The three approaches analysts use to study malware — basic static, basic dynamic, and automated sandbox — each answering a progressively deeper question at a different depth.
⚡ Quick Bite · 30s
Three tiers of malware analysis — basic static, basic dynamic, and automated sandbox — building a robust detection pipeline.
Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.
There are three ways to study a malware sample, and each answers a different question at a different depth. Most investigations use them in sequence, stopping when the question at hand is answered.
| Approach | Question Answered | Execution | Key Tools |
|---|---|---|---|
| Basic Static | "What is this file?" | None | FLOSS, PEStudio, DIE, Capa |
| Basic Dynamic | "What does it do?" | Manual, isolated VM | Procmon, Wireshark, FakeNet-NG |
| Automated Sandbox | "What does it do at scale?" | Automated, instrumented VM | CAPE, Any.Run, Joe Sandbox |
Refer to REMA eBook 2026, Figure 1.6 for the three-approach overview diagram.
Static analysis examines the binary without executing it. Nothing runs. The analyst inspects the file's structure, metadata, and embedded strings on disk. It is the safest starting point for any investigation.
strings tool misses.If the binary is packed or encrypted, strings are gibberish, imports are stripped, and Capa cannot see past the packer stub. When static analysis hits a wall, move to dynamic.
Running the malware in a controlled, isolated environment and observing what it does at runtime. Unlike static analysis, dynamic analysis sees what the malware actually does, including behaviour hidden by packing or encryption.
Cardinal rule: Never run malware on your host machine. Never on a system connected to a production network. Never in a VM with shared folders or clipboard sharing enabled. Snapshot the VM before execution. Revert after every run.
| Dimension | Tools | What to Watch For |
|---|---|---|
| Process activity | Process Hacker, Process Explorer | Child processes (cmd.exe, powershell.exe), thread injection into explorer.exe, mutex creation |
| File and registry | Procmon, Regshot | Files dropped in %TEMP%, DLLs in System32, Run keys for persistence, ransom notes |
| Network traffic | Wireshark, FakeNet-NG | DNS queries to suspicious domains, HTTP POST exfiltration, TOR traffic, C2 beaconing |
Detonate a Ryuk sample in an isolated VM with Procmon, Regshot, and FakeNet-NG running:
cmd.exe /c vssadmin delete shadows /all /quiet within the first ten seconds — confirms ransomware immediately.Run key pointing to the dropped payload in %APPDATA%..ryuk extension appending and a RyukReadMe.html note in every affected directory.Total time: under five minutes.
Manual dynamic analysis is thorough but slow. Automated sandboxes handle the volume problem: a SOC processing 500 alerts per day cannot manually detonate each one.
| Sandbox | Type | Capability |
|---|---|---|
| Cuckoo / CAPE | Open-source | VM-based execution, API hooking, PCAP capture, JSON/HTML report. CAPE adds automatic payload extraction. |
| Any.Run | Cloud | Interactive: the analyst controls the VM through a browser in real time. |
| Joe Sandbox | Commercial | Deep behavioural analysis, evasion detection, automated MITRE ATT&CK mapping. |
| Hybrid Analysis | Free online | CrowdStrike Falcon engine. Good for quick triage. |
Malware that sleeps for ten minutes before executing will outlast the sandbox timeout. Malware that checks for VMware MAC addresses, low RAM, or the CPUID hypervisor bit will detect the sandbox and refuse to detonate. These evasion techniques and their bypasses are covered in Unit 6.
| Basic Static | Basic Dynamic | Automated Sandbox | |
|---|---|---|---|
| Time per sample | 5–15 min | 15–60 min | 2–5 min |
| Sees past packing | No | Yes | Yes |
| Handles volume | Moderate | Low | High |
| Blind spot | Packed/encrypted | Time-bombs, env checks | VM-aware evasion |
The three approaches form a sequential pipeline. A known Emotet dropper with 60/70 VirusTotal detections can be blocked at stage 1. A novel, packed, evasive implant requires all four stages spread across days of work.
Static Triage → Dynamic Analysis → Code Analysis → Report & Defend
"What is it?" "What does it do?" "How does it "How do we
work?" stop it?"
Sign in to mark this article as read and track your progress.