": self.opt_network_geo,
+ "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
+ "opt_timeout": self.opt_timeout,
+ "obj_ext_startfolder": self.obj_ext_startfolder }
 response = requests.post(
 "{0}/analysis".format(self.url),
 files=files,
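Review bot: The twelve new attributes are read with a `None` default and nothing records what an unset value means once they are forwarded to the sandbox request (built in `run()`, outside this hunk); a short comment above the block would save the next reader a trip through the request layer, e.g. `# Optional sandbox settings; None means "not configured in Cortex" and is left for the request encoder to handle.` Note also that the analyzer definition gives `opt_timeout` a string default, so `self.opt_timeout` may hold `"60"` rather than an int; that is harmless for form encoding but would need an `int()` conversion if the value were ever compared numerically. `__init__` begins before the first line of this hunk.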
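Review bot: The option dictionary built here is repeated almost verbatim in the URL branch (the `@@ -71,7 +94,20 @@` hunk), differing only in the trailing `obj_ext_startfolder` versus `obj_ext_browser` entry; factoring the shared part into a helper keeps the two submissions from drifting apart the next time an option is added. Since this branch posts `data=` together with `files=`, requests encodes the multipart form with `str()`, so the boolean options arrive as `True`/`False` rather than `true`/`false`; worth confirming the API accepts that spelling, otherwise normalise bools with `str(v).lower()` before sending. Entries whose value is `None` are dropped by the multipart encoder, so unset options fall back to the service default in this branch. `run()` begins before and continues after the hunk.
```python
    def _analysis_options(self):
        """Sandbox settings shared by the file and URL submissions.

        Options left unset in the analyzer config are None; when posted as
        form data the request layer drops None-valued fields, so the
        service default applies for them.
        """
        return {
            "opt_privacy_type": self.privacy_type,
            "env_bitness": self.env_bitness,
            "env_version": self.env_version,
            "env_type": self.env_type,
            "opt_network_connect": self.opt_network_connect,
            "opt_network_fakenet": self.opt_network_fakenet,
            "opt_network_tor": self.opt_network_tor,
            "opt_network_mitm": self.opt_network_mitm,
            "opt_network_geo": self.opt_network_geo,
            "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
            "opt_timeout": self.opt_timeout,
        }

    # … in run(), file branch: unchanged open()/files lines …
                data = dict(self._analysis_options(),
                            obj_ext_startfolder=self.obj_ext_startfolder)
```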
@@ -71,7 +94,20 @@ def run(self):
 self.error(response.json()["message"])
 elif self.data_type == "url":
 url = self.get_param("data", None, "Url is missing")
- data = {"obj_type": "url", "obj_url": url, "opt_privacy_type": self.privacy_type}
+ data = {"obj_type": "url",
+ "obj_url": url,
+ "opt_privacy_type": self.privacy_type,
+ "env_bitness": self.env_bitness,
+ "env_version": self.env_version,
+ "env_type": self.env_type,
+ "opt_network_connect": self.opt_network_connect,
+ "opt_network_fakenet": self.opt_network_fakenet,
+ "opt_network_tor": self.opt_network_tor,
+ "opt_network_mitm": self.opt_network_mitm,
+ "opt_network_geo": self.opt_network_geo,
+ "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
+ "opt_timeout": self.opt_timeout,
+ "obj_ext_browser": self.obj_ext_browser }
 while status_code in (None, 429) and tries <= 15:
 response = requests.post(
 "{0}/analysis".format(self.url),
@@ -130,4 +166,4 @@ def run(self):
 if __name__ == "__main__":
- AnyRunAnalyzer().run()
\ No newline at end of file
+ AnyRunAnalyzer().run()
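Review bot: Unset options reach this dictionary as `None`, and whether that means "use the service default" depends on how the `requests.post` below sends `data` — its keyword arguments fall outside the hunk. Posted as form data, requests silently drops `None`-valued fields, but if this branch uses `json=` they would be serialised as JSON `null`, which the API may reject or interpret as an explicit value. Worth verifying, or making the intent explicit right after the dictionary with `data = {k: v for k, v in data.items() if v is not None}`. `run()` begins before and continues after the hunk.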