How the ANY.RUN Malware Sandbox Processes IOCs for Threat Intelligence Lookup

Security experts assess threats using ANY.RUN, an interactive malware sandbox, and the data collected from these analyses is used to build a threat intelligence database.

The database includes indicators of compromise (IOCs) and the relationships between the different artifacts observed within an analysis session. In October 2022, ANY.RUN launched Threat Intelligence Feeds to let users make use of this data.

The introduction of TI Lookup in February 2023 further improved this capability by enabling users to recognize threats even from lone indicators that other security solutions might miss.


This article explains how ANY.RUN built Threat Intelligence Lookup.

ANY.RUN’s Approach to Indicator Analysis

An interactive sandbox environment allows deep analysis of malware behavior. Suspicious files are executed within the sandbox under conditions that mimic real-world scenarios, so the malware can be observed throughout its stages, including fetching payloads, encrypting files, or stealing data.

Analysts can even trigger the malware manually by simulating user actions such as entering passwords or solving CAPTCHAs.

The analysis captures a wide range of indicators, including memory dumps, network traffic between the malware and its command-and-control server, and MITRE ATT&CK tactics.

Around 30 event-specific details are collected, covering file and registry information, command line activity, HTTP response content, and more, which gives a thorough picture of the malware's entire attack cycle.


Origins of ANY.RUN’s IOCs

ANY.RUN relies on a global community of analysts to gather indicators of compromise (IOCs) through public sandbox submissions.

Around 14,000 samples are uploaded daily, often stemming from suspicious activity spotted in Security Information and Event Management (SIEM) logs or during email investigations.

Analysts configure a sandbox environment that mimics real-world conditions and run the sample; during the 1200-second interactive analysis, the sandbox captures process activity and network events and extracts IOCs such as file hashes, domains, IP addresses, and URLs.

This comprehensive data collection from global submissions fuels ANY.RUN's threat intelligence database, which currently stores 24TB of information on evolving malware threats.

Boosting Security with ANY.RUN Threat Intelligence

The solution offers a threat intelligence (TI) feed and a lookup portal, providing access to a constantly updated database of malware information drawn from over 1.5 million investigations by community and in-house analysts. This allows you to:

  • Access the latest community-reported and analyst-discovered malware data.
  • Search across various aspects (fields) of 1.5 million investigations conducted in the past 6 months.
  • Analyze command lines, registry changes, memory dumps, encrypted and unencrypted network traffic, and more to identify risks.

It offers threat intelligence in two formats:

  • Threat Intelligence Lookup – Search the portal for relevant events using 30 criteria. Use wildcards (*) to broaden a search or to match substrings. With rapid search, you will get results in 5 seconds. The returned IOCs and event fields include links to the recorded sandbox research sessions.
  • Threat Intelligence Feeds – Receive STIX data from the Feeds directly into your TIP and SIEM systems and configure firewalls against current threats. New indicators and event fields, with context, are delivered every two hours.

TI Lookup searches a massive database of Indicators of Compromise (IOCs) and related events across numerous parameters. Wildcards allow broad or narrow searches, and results, including links to the related research sessions, are returned in seconds.

SIEM systems can consume the continuous threat data from TI Feeds in STIX format; every two hours, new IOCs and event details are added for threat analysis.
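To show what consuming such a feed looks like on the SIEM side, here is an added example (not ANY.RUN's own code or feed data) that parses STIX 2.1 indicator objects into the IOC types named above and then runs a wildcard search over them, in the spirit of TI Lookup. The bundle, its values, and the limitation to single-comparison patterns are assumptions for this illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample STIX 2.1 bundle in the shape a TI feed delivers
# (values are made up for this example, not real ANY.RUN feed data).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'updates.example-c2.test']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[url:value = 'http://updates.example-c2.test/payload.bin']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "pattern_type": "stix",  # compound pattern: skipped below
     "pattern": "[ipv4-addr:value = '198.51.100.7'] AND [url:value = 'http://x.test/']"},
    {"type": "malware", "name": "ExampleStealer"},  # not an indicator: ignored
]})

# Map STIX object paths to the IOC types the sandbox extracts.
IOC_TYPES = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ip",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}
# Matches exactly one simple comparison of the form [object:path = 'value'].
SIMPLE_PATTERN = re.compile(r"^\[([\w:.'-]+)\s*=\s*'([^']*)'\]$")


def parse_indicators(bundle_json):
    """Return {ioc_type: sorted list of values} from STIX indicator objects."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"].strip())
        if not m:
            continue  # compound or unsupported pattern; needs a full STIX pattern parser
        ioc_type = IOC_TYPES.get(m.group(1))
        if ioc_type:
            iocs.setdefault(ioc_type, set()).add(m.group(2))
    return {k: sorted(v) for k, v in iocs.items()}


def lookup(iocs, query):
    """Wildcard (*) search across every IOC type, returning (type, value) hits."""
    return sorted((t, v) for t, vals in iocs.items()
                  for v in vals if fnmatchcase(v, query))
```

Compound patterns (joined with AND/OR) are deliberately dropped here so that a partial match never silently produces a misleading indicator; a production ingester should parse them fully.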

What is ANY.RUN?

ANY.RUN is a cloud-based malware lab that does most of the work for security teams. 400,000 professionals use the ANY.RUN platform every day to investigate events and speed up threat research on Linux and Windows cloud VMs.

Advantages of ANY.RUN

  • Real-time Detection: ANY.RUN can find malware and instantly identify many malware families using YARA and Suricata rules within about 40 seconds of uploading a file.
  • Interactive Malware Analysis: ANY.RUN differs from many automated options because it lets you interact with the virtual machine from your browser. This live capability helps catch zero-day exploits and advanced malware that can get past signature-based protection.
  • Value for money: ANY.RUN's cloud-based nature makes it a cost-effective option for businesses, since your DevOps team doesn't have to do any setup or support work.
  • Best for onboarding new security team members: ANY.RUN's easy-to-use interface allows even new SOC researchers to quickly learn to examine malware and identify indicators of compromise (IOCs).
