Dynamic malware analysis tools are those that execute the malware in a controlled environment and monitor its actions. They can capture information such as the system calls, the network traffic, the file system changes, the registry changes, and the memory dumps of the malware. Dynamic malware analysis tools can be divided into two categories: emulators and sandboxes. Emulators simulate the hardware and software components of a target system, such as the CPU, the memory, the operating system, and the applications. Sandboxes isolate the malware from the rest of the system, using techniques such as virtualization, containerization, or application-level isolation. Some examples of dynamic malware analysis tools are QEMU, Cuckoo Sandbox, and Sysinternals Suite.
The main advantage of dynamic malware analysis tools is that they reveal the actual behavior of the malware, which may differ from what static analysis of its code suggests. They can also handle obfuscated or encrypted code, since it may be decrypted or deobfuscated at runtime, and they provide a more realistic and interactive analysis environment in which the analyst can modify the inputs, outputs, and parameters of the malware. However, dynamic malware analysis tools also have drawbacks. They are slower, riskier, and less reliable than static malware analysis tools: they can take a long time to execute the malware, expose the analyst's system to potential infection or damage, and trigger the malware's anti-analysis or anti-debugging mechanisms. They may also produce different results depending on the execution environment or the configuration of the malware.
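To make the monitoring idea from the first paragraph and the timeout problem from the second concrete, here is an added example (not code from the original text or from any of the tools it names): a minimal, diff-based behaviour monitor in the spirit of a sandbox run. It executes a sample inside a fresh scratch directory with a hard time budget, snapshots the directory before and after, and reports created, modified and deleted files together with the exit status. The "specimens" (`DROPPER_ARGV`, `STALLER_ARGV`) are constructed, harmless Python one-liners, and the only isolation here is the scratch directory; a real sandbox would run this inside a disposable VM and would also record system calls, network traffic and registry activity.

```python
"""Added, illustrative behaviour monitor (not from the original text).

Runs a sample inside a fresh scratch directory with a hard timeout, snapshots
the directory before and after, and reports created, modified and deleted
files together with the exit status. The only isolation is the scratch
directory; a real sandbox would run this inside a disposable VM.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


def snapshot(root: str) -> Dict[str, str]:
    """Map each file under root (relative path) to the SHA-256 of its content."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify file-system changes between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


@dataclass
class RunReport:
    exit_code: Optional[int]          # negative signal number on POSIX if killed
    timed_out: bool
    output: str                       # combined stdout/stderr of the sample
    fs_changes: Dict[str, List[str]]


def run_sample(argv: List[str], timeout_s: float = 5.0) -> RunReport:
    """Execute argv with the scratch directory as cwd and record its file-system effects."""
    with tempfile.TemporaryDirectory() as scratch:
        # Seed files so that 'modified' and 'deleted' are observable, not only 'created'.
        for name, content in (("seed.txt", "original\n"), ("victim.txt", "bait\n")):
            with open(os.path.join(scratch, name), "w") as fh:
                fh.write(content)
        before = snapshot(scratch)

        proc = subprocess.Popen(argv, cwd=scratch, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT, text=True)
        timed_out = False
        try:
            output, _ = proc.communicate(timeout=timeout_s)
        except subprocess.TimeoutExpired:
            # The sample outlived its budget: kill it and collect whatever it printed.
            proc.kill()
            output, _ = proc.communicate()
            timed_out = True

        after = snapshot(scratch)
    return RunReport(proc.returncode, timed_out, output or "", diff_snapshots(before, after))


# Constructed, harmless stand-ins for specimens (Python one-liners, not real malware).
DROPPER_ARGV = [sys.executable, "-c",
                "import os;"
                "open('dropped.bin', 'wb').write(b'A' * 16);"
                "open('seed.txt', 'w').write('changed');"
                "os.remove('victim.txt');"
                "print('dropper done')"]
STALLER_ARGV = [sys.executable, "-c", "import time; time.sleep(60)"]


def demo_dropper() -> RunReport:
    """Sample that drops a file, edits one seed file and deletes another."""
    return run_sample(DROPPER_ARGV)


def demo_staller() -> RunReport:
    """Sample that sleeps through its budget: the report records the timeout."""
    return run_sample(STALLER_ARGV, timeout_s=1.0)


if __name__ == "__main__":
    for report in (demo_dropper(), demo_staller()):
        print(report)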