EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationstatic-analysisdynamic-analysissandbox

Approaches to Malware Analysis

The three approaches analysts use to study malware — basic static, basic dynamic, and automated sandbox — each answering a progressively deeper question at a different depth.

Ashish Revar12 May 202615 min read2 views
Quick Bite

⚡ Quick Bite · 30s

Malware Analysis: Static, Dynamic & Sandbox

Three tiers of malware analysis — basic static, basic dynamic, and automated sandbox — building a robust detection pipeline.

Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Overview

There are three ways to study a malware sample, and each answers a different question at a different depth. Most investigations use them in sequence, stopping when the question at hand is answered.

ApproachQuestion AnsweredExecutionKey Tools
Basic Static"What is this file?"NoneFLOSS, PEStudio, DIE, Capa
Basic Dynamic"What does it do?"Manual, isolated VMProcmon, Wireshark, FakeNet-NG
Automated Sandbox"What does it do at scale?"Automated, instrumented VMCAPE, Any.Run, Joe Sandbox

Refer to REMA eBook 2026, Figure 1.6 for the three-approach overview diagram.

Basic Static Analysis

Static analysis examines the binary without executing it. Nothing runs. The analyst inspects the file's structure, metadata, and embedded strings on disk. It is the safest starting point for any investigation.

The six-step triage sequence

  1. Hash it — Compute MD5 and SHA-256. Query VirusTotal and MalwareBazaar. If the hash is already known with 55/70 detections, you have your answer in thirty seconds.
  2. Pull strings — Run FLOSS (Mandiant). Look for IP addresses, domain names, registry paths, file paths, ransom note text, debug strings. FLOSS decodes stack strings and tight XOR loops that the basic strings tool misses.
  3. Inspect the PE header — Use PEStudio or PE-Bear. Check the compilation timestamp, imported DLLs and API functions, section names, entropy values, and digital signature.
  4. Detect packers — Run Detect It Easy (DIE). If it identifies UPX, ASPack, or Themida, the binary must be unpacked before deeper analysis.
  5. Map capabilities — Run Capa (Mandiant). Instead of raw import names, Capa reports behavioural capabilities: "can delete shadow copies," "communicates via HTTP," "captures keystrokes."
  6. Match YARA rules — Scan against community and custom rules for known families (LockBit, Conti, Emotet).

Limitation

If the binary is packed or encrypted, strings are gibberish, imports are stripped, and Capa cannot see past the packer stub. When static analysis hits a wall, move to dynamic.

Basic Dynamic Analysis

Running the malware in a controlled, isolated environment and observing what it does at runtime. Unlike static analysis, dynamic analysis sees what the malware actually does, including behaviour hidden by packing or encryption.

Cardinal rule: Never run malware on your host machine. Never on a system connected to a production network. Never in a VM with shared folders or clipboard sharing enabled. Snapshot the VM before execution. Revert after every run.

Three monitoring dimensions

DimensionToolsWhat to Watch For
Process activityProcess Hacker, Process ExplorerChild processes (cmd.exe, powershell.exe), thread injection into explorer.exe, mutex creation
File and registryProcmon, RegshotFiles dropped in %TEMP%, DLLs in System32, Run keys for persistence, ransom notes
Network trafficWireshark, FakeNet-NGDNS queries to suspicious domains, HTTP POST exfiltration, TOR traffic, C2 beaconing

What five minutes of dynamic analysis reveals

Detonate a Ryuk sample in an isolated VM with Procmon, Regshot, and FakeNet-NG running:

  1. Procmon logs cmd.exe /c vssadmin delete shadows /all /quiet within the first ten seconds — confirms ransomware immediately.
  2. Regshot diff shows a new Run key pointing to the dropped payload in %APPDATA%.
  3. FakeNet-NG captures a DNS query for the C2 domain and an HTTP POST containing the per-machine AES key encrypted with the attacker's RSA public key.
  4. File system monitoring shows mass .ryuk extension appending and a RyukReadMe.html note in every affected directory.

Total time: under five minutes.

Automated Sandbox Analysis

Manual dynamic analysis is thorough but slow. Automated sandboxes handle the volume problem: a SOC processing 500 alerts per day cannot manually detonate each one.

SandboxTypeCapability
Cuckoo / CAPEOpen-sourceVM-based execution, API hooking, PCAP capture, JSON/HTML report. CAPE adds automatic payload extraction.
Any.RunCloudInteractive: the analyst controls the VM through a browser in real time.
Joe SandboxCommercialDeep behavioural analysis, evasion detection, automated MITRE ATT&CK mapping.
Hybrid AnalysisFree onlineCrowdStrike Falcon engine. Good for quick triage.

Sandbox blind spots

Malware that sleeps for ten minutes before executing will outlast the sandbox timeout. Malware that checks for VMware MAC addresses, low RAM, or the CPUID hypervisor bit will detect the sandbox and refuse to detonate. These evasion techniques and their bypasses are covered in Unit 6.

Comparing the Three Approaches

Basic StaticBasic DynamicAutomated Sandbox
Time per sample5–15 min15–60 min2–5 min
Sees past packingNoYesYes
Handles volumeModerateLowHigh
Blind spotPacked/encryptedTime-bombs, env checksVM-aware evasion

The Analysis Pipeline

The three approaches form a sequential pipeline. A known Emotet dropper with 60/70 VirusTotal detections can be blocked at stage 1. A novel, packed, evasive implant requires all four stages spread across days of work.

Static Triage → Dynamic Analysis → Code Analysis → Report & Defend
"What is it?"   "What does it do?"  "How does it   "How do we
                                     work?"          stop it?"

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Binary Physics of Memory Corruption

Two experts break down the foundations of malware analysis and reverse engineering — malware taxonomy, x86 architecture, memory layout, and stack manipulation — using simple, real-world analogies.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Any.Run — Interactive Malware Sandbox

Free interactive sandbox. Upload a sample and watch it execute in real time inside a browser-controlled VM.

tool
Hybrid Analysis — Free Malware Analysis

CrowdStrike-powered free sandbox for quick triage. Provides behavioural reports, network IOCs, and MITRE ATT&CK mapping.

tool
Capa — Mandiant Capability Detection Tool

Open-source tool that identifies capabilities in PE files without executing them. Maps findings to MITRE ATT&CK and MBC.

tool
More articlesTest your knowledge