ANY.RUN
ANY.RUN is a cloud-based sandbox with interactive access.
Use Cases
- Submit a file, remote file, or URL to ANY.RUN for analysis.
- Retrieve report details for a given analysis task ID.
- View history of analysis tasks.
Configure ANYRUN on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for ANYRUN.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL
- Username
- Trust any certificate (not secure)
- Use system proxy
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Get analysis history
Gets the analysis history.
Base Command
anyrun-get-history
Input
| Argument Name | Description | Required |
|---|---|---|
| team | If true, gets team history. If empty, gets your submitted analyses history. | Optional |
| skip | The number of analyses to skip. | Optional |
| limit | Limits the history retrieved/searched to the specified number of executed analyses. The range is 1-100. | Optional |
| filter | File name, hash, or task ID by which to filter the task history. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ANYRUN.Task.Name | String | Task name. |
| ANYRUN.Task.Verdict | String | ANY.RUN verdict for the submitted file’s status. |
| ANYRUN.Task.Related | String | ANY.RUN link to a related file. |
| ANYRUN.Task.File | String | ANY.RUN link to download the submitted file. |
| ANYRUN.Task.Date | Date | The date that the file was submitted for analysis. |
| ANYRUN.Task.Hash.MD5 | String | MD5 hash of the submitted file. |
| ANYRUN.Task.Hash.SHA1 | String | SHA1 hash of the submitted file. |
| ANYRUN.Task.Hash.SHA256 | String | SHA256 hash of the submitted file. |
| ANYRUN.Task.Hash.HeadHash | String | Head hash of the submitted file. |
| ANYRUN.Task.Hash.SSDeep | String | SSDeep hash of the submitted file. |
Command Example
anyrun-get-history skip=0 team=false filter=scribbles2.txt.zip
Context Example
{
"ANYRUN.Task": [
{
"Hash": {
"HeadHash": "e61fcc6a06420106fa6642ef833b9c38",
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
},
"Name": "scribbles2.txt.zip",
"Related": "[https://app.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9](https://app.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9)",
"Verdict": "No threats detected",
"File": "https://content.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9/download/files/afca4a63-9fe0-461c-8e73-c8fd784cf90e",
"Date": "2019-04-24T07:13:06.087Z",
"ID": "892455a2-8c96-45fb-9f2a-18ca4ef184f9"
},
{
"Hash": {
"HeadHash": "e61fcc6a06420106fa6642ef833b9c38",
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
},
"Name": "scribbles2.txt.zip",
"Related": "[https://app.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef](https://app.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef)",
"Verdict": "No threats detected",
"File": "https://content.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef/download/files/227a7bd4-5baa-477b-b319-58d7619b79ef",
"Date": "2019-04-24T07:02:38.747Z",
"ID": "fe7c63ef-2b7f-4e70-b50c-996ae34b28ef"
},
{
"Hash": {
"HeadHash": "e61fcc6a06420106fa6642ef833b9c38",
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
},
"Name": "scribbles2.txt.zip",
"Related": "[https://app.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d](https://app.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d)",
"Verdict": "No threats detected",
"File": "https://content.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d/download/files/0c5c1527-b50b-483e-84e1-7b4b8f82d26b",
"Date": "2019-04-23T13:46:47.372Z",
"ID": "81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d"
},
{
"Hash": {
"HeadHash": "e61fcc6a06420106fa6642ef833b9c38",
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
},
"Name": "scribbles2.txt.zip",
"Related": "[https://app.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329](https://app.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329)",
"Verdict": "No threats detected",
"File": "https://content.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329/download/files/69dcf7f0-69c2-432e-8d30-3e2f630e0aae",
"Date": "2019-04-23T08:11:17.460Z",
"ID": "07d4d230-9638-4f04-a226-c7b18a81c329"
},
{
"Hash": {
"HeadHash": "e61fcc6a06420106fa6642ef833b9c38",
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
},
"Name": "scribbles2.txt.zip",
"Related": "[https://app.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d](https://app.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d)",
"Verdict": "No threats detected",
"File": "https://content.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d/download/files/a006642b-956b-4a9d-a72c-0affdd2dd6c8",
"Date": "2019-04-22T12:16:13.302Z",
"ID": "411fe6a6-ca36-4322-8f1d-f5ec67c6346d"
}
]
}
Human Readable Output
Task History - Filtered By “scribbles2.txt.zip”
| Name | ID | File | Hash | Verdict | Related | Date |
|---|---|---|---|---|---|---|
| scribbles2.txt.zip | 892455a2-8c96-45fb-9f2a-18ca4ef184f9 | https://content.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9/download/files/afca4a63-9fe0-461c-8e73-c8fd784cf90e |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9 | 2019-04-24T07:13:06.087Z |
| scribbles2.txt.zip | fe7c63ef-2b7f-4e70-b50c-996ae34b28ef | https://content.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef/download/files/227a7bd4-5baa-477b-b319-58d7619b79ef |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef | 2019-04-24T07:02:38.747Z |
| scribbles2.txt.zip | 81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d | https://content.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d/download/files/0c5c1527-b50b-483e-84e1-7b4b8f82d26b |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d | 2019-04-23T13:46:47.372Z |
| scribbles2.txt.zip | 07d4d230-9638-4f04-a226-c7b18a81c329 | https://content.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329/download/files/69dcf7f0-69c2-432e-8d30-3e2f630e0aae |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329 | 2019-04-23T08:11:17.460Z |
| scribbles2.txt.zip | 411fe6a6-ca36-4322-8f1d-f5ec67c6346d | https://content.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d/download/files/a006642b-956b-4a9d-a72c-0affdd2dd6c8 |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d | 2019-04-22T12:16:13.302Z |
2. Get a task report for a submission
Gets the report of a task created for a submitted file or URL.
Base Command
anyrun-get-report
Input
| Argument Name | Description | Required |
|---|---|---|
| task |
Unique task ID. A task ID is returned when submitting a file or URL for analysis using the
anyrun-run-analysis
command. Task IDs can also be located in the
ID
field of the output of executing the
anyrun-get-history
command.
|
Required |
Context Output
| Path | Type | Description |
|---|---|---|
| ANYRUN.Task.AnalysisDate | String | Date and time the analysis was executed. |
| ANYRUN.Task.Behavior.Category | String | Category of a process behavior. |
| ANYRUN.Task.Behavior.Action | String | Actions performed by a process. |
| ANYRUN.Task.Behavior.ThreatLevel | Number | Threat score associated with a process behavior. |
| ANYRUN.Task.Behavior.ProcessUUID | String | Unique ID of the process whose behaviors are being profiled. |
| ANYRUN.Task.Connection.Reputation | String | Connection reputation. |
| ANYRUN.Task.Connection.ProcessUUID | String | ID of the process that created the connection. |
| ANYRUN.Task.Connection.ASN | String | Connection autonomous system network. |
| ANYRUN.Task.Connection.Country | String | Connection country. |
| ANYRUN.Task.Connection.Protocol | String | Connection protocol. |
| ANYRUN.Task.Connection.Port | Number | Connection port number. |
| ANYRUN.Task.Connection.IP | String | Connection IP number. |
| ANYRUN.Task.DnsRequest.Reputation | String | Reputation of the DNS request. |
| ANYRUN.Task.DnsRequest.IP | Unknown | IP addresses associated with a DNS request. |
| ANYRUN.Task.DnsRequest.Domain | String | Domain resolution of a DNS request. |
| ANYRUN.Task.Threat.ProcessUUID | String | Unique process ID from where the threat originated. |
| ANYRUN.Task.Threat.Msg | String | Threat message. |
| ANYRUN.Task.Threat.Class | String | Class of the threat. |
| ANYRUN.Task.Threat.SrcPort | Number | Port on which the threat originated. |
| ANYRUN.Task.Threat.DstPort | Number | Destination port of the threat. |
| ANYRUN.Task.Threat.SrcIP | String | Source IP address where the threat originated. |
| ANYRUN.Task.Threat.DstIP | String | Destination IP address of the threat. |
| ANYRUN.Task.HttpRequest.Reputation | String | Reputation of the HTTP request. |
| ANYRUN.Task.HttpRequest.Country | String | HTTP request country. |
| ANYRUN.Task.HttpRequest.ProcessUUID | String | ID of the process making the HTTP request. |
| ANYRUN.Task.HttpRequest.Body | Unknown | HTTP request body parameters and details. |
| ANYRUN.Task.HttpRequest.HttpCode | Number | HTTP request response code. |
| ANYRUN.Task.HttpRequest.Status | String | Status of the HTTP request. |
| ANYRUN.Task.HttpRequest.ProxyDetected | Boolean | Whether the HTTP request was made through a proxy. |
| ANYRUN.Task.HttpRequest.Port | Number | HTTP request port. |
| ANYRUN.Task.HttpRequest.IP | String | HTTP request IP address. |
| ANYRUN.Task.HttpRequest.URL | String | HTTP request URL. |
| ANYRUN.Task.HttpRequest.Host | String | HTTP request host. |
| ANYRUN.Task.HttpRequest.Method | String | HTTP request method type. |
| ANYRUN.Task.FileInfo | String | Details of the submitted file. |
| ANYRUN.Task.OS | String | OS of the sandbox in which the file was analyzed. |
| ANYRUN.Task.ID | String | The unique ID of the task. |
| ANYRUN.Task.MIME | String | The MIME of the file submitted for analysis. |
| ANYRUN.Task.MD5 | String | The MD5 hash of the file submitted for analysis. |
| ANYRUN.Task.SHA1 | String | The SHA1 hash of the file submitted for analysis. |
| ANYRUN.Task.SHA256 | String | The SHA256 hash of the file submitted for analysis. |
| ANYRUN.Task.SSDeep | String | SSDeep hash of the file submitted for analysis. |
| ANYRUN.Task.Verdict | String | ANY.RUN verdict for the maliciousness of the submitted file or URL. |
| ANYRUN.Task.Process.FileName | String | File name of the process. |
| ANYRUN.Task.Process.PID | Number | Process identification number. |
| ANYRUN.Task.Process.PPID | Number | Parent process identification number. |
| ANYRUN.Task.Process.ProcessUUID | String | Unique process ID (used by ANY.RUN). |
| ANYRUN.Task.Process.CMD | String | Process command. |
| ANYRUN.Task.Process.Path | String | Path of the executed command. |
| ANYRUN.Task.Process.User | String | User who executed the command. |
| ANYRUN.Task.Process.IntegrityLevel | String | The process integrity level. |
| ANYRUN.Task.Process.ExitCode | Number | Process exit code. |
| ANYRUN.Task.Process.MainProcess | Boolean | Whether the process is the main process. |
| ANYRUN.Task.Process.Version.Company | String | Company responsible for the program executed. |
| ANYRUN.Task.Process.Version.Description | String | Description of the type of program. |
| ANYRUN.Task.Process.Version.Version | String | Version of the program executed. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | Type of indicator. |
| DBotScore.Vendor | String | Vendor used to calculate the score. |
| File.Extension | String | Extension of the file submitted for analysis. |
| File.Name | String | The name of the file submitted for analysis. |
| File.MD5 | String | MD5 hash of the file submitted for analysis. |
| File.SHA1 | String | SHA1 hash of the file submitted for analysis. |
| File.SHA256 | String | SHA256 hash of the file submitted for analysis. |
| File.SSDeep | String | SSDeep hash of the file submitted for analysis. |
| File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
| URL.Data | String | URL data. |
| URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | String | For malicious URLs, the reason that the vendor made the decision. |
| ANYRUN.Task.Status | String | Task analysis status. |
Command Example
anyrun-get-report task=fe7c63ef-2b7f-4e70-b50c-996ae34b28ef
Context Example
{
"ANYRUN.Task": {
"HttpRequest": [],
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"Status": "done",
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"Threat": [],
"Process": [
{
"CMD": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"C:\\Users\\admin\\AppData\\Local\\Temp\\scribbles2.txt.zip\"",
"IntegrityLevel": "MEDIUM",
"PID": 916,
"MainProcess": true,
"FileName": "WinRAR.exe",
"Version": {
"Company": "Alexander Roshal",
"Version": "5.60.0",
"Description": "WinRAR archiver"
},
"ProcessUUID": "8834c75a-ceba-4ae3-83e6-87b8b460ff82",
"User": "admin",
"Path": "C:\\Program Files\\WinRAR\\WinRAR.exe",
"PPID": 2044,
"ExitCode": null
}
],
"ID": "fe7c63ef-2b7f-4e70-b50c-996ae34b28ef",
"Connection": [],
"MIME": "application/zip",
"Behavior": [],
"Verdict": "No threats detected",
"FileInfo": "Zip archive data, at least v2.0 to extract",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"OS": "Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)",
"DnsRequest": [],
"AnalysisDate": "2019-04-24T07:02:38.747Z",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
},
"DBotScore": {
"Vendor": "ANYRUN",
"Indicator": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"Score": 1,
"Type": "hash"
},
"File": {
"SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2",
"Name": "scribbles2.txt.zip",
"Extension": "zip",
"SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9",
"SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1",
"MD5": "e61fcc6a06420106fa6642ef833b9c38"
}
}
Human Readable Output
Report for Task fe7c63ef-2b7f-4e70-b50c-996ae34b28ef
| OS | AnalysisDate | Verdict | MIME | FileInfo | Process | Status | MD5 | SHA1 | SHA256 | SSDeep |
|---|---|---|---|---|---|---|---|---|---|---|
| Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) | 2019-04-24T07:02:38.747Z | No threats detected | application/zip | Zip archive data, at least v2.0 to extract | FileName: WinRAR.exe, PID: 916, PPID: 2044, ProcessUUID: 8834c75a-ceba-4ae3-83e6-87b8b460ff82, CMD: \C:\Program Files\WinRAR\WinRAR.exe\ \C:\Users\admin\AppData\Local\Temp\scribbles2.txt.zip, Path: C:\Program Files\WinRAR\WinRAR.exe, User: admin, IntegrityLevel: MEDIUM, ExitCode: null, MainProcess: true, Version: {Company: Alexander Roshal, Description: WinRAR archiver, Version: 5.60.0 | done | e61fcc6a06420106fa6642ef833b9c38 | 475d7efc7983357e51ea780e350b0efe6a5ba2e2 | 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 | 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
3. Submit a file or URL for analysis
Submits a file or URL for analysis.
Base Command
anyrun-run-analysis
Input
| Argument Name | Description | Required |
|---|---|---|
| obj_type | Type of new task. | Optional |
| file | EntryID of the file to analyze. | Optional |
| obj_url | URL, used only if ‘obj_type’ command argument is ‘url’ or ‘download’. Permitted size is 5-512 characters long. | Optional |
| env_bitness | Bitness of OS. | Optional |
| env_version | Version of Windows OS. | Optional |
| env_type | Environment preset type. | Optional |
| opt_network_connect | Network connection state. | Optional |
| opt_kernel_heavyevasion | Heavy evasion option. | Optional |
| opt_privacy_type | Privacy settings for generated task. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| ANYRUN.Task.ID | String | ID of the task created to analyze the submission. |
Command Example
anyrun-run-analysis obj_type=file file=693@66884384-c643-4343-8cf7-26f59e62a88e env_bitness=64
Context Example
{
"ANYRUN.Task": {
"ID": "e04b401f-9396-4183-ad00-b6ed34c023e3"
}
}
Human Readable Output
Submission Successful
| Task |
|---|
| e04b401f-9396-4183-ad00-b6ed34c023e3 |