Reverse Engineering ANY.RUN Sandbox



Threat actors continue their own research and development, constantly finding unique and novel ways to bypass sandbox environments.

I recently wrote an article about reversing a sample that can detect the Any.Run sandbox by interacting with specific drivers, in particular a3E64E55_fl.sys. I'm often curious about how we can observe such behavior ourselves.

Since most sandboxes interact with Ring 0 (kernel mode) rather than user mode, we need a more advanced toolkit to analyze them properly. Tools like PC Hunter, PowerTool, and Windows Kernel Explorer are particularly useful for this purpose.

In this article, I'll be using Windows Kernel Explorer, which is an excellent tool for inspecting kernel-level components. You can find the screenshot below.


It's actually quite easy to query and identify the manufacturer, hard drives, RAM size, etc. However, I want to take a deeper dive into the subject.


There's a suspicious red process at C:\ProgramFiles\KernelLogger, but we can't access it because it's protected by the kernel itself. Next, I right-clicked on the red process and selected "View Handles" to inspect the system drivers. Interestingly, I found a driver that matches Any.Run's a3E64E55_fl.sys. You can see the results in the screenshot below:



You can also export the items as .txt files to have a more detailed view, as shown in the screenshot below:

To further confirm that this .sys file is related to Any.Run, you can dump it. The file is located in C:\Windows\System32\drivers\. Simply copy the file and transfer it to your analysis lab, then load it into IDA for reverse engineering. You can see the results below:


An important point to note: the driver A3E64E55_fl does not appear in the output of the driverquery /v command, so it cannot be found that way, as shown in the screenshot below:




Although the driverquery /v command does not reveal the presence of the A3E64E55_fl.sys file, you can still search for it manually with the command dir /s /b C:\*.sys | findstr "A3E64E55". This command recursively lists every .sys file on the C: drive and filters the results for paths containing the specified string. Using this method, you can locate the hidden driver even though it is missing from the driver list, as demonstrated in the screenshot below.
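The discrepancy above (a .sys file on disk that driverquery /v does not list) is exactly the kind of signal a defender hunting for drivers hidden from enumeration wants flagged automatically. The following is an added example, not code from the original article or from Any.Run: it parses the CSV form of the driver list (driverquery /v /fo csv, whose "Module Name" and "Path" columns are assumed here) and a dir /s /b listing, and returns the .sys files that match no registered driver. Both sample inputs are constructed.

```python
import csv
import io
import ntpath

# Constructed sample of `driverquery /v /fo csv` output (only the header and
# two rows; the real command emits one row per registered driver).
SAMPLE_DRIVERQUERY_CSV = r'''"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot","Running","OK","TRUE","FALSE","0","0","0","","C:\Windows\system32\drivers\ACPI.sys","0"
"afd","Ancillary Function Driver for Winsock","Ancillary Function Driver for Winsock","Kernel","System","Running","OK","TRUE","FALSE","0","0","0","","C:\Windows\system32\drivers\afd.sys","0"
'''

# Constructed sample of `dir /s /b C:\*.sys` output.
SAMPLE_DIR_LISTING = r'''C:\Windows\System32\drivers\ACPI.sys
C:\Windows\System32\drivers\afd.sys
C:\Windows\System32\drivers\A3E64E55_fl.sys
'''


def registered_modules(driverquery_csv):
    """Map lower-cased module name -> path column, from driverquery CSV output."""
    reader = csv.DictReader(io.StringIO(driverquery_csv))
    return {row["Module Name"].lower(): row.get("Path", "") for row in reader}


def on_disk_drivers(dir_listing):
    """Map lower-cased file stem -> full path, from `dir /s /b` output."""
    found = {}
    for line in dir_listing.splitlines():
        line = line.strip()
        if line.lower().endswith(".sys"):
            stem = ntpath.splitext(ntpath.basename(line))[0].lower()
            found[stem] = line
    return found


def unregistered_drivers(driverquery_csv, dir_listing):
    """Return on-disk .sys paths that match neither a module name nor a
    registered driver's path basename. Leftover files from uninstalled
    software also land here, so treat the result as a triage list, not a
    verdict; a file under System32\\drivers with no registration is still
    worth a closer look."""
    registered = registered_modules(driverquery_csv)
    registered_files = {ntpath.basename(p).lower() for p in registered.values() if p}
    return sorted(
        path for stem, path in on_disk_drivers(dir_listing).items()
        if stem not in registered
        and ntpath.basename(path).lower() not in registered_files
    )


if __name__ == "__main__":
    for path in unregistered_drivers(SAMPLE_DRIVERQUERY_CSV, SAMPLE_DIR_LISTING):
        print("not in driver list:", path)
```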




