In ANY.RUN, we have proprietary mechanisms in place to keep malware from realizing it’s in a sandbox. We’re rolling out another feature to mask sandbox activity — Residential proxy (RP). Now, you’ll be able to allocate a home users’ IP address to your VMs, effectively erasing any traces that can hint at a sandbox environment from your network traffic.
Here’s what it means in practice:
- Understand malware behavior better: because malware won’t detect sandbox or data center’s IP, it willbehave normally, allowing for accurate analysis.
- Bypass geo-restrictions: emulate local users to analyze region-specific threats.
- Investigate C2 traffic without giving yourself away: your connection will mimic an infected user.
Residential proxy’s greatest power is in analysis of geo-targeted attacks — especially when dealing with phishing. In some phishing campaigns, users are rerouted to different pages based on their geographic location. And some attacks analyze if the traffic is coming from a hosting to detect sandboxes. But with our new feature, you can effectively sidestep these detection attempts.
Here’s how it all works in practice.