Researchers can use the interactive Windows desktop to see what behavior the malware exhibits, as Any.Run records network activity, file activity and registry changes.
The malware begins by checking whether it is running on Any.Run.
During the execution of the first script, two scripts containing malware are downloaded to the victim's computer.
The above script will decode the embedded malware and run it on the computer.
When the second script is executed, it starts the Azorult Trojan, which steals passwords.
If the malware detects that it is running on Any.Run, it displays the message "Any.run Deteceted!" and stops working. As a result, the malware does not run and the sandbox cannot analyze it.
Using this method, cybercriminals make it difficult for researchers to analyze attacks via Any.Run.
Of course, researchers can find other ways to analyze a particular piece of malware, but doing so takes more effort.
Security researchers increasingly rely on malware analysis platforms such as Any.Run, and this has not gone unnoticed by malicious hackers. We should therefore expect them to find other ways to keep their software from being detected and analyzed.