How to Build a SandBox

Those readers who have children have already built a sandbox and watched its contents get tracked into the house.  What I will be describing is a different type of sandbox, which some have referred to as a “Cuckoo box.”  Before hunting malware, every researcher needs a system on which to analyze it. There are two ways to get one: build your own environment or use a third-party solution.  Here are some “easy” steps for creating a custom malware sandbox where you can perform a proper analysis without infecting your own computer, and then test and compare it against a ready-made service.

A sandbox lets you detect cyber threats and analyze them safely. All information remains secure, and a suspicious file cannot reach the host system.   You can monitor malware processes, identify their patterns and investigate their behavior. Before setting up a sandbox, you should have a clear goal of what you want to achieve with the lab.[1]

There are two ways to organize your working space for analysis:

  • Custom sandbox. Made from scratch by an analyst on their own, specifically for their needs.
  • A turnkey solution. A versatile service with a range of configurations to meet your demands.

The steps below are what you need to set up a secure environment for malware research:

1 — Install a virtual machine.  Malware should only run in a properly isolated environment so that the host operating system is not infected. A physically separate computer is best, but you can set up a virtual machine, or better several of them with different OS versions. There are a number of virtualization products on the market: VMware, Oracle VM VirtualBox, KVM, Microsoft Hyper-V, Parallels, or Xen.

2 — Check artifacts.  Modern malware is smart: it can tell whether it is running in a virtual machine. That is why it is essential to get rid of artifacts that reveal the hypervisor. Inspect the guest, remove whatever the detection checks look for, and repeat for anything else that gives the VM away.

3 — Use a Different Network.  Another precaution is to keep the sandbox on a separate network, so that other computers on your network cannot be infected. Get a VPN service and set it up correctly; you cannot let traffic leak from your real IP address.

4 — Assign a Realistic Amount of Resources.  The goal is to make the system look as authentic as possible so that a malicious program goes ahead and executes. Make sure that you assign a realistic amount of resources: more than 4 GB of RAM, a minimum of 4 cores, and 100 GB or more of disk space. That is the basic requirement for passing as a legitimate system. Keep in mind that malware checks the hardware configuration; if a virtual machine's name appears somewhere, the malicious object identifies it and stops working.
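Steps 2 and 4 describe checks a sample may run against the guest; before detonating anything, an analyst wants to run the same kind of check on their own sandbox. The following pre-flight audit is an added example, not code from the article or from any of the products it names. The thresholds are the article's (more than 4 GB RAM, at least 4 cores, 100 GB or more of disk); the keyword list, the hypervisor MAC prefix list and the stdlib-only fact collector are this example's own assumptions and should be extended for your lab.

```python
"""Pre-flight audit of a sandbox guest against steps 2 and 4: realistic
resources and no hypervisor artifacts in plain sight.

Added example, not code from the article. Thresholds follow the article;
the keyword list, MAC prefixes and fact collector are assumptions.
"""
import os
import platform
import shutil
import uuid
from dataclasses import dataclass, field

MIN_RAM_BYTES = 4 * 1024 ** 3      # article: "more than 4 GB of RAM"
MIN_CORES = 4                      # article: "a minimum of 4 cores"
MIN_DISK_BYTES = 100 * 1024 ** 3   # article: "100 GB or more"

# Substrings that betray a hypervisor when found in a hostname, username,
# volume label or device name (assumed list; extend for your lab).
VM_KEYWORDS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
               "hyper-v", "parallels", "sandbox")

# Publicly registered MAC OUI prefixes of common hypervisors (lower case).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",  # VMware
                   "08:00:27",                                      # VirtualBox
                   "52:54:00",                                      # QEMU/KVM
                   "00:15:5d")                                      # Hyper-V


@dataclass
class SystemFacts:
    ram_bytes: int
    cores: int
    disk_bytes: int
    mac: str
    strings: list = field(default_factory=list)  # hostname, user, labels ...


def audit(facts: SystemFacts) -> list:
    """Return one finding per failed check; an empty list means the guest passes."""
    findings = []
    if facts.ram_bytes <= MIN_RAM_BYTES:
        findings.append(f"RAM {facts.ram_bytes / 1024 ** 3:.1f} GB is not above 4 GB")
    if facts.cores < MIN_CORES:
        findings.append(f"only {facts.cores} CPU core(s), minimum is 4")
    if facts.disk_bytes < MIN_DISK_BYTES:
        findings.append(f"disk {facts.disk_bytes / 1024 ** 3:.0f} GB is below 100 GB")
    if facts.mac.lower().startswith(VM_MAC_PREFIXES):
        findings.append(f"MAC {facts.mac} carries a hypervisor OUI prefix")
    for text in facts.strings:
        hits = [k for k in VM_KEYWORDS if k in text.lower()]
        if hits:
            findings.append(f"{text!r} contains VM keyword(s) {hits}")
    return findings


def collect_live_facts() -> SystemFacts:
    """Best-effort, stdlib-only collection from the machine this runs on."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    try:
        ram = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        ram = 0  # os.sysconf is unavailable on Windows; plug in a WMI query there
    user = os.environ.get("USERNAME") or os.environ.get("USER") or ""
    return SystemFacts(ram_bytes=ram, cores=os.cpu_count() or 0,
                       disk_bytes=shutil.disk_usage(os.path.abspath(os.sep)).total,
                       mac=mac, strings=[platform.node(), user])


if __name__ == "__main__":
    for line in audit(collect_live_facts()) or ["no findings"]:
        print(line)
```

Run it inside the guest before the first detonation; every finding is something to fix in the VM configuration (more RAM or cores, a custom MAC, a renamed host or user) rather than something to ignore. Feed `audit()` extra strings such as volume labels or disk model names to widen the check.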

5 — Install Commonly used Software.  If you install Windows and leave it as is, a malicious object will realize that it is being analyzed.  Install a few applications, like Word, browsers, and other programs that users usually have.

6 — Open Several Files.  You will need to show that it is a real computer that belongs to someone. Open a few documents to accumulate logs and temp files; several types of viruses check for this. You can use Regshot or Process Monitor to log registry and file system changes. Note that malware can detect these programs while it is running.
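The registry and file system logging mentioned here is a before/after comparison: take a snapshot, run the sample, take another, and report what was added, removed or changed. The following is an added example of that differencing in the spirit of Regshot; it is not code from the article or from the Regshot project. `REG_BEFORE` and `REG_AFTER` are constructed sample snapshots with made-up paths, while `snapshot_tree()` hashes a real directory so content edits show up as modifications.

```python
"""Before/after snapshot differencing for registry or file-system state (step 6).
Added example, not code from the article or from Regshot. The registry
snapshots are constructed sample data; snapshot_tree() works on any real path.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Delta:
    added: dict      # key -> new value
    removed: dict    # key -> old value
    modified: dict   # key -> (old value, new value)

    def is_empty(self) -> bool:
        return not (self.added or self.removed or self.modified)


def diff_snapshots(before: dict, after: dict) -> Delta:
    """Compare two key->value mappings taken before and after running a sample."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k])
                for k in before.keys() & after.keys() if before[k] != after[k]}
    return Delta(added, removed, modified)


def snapshot_tree(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    snap[rel] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                snap[rel] = "<unreadable>"  # locked or vanished mid-walk
    return snap


def report(delta: Delta) -> list:
    """Regshot-style text lines, one per change, sorted for stable output."""
    lines = [f"+ {k} = {v}" for k, v in delta.added.items()]
    lines += [f"- {k} = {v}" for k, v in delta.removed.items()]
    lines += [f"~ {k}: {old} -> {new}" for k, (old, new) in delta.modified.items()]
    return sorted(lines)


# Constructed sample registry snapshots (key path -> value); paths are made up.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HIDDEN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
REG_BEFORE = {
    RUN_KEY + r"\OneDrive": r"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    HIDDEN_KEY: "2",
}
REG_AFTER = {
    RUN_KEY + r"\OneDrive": REG_BEFORE[RUN_KEY + r"\OneDrive"],
    RUN_KEY + r"\Updater": r"C:\Users\jsmith\AppData\Roaming\sample_persist.exe",  # constructed
    HIDDEN_KEY: "1",
}


def demo_file_change() -> Delta:
    """Snapshot a scratch directory, change one file and add another, diff again."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("before")
        before = snapshot_tree(root)
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("after")
        with open(os.path.join(root, "dropped.dat"), "wb") as fh:
            fh.write(b"\x00" * 16)
        return diff_snapshots(before, snapshot_tree(root))


if __name__ == "__main__":
    print("\n".join(report(diff_snapshots(REG_BEFORE, REG_AFTER))))
    print("\n".join(report(demo_file_change())))
```

A new `Run` value and a flipped Explorer setting are exactly the kind of change an analyst looks for in the registry delta; on the file side, hashing rather than timestamping means a sample that rewrites a file with the same size and mtime still shows as modified.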

7 — Imitate a Network Connection.  Some kinds of malware check whether they can connect to websites like Google. How do you trick a malicious program into thinking that it is online? Utilities like INetSim and FakeNet imitate a real Internet connection and let you intercept the requests the malware makes. Use them to examine the network protocol between the malicious object and its host server, but first find out what the analyzed sample connects to using Wireshark. It takes some effort to keep this tool hidden from the malware, so be careful.
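What INetSim and FakeNet do at their core is answer every request plausibly while recording it. The following is a minimal added example of that idea for HTTP; it is not INetSim or FakeNet code and is not from the article. It returns 200 OK with a small page to any GET, POST, PUT or HEAD and keeps its own request log. How traffic from the guest is steered to it (DNS, routing or firewall redirection) is outside this snippet; `run_demo()` simply exercises the sink with a constructed connectivity-style probe against the reserved `www.example.com` host name.

```python
"""Minimal 'fake internet' HTTP sink in the spirit of INetSim/FakeNet (step 7).
Added example; not INetSim, FakeNet or article code. Every request gets a
200 OK so a sample believes it is online, and each request is recorded.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

OK_PAGE = b"<html><body>OK</body></html>"


class SinkHandler(BaseHTTPRequestHandler):
    """Answers GET/POST/PUT/HEAD with 200 and logs the request on the server."""

    def _serve(self, with_body=True):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        self.server.requests.append({
            "method": self.command,
            "host": self.headers.get("Host"),
            "path": self.path,
            "user_agent": self.headers.get("User-Agent"),
            "body": body,
        })
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(OK_PAGE)))
        self.end_headers()
        if with_body:
            self.wfile.write(OK_PAGE)

    do_GET = do_POST = do_PUT = _serve

    def do_HEAD(self):
        self._serve(with_body=False)

    def log_message(self, fmt, *args):
        pass  # stay quiet on stderr; the structured log above is the record


class FakeInternet(HTTPServer):
    def __init__(self, address=("127.0.0.1", 0)):
        super().__init__(address, SinkHandler)
        self.requests = []

    def start(self) -> int:
        """Serve on a background thread and return the bound port."""
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[1]


def run_demo() -> tuple:
    """Start a sink, send one constructed connectivity probe, return (status, log)."""
    sink = FakeInternet()
    port = sink.start()
    try:
        conn = HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", "/connecttest.txt",
                     headers={"Host": "www.example.com",
                              "User-Agent": "Mozilla/5.0 (constructed probe)"})
        status = conn.getresponse().status
        conn.close()
        return status, list(sink.requests)
    finally:
        sink.shutdown()
        sink.server_close()


if __name__ == "__main__":
    status, log = run_demo()
    print(status, log)
```

The logged `Host` header is the useful part: with DNS pointed at the sink, every name a sample resolves and contacts ends up in that log, which is the list of domains to examine further in Wireshark. Real tools add HTTPS with a local CA, DNS, SMTP and other services on top of this same pattern.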

8 — Install Analysis Tools.  Prepare the tools you plan to use for analysis and make sure you know how to use them. You can go with the FLARE VM toolset or use these programs:

  • Debuggers: x64dbg investigates malicious code by executing it.
  • Disassemblers: Ghidra makes reverse engineering easier, with access to the decompiler's output. It also can be used as a debugger.
  • Traffic analyzers: Wireshark checks network communication that malware requests.
  • File analyzers: Process Monitor and ProcDOT monitor how processes interact with files.
  • Process monitors: Process Explorer and Process Hacker help you watch malware behavior.

9 — Update your System to the Latest Version.  Your system and all software should be up to date. Filter out the routine Windows changes, which happen quite often. However, your experiment may require a different version, for example to see how malware exploits a particular OS flaw; in that scenario, choose and set up the necessary version.

10 — Turn off Windows Defender and Windows Firewall.  Disable protections like Windows Defender; if you are working with malware, it can trip the antivirus.

11 — Prepare the Files for Analysis.  Create a shared folder and select the directory you need.  Take a snapshot so you can roll the VM back to a known state in case of an error.

If you complete all these steps, you are ready to start the analysis.

All these steps take time and preparation.  There is a chance that your sandbox will not be secure enough, invisible to malware, or able to provide the necessary information.  It is recommended that you test your results against a commercial service to ensure that your system is working, and compare your results with those of fellow researchers.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings