From 430e216ab33f411d33d9ea1c79f4b84cd711868d Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 11:27:23 -0800 Subject: [PATCH 1/9] Additional configuration options for any.run additional config options for any.run to support bitness, os "flavor", etc --- analyzers/AnyRun/AnyRun_Sandbox_Analysis.json | 92 ++++++++++++++++++- 1 file changed, 90 insertions(+), 2 deletions(-) diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json index 57bdd9759..dd361d9fb 100644 --- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json +++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json @@ -1,7 +1,7 @@ { "name": "AnyRun_Sandbox_Analysis", - "version": "1.0", - "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT", + "version": "1.1", + "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU", "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Any.Run Sandbox file analysis", 
@@ -31,6 +31,94 @@ "multi": false, "required": true, "defaultValue": true + }, + { + "name": "env_bitness", + "description": "default OS bitness; 32 or 64", + "type": "number", + "multi": false, + "required": false, + "defaultValue": false + }, + { + "name": "env_version", + "description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"", + "type": "string", + "multi": false, + "required": false, + "defaultValue": "7" + }, + { + "name": "env_type", + "description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"", + "type": "string", + "multi": false, + "required": false, + "defaultValue": "complete" + }, + { + "name": "opt_network_connect", + "description": "Do you want to disable networking? set false to disable", + "type": "boolean", + "multi": false, + "required": false, + "defaultValue": true + }, + { + "name": "opt_network_fakenet", + "description": "FakeNet feature status; set true to enable.", + "type": "boolean", + "multi": false, + "required": false, + "defaultValue": false + }, + { + "name": "opt_network_tor", + "description": "TOR using.", + "type": "Boolean", + "multi": false, + "required": false, + "defaultValue": "false" + }, + { + "name": "opt_network_mitm", + "description": "HTTPS MITM proxy option.", + "type": "Boolean", + "multi": false, + "required": false, + "defaultValue": "false" + }, + { + "name": "opt_network_geo", + "description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"", + "type": "String", + "multi": false, + "required": false, + "defaultValue": "fastest" + }, + { + "name": "opt_kernel_heavyevasion", + "description": "Heavy evasion option. Default value: false", + "type": "Boolean", + "multi": false, + "required": false, + "defaultValue": "false" + }, + { + "name": "opt_timeout", + "description": "Timeout option. 
Size range: 10-660", + "type": "Number", + "multi": false, + "required": false, + "defaultValue": "60" + }, + { + "name": "obj_ext_startfolder", + "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\", + "type": "String", + "multi": false, + "required": false, + "defaultValue": "temp" } ], "registration_required": true, From 0a81bfd525ddb91aa4c183ca84ac6e12f8d76eaf Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 11:43:38 -0800 Subject: [PATCH 2/9] missed a closing quote --- analyzers/AnyRun/AnyRun_Sandbox_Analysis.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json index dd361d9fb..990f9eacc 100644 --- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json +++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json @@ -114,7 +114,7 @@ }, { "name": "obj_ext_startfolder", - "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\", + "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"", "type": "String", "multi": false, "required": false, From fe3224304e25d95d9ce9d6467551f77bba39bbf2 Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 11:59:28 -0800 Subject: [PATCH 3/9] additional parameters for any.run --- analyzers/AnyRun/anyrun_analyzer.py | 40 ++++++++++++++++++++++++++--- 1 file changed, 37 insertions(+), 3 deletions(-) diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py index 67a5e521f..0e7280ea7 100755 --- a/analyzers/AnyRun/anyrun_analyzer.py +++ b/analyzers/AnyRun/anyrun_analyzer.py 
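Review bot: `opt_timeout` is declared `"type": "Number"` but its `defaultValue` is the string `"60"`, so the default is not of the type the field is meant to carry; the same run of entries also mixes `"boolean"`/`"string"`/`"number"` with `"Boolean"`/`"String"`/`"Number"`, and if Cortex's definition schema is case-sensitive the capitalised ones may fail validation or be treated as free text. I would normalise to `"type": "number"` and `"defaultValue": 60`, and lowercase the other type names to match the first entries in this hunk. The `opt_network_connect` description (`Do you want to disable networking? set false to disable`) asks about disabling while the default enables; `"Give the sandbox live internet access (default true); set false to detonate offline"` states what the value does and makes the trade-off visible to the administrator.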
@@ -16,6 +16,17 @@ def __init__(self): self.verify_ssl = self.get_param("config.verify_ssl", True, None) if not self.verify_ssl: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.env_bitness = self.get_param("config.env_bitness", None, None) + self.env_version = self.get_param("config.env_version", None, None) + self.env_type = self.get_param("config.env_type", None, None) + self.opt_network_connect = self.get_param("config.opt_network_connect", None, None) + self.opt_network_fakenet = self.get_param("config.opt_network_fakenet", None, None) + self.opt_network_tor = self.get_param("config.opt_network_tor", None, None) + self.opt_network_mitm = self.get_param("config.opt_network_mitm", None, None) + self.opt_network_geo = self.get_param("config.opt_network_geo", None, None) + self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None) + self.opt_timeout = self.get_param("config.opt_timeout", None, None) + self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None) def summary(self, raw): taxonomies = [] @@ -50,7 +61,18 @@ def run(self): while status_code in (None, 429) and tries <= 15: with open(filepath, "rb") as sample: files = {"file": (filename, sample)} - data = {"opt_privacy_type": self.privacy_type} + data = {"opt_privacy_type": self.privacy_type, + "env_bitness": self.env_bitness, + "env_version": self.env_version, + "env_type": self.env_type, + "opt_network_connect": self.opt_network_connect, + "opt_network_fakenet": self.opt_network_fakenet, + "opt_network_tor": self.opt_network_tor, + "opt_network_mitm": self.opt_network_mitm, + "opt_network_geo": self.opt_network_geo, + "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion, + "opt_timeout": self.opt_timeout, + "obj_ext_startfolder": self.obj_ext_startfolder } response = requests.post( "{0}/analysis".format(self.url), files=files, 
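Review bot: None of the values read in this hunk are checked before they are sent to the API, even though the analyzer definition spells out allowed-value lists and a 10-660 range for `opt_timeout`; a typo in the Cortex config will only surface as an API error after the sample has been uploaded and the retry loop has run. Since `self.error(...)` is already the failure path elsewhere in this file, a guard right after the reads is cheap: `if self.opt_timeout is not None and not 10 <= int(self.opt_timeout) <= 660:` / `    self.error("opt_timeout must be between 10 and 660")`. A membership check against the documented lists for `env_version`, `env_type`, `opt_network_geo` and `obj_ext_startfolder` would catch the rest before any data leaves the host. `__init__` begins before this hunk.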
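Review bot: The eleven option keys added to `data` here are repeated verbatim in the URL branch further down `run()`, so the two payloads will drift the next time an option is added (a later commit in this series already adds `obj_ext_browser` to one branch only), and the dict is rebuilt on every pass of the retry loop. requests drops `None`-valued fields but serialises Python booleans with `str()`, so the API receives `True`/`False` rather than `true`/`false`; I have not confirmed which spelling AnyRun's form endpoint accepts, so that is worth checking against its documentation. I would move the shared keys into a helper that also normalises booleans and leaves unset options out, and have both branches call it. `run()` begins and ends outside this hunk.
```python
    def _analysis_options(self):
        """Return the sandbox options shared by file and URL submissions.

        Options left at None in the Cortex config are omitted so the AnyRun
        default applies; booleans are sent as lowercase strings (confirm this
        matches the API's expected spelling before relying on it).
        """
        options = {
            "opt_privacy_type": self.privacy_type,
            "env_bitness": self.env_bitness,
            "env_version": self.env_version,
            "env_type": self.env_type,
            "opt_network_connect": self.opt_network_connect,
            "opt_network_fakenet": self.opt_network_fakenet,
            "opt_network_tor": self.opt_network_tor,
            "opt_network_mitm": self.opt_network_mitm,
            "opt_network_geo": self.opt_network_geo,
            "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
            "opt_timeout": self.opt_timeout,
        }
        return {
            key: str(value).lower() if isinstance(value, bool) else value
            for key, value in options.items()
            if value is not None
        }

    # … unchanged: summary(), start of run() …
                files = {"file": (filename, sample)}
                data = self._analysis_options()
                if self.obj_ext_startfolder is not None:
                    data["obj_ext_startfolder"] = self.obj_ext_startfolder
```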
@@ -71,7 +93,19 @@ def run(self): self.error(response.json()["message"]) elif self.data_type == "url": url = self.get_param("data", None, "Url is missing") - data = {"obj_type": "url", "obj_url": url, "opt_privacy_type": self.privacy_type} + data = {"obj_type": "url", + "obj_url": url, + "opt_privacy_type": self.privacy_type, + "env_bitness": self.env_bitness, + "env_version": self.env_version, + "env_type": self.env_type, + "opt_network_connect": self.opt_network_connect, + "opt_network_fakenet": self.opt_network_fakenet, + "opt_network_tor": self.opt_network_tor, + "opt_network_mitm": self.opt_network_mitm, + "opt_network_geo": self.opt_network_geo, + "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion, + "opt_timeout": self.opt_timeout } while status_code in (None, 429) and tries <= 15: response = requests.post( "{0}/analysis".format(self.url), @@ -130,4 +164,4 @@ def run(self): if __name__ == "__main__": - AnyRunAnalyzer().run() \ No newline at end of file + AnyRunAnalyzer().run() From 9691e88db0cf6dd820668c8905faec2bdc6e926b Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 12:06:05 -0800 Subject: [PATCH 4/9] additional params in documentation now --- analyzers/AnyRun/README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/analyzers/AnyRun/README.md b/analyzers/AnyRun/README.md index 999e0e5de..8e569f8d5 100644 --- a/analyzers/AnyRun/README.md +++ b/analyzers/AnyRun/README.md 
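Review bot: With the new `opt_network_connect` option defaulting to true in the analyzer definition, every URL observable submitted through this branch is fetched live from the AnyRun sandbox, and the payload carries no comment saying so; per-recipient phishing links (tracking tokens in the query string) can register a visit when detonated, which may tip off the sender, and `opt_network_mitm` additionally routes that traffic through a TLS-intercepting proxy. A one-line comment above `data` would make this visible to whoever tunes the config: `# NOTE: the sandbox fetches the URL live unless opt_network_connect is false; tokenised phishing links may be marked as visited.` Leaving `obj_ext_startfolder` out of the URL payload looks intentional (it is a file start location), but a short comment saying so would stop the next reader from "fixing" the asymmetry. `run()` continues outside this hunk.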
@@ -12,4 +12,18 @@ You need a valid AnyRun API integration subscription to use the analyzer. Free p - Provide your API token as a value for the `token` parameter. - Define the privacy setting in `privacy_type` parameter. -- Set `verify_ssl` parameter as false if you connection requires it \ No newline at end of file +- Set `verify_ssl` parameter as false if you connection requires it + +#### Optional Parameters +AnyRun provides a number of parameters that can be modified to do additional/different analysis. +- Set the "bitness" of your runtime environment with the `env_bitness` parameter. +- Select which version of Windows to use by setting `env_version` parameter. +- Select which products to install by default with `env_type` parameter. +- Enable/disable networking with `opt_network_connect` parameter. +- Enable/disable "FakeNet" with `opt_network_fakenet` parameter. +- Enable/disable the TOR network with `opt_network_tor` parameter. +- Enable/disable MITM for https connections with `opt_network_mitm` parameter. +- Need a specific geolocation? use `opt_network_geo` parameter. +- Need to analyze something with evasion tactics? `opt_kernel_heavyevasion` +- Change the timeout settings with `opt_timeout` parameter. +- Select which folder the analysis starts in with `obj_ext_startfolder` parameter. From 3c69d05eb25ae8d0780b4c2432a38ac2beb80a0b Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 12:09:36 -0800 Subject: [PATCH 5/9] Update AnyRun_Sandbox_Analysis.json --- analyzers/AnyRun/AnyRun_Sandbox_Analysis.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json index 990f9eacc..5837bb8fa 100644 --- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json +++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json 
@@ -38,7 +38,7 @@ "type": "number", "multi": false, "required": false, - "defaultValue": false + "defaultValue": 32 }, { "name": "env_version", @@ -78,7 +78,7 @@ "type": "Boolean", "multi": false, "required": false, - "defaultValue": "false" + "defaultValue": false }, { "name": "opt_network_mitm", @@ -86,7 +86,7 @@ "type": "Boolean", "multi": false, "required": false, - "defaultValue": "false" + "defaultValue": false }, { "name": "opt_network_geo", @@ -102,7 +102,7 @@ "type": "Boolean", "multi": false, "required": false, - "defaultValue": "false" + "defaultValue": false }, { "name": "opt_timeout", From c86e5ba1ca22ed7013fb2e5510a21737c28d0209 Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 12:24:04 -0800 Subject: [PATCH 6/9] Update anyrun_analyzer.py --- analyzers/AnyRun/anyrun_analyzer.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py index 0e7280ea7..94e8fdf0a 100755 --- a/analyzers/AnyRun/anyrun_analyzer.py +++ b/analyzers/AnyRun/anyrun_analyzer.py @@ -27,6 +27,7 @@ def __init__(self): self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None) self.opt_timeout = self.get_param("config.opt_timeout", None, None) self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None) + self.obj_ext_browser = self.get_param("config.obj_ext_browser", None, None) def summary(self, raw): taxonomies = [] @@ -105,7 +106,8 @@ def run(self): "opt_network_mitm": self.opt_network_mitm, "opt_network_geo": self.opt_network_geo, "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion, - "opt_timeout": self.opt_timeout } + "opt_timeout": self.opt_timeout, + "obj_ext_browser": self.obj_ext_browser } while status_code in (None, 429) and tries <= 15: response = requests.post( "{0}/analysis".format(self.url), From 562eea9c5963588e7adfbfe005aa22724995dae1 Mon Sep 17 00:00:00 2001 
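Review bot: This commit unquotes the boolean defaults, but the `opt_timeout` entry whose `"name"` line closes this hunk still declares `"type": "Number"` with `"defaultValue": "60"` (a string, per the definition added earlier in this series), so one typed default remains inconsistent; `"defaultValue": 60` would finish the clean-up. The `"Boolean"` type names visible in the context lines are also still capitalised while the first entries in this file use lowercase `"boolean"`; if Cortex validates type names case-sensitively these should be lowercased too, which is worth confirming against the other analyzer definitions in the repository.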
From: Nathan Olsen Date: Mon, 28 Nov 2022 12:25:39 -0800 Subject: [PATCH 7/9] add browser selection --- analyzers/AnyRun/AnyRun_Sandbox_Analysis.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json index 5837bb8fa..e689a4c1c 100644 --- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json +++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json @@ -119,6 +119,14 @@ "multi": false, "required": false, "defaultValue": "temp" + }, + { + "name": "obj_ext_browser", + "description": "Choose which browser to use. Allowed values: ", + "type": "String", + "multi": false, + "required": false, + "defaultValue": "Internet Explorer" } ], "registration_required": true, From 86549226b25dc4c107e3cec6bd6cc51cededc0ec Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 12:26:26 -0800 Subject: [PATCH 8/9] Update AnyRun_Sandbox_Analysis.json --- analyzers/AnyRun/AnyRun_Sandbox_Analysis.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json index e689a4c1c..f1a2a3e76 100644 --- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json +++ b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json @@ -122,7 +122,7 @@ }, { "name": "obj_ext_browser", - "description": "Choose which browser to use. Allowed values: ", + "description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"", "type": "String", "multi": false, "required": false, From bbea1ca2e551bd91b3df310e0430f6b8cc2ff684 Mon Sep 17 00:00:00 2001 From: Nathan Olsen Date: Mon, 28 Nov 2022 12:28:51 -0800 Subject: [PATCH 9/9] Update README.md --- analyzers/AnyRun/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/analyzers/AnyRun/README.md b/analyzers/AnyRun/README.md index 8e569f8d5..2829e2d40 100644 --- a/analyzers/AnyRun/README.md 
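Review bot: `obj_ext_browser` is sent only with URL submissions in `anyrun_analyzer.py` (the earlier commit in this series adds it to the URL payload alone), but nothing in this new entry tells the Cortex administrator that; the description should say so, e.g. `"Browser used to open URL submissions (ignored for file analysis). Allowed values: ..."`. The default `"Internet Explorer"` and the listed values are product display names with spaces, and I could not confirm from this series that the API keys on these exact strings, so a pointer to the API documentation in the description would help. `"type": "String"` is capitalised while earlier entries in the same file use `"string"`; pick one spelling.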
+++ b/analyzers/AnyRun/README.md @@ -27,3 +27,4 @@ AnyRun provides a number of parameters that can be modified to do additional/dif - Need to analyze something with evasion tactics? `opt_kernel_heavyevasion` - Change the timeout settings with `opt_timeout` parameter. - Select which folder the analysis starts in with `obj_ext_startfolder` parameter. +- Select which browser to use for analysis with `obj_ext_browser` parameter.