A sandbox is an isolated virtual machine (VM) that executes suspicious files and records everything they do: file modifications, Registry changes, and network connections.

Anti-Sandbox Techniques

Malware is smart. It checks whether it is running in a sandbox:
- "Is the mouse moving?" (Sandboxes usually don't move the mouse).
- "Is the hard drive only 20GB?" (Real users have bigger drives).
If the malware detects a sandbox, it does nothing. It plays dead.

1. Cuckoo Sandbox

The open-source standard for automated malware analysis.
You can host it yourself.
It generates detailed reports: "This PDF tried to contact bad-hacker.com and dropped keylogger.exe".
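
Because malware that "plays dead" produces an almost empty report, a quiet run should be read as inconclusive rather than clean. The following is an added example, not part of the original page or of Cuckoo itself: it reduces a report to contacted domains and dropped files and flags suspiciously quiet runs. The report.json key layout, the antisandbox/antivm signature-name prefixes, and the MIN_CALLS threshold are assumptions, and both sample reports are constructed.

```python
import json

# Constructed sample reports. The key layout follows Cuckoo's report.json as
# assumed here; only the keys read below are present.
ACTIVE = json.loads("""{
  "target": {"file": {"name": "invoice.pdf"}},
  "network": {"domains": [{"domain": "bad-hacker.com", "ip": "203.0.113.7"}],
              "dns": [{"request": "bad-hacker.com"}]},
  "dropped": [{"name": "keylogger.exe"}],
  "signatures": [],
  "behavior": {"processes": [{"calls": [{}, {}, {}]}]}
}""")
QUIET = json.loads("""{
  "target": {"file": {"name": "report.doc"}},
  "network": {"domains": [], "dns": []},
  "dropped": [],
  "signatures": [{"name": "antisandbox_mouse_hook"}],
  "behavior": {"processes": [{"calls": [{}]}]}
}""")

MIN_CALLS = 2  # hypothetical threshold; tune to your own baseline


def summarize(report):
    """Reduce a report to contacted domains, dropped files and evasion hints."""
    net = report.get("network", {})
    domains = {d.get("domain") for d in net.get("domains", [])}
    domains |= {q.get("request") for q in net.get("dns", [])}
    domains.discard(None)
    dropped = {f.get("name") for f in report.get("dropped", [])} - {None}
    # Signature-name prefixes are an assumed naming convention.
    evasion = [s["name"] for s in report.get("signatures", [])
               if s.get("name", "").startswith(("antisandbox", "antivm"))]
    procs = report.get("behavior", {}).get("processes", [])
    calls = sum(len(p.get("calls", [])) for p in procs)
    # No network, no drops and almost no API calls: the sample may have
    # detected the sandbox, so the run proves nothing either way.
    quiet = not domains and not dropped and calls < MIN_CALLS
    return {
        "target": report.get("target", {}).get("file", {}).get("name", "<unknown>"),
        "domains": sorted(domains),
        "dropped": sorted(dropped),
        "evasion_signatures": evasion,
        "verdict": "inconclusive: rerun with user interaction"
                   if (quiet or evasion) else "activity observed",
    }
```

To use it on a real analysis, load the report with `json.load()` and pass the resulting dictionary to `summarize()`.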

2. Any.Run

An interactive online sandbox.
You can actually control the VM while the malware runs.
Useful for malware that requires user interaction (e.g., clicking "Enable Content" in Word).