Malware checks if it is running on Any.Run to avoid analysis


Malware creators have begun checking whether their malware is being executed in the Any.Run malware analysis service, to prevent easy analysis of the malware by researchers.

Any.Run is a malware analysis sandbox service that allows researchers and users to safely analyze malware without compromising their own computers.

When an executable file is submitted to Any.Run, the sandbox service creates a Windows virtual machine with an interactive remote desktop and runs the submitted file inside it.

Researchers can use the interactive Windows desktop to see what behavior the malware exhibits, as Any.Run records the network activity, file activity and registry changes.

Malware starts checking if it is running on Any.Run

The security researcher JAMESWT discovered a new spam campaign in which malicious PowerShell scripts download and install malware on a computer.

During execution of the first script, two scripts containing malware are downloaded to the victim's computer.

The above script will decode the embedded malware and run it on the computer.

When the second script is executed, it starts the Azorult Trojan, which steals passwords.

If it detects that it is running on Any.Run, it displays the message "Deteceted!" and stops working. The malware therefore does not run, and the sandbox cannot analyze it.


Using this method, cybercriminals make it difficult for researchers to analyze attacks via Any.Run.

Of course, researchers can find other ways to analyze a particular piece of malware, but doing so will take more effort.

Security researchers increasingly rely on malware analysis platforms such as Any.Run, and this does not go unnoticed by malicious hackers. We should therefore expect them to find other ways to keep their software from being detected and analyzed.

Digital Fortress