diff --git a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json b/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json
deleted file mode 100644
index f1a2a3e76..000000000
--- a/analyzers/AnyRun/AnyRun_Sandbox_Analysis.json
+++ /dev/null
@@ -1,151 +0,0 @@
-{
- "name": "AnyRun_Sandbox_Analysis",
- "version": "1.1",
- "author": "Andrea Garavaglia, Davide Arcuri, LDO-CERT; Nate Olsen, WSECU",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPL-V3",
- "description": "Any.Run Sandbox file analysis",
- "dataTypeList": ["file", "url"],
- "command": "AnyRun/anyrun_analyzer.py",
- "baseConfig": "AnyRun",
- "configurationItems": [
- {
- "name": "token",
- "description": "API token",
- "type": "string",
- "multi": false,
- "required": false
- },
- {
- "name": "privacy_type",
- "description": "Define the privacy setting (Allowed values: public, bylink, owner)",
- "type": "string",
- "multi": false,
- "required": true,
- "defaultValue": "bylink"
- },
- {
- "name": "verify_ssl",
- "description": "Verify SSL certificate",
- "type": "boolean",
- "multi": false,
- "required": true,
- "defaultValue": true
- },
- {
- "name": "env_bitness",
- "description": "default OS bitness; 32 or 64",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 32
- },
- {
- "name": "env_version",
- "description": "Which version of Windows do you want to use by default? allowed values: \"vista\", \"7\", \"8.1\", \"10\"",
- "type": "string",
- "multi": false,
- "required": false,
- "defaultValue": "7"
- },
- {
- "name": "env_type",
- "description": "How much do you want pre-installed in the runtime environment? allowed values: \"clean\", \"office\", \"complete\"",
- "type": "string",
- "multi": false,
- "required": false,
- "defaultValue": "complete"
- },
- {
- "name": "opt_network_connect",
- "description": "Do you want to disable networking? set false to disable",
- "type": "boolean",
- "multi": false,
- "required": false,
- "defaultValue": true
- },
- {
- "name": "opt_network_fakenet",
- "description": "FakeNet feature status; set true to enable.",
- "type": "boolean",
- "multi": false,
- "required": false,
- "defaultValue": false
- },
- {
- "name": "opt_network_tor",
- "description": "TOR using.",
- "type": "Boolean",
- "multi": false,
- "required": false,
- "defaultValue": false
- },
- {
- "name": "opt_network_mitm",
- "description": "HTTPS MITM proxy option.",
- "type": "Boolean",
- "multi": false,
- "required": false,
- "defaultValue": false
- },
- {
- "name": "opt_network_geo",
- "description": "Geo location option. Allowed values: \"fastest\", \"AU\", \"BR\", \"DE\", \"CH\", \"FR\", \"KR\", \"US\", \"RU\", \"GB\", \"IT\"",
- "type": "String",
- "multi": false,
- "required": false,
- "defaultValue": "fastest"
- },
- {
- "name": "opt_kernel_heavyevasion",
- "description": "Heavy evasion option. Default value: false",
- "type": "Boolean",
- "multi": false,
- "required": false,
- "defaultValue": false
- },
- {
- "name": "opt_timeout",
- "description": "Timeout option. Size range: 10-660",
- "type": "Number",
- "multi": false,
- "required": false,
- "defaultValue": "60"
- },
- {
- "name": "obj_ext_startfolder",
- "description": "Start object from. Allowed values: \"desktop\", \"home\", \"downloads\", \"appdata\", \"temp\", \"windows\", \"root\"",
- "type": "String",
- "multi": false,
- "required": false,
- "defaultValue": "temp"
- },
- {
- "name": "obj_ext_browser",
- "description": "Choose which browser to use. Allowed values: \"Google Chrome\", \"Mozilla Firefox\", \"Opera\", \"Internet Explorer\"",
- "type": "String",
- "multi": false,
- "required": false,
- "defaultValue": "Internet Explorer"
- }
- ],
- "registration_required": true,
- "subscription_required": true,
- "free_subscription": false,
- "service_homepage": "https://any.run/",
- "service_logo": {
- "path": "assets/anyrun.png",
- "caption": "AnyRun logo"
- },
- "screenshots": [
- {
- "path": "assets/short_report.png",
- "caption": "AnyRun: Short report template"
- },
-
- {
- "path": "assets/long_report.png",
- "caption": "AnyRun: Long report template"
- }
- ]
-}
diff --git a/analyzers/AnyRun/AnyRun_Sandbox_File_Android.json b/analyzers/AnyRun/AnyRun_Sandbox_File_Android.json
new file mode 100644
index 000000000..ee6ac124f
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_Sandbox_File_Android.json
@@ -0,0 +1,180 @@
+{
+ "name": "AnyRun_Sandbox_File_Android",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Run File analysis using Android VM",
+ "dataTypeList": ["file"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "os": "android",
+ "analysis_type": "file"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN Sandbox API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_html_report",
+ "description": "Attach HTML report to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_network_traffic_dump",
+ "description": "Attach PCAP file to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "env_locale",
+ "description": "Operation System language. Use locale identifier or country name Example - ( \"en-US\" or \"Brazil\"). Case insensitive",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "en-US"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Network connection state",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "TOR geo location option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy",
+ "description": "Residential Proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy_geo",
+ "description": "Residential Proxy Geo option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_privacy_type",
+ "description": "Privacy settings. Supports: public, bylink, owner, byteam",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "bylink"
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option, size range 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": "240"
+ },
+ {
+ "name": "opt_auto_delete_after",
+ "description": "Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "obj_ext_cmd",
+ "description": "Optional command line",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": ""
+ },
+ {
+ "name": "user_tags",
+ "description": "Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
diff --git a/analyzers/AnyRun/AnyRun_Sandbox_File_Linux.json b/analyzers/AnyRun/AnyRun_Sandbox_File_Linux.json
new file mode 100644
index 000000000..3771133a8
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_Sandbox_File_Linux.json
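Review bot: `opt_privacy_type` defaults to `bylink` and its description only lists the accepted values; since this analyzer hands case artifacts to a third-party sandbox, the description should say what each value exposes, e.g. `Privacy settings. Supports: public, bylink, owner, byteam. public and bylink make the submitted sample and its report reachable outside your account; use owner or byteam for sensitive artifacts` — the exact visibility of each value is ANY.RUN's to confirm. Separately, `opt_timeout` is declared `"type": "Number"` but its default is the string `"240"` (the Windows files give `env_bitness` a numeric `64`), and `Boolean`/`Number` are capitalised while `boolean`/`string` are not; `"defaultValue": 240` and lowercase type names throughout would remove the mismatch. The same items recur in the Linux, Windows and URL analyzer hunks below.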
@@ -0,0 +1,212 @@
+{
+ "name": "AnyRun_Sandbox_File_Linux",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Run File analysis using Linux VM",
+ "dataTypeList": ["file"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "os": "linux",
+ "analysis_type": "file"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN Sandbox API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_html_report",
+ "description": "Attach HTML report to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_network_traffic_dump",
+ "description": "Attach PCAP file to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "env_os",
+ "description": "Operation System. Supports ubuntu, debian",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "ubuntu"
+ },
+ {
+ "name": "env_locale",
+ "description": "Operation System language. Use locale identifier or country name Example - ( \"en-US\" or \"Brazil\"). Case insensitive",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "en-US"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Network connection state",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "TOR geo location option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy",
+ "description": "Residential Proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy_geo",
+ "description": "Residential Proxy Geo option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_privacy_type",
+ "description": "Privacy settings. Supports: public, bylink, owner, byteam",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "bylink"
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option, size range 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": "240"
+ },
+ {
+ "name": "opt_auto_delete_after",
+ "description": "Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "obj_ext_extension",
+ "description": "Automatically change extension to valid",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "obj_ext_cmd",
+ "description": "Optional command line",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": ""
+ },
+ {
+ "name": "obj_ext_startfolder",
+ "description": "Start object from. Supports: desktop, home, downloads, temp",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "temp"
+ },
+ {
+ "name": "run_as_root",
+ "description": "Run file with superuser privileges",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "user_tags",
+ "description": "Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
diff --git a/analyzers/AnyRun/AnyRun_Sandbox_File_Windows.json b/analyzers/AnyRun/AnyRun_Sandbox_File_Windows.json
new file mode 100644
index 000000000..1e1d8aadf
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_Sandbox_File_Windows.json
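Review bot: `run_as_root` defaults to `true`, so every Linux detonation is privileged unless an analyst changes the instance config, and a report reader cannot tell that from the description; `Run file with superuser privileges (default: true). Disable to observe behaviour under an unprivileged account` would make the default visible where it matters. `obj_ext_extension` is described as `Automatically change extension to valid`, which says neither what is changed nor to what; wording such as `Rename the submitted file to an extension matching its detected format before execution` would tell the analyst what happens to their sample, if that is what the sandbox does — the analyzer script is not in this diff, so confirm against the API. The same `obj_ext_extension` item appears in the Windows and URL Linux hunks below.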
@@ -0,0 +1,236 @@
+{
+ "name": "AnyRun_Sandbox_File_Windows",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Run File analysis using Windows VM",
+ "dataTypeList": ["file"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "os": "windows",
+ "analysis_type": "file"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN Sandbox API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_html_report",
+ "description": "Attach HTML report to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_network_traffic_dump",
+ "description": "Attach PCAP file to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "env_version",
+ "description": "Version of OS. Supports: 7, 10, 11, server 2025",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "10"
+ },
+ {
+ "name": "env_bitness",
+ "description": "Bitness of Operation System. Supports 32, 64 for Windows. 64 for Windows Server 2025",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 64
+ },
+ {
+ "name": "env_type",
+ "description": "Environment preset type. You can select **development** env for OS Windows 10 x64. For all other cases, **complete** env is required",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "complete"
+ },
+ {
+ "name": "env_locale",
+ "description": "Operation System language. Use locale identifier or country name Example - ( \"en-US\" or \"Brazil\"). Case insensitive",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "en-US"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Network connection state",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "TOR geo location option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy",
+ "description": "Residential Proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy_geo",
+ "description": "Residential Proxy Geo option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_privacy_type",
+ "description": "Privacy settings. Supports: public, bylink, owner, byteam",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "bylink"
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option, size range 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": "240"
+ },
+ {
+ "name": "opt_auto_delete_after",
+ "description": "Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "obj_ext_extension",
+ "description": "Automatically change extension to valid",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "obj_ext_cmd",
+ "description": "Optional command line",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": ""
+ },
+ {
+ "name": "obj_ext_startfolder",
+ "description": "Start object from. Supports: desktop, home, downloads, appdata, temp, windows, root",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "temp"
+ },
+ {
+ "name": "obj_force_elevation",
+ "description": "Forces the file to execute with elevated privileges and an elevated token (for PE32, PE32+, PE64 files only)",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "auto_confirm_uac",
+ "description": "Auto confirm Windows UAC requests",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "user_tags",
+ "description": "Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
diff --git a/analyzers/AnyRun/AnyRun_Sandbox_URL_Android.json b/analyzers/AnyRun/AnyRun_Sandbox_URL_Android.json
new file mode 100644
index 000000000..c305190b7
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_Sandbox_URL_Android.json
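Review bot: `env_version`, `env_bitness` and `env_type` carry their cross-constraints only in prose (`64 for Windows Server 2025`, `development` only for `Windows 10 x64`), and nothing in this file rejects an inconsistent combination such as `server 2025` with bitness `32`; the descriptions should say what happens then, e.g. `Mismatched version/bitness/type combinations are rejected by ANY.RUN at submission`, if that is indeed the API's behaviour. The `env_type` description also uses markdown emphasis (`**development**`, `**complete**`), which shows as literal asterisks wherever Cortex renders descriptions as plain text; plain `development` and `complete` are safer. `obj_force_elevation` and `auto_confirm_uac` both default to `true`, so the default detonation runs elevated with UAC prompts auto-accepted; like `run_as_root` in the Linux analyzer, each deserves a `(default: true)` in its description so an analyst reading a report knows the sample had elevated rights.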
@@ -0,0 +1,179 @@
+{
+ "name": "AnyRun_Sandbox_URL_Android",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Run URL analysis using Android VM",
+ "dataTypeList": ["url"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "os": "android",
+ "analysis_type": "url"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN Sandbox API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_html_report",
+ "description": "Attach HTML report to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_network_traffic_dump",
+ "description": "Attach PCAP file to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "obj_url",
+ "description": "Target URL. Size range 5-512. Example -> (http/https)://(your-link)",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "env_locale",
+ "description": "Operation System language. Use locale identifier or country name Example - ( \"en-US\" or \"Brazil\"). Case insensitive",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "en-US"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Network connection state",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "TOR geo location option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy",
+ "description": "Residential Proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy_geo",
+ "description": "Residential Proxy Geo option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_privacy_type",
+ "description": "Privacy settings. Supports: public, bylink, owner, byteam",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "bylink"
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option, size range 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": "120"
+ },
+ {
+ "name": "opt_auto_delete_after",
+ "description": "Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "user_tags",
+ "description": "Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
diff --git a/analyzers/AnyRun/AnyRun_Sandbox_URL_Linux.json b/analyzers/AnyRun/AnyRun_Sandbox_URL_Linux.json
new file mode 100644
index 000000000..d4817ad26
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_Sandbox_URL_Linux.json
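Review bot: `obj_url` is declared as a per-instance configuration item (`Target URL ... required: false`) in an analyzer whose `dataTypeList` is `["url"]`, so the target already arrives as the observable; a static URL in the analyzer config would either be ignored or silently override every observable submitted to this instance, and neither outcome is documented. If it is intended as a test override, the description should say so, e.g. `Overrides the URL observable for every job on this instance; leave empty in production`; otherwise the item should be dropped. The same item appears in the URL Linux hunk below and presumably in the URL Windows file. How `anyrun_analyzer.py` resolves the two sources is not visible in this diff.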
@@ -0,0 +1,204 @@
+{
+ "name": "AnyRun_Sandbox_URL_Linux",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Run URL analysis using Linux VM",
+ "dataTypeList": ["url"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "os": "linux",
+ "analysis_type": "url"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN Sandbox API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_html_report",
+ "description": "Attach HTML report to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_network_traffic_dump",
+ "description": "Attach PCAP file to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "obj_url",
+ "description": "Target URL. Size range 5-512. Example -> (http/https)://(your-link)",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "env_os",
+ "description": "Operation System. Supports ubuntu, debian",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "ubuntu"
+ },
+
+ {
+ "name": "env_locale",
+ "description": "Operation System language. Use locale identifier or country name Example - ( \"en-US\" or \"Brazil\"). Case insensitive",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "en-US"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Network connection state",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "TOR geo location option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy",
+ "description": "Residential Proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy_geo",
+ "description": "Residential Proxy Geo option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_privacy_type",
+ "description": "Privacy settings. Supports: public, bylink, owner, byteam",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "bylink"
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option, size range 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": "120"
+ },
+ {
+ "name": "opt_auto_delete_after",
+ "description": "Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "obj_ext_browser",
+ "description": "Browser name. Supports Google Chrome, Mozilla Firefox",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "Google Chrome"
+ },
+ {
+ "name": "obj_ext_extension",
+ "description": "Automatically change extension to valid",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "user_tags",
+ "description": "Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
diff --git a/analyzers/AnyRun/AnyRun_Sandbox_URL_Windows.json b/analyzers/AnyRun/AnyRun_Sandbox_URL_Windows.json
new file mode 100644
index 000000000..4db41293c
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_Sandbox_URL_Windows.json
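Review bot: the `configurationItems` array contains a stray empty line between the `env_os` and `env_locale` entries (the added line with no content after the `},`), which none of the sibling files have; remove it so the six new descriptors stay byte-for-byte comparable. `opt_network_geo` is now described only as `TOR geo location option`, while the deleted `AnyRun_Sandbox_Analysis.json` listed the accepted values (`fastest` and the country codes); restoring that list, e.g. `TOR exit geo location. Supports: fastest, AU, BR, DE, CH, FR, KR, US, RU, GB, IT`, keeps the option usable without consulting external docs, provided those codes are still what the API accepts. `opt_network_residential_proxy_geo` has the same gap. The shortened descriptions appear in every new analyzer file in this diff.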
@@ -0,0 +1,212 @@
+{
+ "name": "AnyRun_Sandbox_URL_Windows",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Run URL analysis using Windows VM",
+ "dataTypeList": ["url"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "os": "windows",
+ "analysis_type": "url"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN Sandbox API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_html_report",
+ "description": "Attach HTML report to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_network_traffic_dump",
+ "description": "Attach PCAP file to the case as observable",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "env_version",
+ "description": "Version of OS. Supports: 7, 10, 11, server 2025",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "10"
+ },
+ {
+ "name": "env_bitness",
+ "description": "Bitness of Operation System. Supports 32, 64 for Windows. 
64 for Windows Server 2025",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 64
+ },
+ {
+ "name": "env_type",
+ "description": "Environment preset type. You can select **development** env for OS Windows 10 x64. For all other cases, **complete** env is required",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "complete"
+ },
+ {
+ "name": "env_locale",
+ "description": "Operation System language. Use locale identifier or country name Example - ( \"en-US\" or \"Brazil\"). Case insensitive",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "en-US"
+ },
+ {
+ "name": "opt_network_connect",
+ "description": "Network connection state",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "opt_network_fakenet",
+ "description": "FakeNet feature status",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_tor",
+ "description": "TOR using",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_geo",
+ "description": "TOR geo location option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_network_mitm",
+ "description": "HTTPS MITM proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy",
+ "description": "Residential Proxy option",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": false
+ },
+ {
+ "name": "opt_network_residential_proxy_geo",
+ "description": "Residential Proxy Geo option",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "fastest"
+ },
+ {
+ "name": "opt_privacy_type",
+ "description": "Privacy settings. 
Supports: public, bylink, owner, byteam",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "bylink"
+ },
+ {
+ "name": "opt_timeout",
+ "description": "Timeout option, size range 10-660",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 120
+ },
+ {
+ "name": "opt_auto_delete_after",
+ "description": "Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "obj_ext_browser",
+ "description": "Browser name. Supports Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge for Windows 7, 10, 11. Microsoft Edge for Windows Server 2025",
+ "type": "string",
+ "multi": false,
+ "required": false,
+ "defaultValue": "Microsoft Edge"
+ },
+ {
+ "name": "obj_ext_extension",
+ "description": "Automatically change extension to valid",
+ "type": "Boolean",
+ "multi": false,
+ "required": false,
+ "defaultValue": true
+ },
+ {
+ "name": "user_tags",
+ "description": "Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
diff --git a/analyzers/AnyRun/AnyRun_TI_Lookup.json b/analyzers/AnyRun/AnyRun_TI_Lookup.json
new file mode 100644
index 000000000..c08528289
--- /dev/null
+++ b/analyzers/AnyRun/AnyRun_TI_Lookup.json 
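Review bot: The `type` field is spelled inconsistently in this file: `verify_ssl` and the `get_*`/`extract_malicious_iocs` items use `"boolean"`, while `opt_network_connect`, `opt_network_fakenet`, `opt_network_tor`, `opt_network_mitm`, `opt_network_residential_proxy` and `obj_ext_extension` use `"Boolean"`, and `env_bitness`/`opt_timeout` use `"Number"`. If Cortex matches these names case-sensitively the capitalised items would not be parsed as the intended type, and even if it is lenient one spelling (`"boolean"`, `"number"`) is the safer choice; the same mix appears in `lookup_depth` of the `AnyRun_TI_Lookup.json` hunk and in the preceding new-file hunk of this patch. `opt_timeout` defaults to the number `120` here but to the string `"120"` in that preceding hunk, so two definitions that presumably feed the same `anyrun_analyzer.py` hand it different JSON types for the same option; the numeric form matches the declared type. `opt_privacy_type` defaults to `bylink`, which as the name suggests makes the report of every submitted URL reachable by anyone holding the link; that is worth stating in the description, e.g. `"Privacy settings. Supports: public, bylink, owner, byteam. Reports of bylink tasks are visible to anyone with the link"`.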
@@ -0,0 +1,69 @@
+{
+ "name": "AnyRun_TI_Lookup",
+ "version": "1.0",
+ "author": "ANY.RUN Integrations Team",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Check URL/IP/Domain/File reputation",
+ "dataTypeList": ["ip", "domain", "url", "hash"],
+ "command": "AnyRun/anyrun_analyzer.py",
+ "baseConfig": "AnyRun",
+ "config": {
+ "analysis_type": "ti_lookup"
+ },
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "ANY.RUN TI Lookup API key",
+ "type": "string",
+ "multi": false,
+ "required": true
+ },
+ {
+ "name": "verify_ssl",
+ "description": "Verify SSL certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "get_iocs",
+ "description": "Attach Analysis IOCs to the case as observables",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "extract_malicious_iocs",
+ "description": "When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "lookup_depth",
+ "description": "Specify the number of days from the current date for which you want to lookup",
+ "type": "Number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 180
+ }
+ ],
+ "registration_required": true,
+ "subscription_required": true,
+ "free_subscription": false,
+ "service_homepage": "https://any.run/",
+ "service_logo": {
+ "path": "assets/anyrun.png",
+ "caption": "AnyRun logo"
+ },
+ "screenshots": [
+ {
+ "path": "assets/long_report.png",
+ "caption": "AnyRun: Long report template"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/analyzers/AnyRun/Dockerfile b/analyzers/AnyRun/Dockerfile
new file mode 100644
index 000000000..9e9362355
--- /dev/null
+++ b/analyzers/AnyRun/Dockerfile 
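Review bot: The file ends without a trailing newline (`\ No newline at end of file`), unlike the other JSON definitions in this commit; add the final newline so the next edit does not show a spurious end-of-file change. `lookup_depth` is typed `"Number"` where every other item in the file uses a lowercase type name, and its description gives no accepted range for the day count — Cortex configuration items cannot express bounds, so if the API rejects values outside some window the description is the only place to say so. The `api_key` item is described as an "ANY.RUN TI Lookup API key", while the README's TI Lookup table in this same commit calls the same parameter an "ANY.RUN Sandbox API-KEY"; if the two products issue distinct credentials, one of the two texts is pointing users at the wrong key and they should be aligned.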
@@ -0,0 +1,10 @@
+FROM python:3-alpine
+
+WORKDIR /worker
+RUN apk add --no-cache whois
+
+COPY requirements.txt AnyRun/
+RUN test ! -e AnyRun/requirements.txt || pip install --no-cache-dir -r AnyRun/requirements.txt
+COPY . AnyRun/
+
+ENTRYPOINT ["python", "AnyRun/anyrun_analyzer.py"]
\ No newline at end of file
diff --git a/analyzers/AnyRun/README.md b/analyzers/AnyRun/README.md
index 2829e2d40..21450a083 100644
--- a/analyzers/AnyRun/README.md
+++ b/analyzers/AnyRun/README.md 
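Review bot: `FROM python:3-alpine` floats on the major tag, so each rebuild may pull a different Python and Alpine base and the image is not reproducible, and there is no `USER` directive, so the analyzer runs as root inside the container while handling observables and downloaded reports; pin the base (`FROM python:3.12-alpine` or a digest) and add an unprivileged user before the entrypoint, e.g. `RUN adduser -D worker` followed by `USER worker`. The `test ! -e AnyRun/requirements.txt ||` guard on the pip line is dead code: the preceding `COPY requirements.txt AnyRun/` already fails the build when that file is missing, so the test always finds it. `apk add --no-cache whois` installs a tool that nothing in the visible part of `anyrun_analyzer.py` uses; if it is a leftover from the analyzer template it can be dropped to shrink the image. The file also lacks a trailing newline.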
@@ -1,30 +1,273 @@ -### AnyRun -[ANY.RUN](https://any.run/) is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as: - -- Interactive access -- Research threats by filter in public submissions -- File and URL dynamic analysis -- Mitre ATT&CK mapping -- Detailed malware reports - -#### Requirements -You need a valid AnyRun API integration subscription to use the analyzer. Free plan does not provide API access. - -- Provide your API token as a value for the `token` parameter. -- Define the privacy setting in `privacy_type` parameter. -- Set `verify_ssl` parameter as false if you connection requires it - -#### Optional Parameters -AnyRun provides a number of parameters that can be modified to do additional/different analysis. -- Set the "bitness" of your runtime environment with the `env_bitness` parameter. -- Select which version of Windows to use by setting `env_version` parameter. -- Select which products to install by default with `env_type` parameter. -- Enable/disable networking with `opt_network_connect` parameter. -- Enable/disable "FakeNet" with `opt_network_fakenet` parameter. -- Enable/disable the TOR network with `opt_network_tor` parameter. -- Enable/disable MITM for https connections with `opt_network_mitm` parameter. -- Need a specific geolocation? use `opt_network_geo` parameter. -- Need to analyze something with evasion tactics? `opt_kernel_heavyevasion` -- Change the timeout settings with `opt_timeout` parameter. -- Select which folder the analysis starts in with `obj_ext_startfolder` parameter. -- Select which browser to use for analysis with `obj_ext_browser` parameter. +

+ + ANY.RUN logo + +

+ +______________________________________________________________________ + +# ANY.RUN Analyzers + +## Table of Contents + +- [ANY.RUN Analyzers](#anyrun-analyzers) + - [Table of Contents](#table-of-contents) + - [ANY.RUN Sandbox Analyzers](#anyrun-sandbox-analyzers) + - [Introduction](#introduction) + - [Generate API-KEY](#generate-api-key) + - [Configuration parameters](#configuration-parameters) + - [Base ANY.RUN parameters](#base-anyrun-parameters) + - [ANY.RUN environment parameters](#anyrun-environment-parameters) + - [ANY.RUN Windows specific environment parameters](#anyrun-windows-specific-environment-parameters) + - [ANY.RUN Linux specific environment parameters](#anyrun-linux-specific-environment-parameters) + - [ANY.RUN Android specific environment parameters](#anyrun-android-specific-environment-parameters) + - [Data flow](#data-flow) + - [Additional information](#additional-information) + - [ANY.RUN TI Lookup Analyzer](#anyrun-ti-lookup-analyzer) + - [Introduction](#introduction-1) + - [Generate API-KEY](#generate-api-key-1) + - [Configuration parameters](#configuration-parameters-1) + - [Base ANY.RUN parameters](#base-anyrun-parameters-1) + - [ANY.RUN environment parameters](#anyrun-environment-parameters-1) + - [Data flow](#data-flow-1) + - [Additional information](#additional-information-1) + - [Support](#support) + +## ANY.RUN Sandbox Analyzers + +## Introduction + +[ANY.RUN's Interactive Sandbox](https://any.run/features/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_sandbox&utm_content=linktosandboxlanding) is a cloud-based service that provides SOC teams with a simple way to analyze cyber threats, enabling rapid threat intelligence and deep analysis in a secure environment. + +The connector for the Interactive Sandbox enables TheHive users to quickly analyze and identify observables, such as artifacts and URLs in the cloud sandbox. 
+ +* Perform real-time analysis to make fast decisions +* Get detailed reports that include insights into network activity, dropped files, and MITRE ATT&CK techniques +* Enrich observables in TheHive + +As a result of the integration of ANY.RUN’s Interactive Sandbox with TheHive, you’ll achieve: + +* Streamlined Triage and Detection: Automate threat analysis to receive actionable verdicts and reports to prioritize incidents effectively. +* Shorter MTTD and MTTR: Lower response times by gaining a full understanding of the threat’s behavior in seconds. +* Higher Detection Rates: In-depth insights and advanced detection mechanisms provide deep visibility into complex threats. +* Minimized Workload: Reduce analyst workload by automating repetitive tasks. +* Stronger Security: Use sandbox reports and related data to refine rules, update playbooks, and train threat detection models. + +Report example: +![img.png](assets/long_report_sandbox.png) + +## Generate API-KEY + +To use this integration, make sure that you have an active [ANY.RUN Sandbox license](https://app.any.run/plans/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_sandbox&utm_content=linktopricing). + +* Go to [ANY.RUN Sandbox](https://app.any.run/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_sandbox&utm_content=linktoservice) +* Click Profile > API and Limits > Generate > Copy +![img.png](assets/ANYRUN_API_TOKEN.png) + +## Configuration parameters + +There are a number of configuration options, which are set either in Cortex UI. + +#### Base ANY.RUN parameters +| Parameter | Mandatory | Description | +|------------------------------|-----------|----------------------------------------------------------------------------------------------| +| `api_key` | Yes | ANY.RUN Sandbox API-KEY. See "Generate API-KEY" section in the README file. | +| `verify_ssl` | Yes | Enable SSL verification option. 
| +| `get_html_report` | Yes | Attach HTML report to the case as observable. | +| `get_network_traffic_dump` | Yes | Attach PCAP file to the case as observable. | +| `get_iocs` | Yes | Attach Analysis IOCs to the case as observables. | +| `extract_malicious_iocs` | Yes | When enabled, extracts only Suspicious and Malicious IOCs. When disabled, extracts all IOCs. | + +#### ANY.RUN environment parameters +| Parameter | Mandatory | Description | +|-------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `opt_timeout` | No | Select analysis completion time. Size range: 10-660 seconds. | +| `opt_network_connect` | No | Enable network connection. | +| `opt_network_fakenet` | No | Enable FakeNet feature. | +| `opt_network_tor` | No | Enable TOR using. | +| `opt_network_geo` | No | TOR geolocation option. Example: US, AU | +| `opt_network_mitm` | No | Enable HTTPS MITM Proxy using. | +| `opt_network_residential_proxy` | No | Residential proxy using. | +| `opt_network_residential_proxy_geo` | No | Residential proxy geolocation option. Example: US, AU. | +| `opt_privacy_type` | No | Privacy settings. Supports: public, bylink, owner, byteam. | +| `opt_auto_delete_after` | No | Specify after what period of time this report should be deleted. Supports: day, week, 2 weeks, month. Leave blank for the task's infinite lifetime. | +| `obj_ext_extension` | No | Automatically change file extension to valid. | +| `env_locale` | No | Operation system's language. Use locale identifier or country name (Ex: "en-US" or "Brazil"). Case-insensitive. | +| `user_tags` | No | Append User Tags to new analysis. Only characters a-z, A-Z, 0-9, hyphen (-), and comma (,) are allowed. Max tag length - 16 characters. Max unique tags per analysis - 8. 
| + + +#### ANY.RUN Windows specific environment parameters +| Parameter | Mandatory | Description | +|-----------------------|------------|---------------------------------------------------------------------------------------------------------------------------------------| +| `env_version` | No | Version of OS. Supports: 7, 10, 11, server 2025 | +| `env_bitness` | No | Bitness of Operation System. Supports 32, 64. | +| `env_type` | No | Environment preset type. You can select **development** env for OS Windows 10 x64. For all other cases, **complete** env is required. | +| `obj_ext_startfolder` | No | Supports: desktop, home, downloads, appdata, temp, windows, root. | +| `obj_ext_cmd` | No | Optional command-line arguments for the analyzed object. Use an empty string ("") to apply the default behavior. | +| `obj_force_elevation` | No | Forces the file to execute with elevated privileges and an elevated token (for PE32, PE32+, PE64 files only). | +| `obj_ext_browser` | No | Browser name. Supports: Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge. | +| `auto_confirm_uac` | No | Auto confirm Windows UAC requests. | + + +#### ANY.RUN Linux specific environment parameters +| Parameter | Mandatory | Description | +|-----------------------|------------|---------------------------------------------------------| +| `env_os` | No |Operation System. Supports ubuntu, debian| +| `obj_ext_startfolder` | No | Start object from. Supports: desktop, home, downloads, temp. | +| `obj_ext_cmd` | No | Optional command-line arguments for the analyzed object. Use an empty string ("") to apply the default behavior. | +| `run_as_root` | No | Run file with superuser privileges. | +| `obj_ext_browser` | No | Browser name. Supports: Google Chrome, Mozilla Firefox. 
| + + +#### ANY.RUN Android specific environment parameters +| Parameter | Mandatory | Description | +|------------------------------|-----------|--------------------------------------------------------------------------------------------------------------| +| `obj_ext_cmd` | No | Optional command-line arguments for the analyzed object. Use an empty string ("") to apply the default behavior. | + + +### Data Flow + +```mermaid +graph LR + subgraph TheHive Input + URL[URL Observable] + File[File Observable] + end + + subgraph ANY.RUN Sandbox + Task[Sandbox Analysis] + Analysis[Behavioral Analysis] + end + + subgraph TheHive Output + Verdict[Analysis verdict] + MainObject[MainObject] + AnalysisURL[Interactive analysis URL] + Reports[Link to the IOC/MISP/STIX/HTML/graph reports] + Indicators[Related Domain/IPs/URLs] + Tags[Analysis tags] + Counters[Analysis statistic] + Mitre[MITRE ATT&CK techniques] + end + + URL --> Task + File --> Task + Task --> Analysis + Analysis --> MainObject + Analysis --> AnalysisURL + Analysis --> Reports + Analysis --> Indicators + Analysis --> Tags + Analysis --> Counters + Analysis --> Mitre +``` + +## Additional information + +- **Analysis Time**: Sandbox analysis typically takes 1-3 minutes depending on the sample +- **Task Timer**: Configure `anyrun_opt_timeout` based on expected analysis time +- **Privacy Settings**: Use `bylink` or `team` for sensitive samples +- **API Access Required**: Available on ANY.RUN plans with API access, including trial +- **Rate Limits**: API calls are subject to ANY.RUN rate limits based on subscription tier + +## ANY.RUN TI Lookup Analyzer + +## Introduction + +ANY.RUN’s [Threat Intelligence Lookup](https://any.run/threat-intelligence-lookup/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_lookup&utm_content=linktolookuplanding) (TI Lookup) is a service that allows you to browse IOCs and related threat data to simplify and enrich cyberattack investigations. 
+ +The Threat Intelligence Lookup сonnector enables TheHive users to browse various types of IOCs, from IPs and domains to URLs and hashes. + +* Browse indicators in TI Lookup without leaving TheHive +* Receive data related to your query to gain actionable insights +* Use them for incident response, to create new rules, train models, update playbooks, etc. + +As a result of integration of TI Lookup with TheHive, you’ll achieve: + +* Early Threat Detection: Correlate IOCs to identify incidents before they escalate. +* Proactive Defense Enrichment: Collect indicators from attacks on other companies to update your detection systems. +* Reduced MTTR and Increased Detection Rate: Access to rich threat context enables SOCs to make informed decisions fast. + +Report example: +![img.png](assets/long_report_ti_lookup.png) + +## Generate API-KEY + +To use this integration, make sure that you have an active [ANY.RUN Sandbox license](https://app.any.run/plans/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_sandbox&utm_content=linktopricing). + +* Go to [ANY.RUN Sandbox](https://app.any.run/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_sandbox&utm_content=linktoservice) +* Click Profile > API and Limits > Generate > Copy +![img.png](assets/ANYRUN_API_TOKEN.png) + +## Configuration parameters + +There are a number of configuration options, which are set either in Cortex UI. + +#### Base ANY.RUN parameters +| Parameter | Mandatory | Description | +|------------------------------|-----------|----------------------------------------------------------------------------------------------| +| `api_key` | Yes | ANY.RUN Sandbox API-KEY. See "Generate API-KEY" section in the README file. | +| `verify_ssl` | Yes | Enable SSL verification option. | +| `get_iocs` | Yes | Attach Analysis IOCs to the case as observables. | +| `extract_malicious_iocs` | Yes | When enabled, extracts only Suspicious and Malicious IOCs. 
When disabled, extracts all IOCs. | + +#### ANY.RUN environment parameters +| Parameter | Mandatory | Description | +|-------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `lookup_depth` | No | Specify the number of days from the current date for which you want to lookup. | + +### Data Flow + +```mermaid +graph LR + subgraph TheHive Input + Hash[Hash Observable] + Domain[Domain Observable] + IP[IP Observable] + Url[Url Observable] + + end + + subgraph ANY.RUN TI Lookup + Intelligence[Threat Intelligence] + end + + subgraph OpenCTI Output + ThreatLevel[Object ThreatLevel] + LookupURL[TI Lookup URL] + LastSeen[Object last seen] + Industries[Object related industries] + Tags[Object related tags] + ASN[Object autonomous system owner] + GEO[Object geo country] + Indicators[Object related Domain/IPs/URLs/Files] + Tasks[Object related analyses] + FileMeta[Object related file meta data] + end + + Hash --> Intelligence + Domain --> Intelligence + IP --> Intelligence + Url --> Intelligence + Intelligence --> ThreatLevel + Intelligence --> LookupURL + Intelligence --> LastSeen + Intelligence --> Industries + Intelligence --> Tags + Intelligence --> ASN + Intelligence --> GEO + Intelligence --> Indicators + Intelligence --> Tasks + Intelligence --> FileMeta +``` + +## Additional information + +- **API Access Required**: Available on ANY.RUN plans with API access, including trial +- **Rate Limits**: API calls are subject to ANY.RUN rate limits based on subscription tier + + +## Support + +This is an ANY.RUN’s supported connector. You can write to us for help with integration via [techsupport@any.run](mailto:techsupport@any.run) . 
+Contact us for a quote or demo via [this form](https://app.any.run/contact-us/?utm_source=thehivegithub&utm_medium=documentation&utm_campaign=thehive_sandbox&utm_content=linktocontactus). diff --git a/analyzers/AnyRun/anyrun_analyzer.py b/analyzers/AnyRun/anyrun_analyzer.py index 2d2af8f96..03de22f32 100755 --- a/analyzers/AnyRun/anyrun_analyzer.py +++ b/analyzers/AnyRun/anyrun_analyzer.py 
@@ -1,169 +1,349 @@ #!/usr/bin/env python3 # encoding: utf-8 -import time -import requests +import tempfile +import json from os.path import basename from cortexutils.analyzer import Analyzer -from requests.packages.urllib3.exceptions import InsecureRequestWarning +from urllib3.exceptions import InsecureRequestWarning +from urllib3 import disable_warnings +from datetime import datetime + +from anyrun import RunTimeException + +from tools import catch_exceptions, connectors, extract_sandbox_iocs class AnyRunAnalyzer(Analyzer): def __init__(self): Analyzer.__init__(self) - self.url = "https://api.any.run/v1" - self.token = self.get_param("config.token", None, "Service token is missing") - self.privacy_type = self.get_param("config.privacy_type", None, "Privacy type is missing") - self.verify_ssl = self.get_param("config.verify_ssl", True, None) + + self.version = "Cortex:1.0" + + self.api_key = self.get_param("config.api_key", None, "ANY.RUN API key is missing") + self.verify_ssl = self.get_param("config.verify_ssl", None, "Verify SSL option is missing") + self.get_iocs = self.get_param("config.get_iocs", None, "Get IOCs option is missing") + self.extract_malicious_iocs = self.get_param( + "config.extract_malicious_iocs", None, "Extract Malicious IOCs option is missing" + ) + + self.get_html_report = self.get_param("config.get_html_report", None, None) + self.get_network_traffic_dump = self.get_param("config.get_network_traffic_dump", None, None) + + self.os = self.get_param("config.os", None, None) + self.analysis_type = self.get_param("config.analysis_type", None, None) + + if not self.api_key: + raise RunTimeException(f"ANY.RUN API key is not specified.") + if not self.verify_ssl: - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - self.env_bitness = self.get_param("config.env_bitness", None, None) - self.env_version = self.get_param("config.env_version", None, None) - self.env_type = self.get_param("config.env_type", None, None) - 
self.opt_network_connect = self.get_param("config.opt_network_connect", None, None) - self.opt_network_fakenet = self.get_param("config.opt_network_fakenet", None, None) - self.opt_network_tor = self.get_param("config.opt_network_tor", None, None) - self.opt_network_mitm = self.get_param("config.opt_network_mitm", None, None) - self.opt_network_geo = self.get_param("config.opt_network_geo", None, None) - self.opt_kernel_heavyevasion = self.get_param("config.opt_kernel_heavyevasion", None, None) - self.opt_timeout = self.get_param("config.opt_timeout", None, None) - self.obj_ext_startfolder = self.get_param("config.obj_ext_startfolder", None, None) - self.obj_ext_browser = self.get_param("config.obj_ext_browser", None, None) + disable_warnings(InsecureRequestWarning) + def summary(self, raw): taxonomies = [] level = "safe" namespace = "AnyRun" - predicate = "Sandbox" - value = ( - raw.get("analysis", {}).get("scores", {}).get("verdict", {}).get("score", 0) - ) - if 50 < value < 100: - level = "suspicious" - elif value == 100: - level = "malicious" + + if self.os: + predicate = "Sandbox" + + if 50 < self.score < 100: + level = "suspicious" + elif self.score == 100: + level = "malicious" + else: + predicate = "TI Lookup" + level = self.verdict.lower() if self.verdict in ("Suspicious", "Malicious") else None taxonomies.append( - self.build_taxonomy(level, namespace, predicate, "{0}/100".format(value)) + self.build_taxonomy(level, namespace, predicate, self.verdict) ) return {"taxonomies": taxonomies} + + def artifacts(self, raw): + artifacts = list() + + if self.get_html_report: + self.attach_file( + artifacts, + self.html_report, + f"ANYRUN_analysis_report_{datetime.now().strftime(f'%Y_%m_%d_%H_%M_%S')}.html", + "ANY.RUN Analysis report" + ) + + if self.get_network_traffic_dump: + self.attach_file( + artifacts, + self.network_traffic_dump, + f"ANYRUN_analysis_network_traffic_dump_{datetime.now().strftime(f'%Y_%m_%d_%H_%M_%S')}.pcap", + "ANY.RUN Analysis network 
traffic dump" + ) + + if self.get_iocs: + self.create_sandbox_observables(artifacts) if self.os else self.create_ti_lookup_observables(artifacts) + + return artifacts + + def attach_file( + self, + artifacts: list, + report_content: str | bytes, + report_name: str, + observable_message: str + ) -> None: + """ + Saves a file as observable + + :param artifacts: The list of Artifacts + :param report_content: Report payload + :param report_name: Report name + :param observable_message: Description + """ + report_path = f"{tempfile.gettempdir()}/{report_name}" + + with open(report_path, 'wb') as file: + file.write(report_content.encode() if isinstance(report_content, str) else report_content) + + artifacts.append( + self.build_artifact( + "file", + report_path, + message=observable_message, + tags=["anyrun"] + ) + ) + + def create_sandbox_observables(self, artifacts: list): + """ + Adds related Suspicious and Malicious indicators to the artifacts list + + :param artifacts: Artifacts list + """ + for ioc in self.iocs: + artifacts.append( + self.build_artifact( + "hash" if ioc.get("type") == "sha256" else ioc.get("type"), + ioc.get("ioc"), + message="Detected by ANY.RUN Sandbox", + tags=["anyrun"] + ) + ) + + def create_ti_lookup_observables(self, artifacts: list): + self.extract_lookup_iocs(self.related_urls, artifacts, "url", "url") + self.extract_lookup_iocs(self.related_ips, artifacts, "ip", "destinationIP") + self.extract_lookup_iocs(self.related_domains, artifacts, "domain", "domainName") + self.extract_lookup_iocs(self.related_files, artifacts, "hash", "sha256") + + def extract_lookup_iocs(self, collection: list[str], artifacts: list, ioc_type: str, ioc_field: str) -> None: + """ + Adds related Suspicious and Malicious indicators to the artifacts list + + :param collection: IOCs collection + :param artifacts: Artifacts list + :param ioc_type: IOC type + :param ioc_field: IOC field name + """ + for obj in collection: + ioc = json.loads(obj) + + if 
self.extract_malicious_iocs and ioc.get("threatLevel") not in (1, 2): + continue + + if ioc.get("threatLevel") not in (0, 1, 2): + continue + + artifacts.append( + self.build_artifact( + ioc_type, + ioc.get(ioc_field) if ioc_type != "hash" else ioc.get("hashes").get(ioc_field), + message="Detected by ANY.RUN TI Lookup", + tags=["anyrun"] + ) + ) + + @catch_exceptions def run(self): Analyzer.run(self) - try: - headers = {"Authorization": "API-Key {0}".format(self.token)} + self.check_authorization() - status_code = None - tries = 0 - if self.data_type == "file": - filepath = self.get_param("file", None, "File is missing") - filename = self.get_param("filename", basename(filepath)) - while status_code in (None, 429) and tries <= 15: - with open(filepath, "rb") as sample: - files = {"file": (filename, sample)} - data = {"opt_privacy_type": self.privacy_type, - "env_bitness": self.env_bitness, - "env_version": self.env_version, - "env_type": self.env_type, - "opt_network_connect": self.opt_network_connect, - "opt_network_fakenet": self.opt_network_fakenet, - "opt_network_tor": self.opt_network_tor, - "opt_network_mitm": self.opt_network_mitm, - "opt_network_geo": self.opt_network_geo, - "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion, - "opt_timeout": self.opt_timeout, - "obj_ext_startfolder": self.obj_ext_startfolder } - response = requests.post( - "{0}/analysis".format(self.url), - files=files, - data=data, - headers=headers, - verify=self.verify_ssl, - ) - status_code = response.status_code - if status_code == 200: - task_id = response.json()["data"]["taskid"] - elif status_code == 201: - task_id = response.json()["data"]["taskid"] - elif status_code == 429: - # it not support parallel runs, so we wait and resubmit later - time.sleep(60) - tries += 1 - else: - self.error(response.json()["message"]) - elif self.data_type == "url": - url = self.get_param("data", None, "Url is missing") - data = {"obj_type": "url", - "obj_url": url, - "opt_privacy_type": 
self.privacy_type, - "env_bitness": self.env_bitness, - "env_version": self.env_version, - "env_type": self.env_type, - "opt_network_connect": self.opt_network_connect, - "opt_network_fakenet": self.opt_network_fakenet, - "opt_network_tor": self.opt_network_tor, - "opt_network_mitm": self.opt_network_mitm, - "opt_network_geo": self.opt_network_geo, - "opt_kernel_heavyevasion": self.opt_kernel_heavyevasion, - "opt_timeout": self.opt_timeout, - "obj_ext_browser": self.obj_ext_browser } - while status_code in (None, 429) and tries <= 15: - response = requests.post( - "{0}/analysis".format(self.url), - data=data, - headers=headers, - verify=self.verify_ssl, - ) - status_code = response.status_code - if status_code == 200: - task_id = response.json()["data"]["taskid"] - elif status_code == 201: - task_id = response.json()["data"]["taskid"] - elif status_code == 429: - # it not support parallel runs, so we wait and resubmit later - time.sleep(60) - tries += 1 - else: - self.error(response.json()["message"]) + if self.os: + self.run_analysis(connectors.get(self.os)) + else: + self.get_reputation(connectors.get("ti_lookup")) + + + def run_analysis(self, connector): + """ + ANY.RUN Sandbox implementation. 
Sends data to ANY.RUN Sandbox, then parses the report + + :param connector: Sandbox connector + """ + final_report = dict() + + with connector(self.api_key, self.version, self.verify_ssl) as connector: + if self.analysis_type == "url": + analysis_uuid = connector.run_url_analysis(**self.get_params()) else: - self.error("Invalid data type!") - - finished = False - tries = 0 - while not finished and tries <= 15: # wait max 15 mins - time.sleep(60) - response = requests.get( - "{0}/analysis/{1}".format(self.url, task_id), - headers=headers, - verify=self.verify_ssl, - ) - if response.status_code == 200: - finished = ( - True if response.json()["data"]["status"] == "done" else False - ) - elif 400 < response.status_code < 500: - self.error(response.json()["message"]) - tries += 1 - if not finished: - self.error("AnyRun analysis timed out") - - # this items could be huge, we provide link to the report so avoid them in cortex - final_report = response.json()["data"] - final_report.pop("environments", None) - final_report.pop("modified", None) - for incident in final_report.get("incidents", []): - incident.pop("events", None) - for process in final_report.get("processes", []): - process.pop("modules", None) + filepath = self.get_param("file", None, "File is missing") + filename = self.get_param("filename", basename(filepath), None) + with open(filepath, "rb") as file_content: + analysis_uuid = connector.run_file_analysis(file_content, filename, **self.get_params()) + + for status in connector.get_task_status(analysis_uuid): + print(status) + + report = connector.get_analysis_report(analysis_uuid) + + self.score = report.get("data").get("analysis").get("scores").get("verdict").get("score", 0) + self.verdict = connector.get_analysis_verdict(analysis_uuid) + self.html_report = connector.get_analysis_report(analysis_uuid, report_format="html") + self.network_traffic_dump = connector.download_pcap(analysis_uuid) + self.iocs = connector.get_analysis_report( + analysis_uuid, + 
report_format="ioc", + ioc_reputation="suspicious" if self.extract_malicious_iocs else "all" + ) + + final_report["mainObject"] = report.get("data").get("analysis").get("content").get("mainObject") + final_report["permanentUrl"] = report.get("data").get("analysis").get("permanentUrl") + final_report["reports"] = report.get("data").get("analysis").get("reports") + final_report["verdict"] = self.verdict + final_report["related_domains"] = extract_sandbox_iocs(report, "dnsRequests", "domain") + final_report["related_ips"] = extract_sandbox_iocs(report, "connections", "ip") + final_report["related_urls"] = extract_sandbox_iocs(report, "httpRequests", "url") + final_report["counters"] = report.get("data").get("counters") + final_report["tags"] = ( + ",".join([tag.get("tag") for tag in tags]) + if (tags := report.get("data").get("analysis").get("tags")) else "" + ) + final_report["mitre"] = ( + ",".join((set([obj.get("id") for obj in mitre]))) + if (mitre := report.get("data").get("mitre")) else "" + ) + self.report(final_report) - except requests.exceptions.RequestException as e: - self.error(str(e)) + def get_reputation(self, connector) -> None: + """ + ANY.RUN TI Lookup implementation. Sends data to ANY.RUN TI Lookup, then parses the report + + :param connector: Lookup connector + """ + final_report = dict() + + entity_type = self.get_param("dataType", None, "Data Type option is missing") + entity_value = self.extract_data() + lookup_depth = self.get_param("config.lookup_depth", 180, None) + + if entity_type == "hash": + hash_type = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(entity_value)) + if not hash_type: + raise RunTimeException("Unsupported hash type. 
Allowed: SHA1, SHA256, MD5") + query_params = {hash_type: entity_value} + else: + entity_type = {"url": "url", "ip": "destination_ip", "domain": "domain_name"}.get(entity_type) + query_params = {entity_type: entity_value} + + with connector(self.api_key, self.version, self.verify_ssl) as connector: + summary = connector.get_intelligence(**query_params, lookup_depth=lookup_depth, parse_response=True) + self.verdict = summary.verdict() + + final_report["treat_level"] = summary.verdict() + final_report["ti_lookup_url"] = summary.intelligence_url(entity_value) + final_report["last_seen"] = summary.last_modified() + final_report["industries"] = summary.industries() + final_report["tags"] = summary.tags() + final_report["asn"] = summary.asn() + final_report["geo"] = summary.country() + final_report["asn"] = summary.country() + final_report["detected_type"] = entity_value + + self.related_urls = [url.json() for url in summary.related_urls] + self.related_ips = [ip.json() for ip in summary.related_ips] + self.related_domains = [domain.json() for domain in summary.related_dns] + self.related_files = [file.json() for file in summary.related_files] + + final_report["related_urls"] = self.related_urls + final_report["related_ips"] = self.related_ips + final_report["related_domains"] = self.related_domains + final_report["related_files"] = self.related_files + + if tasks := summary.tasks(tasks_range=20): + final_report["last_tasks"] = tasks + + if file_meta := summary.file_meta(): + final_report["file_extension"] = file_meta.filepath.split(".")[-1] + final_report["filename"] = file_meta.filename + final_report["filepath"] = file_meta.filepath + final_report["sha1"] = file_meta.hashes.sha1 + final_report["sha256"] = file_meta.hashes.sha256 + final_report["md5"] = file_meta.hashes.md5 + final_report["ssdeep"] = file_meta.hashes.ssdeep + + self.report(final_report) + + def get_params(self) -> dict: + """ + Prepares Sandbox analysis parameters + + :return: Prepared parameters + """ 
+ params = { + "env_locale": self.get_param("config.env_locale", None, None), + "opt_network_connect": self.get_param("config.opt_network_connect", None, None), + "opt_network_fakenet": self.get_param("config.opt_network_fakenet", None, None), + "opt_network_tor": self.get_param("config.opt_network_tor", None, None), + "opt_network_geo": self.get_param("config.opt_network_geo", None, None), + "opt_network_mitm": self.get_param("config.opt_network_mitm", None, None), + "opt_network_residential_proxy": self.get_param("config.opt_network_residential_proxy", None, None), + "opt_network_residential_proxy_geo": self.get_param("config.opt_network_residential_proxy_geo", None, None), + "opt_privacy_type": self.get_param("config.opt_privacy_type", None, None), + "opt_auto_delete_after": self.get_param("config.opt_auto_delete_after", None, None), + "obj_ext_extension": self.get_param("config.obj_ext_extension", None, None), + "user_tags": self.get_param("config.user_tags", None, None), + "opt_timeout": self.get_param("config.opt_timeout", None, None), + "env_os": self.get_param("config.env_os", None, None), + "env_version": self.get_param("config.env_version", None, None), + "env_bitness": self.get_param("config.env_bitness", None, None), + "env_type": self.get_param("config.env_type", None, None), + "obj_ext_cmd": self.get_param("config.obj_ext_cmd", None, None), + "obj_ext_startfolder": self.get_param("config.obj_ext_startfolder", None, None), + "obj_force_elevation": self.get_param("config.obj_force_elevation", None, None), + "auto_confirm_uac": self.get_param("config.auto_confirm_uac", None, None), + "run_as_root": self.get_param("config.run_as_root", None, None), + "lookup_depth": self.get_param("config.lookup_depth", None, None), + "obj_type": self.get_param("config.obj_type", None, None), + "obj_value": self.get_param("config.obj_value", None, None), + } + + if self.analysis_type == "url": + params["obj_url"] = self.extract_data() + + return {key: value for key, value 
in params.items() if value is not None} + + @catch_exceptions + def check_authorization(self) -> None: + """ + Checks connection to ANY.RUN services. + """ + connector = connectors.get("ti_lookup") if self.analysis_type == "ti_lookup" else connectors.get("base") + + with connector(self.api_key, self.version, self.verify_ssl) as connector: + connector.check_authorization() - except Exception as e: - self.unexpectedError(e) + def extract_data(self) -> str: + """ + Extracts data from parameters, prepares it for sending to ANY.RUN + :return: Prepared data + """ + data = self.get_param("data", None, "Data option is missing") + data = data.replace("[", "").replace("]", "").replace("hxxp", "http") + return data if __name__ == "__main__": AnyRunAnalyzer().run() diff --git a/analyzers/AnyRun/assets/ANYRUN_API_TOKEN.png b/analyzers/AnyRun/assets/ANYRUN_API_TOKEN.png new file mode 100644 index 000000000..7a7804a72 Binary files /dev/null and b/analyzers/AnyRun/assets/ANYRUN_API_TOKEN.png differ diff --git a/analyzers/AnyRun/assets/AnyRun.png b/analyzers/AnyRun/assets/AnyRun.png index e4cd7b1fb..77de70ec1 100644 Binary files a/analyzers/AnyRun/assets/AnyRun.png and b/analyzers/AnyRun/assets/AnyRun.png differ diff --git a/analyzers/AnyRun/assets/long_report.png b/analyzers/AnyRun/assets/long_report.png deleted file mode 100644 index 97c58b2a3..000000000 Binary files a/analyzers/AnyRun/assets/long_report.png and /dev/null differ diff --git a/analyzers/AnyRun/assets/long_report_sandbox.png b/analyzers/AnyRun/assets/long_report_sandbox.png new file mode 100644 index 000000000..0acfa4791 Binary files /dev/null and b/analyzers/AnyRun/assets/long_report_sandbox.png differ diff --git a/analyzers/AnyRun/assets/long_report_ti_lookup.png b/analyzers/AnyRun/assets/long_report_ti_lookup.png new file mode 100644 index 000000000..17a1debd0 Binary files /dev/null and b/analyzers/AnyRun/assets/long_report_ti_lookup.png differ 
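Review bot: In get_reputation the line `final_report["asn"] = summary.country()` overwrites the `final_report["asn"] = summary.asn()` assigned two lines earlier, so the report never carries the ASN; the second assignment looks like a leftover (geo is already set from `summary.country()`) and should be dropped. In run_analysis, `print(status)` inside the `get_task_status` loop writes to stdout, which as far as I can tell is where cortexutils emits the result JSON when no job directory is given; write progress to stderr or drop it. attach_file builds `report_path` from `tempfile.gettempdir()` plus a name that varies only by a second-resolution timestamp and opens it with `open(report_path, 'wb')`, so two jobs in the same second overwrite each other and in a shared temp directory the path is predictable for any local user — `tempfile.NamedTemporaryFile(delete=False, prefix="ANYRUN_analysis_report_", suffix=".html")` (or `mkstemp`) avoids both. run_analysis also fetches the HTML report, the pcap and the IOC report unconditionally even when `get_html_report`, `get_network_traffic_dump` and `get_iocs` are off, while artifacts() reads `self.html_report`, which only the sandbox path sets — if a TI Lookup flavor ever sets `config.get_html_report`, that raises AttributeError inside report().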
diff --git a/analyzers/AnyRun/assets/short_report.png b/analyzers/AnyRun/assets/short_report.png deleted file mode 100644 index b5e750e62..000000000 Binary files a/analyzers/AnyRun/assets/short_report.png and /dev/null differ diff --git a/analyzers/AnyRun/requirements.txt b/analyzers/AnyRun/requirements.txt index 6aabc3cfa..048cc3d18 100644 --- a/analyzers/AnyRun/requirements.txt +++ b/analyzers/AnyRun/requirements.txt @@ -1,2 +1,3 @@ cortexutils requests +anyrun-sdk==1.14.12 diff --git a/analyzers/AnyRun/tools.py b/analyzers/AnyRun/tools.py new file mode 100644 index 000000000..a9ab7d449 --- /dev/null +++ b/analyzers/AnyRun/tools.py 
@@ -0,0 +1,66 @@ +import traceback +from functools import wraps + +from cortexutils.analyzer import Analyzer + +from anyrun import RunTimeException +from anyrun.connectors import SandboxConnector, LookupConnector +from anyrun.connectors.sandbox.base_connector import BaseSandboxConnector +from anyrun.connectors.sandbox.operation_systems import ( + AndroidConnector, + LinuxConnector, + WindowsConnector, +) + + +def catch_exceptions(func): + @wraps(func) + def wrapper(self: Analyzer, *args, **kwargs): + try: + result = func(self, *args, **kwargs) + return result + except RunTimeException as exc: + self.error(str(exc)) + except Exception: + self.unexpectedError(traceback.format_exc()) + return wrapper + + +def extract_sandbox_iocs(report: dict, field: str, ioc: str) -> str | None: + if (content := report.get("data").get("network").get(field)): + return ",".join([obj.get(ioc) for obj in content if obj.get("reputation") in ("suspicious", "malicious")]) + return "" + + +def get_windows_sandbox_connector(api_key: str, version: str, verify_ssl: bool) -> WindowsConnector: + """ Builds ANY.RUN Sandbox instance for the Windows OS """ + return SandboxConnector().windows(api_key, integration=version, verify_ssl=verify_ssl) + + +def get_linux_sandbox_connector(api_key: str, version: str, verify_ssl: bool) -> LinuxConnector: + """ Builds ANY.RUN Sandbox instance for the Linux OS """ + return SandboxConnector().linux(api_key, integration=version, verify_ssl=verify_ssl) + + +def get_android_sandbox_connector(api_key: str, version: str, verify_ssl: bool) -> AndroidConnector: + """ Builds ANY.RUN Sandbox instance for the Android OS """ + return SandboxConnector().android(api_key, integration=version, verify_ssl=verify_ssl) + + +def get_base_sandbox_connector(api_key: str, version: str, verify_ssl: bool) -> BaseSandboxConnector: + """ Builds ANY.RUN Sandbox generic instance """ + return BaseSandboxConnector(api_key, integration=version, verify_ssl=verify_ssl) + + +def 
get_ti_lookup_connector(api_key: str, version: str, verify_ssl: bool) -> LookupConnector: + """ Builds ANY.RUN Sandbox generic instance """ + return LookupConnector(api_key, integration=version, verify_ssl=verify_ssl) + + +connectors = { + 'windows': get_windows_sandbox_connector, + 'linux': get_linux_sandbox_connector, + 'android': get_android_sandbox_connector, + 'base': get_base_sandbox_connector, + 'ti_lookup': get_ti_lookup_connector +} \ No newline at end of file diff --git a/thehive-templates/AnyRun_Sandbox_Analysis_1_0/long.html b/thehive-templates/AnyRun_Sandbox_Analysis_1_0/long.html deleted file mode 100644 index a76be43ef..000000000 --- a/thehive-templates/AnyRun_Sandbox_Analysis_1_0/long.html +++ /dev/null @@ -1,132 +0,0 @@ -
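Review bot: The docstring on get_ti_lookup_connector says `Builds ANY.RUN Sandbox generic instance`, copied from get_base_sandbox_connector; it should read `""" Builds ANY.RUN TI Lookup instance """`. extract_sandbox_iocs is annotated `-> str | None` but both paths return a string (the joined list or `""`), so `-> str` is accurate, and it has no docstring; a one-liner such as `"""Comma-joined `ioc` values of report["data"]["network"][field] entries whose reputation is suspicious or malicious; "" when the list is absent."""` would do. In catch_exceptions, `self.unexpectedError(traceback.format_exc())` puts the full traceback (file paths, SDK internals) into the error payload that is presumably surfaced to TheHive users; passing `exc` and writing the traceback to stderr keeps the response to the message. The file also ends without a trailing newline after the `connectors` dict.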
- -
- Any.Run Sandbox -
-
-
-
-
Score:
{{content.analysis.scores.verdict.score}}/100
-
Threat Score:
-
{{content.analysis.scores.verdict.threatLevelText}}
-
Tags:
{{tag.tag}}
-
-
- -
-

Link

-
- - - - - -
-
- -
-

Counters

-
-
-

Registry

-
-
Read:
{{content.counters.registry.read}}
-
Write:
{{content.counters.registry.write}}
-
Delete:
{{content.counters.registry.delete}}
-
Total:
{{content.counters.registry.total}}
-
-
-
-

Processes

-
-
Monitored:
{{content.counters.processes.monitored}}
-
Suspicious:
{{content.counters.processes.suspicious}}
-
Malicious:
{{content.counters.processes.malicious}}
-
Total:
{{content.counters.processes.total}}
-
-
-
-

Files

-
-
Text:
{{content.counters.files.text}}
-
Suspicious:
{{content.counters.files.suspicious}}
-
Malicious:
{{content.counters.files.malicious}}
-
Unknown:
{{content.counters.files.unknown}}
-
-
-
-

Network

-
-
Dns:
{{content.counters.network.dns}}
-
Http:
{{content.counters.network.http}}
-
Connections:
{{content.counters.network.connections}}
-
Threats:
{{content.counters.network.threats}}
-
-
- -
- -
-

Scores

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- -
-

Mitre

- -
-
-
- - -
-
- Any.Run Sandbox Error -
-
-
-
Error:
-
{{content.errorMessage}}
-
-
-
\ No newline at end of file diff --git a/thehive-templates/AnyRun_Sandbox_Analysis_1_0/short.html b/thehive-templates/AnyRun_Sandbox_Analysis_1_0/short.html deleted file mode 100644 index 3dfae10bf..000000000 --- a/thehive-templates/AnyRun_Sandbox_Analysis_1_0/short.html +++ /dev/null @@ -1,3 +0,0 @@ - - {{t.namespace}}:{{t.predicate}}="{{t.value}}" -  diff --git a/thehive-templates/AnyRun_Sandbox_File_Android_1_0/long.html b/thehive-templates/AnyRun_Sandbox_File_Android_1_0/long.html new file mode 100644 index 000000000..363a0e494 --- /dev/null +++ b/thehive-templates/AnyRun_Sandbox_File_Android_1_0/long.html @@ -0,0 +1,236 @@ +
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Sandbox Analysis Report +

+ +
+ + + + Open ANY.RUN Sandbox + +
+
+ +
+
+
+

+ + Verdict: {{ content.verdict || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+ +
+
MITRE ATT&CK
+ + {{ m.trim() }} + +
+
+
+ +
+
+ Main Object: {{ content.mainObject.type }} +
+
+ +
+
+ URL: +
+
+ {{ content.mainObject.url }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.mainObject.hashes.sha256 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.mainObject.hashes.md5 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.mainObject.hashes.sha1 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.mainObject.hashes.ssdeep }} +
+
+ +
+
+ +

Execution Activity

+
+
+
+
+ +
Processes
+
+
+
+ Total: {{ content.counters.processes.total || 0 }} +
+
+ Monitored: {{ content.counters.processes.monitored || 0 }} +
+
+ Suspicious: {{ content.counters.processes.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.processes.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Network
+
+
+
+ Connections: {{ content.counters.network.connections || 0 }} +
+
+ HTTP Reqs: {{ content.counters.network.http || 0 }} +
+
+ DNS Reqs: {{ content.counters.network.dns || 0 }} +
+
+ Threats: {{ content.counters.network.threats || 0 }} +
+
+
+
+ +
+
+
+ +
Files
+
+
+
+ Text: {{ content.counters.files.text || 0 }} +
+
+ Unknown: {{ content.counters.files.unknown || 0 }} +
+
+ Suspicious: {{ content.counters.files.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.files.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Registry
+
+
+
+ Total Events: {{ content.counters.registry.total || 0 }} +
+
+ Read: {{ content.counters.registry.read || 0 }} +
+
+ Write: {{ content.counters.registry.write || 0 }} +
+
+ Delete: {{ content.counters.registry.delete || 0 }} +
+
+
+
+
+ +

Related Entities

+
+
+
+
+
Domains
+ + {{ dom.trim() }} + +
+
+
IP Addresses
+ + {{ ip.trim() }} + +
+
+
URLs
+ + {{ url.trim() }} + +
+
+
+
+ +
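Review bot: This template is byte-identical to the other long.html templates added in this commit (File_Linux, File_Windows, URL_Android and URL_Linux all carry blob index 363a0e494), so any later fix to the report layout has to be applied to every copy and they will drift; since TheHive resolves templates by analyzer name, consider generating the copies from one source file at build time rather than committing duplicates. The markup itself is not visible here, so I cannot check how `content.mainObject.url` and the hash fields are bound.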
diff --git a/thehive-templates/AnyRun_Sandbox_File_Linux_1_0/long.html b/thehive-templates/AnyRun_Sandbox_File_Linux_1_0/long.html new file mode 100644 index 000000000..363a0e494 --- /dev/null +++ b/thehive-templates/AnyRun_Sandbox_File_Linux_1_0/long.html @@ -0,0 +1,236 @@ +
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Sandbox Analysis Report +

+ +
+ + + + Open ANY.RUN Sandbox + +
+
+ +
+
+
+

+ + Verdict: {{ content.verdict || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+ +
+
MITRE ATT&CK
+ + {{ m.trim() }} + +
+
+
+ +
+
+ Main Object: {{ content.mainObject.type }} +
+
+ +
+
+ URL: +
+
+ {{ content.mainObject.url }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.mainObject.hashes.sha256 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.mainObject.hashes.md5 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.mainObject.hashes.sha1 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.mainObject.hashes.ssdeep }} +
+
+ +
+
+ +

Execution Activity

+
+
+
+
+ +
Processes
+
+
+
+ Total: {{ content.counters.processes.total || 0 }} +
+
+ Monitored: {{ content.counters.processes.monitored || 0 }} +
+
+ Suspicious: {{ content.counters.processes.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.processes.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Network
+
+
+
+ Connections: {{ content.counters.network.connections || 0 }} +
+
+ HTTP Reqs: {{ content.counters.network.http || 0 }} +
+
+ DNS Reqs: {{ content.counters.network.dns || 0 }} +
+
+ Threats: {{ content.counters.network.threats || 0 }} +
+
+
+
+ +
+
+
+ +
Files
+
+
+
+ Text: {{ content.counters.files.text || 0 }} +
+
+ Unknown: {{ content.counters.files.unknown || 0 }} +
+
+ Suspicious: {{ content.counters.files.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.files.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Registry
+
+
+
+ Total Events: {{ content.counters.registry.total || 0 }} +
+
+ Read: {{ content.counters.registry.read || 0 }} +
+
+ Write: {{ content.counters.registry.write || 0 }} +
+
+ Delete: {{ content.counters.registry.delete || 0 }} +
+
+
+
+
+ +

Related Entities

+
+
+
+
+
Domains
+ + {{ dom.trim() }} + +
+
+
IP Addresses
+ + {{ ip.trim() }} + +
+
+
URLs
+ + {{ url.trim() }} + +
+
+
+
+ +
diff --git a/thehive-templates/AnyRun_Sandbox_File_Windows_1_0/long.html b/thehive-templates/AnyRun_Sandbox_File_Windows_1_0/long.html new file mode 100644 index 000000000..363a0e494 --- /dev/null +++ b/thehive-templates/AnyRun_Sandbox_File_Windows_1_0/long.html @@ -0,0 +1,236 @@ +
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Sandbox Analysis Report +

+ +
+ + + + Open ANY.RUN Sandbox + +
+
+ +
+
+
+

+ + Verdict: {{ content.verdict || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+ +
+
MITRE ATT&CK
+ + {{ m.trim() }} + +
+
+
+ +
+
+ Main Object: {{ content.mainObject.type }} +
+
+ +
+
+ URL: +
+
+ {{ content.mainObject.url }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.mainObject.hashes.sha256 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.mainObject.hashes.md5 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.mainObject.hashes.sha1 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.mainObject.hashes.ssdeep }} +
+
+ +
+
+ +

Execution Activity

+
+
+
+
+ +
Processes
+
+
+
+ Total: {{ content.counters.processes.total || 0 }} +
+
+ Monitored: {{ content.counters.processes.monitored || 0 }} +
+
+ Suspicious: {{ content.counters.processes.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.processes.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Network
+
+
+
+ Connections: {{ content.counters.network.connections || 0 }} +
+
+ HTTP Reqs: {{ content.counters.network.http || 0 }} +
+
+ DNS Reqs: {{ content.counters.network.dns || 0 }} +
+
+ Threats: {{ content.counters.network.threats || 0 }} +
+
+
+
+ +
+
+
+ +
Files
+
+
+
+ Text: {{ content.counters.files.text || 0 }} +
+
+ Unknown: {{ content.counters.files.unknown || 0 }} +
+
+ Suspicious: {{ content.counters.files.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.files.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Registry
+
+
+
+ Total Events: {{ content.counters.registry.total || 0 }} +
+
+ Read: {{ content.counters.registry.read || 0 }} +
+
+ Write: {{ content.counters.registry.write || 0 }} +
+
+ Delete: {{ content.counters.registry.delete || 0 }} +
+
+
+
+
+ +

Related Entities

+
+
+
+
+
Domains
+ + {{ dom.trim() }} + +
+
+
IP Addresses
+ + {{ ip.trim() }} + +
+
+
URLs
+ + {{ url.trim() }} + +
+
+
+
+ +
diff --git a/thehive-templates/AnyRun_Sandbox_URL_Android_1_0/long.html b/thehive-templates/AnyRun_Sandbox_URL_Android_1_0/long.html new file mode 100644 index 000000000..363a0e494 --- /dev/null +++ b/thehive-templates/AnyRun_Sandbox_URL_Android_1_0/long.html @@ -0,0 +1,236 @@ +
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Sandbox Analysis Report +

+ +
+ + + + Open ANY.RUN Sandbox + +
+
+ +
+
+
+

+ + Verdict: {{ content.verdict || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+ +
+
MITRE ATT&CK
+ + {{ m.trim() }} + +
+
+
+ +
+
+ Main Object: {{ content.mainObject.type }} +
+
+ +
+
+ URL: +
+
+ {{ content.mainObject.url }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.mainObject.hashes.sha256 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.mainObject.hashes.md5 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.mainObject.hashes.sha1 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.mainObject.hashes.ssdeep }} +
+
+ +
+
+ +

Execution Activity

+
+
+
+
+ +
Processes
+
+
+
+ Total: {{ content.counters.processes.total || 0 }} +
+
+ Monitored: {{ content.counters.processes.monitored || 0 }} +
+
+ Suspicious: {{ content.counters.processes.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.processes.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Network
+
+
+
+ Connections: {{ content.counters.network.connections || 0 }} +
+
+ HTTP Reqs: {{ content.counters.network.http || 0 }} +
+
+ DNS Reqs: {{ content.counters.network.dns || 0 }} +
+
+ Threats: {{ content.counters.network.threats || 0 }} +
+
+
+
+ +
+
+
+ +
Files
+
+
+
+ Text: {{ content.counters.files.text || 0 }} +
+
+ Unknown: {{ content.counters.files.unknown || 0 }} +
+
+ Suspicious: {{ content.counters.files.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.files.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Registry
+
+
+
+ Total Events: {{ content.counters.registry.total || 0 }} +
+
+ Read: {{ content.counters.registry.read || 0 }} +
+
+ Write: {{ content.counters.registry.write || 0 }} +
+
+ Delete: {{ content.counters.registry.delete || 0 }} +
+
+
+
+
+ +

Related Entities

+
+
+
+
+
Domains
+ + {{ dom.trim() }} + +
+
+
IP Addresses
+ + {{ ip.trim() }} + +
+
+
URLs
+ + {{ url.trim() }} + +
+
+
+
+ +
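Review bot: The Registry counters panel (`content.counters.registry.total/read/write/delete` under the "Registry" heading) is rendered in this Android URL template and, because the Linux and Windows URL templates added in this commit are the same blob (index 363a0e494), in those as well; registry events are a Windows concept, so on Android and Linux the panel would presumably always show the `|| 0` fallbacks and an analyst could read "no registry activity" as a finding rather than as a not-applicable field. If these are AngularJS templates, as the `{{ … || 0 }}` interpolation suggests, wrapping the panel in `ng-if="content.counters.registry"` (or dropping it from the non-Windows copies) would keep it from appearing when the report carries no registry counters. Since the three files are byte-identical, a header comment such as `<!-- Keep in sync with AnyRun_Sandbox_URL_Linux_1_0/long.html and AnyRun_Sandbox_URL_Windows_1_0/long.html -->` would help keep them from drifting. The markup is not visible in this view, so I cannot confirm that the hash, domain, IP and URL values are bound with plain interpolation (HTML-escaped) rather than `ng-bind-html`; only the escaped binding is appropriate for values that originate from a submitted URL and a third-party sandbox report.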
diff --git a/thehive-templates/AnyRun_Sandbox_URL_Linux_1_0/long.html b/thehive-templates/AnyRun_Sandbox_URL_Linux_1_0/long.html
new file mode 100644
index 000000000..363a0e494
--- /dev/null
+++ b/thehive-templates/AnyRun_Sandbox_URL_Linux_1_0/long.html
@@ -0,0 +1,236 @@
+
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Sandbox Analysis Report +

+ +
+ + + + Open ANY.RUN Sandbox + +
+
+ +
+
+
+

+ + Verdict: {{ content.verdict || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+ +
+
MITRE ATT&CK
+ + {{ m.trim() }} + +
+
+
+ +
+
+ Main Object: {{ content.mainObject.type }} +
+
+ +
+
+ URL: +
+
+ {{ content.mainObject.url }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.mainObject.hashes.sha256 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.mainObject.hashes.md5 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.mainObject.hashes.sha1 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.mainObject.hashes.ssdeep }} +
+
+ +
+
+ +

Execution Activity

+
+
+
+
+ +
Processes
+
+
+
+ Total: {{ content.counters.processes.total || 0 }} +
+
+ Monitored: {{ content.counters.processes.monitored || 0 }} +
+
+ Suspicious: {{ content.counters.processes.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.processes.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Network
+
+
+
+ Connections: {{ content.counters.network.connections || 0 }} +
+
+ HTTP Reqs: {{ content.counters.network.http || 0 }} +
+
+ DNS Reqs: {{ content.counters.network.dns || 0 }} +
+
+ Threats: {{ content.counters.network.threats || 0 }} +
+
+
+
+ +
+
+
+ +
Files
+
+
+
+ Text: {{ content.counters.files.text || 0 }} +
+
+ Unknown: {{ content.counters.files.unknown || 0 }} +
+
+ Suspicious: {{ content.counters.files.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.files.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Registry
+
+
+
+ Total Events: {{ content.counters.registry.total || 0 }} +
+
+ Read: {{ content.counters.registry.read || 0 }} +
+
+ Write: {{ content.counters.registry.write || 0 }} +
+
+ Delete: {{ content.counters.registry.delete || 0 }} +
+
+
+
+
+ +

Related Entities

+
+
+
+
+
Domains
+ + {{ dom.trim() }} + +
+
+
IP Addresses
+ + {{ ip.trim() }} + +
+
+
URLs
+ + {{ url.trim() }} + +
+
+
+
+ +
diff --git a/thehive-templates/AnyRun_Sandbox_URL_Windows_1_0/long.html b/thehive-templates/AnyRun_Sandbox_URL_Windows_1_0/long.html
new file mode 100644
index 000000000..363a0e494
--- /dev/null
+++ b/thehive-templates/AnyRun_Sandbox_URL_Windows_1_0/long.html
@@ -0,0 +1,236 @@
+
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Sandbox Analysis Report +

+ +
+ + + + Open ANY.RUN Sandbox + +
+
+ +
+
+
+

+ + Verdict: {{ content.verdict || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+ +
+
MITRE ATT&CK
+ + {{ m.trim() }} + +
+
+
+ +
+
+ Main Object: {{ content.mainObject.type }} +
+
+ +
+
+ URL: +
+
+ {{ content.mainObject.url }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.mainObject.hashes.sha256 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.mainObject.hashes.md5 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.mainObject.hashes.sha1 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.mainObject.hashes.ssdeep }} +
+
+ +
+
+ +

Execution Activity

+
+
+
+
+ +
Processes
+
+
+
+ Total: {{ content.counters.processes.total || 0 }} +
+
+ Monitored: {{ content.counters.processes.monitored || 0 }} +
+
+ Suspicious: {{ content.counters.processes.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.processes.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Network
+
+
+
+ Connections: {{ content.counters.network.connections || 0 }} +
+
+ HTTP Reqs: {{ content.counters.network.http || 0 }} +
+
+ DNS Reqs: {{ content.counters.network.dns || 0 }} +
+
+ Threats: {{ content.counters.network.threats || 0 }} +
+
+
+
+ +
+
+
+ +
Files
+
+
+
+ Text: {{ content.counters.files.text || 0 }} +
+
+ Unknown: {{ content.counters.files.unknown || 0 }} +
+
+ Suspicious: {{ content.counters.files.suspicious || 0 }} +
+
+ Malicious: {{ content.counters.files.malicious || 0 }} +
+
+
+
+ +
+
+
+ +
Registry
+
+
+
+ Total Events: {{ content.counters.registry.total || 0 }} +
+
+ Read: {{ content.counters.registry.read || 0 }} +
+
+ Write: {{ content.counters.registry.write || 0 }} +
+
+ Delete: {{ content.counters.registry.delete || 0 }} +
+
+
+
+
+ +

Related Entities

+
+
+
+
+
Domains
+ + {{ dom.trim() }} + +
+
+
IP Addresses
+ + {{ ip.trim() }} + +
+
+
URLs
+ + {{ url.trim() }} + +
+
+
+
+ +
diff --git a/thehive-templates/AnyRun_TI_Lookup_1_0/long.html b/thehive-templates/AnyRun_TI_Lookup_1_0/long.html
new file mode 100644
index 000000000..55e0a5107
--- /dev/null
+++ b/thehive-templates/AnyRun_TI_Lookup_1_0/long.html
@@ -0,0 +1,268 @@
+
+
+ {{ artifact.data }} +
+
+ Execution Error: {{ errorMessage }} +
+
+ +
+ +
+

+ + ANY.RUN Threat Intelligence Lookup +

+ +
+ + Open ANY.RUN TI Lookup + +
+
+ +
+
+
+

+ + Verdict: {{ content.treat_level || 'Unknown' }} +

+ +
+ + {{ t.trim() }} + +
+
+
+
+ +
+
+ Main Object +
+
+ +
+
+ Object: +
+
+ {{ content.detected_type }} +
+
+ +
+
+ Name: +
+
+ {{ content.filename }} +
+
+ +
+
+ Last Seen: +
+
+ {{ content.last_seen }} +
+
+ +
+
+ GEO: +
+
+ {{ content.geo }} +
+
+ +
+
+ ASN: +
+
+ {{ content.asn }} +
+
+ +
+ +
+
+ Path: +
+
+ {{ content.filepath }} +
+
+ +
+
+ SHA256: +
+
+ {{ content.sha256 }} +
+
+ +
+
+ SHA1: +
+
+ {{ content.sha1 }} +
+
+ +
+
+ MD5: +
+
+ {{ content.md5 }} +
+
+ +
+
+ SSDEEP: +
+
+ {{ content.ssdeep }} +
+
+
+
+ +

+ Risk score by industry +

+
+ + {{ ind.trim() }} + +
+ +

+ Intelligence Context +

+ +
+
+
+
+ Related URLs ({{ content.related_urls.length }}) +
+
+ + + + + + + + + + + + + + + + + + + +
URL Verdict Date Threat NameMalconf
{{ pU }} + Malicious + Suspicious + Info + {{ pD }} + {{ pN }}- + + Yes- +
+
+
+
+ +
+
+
+ Related IPs ({{ content.related_ips.length }}) +
+
+ + + + + + + + + + + + + + + + + + + +
IP Address Verdict Date Threat NameMalconf
{{ pI }} + Malicious + Suspicious + Info + {{ pD }} + {{ pN }}- + + Yes- +
+
+
+
+ +
+
+
+ Recent ANY.RUN Sandbox Analysis +
+ +
+
+
+