Read as
Why this module exists. Dynamic analysis — executing the sample in a controlled environment and observing behaviour — surfaces evidence that static analysis cannot: actual network destinations, dropped files, registry changes, process trees. This module covers the sandbox landscape (Cuckoo, ANY.RUN, Joe Sandbox, in-house with Velociraptor) and how to read sandbox reports without being fooled by sandbox-evasion logic.
Why this module exists. Sandboxes are not magic — sophisticated malware checks for them and either does nothing or does something different. Reading a sandbox report intelligently means knowing what the malware probably hid, not just what it did.
The sandbox landscape
| Tool | Type | When to use |
|---|---|---|
| ANY.RUN | Interactive cloud | First pass; you can click through prompts in real time |
| Joe Sandbox / Hybrid Analysis | Automated cloud | Comprehensive automated reports |
| CAPE / Cuckoo | Self-hosted | Sensitive samples, customised environment |
| VMware / VirtualBox + Procmon + Wireshark | Bare-metal manual | Last resort for evasion-aware samples |
Worried about your exposure?
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.
Book exposure review
Replies in 4 working hrs · India-only · Senior consultants