Malware Analysis Any.Run Sandbox Detection Evasion

Ink (Thread author)
Source: Malware adds Any.Run sandbox detection to evade analysis

Malware developers are now checking if their malware is running in the Any.Run malware analysis service to prevent their malware from being easily analyzed by researchers.
Any.Run is a malware analysis sandbox service that lets researchers and users safely analyze malware without risk to their computers.

When an executable is submitted to Any.Run, the sandbox service will create a Windows virtual machine with an interactive remote desktop and execute the submitted file within it.

Researchers can utilize the interactive Windows desktop to see what behavior the malware is exhibiting, while Any.Run records its network activity, file activity, and registry changes.

In a new password-stealing trojan spam campaign discovered by security researcher JAMESWT, malicious PowerShell scripts are downloading and installing malware onto a computer.

[Image: 1594630667060.png]

When the above script is executed, it will download two PowerShell scripts to the victim's computer that contain obfuscated and embedded malware.

The above script will decode the embedded malware and execute it on the computer.

When the second script is run, it will attempt to launch what appears to be the Azorult password-stealing Trojan.

[Image: 1594630714971.png]

If it detects that the program is running on Any.Run, it will display the message 'Any.run Detected!' and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it.

Using this method, threat actors make it more difficult for researchers to analyze their attacks using an automated system.

When executed on a normal virtual machine, or a live system, the password-stealing Trojan would be allowed to execute and steal saved login credentials in browsers, FTP programs, and other software.

While this will not prevent a researcher from analyzing a particular malware using other methods, it does cause them to have to put more effort into the analysis.

With online malware analysis sandbox platforms becoming more commonly used by security researchers, we can expect to see more malware continue to target them.
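Because the sample refuses to run inside Any.Run, the post notes that researchers fall back on other methods. One such method is static extraction: pulling the embedded payload out of the second-stage PowerShell script without executing it. The Python below is an added example, not code from the article or from any of the posters. It finds long base64 literals in a PowerShell script, decodes them, checks whether the result is a PE image (an MZ header whose e_lfanew field points at the "PE\0\0" signature), hashes it, and also lists any string literals mentioning Any.Run. The script and the payload stub it runs against are constructed stand-ins; the real sample's detection logic is not shown in the post and is not reproduced here.

```python
import base64
import binascii
import hashlib
import re
import struct

# --- Constructed sample input (hypothetical, not bytes from the real sample) ---

def _build_pe_stub() -> bytes:
    """Minimal PE-like blob: MZ header with e_lfanew pointing at 'PE\\0\\0'."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)   # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + b"hypothetical payload"

# Stand-in for the second-stage script described in the post: it decodes an
# embedded blob, bails out with a message if it thinks it is in Any.Run, and
# otherwise loads the blob. The actual sandbox check is elided ($inSandbox).
SAMPLE_SCRIPT = (
    "$b = [System.Convert]::FromBase64String('%s')\n"
    "$inSandbox = $false\n"
    "if ($inSandbox) { Write-Host 'Any.run Detected!'; exit }\n"
    "[System.Reflection.Assembly]::Load($b) | Out-Null\n"
) % base64.b64encode(_build_pe_stub()).decode()

# --- Extraction logic ---------------------------------------------------------

# Runs of 40+ base64 characters with optional padding; short identifiers such
# as cmdlet names never reach this length.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Any string literal (single or double quoted) that mentions Any.Run.
SANDBOX_RE = re.compile(r"[^'\"\n]*any\.?run[^'\"\n]*", re.IGNORECASE)


def extract_blobs(script: str) -> list:
    """Decode every long base64 literal in the script; skip ones that fail strict decoding."""
    blobs = []
    for m in B64_RE.finditer(script):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
    return blobs


def is_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(blob: bytes) -> str:
    """Label a decoded blob as a PE image, nested PowerShell text, or unknown."""
    if is_pe(blob):
        return "pe"
    for enc in ("utf-16-le", "utf-8"):          # -EncodedCommand uses UTF-16LE
        try:
            text = blob.decode(enc)
        except UnicodeDecodeError:
            continue
        if re.search(r"\$\w+\s*=|Invoke-|IEX|New-Object", text):
            return "powershell"
    return "unknown"


def sandbox_strings(script: str) -> list:
    """String literals in the script that name Any.Run (the self-reporting message)."""
    return [m.group(0).strip() for m in SANDBOX_RE.finditer(script)]


def analyze(script: str) -> dict:
    """Static report: each embedded blob's type, size and SHA-256, plus sandbox strings."""
    report = {"blobs": [], "sandbox_strings": sandbox_strings(script)}
    for blob in extract_blobs(script):
        report["blobs"].append({
            "type": classify(blob),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return report


if __name__ == "__main__":
    for line in analyze(SAMPLE_SCRIPT)["blobs"]:
        print(line)
    print(analyze(SAMPLE_SCRIPT)["sandbox_strings"])
```

Run it against a real second-stage script by replacing SAMPLE_SCRIPT with the file's contents; any blob reported as "pe" can be written to disk and handed to a disassembler or a non-Any.Run sandbox, which is the "other methods" route the post alludes to.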
 

Andy Ful
Source: Malware adds Any.Run sandbox detection to evade analysis

Malware developers are now checking if their malware is running in the Any.Run malware analysis service to prevent their malware from being easily analyzed by researchers.
It seems that the malware "detects itself" by avoiding Any.Run and gently shows the alert.
So one who wants to know if it is malicious does not have to do any analysis. :)
I think that there can be other dangerous samples in the wild that simply do some innocent actions when running in Any.Run.
 

upnorth
When executed on a normal virtual machine, or a live system, the password-stealing Trojan would be allowed to execute and steal saved login credentials in browsers, FTP programs, and other software. While this will not prevent a researcher from analyzing a particular malware using other methods, it does cause them to have to put more effort into the analysis.
Correct! From my own test also on AnyRun, the sample is still able to connect to a C&C server. That's more than malicious enough.
 

Andy Ful
Correct! From my own test also on AnyRun, the sample is still able to connect to a C&C server. That's more than malicious enough.
I think that the alert is for the attacker when testing the malware before releasing it. Someone simply forgot to kill the alert, or the pre-release malware was reused by someone else who did not understand it well.
 
