Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe real-time execution behavior, interact with malware prompts, and capture process trees, network traffic, and system changes. Activates for requests involving interactive sandbox analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-dynamic-analysis-with-any-runExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-dynamic-analysis-with-any-run from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-dynamic-analysis-with-any-run. Access via /performing-dynamic-analysis-with-any-run in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-dynamic-analysis-with-any-run |
| description | 'Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe real-time execution behavior, interact with malware prompts, and capture process trees, network traffic, and system changes. Activates for requests involving interactive sandbox analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage. ' |
| domain | cybersecurity |
| subdomain | malware-analysis |
| tags | - malware - dynamic-analysis - sandbox - ANY.RUN - interactive-analysis |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - File Metadata Consistency Validation - Application Protocol Command Analysis - Identifier Analysis - Content Format Conversion - Message Analysis |
| nist_csf | - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 |
Do not use for highly sensitive samples that cannot be uploaded to cloud services; use an on-premises sandbox like Cuckoo instead.
Set up the ANY.RUN task with appropriate parameters:
ANY.RUN Task Configuration:
━━━━━━━━━━━━━━━━━━━━━━━━━━
OS Selection: Windows 10 x64 (recommended default)
Windows 7 x64 (for legacy malware)
Windows 11 x64 (for modern samples)
Execution Time: 60 seconds (default) / 120-300 for slow-acting malware
Network: Connected (captures real C2 traffic)
Residential Proxy (bypasses geo-blocking)
Privacy: Public (free tier) / Private (paid - not indexed)
MITM Proxy: Enable for HTTPS traffic decryption
Fake Net: Enable to simulate internet services if sample checks connectivity
API-based submission (paid tier):
# Submit file via ANY.RUN API
curl -X POST "https://api.any.run/v1/analysis" \
-H "Authorization: API-Key $ANYRUN_API_KEY" \
-F "[email protected]" \
-F "env_os=windows" \
-F "env_version=10" \
-F "env_bitness=64" \
-F "opt_timeout=120" \
-F "opt_network_connect=true" \
-F "opt_privacy_type=bylink"
# Check task status
curl "https://api.any.run/v1/analysis/$TASK_ID" \
-H "Authorization: API-Key $ANYRUN_API_KEY" | jq '.data.status'
Use the interactive session to trigger malware behavior:
Interactive Actions During Analysis:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Document Macros: Click "Enable Content" / "Enable Editing" when prompted
2. Installer Screens: Click through installation dialogs
3. UAC Prompts: Click "Yes" to allow elevation (observe privilege escalation)
4. Credential Harvests: Enter fake credentials to observe phishing behavior
5. Browser Redirects: Navigate to URLs if malware opens browser windows
6. File Dialogs: Select target files if malware presents file picker
7. Timeout Extension: Extend analysis time if malware has delayed execution
Review the complete process execution chain:
Process Tree Analysis Points:
━━━━━━━━━━━━━━━━━━━━━━━━━━━
Parent-Child Relationships:
- WINWORD.EXE -> cmd.exe -> powershell.exe (macro execution chain)
- explorer.exe -> suspect.exe -> svchost.exe (process injection)
Process Events to Note:
- Process creation with suspicious command-line arguments
- PowerShell with encoded commands (-enc / -encodedcommand)
- cmd.exe executing script files (.bat, .vbs, .js)
- Legitimate processes spawned from unusual parents
- Process termination (self-deletion behavior)
Examine DNS, HTTP/HTTPS, and TCP/UDP connections:
ANY.RUN Network Panel Analysis:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DNS Requests:
- Domain resolutions with threat intelligence tags
- Fast-flux or DGA domain patterns
- DNS over HTTPS (DoH) detection
HTTP/HTTPS Traffic (with MITM enabled):
- Full request/response bodies for HTTP
- Decrypted HTTPS traffic showing C2 commands
- Downloaded payloads and their content types
- POST data containing exfiltrated information
Connection Map:
- Geographic visualization of C2 server locations
- Connection timeline showing beacon patterns
- Suricata alerts triggered on network traffic
Extract indicators and map to known threats:
ANY.RUN IOC Categories:
━━━━━━━━━━━━━━━━━━━━━━
Files: Dropped files with hashes, YARA matches, VirusTotal results
Network: IPs, domains, URLs contacted during execution
Registry: Keys created/modified for persistence
Processes: Suspicious process names and command lines
Mutex: Named mutexes created (used for single-instance checking)
Signatures: Suricata rules triggered, behavioral signatures matched
MITRE ATT&CK Mapping:
- ANY.RUN automatically maps observed behaviors to ATT&CK techniques
- Review the ATT&CK matrix tab for technique coverage
- Export ATT&CK Navigator layer for reporting
Download comprehensive reports and artifacts:
# Download report via API
curl "https://api.any.run/v1/analysis/$TASK_ID/report" \
-H "Authorization: API-Key $ANYRUN_API_KEY" \
-o report.json
# Download PCAP
curl "https://api.any.run/v1/analysis/$TASK_ID/pcap" \
-H "Authorization: API-Key $ANYRUN_API_KEY" \
-o capture.pcap
# Download dropped files
curl "https://api.any.run/v1/analysis/$TASK_ID/files" \
-H "Authorization: API-Key $ANYRUN_API_KEY" \
-o dropped_files.zip
# Available exports from ANY.RUN web interface:
# - HTML Report (shareable standalone page)
# - PCAP file (network traffic capture)
# - Process dump (memory dumps of processes)
# - Dropped files (all files created during execution)
# - MITRE ATT&CK Navigator JSON
# - IOC export (STIX/JSON/CSV format)
| Term | Definition |
|---|---|
| Interactive Sandbox | Analysis environment allowing real-time analyst interaction with the executing sample, enabling triggering of user-dependent behaviors |
| MITM Proxy | Man-in-the-middle TLS interception in ANY.RUN that decrypts HTTPS traffic for visibility into encrypted C2 communications |
| Residential Proxy | ANY.RUN feature routing malware traffic through residential IP addresses to bypass geo-IP and datacenter-IP evasion checks |
| Suricata Alerts | Network IDS signatures triggered during execution, providing immediate identification of known malicious traffic patterns |
| Process Tree | Hierarchical visualization of parent-child process relationships showing the complete execution chain from initial sample to final payloads |
| Behavioral Tags | ANY.RUN classification labels automatically applied based on observed behavior (e.g., "trojan", "stealer", "ransomware") |
Context: Phishing email contains a .docm file that requires clicking "Enable Content" to trigger the macro payload. Traditional non-interactive sandboxes fail to trigger the malicious behavior.
Approach:
Pitfalls:
ANY.RUN ANALYSIS REPORT
=========================
Task URL: https://app.any.run/tasks/<task_id>
Sample: invoice_q3.docm
SHA-256: e3b0c44298fc1c149afbf4c8996fb924...
Verdict: MALICIOUS (Score: 95/100)
Family: Emotet
Tags: [trojan, banker, spam, macro]
PROCESS TREE
WINWORD.EXE (PID: 2184)
└── cmd.exe (PID: 3456) "/c powershell -enc JABXAG..."
└── powershell.exe (PID: 4012)
└── rundll32.exe (PID: 4568) "C:\Users\...\payload.dll,Control_RunDLL"
NETWORK INDICATORS
DNS: update.emotet-c2[.]com -> 185.220.101.42
HTTPS: POST hxxps://185.220.101[.]42/wp-content/gate/ (C2 beacon)
HTTP: GET hxxp://compromised-site[.]com/invoice.dll (payload download)
SURICATA ALERTS
[1:2028401] ET MALWARE Emotet CnC Beacon
[1:2028402] ET MALWARE Win32/Emotet Activity
MITRE ATT&CK TECHNIQUES
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell
T1218.011 Rundll32 Execution
T1071.001 Application Layer Protocol: Web Protocols
DROPPED FILES
payload.dll SHA-256: abc123... Detection: 48/72 (VirusTotal)
config.dat SHA-256: def456... (encrypted configuration)
Get statistically sound analysis without PhD in statistics
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Prerequisites
Time Estimate
20-40 minutes to set up and run first analysis
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Keeps context tight: performing-dynamic-analysis-with-any-run is the kind of skill you can hand to a new teammate without a long onboarding doc.
performing-dynamic-analysis-with-any-run fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
performing-dynamic-analysis-with-any-run is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
performing-dynamic-analysis-with-any-run has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for performing-dynamic-analysis-with-any-run matched our evaluation — installs cleanly and behaves as described in the markdown.
We added performing-dynamic-analysis-with-any-run from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: performing-dynamic-analysis-with-any-run is focused, and the summary matches what you get after install.
performing-dynamic-analysis-with-any-run reduced setup friction for our internal harness; good balance of opinion and flexibility.
performing-dynamic-analysis-with-any-run is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
We added performing-dynamic-analysis-with-any-run from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 51