{"id":7179,"date":"2024-02-29T06:56:11","date_gmt":"2024-02-29T06:56:11","guid":{"rendered":"\/cybersecurity-blog\/?p=7179"},"modified":"2025-06-30T14:00:56","modified_gmt":"2025-06-30T14:00:56","slug":"how-to-create-a-sandbox","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/","title":{"rendered":"How to Create a Sandbox Environment (for Malware Analysis)\u00a0"},"content":{"rendered":"\n<p>Working with malware is quite similar to analyzing dangerous pathogens \u2014 without proper security measures, your sample could escape and cause a potentially harmful infection. That&#8217;s why malware hunters utilize sandboxes \u2014 isolated environments where you can safely work with malware. Today, we&#8217;ll guide you through all the steps of creating a malware sandbox.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-1024x567.png\" alt=\"\" class=\"wp-image-7180\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-2048x1133.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-min-1-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN is a cloud 
interactive malware sandbox&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>(Spoiler: you can use <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=howtocreateasandbox&amp;utm_content=linktolanding&amp;utm_term=290224\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> to replace a local setup in 95% of cases)&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why do you need a sandbox for malware research?&nbsp;<\/h2>\n\n\n\n<p>The purpose of a sandbox is to execute malicious code and observe its behavior within a controlled environment. This is particularly important when dealing with zero-day exploits, where the malware&#8217;s impact and payload are unknown. The sandbox environment is designed to be isolated from the host system, to prevent any compromise of critical infrastructure or even your personal computer.&nbsp;<\/p>\n\n\n\n<p>When creating a sandbox, there are two main approaches you can take:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Build a custom sandbox from scratch.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Use a turnkey solution.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Both options are valid. What\u2019s more, they can be utilized within the same research session for different purposes:&nbsp;<\/p>\n\n\n\n<p><strong>Custom sandbox: <\/strong>This approach allows you to bring your own tools into the environment, such as debuggers, disassemblers, and packet sniffers. However, setting up a custom sandbox requires a configuration process. You will need to create multiple VM instances with different operating systems: Windows 10 64-bit, Windows 10 32-bit, Windows 11, and so on. It takes a lot of time.&nbsp;<\/p>\n\n\n\n<p><strong>Turn-key solution: <\/strong>These come with all the necessary analysis tooling pre-installed and conveniently located in one place.
They make it extremely simple to launch new analysis sessions and change the OS configuration whenever needed and then \u2014 collect IOCs that the malware left behind during execution.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-1024x565.png\" alt=\"\" class=\"wp-image-7181\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-2048x1130.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/2-7-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/app.any.run\/#register\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=howtocreateasandbox&amp;utm_content=linktoregistration&amp;utm_term=290224\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> is an example of a turnkey sandbox&nbsp;&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>For example, ANY.RUN (above) offers an interactive virtual machine that you can launch directly in the browser. 
The service comes with a powerful analysis toolkit; You can easily:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collect IOCs not only from the hard drive but also from memory dumps and encrypted communications between malware and its control server.&nbsp;<\/li>\n\n\n\n<li>See how malware behavior corresponds to known TTPs in the MITRE ATT&amp;CK Matrix.&nbsp;<\/li>\n\n\n\n<li>Launch an unlimited number of public analysis sessions (even with the free plan) and modify system configurations as needed. Private submissions are available with paid plans and their number is customizable based on your needs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The 3 levels of sandboxes&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s
take a step back from ready-made solutions; we\u2019ll circle back to them at the end of the article. When it comes to custom solutions, sandboxes can have different levels of isolation from the host and use different approaches to create a virtual environment.&nbsp;<\/p>\n\n\n\n<p>Here are the 2 common types of sandboxes:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Virtualization<\/strong>: In this approach, the sandbox creates a complete virtual replica of the underlying hardware, including the CPU, memory and storage. Examples include virtual machines managed by hypervisors like VMware or VirtualBox.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Containerization<\/strong>: Containers offer a lightweight alternative to full virtualization, where applications and their dependencies are packaged together and run in isolated environments called containers. Containers share the host system&#8217;s kernel, which results in less overhead compared to virtual machines. Popular containerization platforms include Docker and Kubernetes.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Virtualization is the simplest method when it comes to setup. But be careful; if configured incorrectly, it is easy to break the isolation between the host and the sandbox.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to build a custom malware sandbox?&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s go over all the steps you need to set up a basic environment for researching malware:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Install a virtual machine&nbsp;<\/h3>\n\n\n\n<p>Select virtualization software that provides full virtualization. Ideally, install it on a dedicated malware analysis computer. If that&#8217;s not possible, your main system will have to do. Consider using VMware, Oracle VM VirtualBox, KVM, Microsoft Hyper-V, or Parallels.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.
Allocate a realistic amount of resources&nbsp;<\/h3>\n\n\n\n<p>Modern malware is sophisticated. Some malware families run system checks to prevent execution within virtual machines. One way to get around this is adequate resource allocation: a minimum of 4 GB RAM, at least 2 CPU cores, and a storage capacity of 80 GB or more.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Populate the OS with software&nbsp;<\/h3>\n\n\n\n<p>If you load malware into a bare Windows installation, the sample might detect analysis and stop running. Even worse, it might pretend to be harmless, leading you to make the wrong assumption. The fix? Install a few applications like MS Word, Chrome, Adobe Acrobat, or any others.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Mimic user activity&nbsp;<\/h3>\n\n\n\n<p>We still haven\u2019t quite outsmarted the malware. Even though the computer looks &#8220;lived in\u201d now, it lacks usage history, and some malware samples will detect this from empty logs. Try creating, opening, saving, and deleting a few files to build logs and generate temp files. You could use Regshot or Process Monitor to log changes in the registry and file system. Just keep in mind that malware might detect these programs while running.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Imitate a network connection&nbsp;<\/h3>\n\n\n\n<p>Sometimes, malware families connect to legitimate websites like Google to probe for fake networks. Tools like INetSim and FakeNet mimic a real internet connection to catch the requests made by malware. You can also see what the analyzed sample is connecting to using WireShark.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Install analysis tools&nbsp;<\/h3>\n\n\n\n<p>At this stage, we&#8217;ve got a virtual machine set up realistically. However, if you&#8217;re not using Flare VM, it won&#8217;t come with the necessary tools for actual analysis. 
You&#8217;ll need to install your own.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Here are some popular analysis tools among reverse engineers:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Debuggers: x64dbg lets you see what malware <em>does <\/em>in the system when you don\u2019t have access to the source code.&nbsp;<\/li>\n\n\n\n<li>Disassemblers: Ghidra simplifies reverse engineering and offers decompiler output. It can also work as a debugger.&nbsp;<\/li>\n\n\n\n<li>Traffic analyzers: Wireshark tracks network communication requested by malware.&nbsp;<\/li>\n\n\n\n<li>File analyzers: Process Monitor and ProcDOT help you observe how processes interact with files.&nbsp;<\/li>\n\n\n\n<li>Process monitors: Process Explorer and Process Hacker keep an eye on malware activities.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>As you can see, there are quite a few tools required in a malware lab. The benefit is that each tool in this list is powerful, and mastering them fully enables efficient work. However, the drawback is that each tool has a unique interface and workflow, so there\u2019s quite a steep learning curve.&nbsp;<\/p>\n\n\n\n<p>This is where turn-key services like ANY.RUN offer an advantage.
They come pre-equipped with all the necessary functionality while also providing a consistent interface that you only need to learn once.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-1024x567.png\" alt=\"\" class=\"wp-image-7182\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-1536x851.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-2048x1134.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/3-4-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN\u2019s built-in script tracer helps better understand behavior of complex malware&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">7. 
If you\u2019re using Windows, disable Windows Defender and Windows Firewall&nbsp;<\/h3>\n\n\n\n<p>Antivirus software like Windows Defender can interfere with your analysis, so you might be better off disabling it inside the analysis VM.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Custom sandbox best practices&nbsp;<\/h2>\n\n\n\n<p>When you&#8217;re operating within a custom sandbox, particularly if it&#8217;s running on the same PC or laptop you use to access production resources (which is not recommended), there&#8217;s always a risk of malware escaping onto the host system. Usually, this happens due to human error. What if you accidentally load a file with malware into a VM instance with network access enabled because of unclear naming?&nbsp;<\/p>\n\n\n\n<p>Here are a few suggestions to make sure that this \u2014 and other dangerous scenarios \u2014 don\u2019t come true when working with a custom sandbox:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Use clear naming for the ISO file<\/strong>&nbsp;<\/h3>\n\n\n\n<p>If you are using one, make sure to give the ISO file a clear, descriptive name. This way, you&#8217;ll always remember that this installation contains malware, and you won\u2019t accidentally run it somewhere else.
A suggestion for naming could be something like &#8220;<em>malware_[some identifier]_[system name and version].iso<\/em>&#8220;.&nbsp;<\/p>\n\n\n\n<p>Apply the same naming strategy to the malware file, folders, etc.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Keep malware in a separate folder on the host<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Keep your malware samples in a separate folder on your host system. Just make sure the folder name is clear, like &#8220;sample001_shared&#8221;. This folder will be used for transferring samples into the virtual machine (VM).&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Don\u2019t allow anything other than zipped, password protected archives onto the host<\/strong>&nbsp;<\/h3>\n\n\n\n<p>This ensures that malware remains inactive within the archives and can&#8217;t accidentally be triggered.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Give the VM read-only permission for the shared folder<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Make sure to give your VM read-only permissions for the shared folder. This prevents malware from writing files onto your host system. Also, double-check that you\u2019ve restricted permissions to the shared folder only, minimizing malware&#8217;s potential read access.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Check that the configuration works before adding malware<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Create a test file and see if you can read it from the VM. If you can \u2014 that\u2019s great. Now also try to write to the folder. If you can \u2014 abort immediately.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Snapshot the VM<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Use VM snapshots to save the current state of your VM. This way, you can always revert back to a safe state before executing any malware. 
It&#8217;s a handy feature for running tests or undoing any potential damage.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"560\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-1024x560.png\" alt=\"\" class=\"wp-image-7188\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-1024x560.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-300x164.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-768x420.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-1536x841.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-2048x1121.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-370x203.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/4-3-740x405.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Creating a new VM instance is easy in <a href=\"http:\/\/any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, and you can run as many as you want&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Is there a more efficient option for analyzing malware?&nbsp;<\/h2>\n\n\n\n<p>The short answer is yes. We&#8217;ve teased it throughout the article. It&#8217;s to utilize a turn-key analysis solution that provides all the necessary analysis tools and none of the security concerns mentioned earlier. 
One example of such a service is ANY.RUN.&nbsp;<\/p>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=howtocreateasandbox&amp;utm_content=linktolanding&amp;utm_term=290224\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> is an online malware analysis sandbox that you can use for detection, monitoring, and analyzing threats. It helps SOC and DFIR teams and 400,000 independent professionals to investigate incidents and streamline threat analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Advantages of ANY.RUN:<\/strong>&nbsp;<\/h2>\n\n\n\n<ul
class=\"wp-block-list\">\n<li><strong>Real-time results<\/strong>: It takes about 40s from file upload to malware detection, and ANY.RUN identifies many families automatically through YARA and Suricata rules.&nbsp;<\/li>\n\n\n\n<li><strong>Interactivity<\/strong>: Unlike many automated turn-key solutions, ANY.RUN is fully interactive (you can engage with the VM directly in the browser). This feature helps prevent zero-day exploits and sophisticated malware that evades signature-based detection.&nbsp;<\/li>\n\n\n\n<li><strong>Tailored for malware analysis<\/strong>: There are built-in network analysis tools, a debugger, a script tracer, and automatic config extraction from memory, among other useful tools.&nbsp;<\/li>\n\n\n\n<li><strong>Cost-savings<\/strong>: For businesses, ANY.RUN is more affordable to run than an on-premises solution because it doesn\u2019t need any setup or maintenance time from your DevOps team.&nbsp;<\/li>\n\n\n\n<li><strong>Efficient onboarding of new hires<\/strong>: ANY.RUN\u2019s intuitive interface means that even junior SOC analysts can quickly learn to analyze malware and extract IOCs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>ANY.RUN supports Windows, Linux, and Android operating systems, each equipped with a pre-installed software set and configured to simulate realistic behavior. This means you won\u2019t ever need to go through the hassle of generating logs or creating artificial user activity.\u00a0<\/p>\n\n\n\n<p>If this sounds like something that could benefit you or your team, be sure to give ANY.RUN a try. Best of all, its starter plan is completely free.
<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/#register\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=howtocreateasandbox&amp;utm_content=linktoregistration&amp;utm_term=290224\" target=\"_blank\" rel=\"noreferrer noopener\">Register now<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Working with malware is quite similar to analyzing dangerous pathogens \u2014 without proper security measures, your sample could escape and cause a potentially harmful infection. That&#8217;s why malware hunters utilize sandboxes \u2014 isolated environments where you can safely work with malware. Today, we&#8217;ll guide you through all the steps of creating a malware sandbox.&nbsp; (Spoiler: [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7184,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-7179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Create a Sandbox Environment (for Malware Analysis)\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Find out how to build a sandbox for safely working with malware and discover alternatives such as the ANY.RUN sandbox.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How to Create a Sandbox Environment (for Malware Analysis)\u00a0\",\"datePublished\":\"2024-02-29T06:56:11+00:00\",\"dateModified\":\"2025-06-30T14:00:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\"},\"wordCount\":1939,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\",\"name\":\"How to Create a Sandbox Environment (for Malware Analysis)\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-02-29T06:56:11+00:00\",\"dateModified\":\"2025-06-30T14:00:56+00:00\",\"description\":\"Find out how to build a sandbox for safely working with malware and discover alternatives such as the ANY.RUN 
sandbox.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-sandbox\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Create a Sandbox Environment (for Malware Analysis)\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7179"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7179"}],"version-history":[{"count":5,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7179\/revisions"}],"predecessor-version":[{"id":14509,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7179\/revisions\/14509"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7184"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}