https://github.com/kkent030315/detect-anyrun

ANY.RUN sandbox detection collection
https://github.com/kkent030315/detect-anyrun

Last synced: 7 months ago
JSON representation

ANY.RUN sandbox detection collection

• Host: GitHub
• URL: https://github.com/kkent030315/detect-anyrun
• Owner: kkent030315
• License: mit
• Created: 2024-08-19T03:10:32.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2024-08-21T07:45:15.000Z (about 1 year ago)
• Last Synced: 2025-03-18T00:37:31.818Z (7 months ago)
• Language: C++
• Homepage:
• Size: 271 KB
• Stars: 17
• Watchers: 2
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
Associated article: [Attacking ANY.RUN for Sandbox Detection Development](https://medium.com/@orangemaster674/attacking-any-run-for-sandbox-detection-development-747c1a8aa4fd)

# ANY.RUN Sandbox Detection

- Part 1: The symblic device name of the driver.

- Part 2: The non-standard filesystem behaviour under protected ANY.RUN installed files and folders.

![IMG](.png)



Part 3: Coming Soon



### Irrelevant Glossaries

- The ANY.RUN components are under `%ProgramFiles%\\KernelLogger`.

- The usermode agent (a Windows service) is registered as `aga` with binary path `%ProgramFiles%\\KernelLogger\\aga.exe`.

- The virtual machine runs in a test signing mode.

  - ANY.RUN driver `A3E64E55_fl_x64.sys` is signed by WDK test certificate [attached here](./WDKTestCert%20SYSTEM,133087515274835630.cer).

- The macshift embedded in the ANY.RUN package spoofs MAC address but it is still able to obtain the original *permanent* MAC address by calling out the NDIS driver.

- The hypervisor presense bit in the CPU indicates is not present.

- Pinning SSL/TLS certificate against most popular and stable website may help you identify the intermediate certificate inserted by ANY.RUN to sniff the traffics.