Sandboxing turns an unknown binary into a behavioural fingerprint in 5-15 minutes. Done well, it produces YARA rules, Sigma rules, and a network-IOC pack the SOC can deploy by end-of-day. Done badly, it leaks the sample to a public service, telegraphs your investigation to the attacker, and burns the source-of-find. This whitepaper covers the discipline.

1. Public vs private sandbox — when to use which

Sandbox	Type	Use when…
VirusTotal Intelligence	Public	Initial triage; sample is already widely known
ANY.RUN	Public (interactive)	Lure-pretext follow-through where user-interaction matters; sample is public
Hybrid Analysis (CrowdStrike Falcon Sandbox)	Public	Detailed behaviour; sample already in TI feeds
Joe Sandbox	Private cloud / on-prem	Sample is sensitive; comprehensive report; commercial licence
Cuckoo / CAPE	Self-hosted	Operational secrecy; you control telemetry
Triage (recordedfuture)	Private cloud	High volume; good signature engine

The 'just paste it in VirusTotal' mistake.

If you upload a targeted-attack sample (especially one with low or zero VT detections) to a public sandbox, the actor is watching that VT account-id and will know you've found them within hours. Use self-hosted Cuckoo / CAPE for targeted-attack samples and reserve public services for already-widely-known families.

2. Sandbox preparation — environment that detects you isn't useful

Resolution: 1920×1080 (not the VM default 800×600)
Recent activity: open Office documents, simulate user history, populated recycle bin
Domain-joined or workgroup: choose what the family expects — many corp-targeted families only fire on domain-joined
Time zone + locale: match the target (IST for India-targeting samples; the malware may check)
MAC OUI prefix: not a virtualisation prefix (VMware, VirtualBox, KVM all have detectable OUIs)
WMI queries: spoof BIOS vendor, model, manufacturer if the sandbox tooling allows
Process list: at minimum no obvious sandbox processes (procmon, wireshark, etc.) running

3. What to capture

Process tree — every spawn including parent / commandline / image hash
File system writes — full path + final hash
Registry writes — key path + value type + value data
Network — DNS queries, IPs, full URLs, TLS SNI, raw payloads where in scope
Memory snapshot at peak-activity for later string-extraction
Mutex / pipe / event names — useful as family-IOC
Loaded modules — DLLs sideloaded or reflected
Persistence — autoruns, scheduled tasks, services, WMI subscriptions

4. Anti-analysis: what to expect

Modern malware almost always checks for sandbox indicators before executing the payload. Common checks: sleep / time-stomp loops, mouse-movement detection, hostname blacklist (SANDBOX, MALWARE, CUCKOO), specific process / DLL presence, parent-process verification, and CPU-core-count thresholds. Cuckoo and CAPE patch most of these by default; commercial sandboxes (Joe, Hybrid Analysis) do better; ANY.RUN's interactivity defeats some by letting you click through.

5. Converting sandbox output to deployable detections

From sandbox	To detection layer	Time
DNS / IP / URL	Network IDS + DNS firewall blocklist	< 1 hour
Process tree	Sigma rule (SIEM)	< 4 hours
File-system / Registry artifacts	EDR custom IOC rules	< 4 hours
String patterns in dropped payload	YARA rules (endpoint + retro-hunt)	< 1 day
Imphash / TLSH of dropped payload	EDR cluster + retro-hunt	< 1 day
MITRE ATT&CK techniques observed	Hunt query backlog	ongoing

6. Operational secrecy — protect your source-of-find

Do not upload to VT until you've decided source-of-find is OK to burn
Use a dedicated sandbox identity / VT account separate from your main TI account
Don't include client identifiers in sample filenames or metadata
Track who-told-whom in a closed-room CTI workflow (TheHive / Confluence-restricted)
Coordinate with affected client before public disclosure

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.