ANY.RUN Malware Analysis Coursework
Disclaimer
This document is a university coursework assignment, translated from the original German version using ChatGPT.
It is not peer-reviewed and not formally published.
Provided for educational and demonstrational purposes only.
Author: skull
Keywords: Malware, ANY.RUN, Forensics, WannaCry, Postmortem Analysis, Debug Board, Process Graph
ABSTRACT
This paper explores the tool ANY.RUN, evaluates its features, and examines how it can support postmortem forensic analysis.
The goal is to demonstrate its use through a practical example using the well-known WannaCry ransomware.
1. INTRODUCTION
Malware is widespread, but analyzing it safely is not trivial.
Even in controlled virtual environments, the risk of infection persists, and critical behaviors may only appear for a few frames, making them easy to miss.
Here, tools such as ANY.RUN [1] are invaluable. ANY.RUN allows analysts to examine malware safely via a browser interface. This paper highlights its main features and illustrates their use with an analysis of WannaCry.
2. BACKGROUND
This section reviews the configuration of the platform and how malware can be analyzed postmortem.
2.1 Finding Hashes
To analyze malware, we often begin with its hash. Services like abuse.ch Malware Bazaar or VirusTotal allow uploading files and identifying known samples.
For this coursework, the WannaCry ransomware [2] was selected. Using its hash, we located an infected machine on ANY.RUN and retrieved its analysis dashboard.
3. CORE CONCEPTS
3.1 Dashboard Overview
The dashboard is divided into several views (see Figure 1):
- Monitor View — Replay screen activity frame-by-frame.
- DFN Board (Debug, Files, Network).
- Details View — Process tree and details.
- Metadata Panel — Indicators, tags, reports.
3.2 Monitor View
The Monitor View allows frame-by-frame playback of the infected machine’s screen.
This ensures no short-lived activity (like a command prompt flash) is missed.
For example, by reviewing command windows, one can identify which CVE was exploited and whether it is patched.
The view also reveals the sequence of malware actions.
3.3 DFN Board
The Debug/File/Network Board shows low-level system behavior.
- Debug Tab: Logs messages with timestamps, PIDs, and process names. Useful for spotting process injection or suspicious crashes (e.g., Skype.exe repeatedly crashing).
- Files Tab: Tracks file modifications, sizes, and types (green = harmless, orange = binaries, red = executables).
- Network Tab: Displays HTTP requests, connections, DNS queries, and flagged threats, including headers and payloads.
Example: In the WannaCry analysis, the HTTP downloads recorded in this tab were cross-checked against VirusTotal.
3.4 Details View
Displays the full process tree of the malware execution.
Analysts can expand nodes, inspect processes, and follow their spawned children.
Clicking a process provides extended details and behavior summaries.
3.5 Metadata Panel
Provides indicators, tags, and contextual reports.
Generates exports such as:
- Process Graph
- Text Reports
- MITRE ATT&CK matrix
These outputs are suitable for presenting findings to third parties, such as in awareness training or court demonstrations.
4. CASE STUDY: WANNACRY
Using ANY.RUN, the WannaCry ransomware behavior was reconstructed:
- Initial execution disguised as a file (fake JPG/PDF).
- Desktop wallpaper changed → encryption screen appeared.
- Processes showed exploitation of EternalBlue [8][9].
- Command-line traces revealed use of Volume Shadow Copy deletion [11].
False positives (e.g., Skype.exe, javacpl.exe) were identified and dismissed through deeper inspection, showing the importance of careful manual analysis alongside automated tagging.
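As an added illustration (not part of the coursework and not ANY.RUN's own code), the following Python reproduces the two case-study steps on a constructed process-tree export: it flags command lines that delete Volume Shadow Copies and walks each hit back up the parent chain to the disguised sample that started it, while a process such as Skype.exe that merely appears in the tree is not flagged. All PIDs, image names and command lines below are constructed sample data.

```python
import re

# Constructed sample records in the shape of a process-tree export:
# (pid, ppid, image name, command line). Not real ANY.RUN output.
PROCESS_EVENTS = [
    (100, 1,   "explorer.exe",     "explorer.exe"),
    (200, 100, "invoice.jpg.exe",  "invoice.jpg.exe"),   # disguised sample
    (210, 200, "cmd.exe",          "cmd.exe /c vssadmin delete shadows /all /quiet"),
    (220, 210, "vssadmin.exe",     "vssadmin delete shadows /all /quiet"),
    (230, 200, "cmd.exe",          "cmd.exe /c wmic shadowcopy delete"),
    (300, 100, "Skype.exe",        "Skype.exe"),          # benign noise
    (310, 100, "javacpl.exe",      "javacpl.exe"),        # benign noise
]

# Command-line patterns that remove Volume Shadow Copies (MITRE ATT&CK T1490).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

def build_tree(events):
    """Index the export by pid: {pid: (ppid, image name, command line)}."""
    return {pid: (ppid, name, cmd) for pid, ppid, name, cmd in events}

def ancestry(by_pid, pid):
    """Walk parent links from pid to the root; returns image names, root first."""
    chain = []
    while pid in by_pid:
        ppid, name, _ = by_pid[pid]
        chain.append(name)
        pid = ppid
    return list(reversed(chain))

def find_shadow_copy_deletion(events):
    """Flag every process whose command line deletes shadow copies and
    attach its ancestry so the originating sample can be identified."""
    by_pid = build_tree(events)
    hits = []
    for pid, (_, name, cmd) in by_pid.items():
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append({"pid": pid, "name": name, "chain": ancestry(by_pid, pid)})
    return hits

if __name__ == "__main__":
    for hit in find_shadow_copy_deletion(PROCESS_EVENTS):
        print(hit["pid"], hit["name"], " -> ".join(hit["chain"]))
```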
5. RESULTS
Strengths:
- Easy to use, intuitive interface.
- Frame-by-frame playback ensures no activity is missed.
- Automatically generated reports aid communication.
- No installation required; browser-based.
Limitations:
- Occasional false positives.
- Requires basic knowledge of processes and malware behavior.
Overall, ANY.RUN is a valuable tool for both training and practical malware analysis in a safe environment.
6. CONCLUSION
ANY.RUN proves effective for postmortem analysis and malware education.
It combines usability with sufficient depth to support forensic investigations.
Despite occasional misclassifications, its features make it a strong complement to other forensic tools.
References
- BSI: WannaCry Overview
- ANY.RUN Sandbox
- MITRE ATT&CK: Process Injection
- NVD CVE Database
- ASCII vs. Binary
- Proofpoint: Indicators of Compromise
- MITRE ATT&CK Matrix
- ANY.RUN Malware Trends: WannaCry
- ResearchGate: WannaCry Ransomware Analysis
- Cambridge Dictionary: False Positive
- Microsoft: Volume Shadow Copy Service
For feedback or questions, contact: 📧 skull@ttl.zip