AnyRun Sandbox Analyzer v1.1

analyzers/AnyRun/AnyRun_Sandbox_Analysis.json

@@ -1,7 +1,7 @@
 {
   "name": "AnyRun_Sandbox_Analysis",
-  "version": "1.0",
-  "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT",
+  "version": "1.1",
+  "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Any.Run Sandbox file analysis",
@@ -31,6 +31,102 @@
       "multi": false,
       "required": true,
       "defaultValue": true
+    },
+    {
+      "name": "env_bitness",
+      "description": "default OS bitness; 32 or 64",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 32
+    },
+    {
+      "name": "env_version",
+      "description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"",
+      "type": "string",
+      "multi": false,
+      "required": false,
+      "defaultValue": "7"
+    },
+    {
+      "name": "env_type",
+      "description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"",
+      "type": "string",
+      "multi": false,
+      "required": false,
+      "defaultValue": "complete"
+    },
+    {
+      "name": "opt_network_connect",
+      "description": "Do you want to disable networking? set false to disable",
+      "type": "boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": true
+    },
+    {
+      "name": "opt_network_fakenet",
+      "description": "FakeNet feature status; set true to enable.",
+      "type": "boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_network_tor",
+      "description": "TOR using.",
+      "type": "Boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_network_mitm",
+      "description": "HTTPS MITM proxy option.",
+      "type": "Boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_network_geo",
+      "description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"",
+      "type": "String",
+      "multi": false,
+      "required": false,
+      "defaultValue": "fastest"
+    },
+    {
+      "name": "opt_kernel_heavyevasion",
+      "description": "Heavy evasion option.   Default value: false",
+      "type": "Boolean",
+      "multi": false,
+      "required": false,
+      "defaultValue": false
+    },
+    {
+      "name": "opt_timeout",
+      "description": "Timeout option. Size range: 10-660",
+      "type": "Number",
+      "multi": false,
+      "required": false,
+      "defaultValue": "60"
+    },
+    {
+      "name": "obj_ext_startfolder",
+      "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"",
+      "type": "String",
+      "multi": false,
+      "required": false,
+      "defaultValue": "temp"
+    },
+    {
+      "name": "obj_ext_browser",
+      "description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"",
+      "type": "String",
+      "multi": false,
+      "required": false,
+      "defaultValue": "Internet Explorer"
     }
   ],
   "registration_required": true,

analyzers/AnyRun/README.md

@@ -12,4 +12,19 @@ You need a valid AnyRun API integration subscription to use the analyzer. Free p
 
 - Provide your API token as a value for the `token` parameter.
 - Define the privacy setting in `privacy_type` parameter.
-- Set `verify_ssl` parameter as false if you connection requires it
+- Set `verify_ssl` parameter as false if you connection requires it
+
+#### Optional Parameters
+AnyRun provides a number of parameters that can be modified to do additional/different analysis.
+- Set the "bitness" of your runtime environment with the `env_bitness` parameter.
+- Select which version of Windows to use by setting `env_version` parameter.
+- Select which products to install by default with `env_type` parameter.
+- Enable/disable networking with `opt_network_connect` parameter.
+- Enable/disable "FakeNet" with `opt_network_fakenet` parameter.
+- Enable/disable the TOR network with `opt_network_tor` parameter.
+- Enable/disable MITM for https connections with `opt_network_mitm` parameter.
+- Need a specific geolocation? use `opt_network_geo` parameter.
+- Need to analyze something with evasion tactics? `opt_kernel_heavyevasion`
+- Change the timeout settings with `opt_timeout` parameter.
+- Select which folder the analysis starts in with `obj_ext_startfolder` parameter.
+- Select which browser to use for analysis with `obj_ext_browser` parameter.

analyzers/AnyRun/anyrun_analyzer.py

@@ -16,6 +16,18 @@ def __init__(self):
         self.verify_ssl = self.get_param("config.verify_ssl", True, None)
         if not self.verify_ssl:
             requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+        self.env_bitness = self.get_param("config.env_bitness", None, None)
+        self.env_version = self.get_param("config.env_version", None, None)
+        self.env_type = self.get_param("config.env_type", None, None)
+        self.opt_network_connect = self.get_param("config.opt_network_connect", None, None)
+        self.opt_network_fakenet = self.get_param("config.opt_network_fakenet", None, None)
+        self.opt_network_tor = self.get_param("config.opt_network_tor", None, None)
+        self.opt_network_mitm = self.get_param("config.opt_network_mitm", None, None)
+        self.opt_network_geo = self.get_param("config.opt_network_geo", None, None)
+        self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None)
+        self.opt_timeout = self.get_param("config.opt_timeout", None, None)
+        self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None)
+        self.obj_ext_browser = self.get_param("config.obj_ext_browser", None, None)
 
     def summary(self, raw):
         taxonomies = []
@@ -50,7 +62,18 @@ def run(self):
                 while status_code in (None, 429) and tries <= 15:
                     with open(filepath, "rb") as sample:
                         files = {"file": (filename, sample)}
-                        data = {"opt_privacy_type": self.privacy_type}
+                        data = {"opt_privacy_type": self.privacy_type,
+                                "env_bitness": self.env_bitness,
+                                "env_version": self.env_version,
+                                "env_type": self.env_type,
+                                "opt_network_connect": self.opt_network_connect,
+                                "opt_network_fakenet": self.opt_network_fakenet,
+                                "opt_network_tor": self.opt_network_tor,
+                                "opt_network_mitm": self.opt_network_mitm,
+                                "opt_network_geo": self.opt_network_geo,
+                                "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
+                                "opt_timeout": self.opt_timeout,
+                                "obj_ext_startfolder": self.obj_ext_startfolder }
                         response = requests.post(
                             "{0}/analysis".format(self.url),
                             files=files,
@@ -71,7 +94,20 @@ def run(self):
                         self.error(response.json()["message"])
             elif self.data_type == "url":
                 url = self.get_param("data", None, "Url is missing")
-                data = {"obj_type": "url", "obj_url": url, "opt_privacy_type": self.privacy_type}
+                data = {"obj_type": "url", 
+                        "obj_url": url, 
+                        "opt_privacy_type": self.privacy_type,
+                        "env_bitness": self.env_bitness,
+                        "env_version": self.env_version,
+                        "env_type": self.env_type,
+                        "opt_network_connect": self.opt_network_connect,
+                        "opt_network_fakenet": self.opt_network_fakenet,
+                        "opt_network_tor": self.opt_network_tor,
+                        "opt_network_mitm": self.opt_network_mitm,
+                        "opt_network_geo": self.opt_network_geo,
+                        "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion,
+                        "opt_timeout": self.opt_timeout,
+                        "obj_ext_browser": self.obj_ext_browser }
                 while status_code in (None, 429) and tries <= 15:
                     response = requests.post(
                         "{0}/analysis".format(self.url),
@@ -130,4 +166,4 @@ def run(self):
 
 
 if __name__ == "__main__":
-    AnyRunAnalyzer().run()
+    AnyRunAnalyzer().run()