A simple, terminal-based Python tool for observing the basic runtime behavior of a single executable — new processes, network connections, file creation, and (optionally) DNS requests — for educational and defensive security analysis.
Only run this tool, and any sample you analyze with it, inside an isolated, disposable virtual machine:
- Use a VM with no shared folders, no clipboard sharing, and ideally a host-only or fully isolated network (or no network at all, unless you specifically want to observe C2/network behavior in a controlled fake-internet setup like INetSim or a lab network).
- Take a VM snapshot before running any sample so you can revert cleanly afterward.
- Never run untrusted executables on your host machine or on a network you care about.
- This tool includes a best-effort check that warns you if the current system doesn't look like a recognized VM — but that check is a convenience reminder, not a security guarantee. You are responsible for verifying real isolation yourself.
This tool does not perform reverse engineering, does not use machine learning, and does not attempt to contain, sandbox, or restrict the sample's execution beyond what your VM environment provides — it is a monitoring/observation harness, not a containment mechanism.
- Prompts for the path to an executable
- Calculates and displays its SHA256 hash
- Takes a "before" snapshot of processes, network connections, and (optionally) a watched folder
- Runs the executable
- Monitors for a configurable duration (default 20 seconds)
- Diffs system state to show:
- New processes
- New network connections
- New files created in a watched folder
- DNS requests made during the run (optional, requires
scapy+ packet capture permissions; degrades gracefully if unavailable)
- Displays a summary with a simple heuristic risk rating
- Saves a timestamped text report to
reports/
Basic-Malware-Sandbox/
├── main.py # Starts the analysis (entry point)
├── monitor.py # Process, network, file, and DNS monitoring
├── hash.py # SHA256 calculation
├── runner.py # Executes the sample
├── utils.py # Helper functions
├── samples/ # Put test executables here
├── reports/ # Saved analysis reports land here
├── requirements.txt
└── README.md
Inside your isolated analysis VM:
pip install -r requirements.txtOptional extras (only if you want DNS monitoring):
pip install scapyDNS monitoring via scapy typically needs:
- Linux/macOS:
libpcap, and usually running as root (or grantingcap_net_rawto the Python interpreter) - Windows: Npcap installed, and running as Administrator
If scapy isn't installed or sniffing permissions aren't available,
the tool simply reports no DNS data instead of crashing.
python main.pyExample session:
========================================
Basic Malware Sandbox
========================================
Enter executable path:
samples/sample.exe
Calculating SHA256...
SHA256:
9c5f2f0a9b...
Folder to watch for new files (press Enter to skip):
/home/test/tmp
Monitoring duration in seconds (default 20):
20
Taking system snapshot...
Running sample...
Monitoring for 20 seconds...
----------------------------
New Processes
----------------------------
sample.exe
cmd.exe
----------------------------
Network Connections
----------------------------
142.250.xx.xx:443
----------------------------
Files Created
----------------------------
temp123.tmp
----------------------------
DNS Requests
----------------------------
(none observed / not available)
==========================
Analysis Summary
==========================
Processes Created : 2
Network Connections : 1
Files Created : 1
DNS Requests : 0
Risk Level : Medium
==========================
Report saved:
reports/report_001.txt
Analysis Complete.
This is intentionally a very simple heuristic — a rough talking point, not a verdict:
score = (new processes × 1) + (new connections × 2)
+ (new files × 1) + (dns requests × 2)
score == 0 -> Low
score in 1..5 -> Medium
score > 5 -> High
Feel free to tune the weights/thresholds in main.py (calculate_risk_level)
to fit your own analysis needs.
- This is a basic sandbox meant for learning and light defensive triage — it is not a substitute for tools like Cuckoo/CAPE Sandbox, a real EDR, or manual reverse engineering.
- Process/connection attribution is diff-based (before vs. after), so very short-lived processes or connections that start and close entirely within the monitoring window between polls may still be missed depending on timing.
- DNS monitoring is optional and best-effort; it requires extra packages and OS-level packet capture permissions.
- File monitoring here uses a simple directory listing diff. For more
robust, event-driven monitoring, wire in
watchdoginstead of pollingos.listdir().