Agent mode gives the AI access to a suite of analysis tools that run inside isolated Firecracker microVMs. The agent autonomously selects and chains tools based on your questions and the sample type.
File Info
Extracts file metadata including hashes (MD5, SHA1, SHA256, ssdeep), entropy calculation, file size, and file type. This is typically the first tool the agent runs.
YARA Scan
Scans the sample against DECODA’s built-in YARA rulesets and any custom rules you’ve added. Rulesets cover malware families, packer signatures, ransomware indicators, and suspicious API patterns.
Strings Analysis
Extracts printable strings and automatically categorises them into types: URLs, IP addresses, file paths, registry keys, API function names, and more. Supports configurable minimum length.
Terminal Command
Executes shell commands inside the sandbox for ad-hoc analysis. Common commands like hexdump, objdump, readelf, and file are available.
Dangerous commands are blocked: rm -rf /, curl|sh, nc/netcat, sudo, chmod 777, and others. This is enforced at the sandbox level.
Commands run from /home/user/analysis, where the sample is always available at the fixed path /home/user/analysis/sample regardless of its original filename.
Python Code
Runs custom Python scripts with access to analysis libraries. Available packages include:
- pefile - PE header parsing
- lief - Multi-format binary parsing (PE, ELF, Mach-O)
- capstone - Disassembly framework
- yara - YARA rule matching (`import yara`)
- Crypto (PyCryptodome) - Cryptographic operations (`from Crypto.Cipher import AES`)
Network is disabled in the sandbox, and dangerous imports (subprocess, socket, requests, ctypes, and others) are blocked to maintain isolation.
The sample is always available at the fixed path /home/user/analysis/sample, regardless of the original filename, with /home/user/analysis as the working directory.
Example use cases:
- Custom decryption and deobfuscation routines
- Parsing proprietary configuration formats
- IOC correlation across multiple data sources
- Statistical analysis of binary sections (entropy, byte frequency)
- Ad-hoc YARA rule generation from findings
- Extracting embedded payloads or configs
| Tier | Executions/Session | Max Code Size | Timeout |
|---|---|---|---|
| Free | Not available | - | - |
| Pro | 10 | 10 KB | 60s |
| Max | 25 | 15 KB | 120s |
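As an added example (not DECODA's own code) of the "statistical analysis of binary sections" use case, this script runs a windowed entropy sweep over the sample at the fixed sandbox path using only the standard library, so it needs none of the blocked imports. The 7.2 threshold and the constructed fallback bytes are assumptions that also let it run outside the sandbox.

```python
import math
import os
from collections import Counter

SAMPLE_PATH = "/home/user/analysis/sample"  # fixed sandbox path from the docs
CHUNK = 1024                                 # window size for the sweep
PACKED_THRESHOLD = 7.2  # assumed cut-off; compressed/encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_sweep(data: bytes, chunk: int = CHUNK) -> list[tuple[int, float]]:
    """(offset, entropy) for each fixed-size window of the buffer."""
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]

def high_entropy_regions(data: bytes, threshold: float = PACKED_THRESHOLD) -> list[tuple[int, int]]:
    """Merge adjacent windows above the threshold into (start, end) byte ranges."""
    regions: list[tuple[int, int]] = []
    for off, ent in entropy_sweep(data):
        if ent < threshold:
            continue
        end = min(off + CHUNK, len(data))
        if regions and regions[-1][1] == off:       # extend the previous range
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions

def constructed_sample() -> bytes:
    """Constructed stand-in: a mostly-zero 'header' followed by a uniform-byte blob."""
    header = (b"MZ" + b"\x00" * 510 + b"This program cannot be run in DOS mode\r\n").ljust(2048, b"\x00")
    blob = bytes(range(256)) * 8  # 2048 bytes, every value equally frequent -> 8.0 bits
    return header + blob

def load_sample() -> bytes:
    # Inside the sandbox the real sample is read; elsewhere the constructed bytes are used.
    if os.path.exists(SAMPLE_PATH):
        with open(SAMPLE_PATH, "rb") as fh:
            return fh.read()
    return constructed_sample()

if __name__ == "__main__":
    data = load_sample()
    print(f"size={len(data)} overall entropy={shannon_entropy(data):.2f}")
    print("high-entropy regions:", [f"0x{s:x}-0x{e:x}" for s, e in high_entropy_regions(data)])
```

Contiguous high-entropy ranges are the same signal detect_packer and get_memory_map key on, and a region's offsets are a natural input to read_memory_region or search_bytes.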
Ghidra Scripts
23 pre-built Ghidra scripts for binary analysis, running on Ghidra 12.1.2 in headless mode. Available on Pro and Max tiers.
| Script | What It Does |
|---|---|
| decompile_function | Decompile a specific function by name or address to C-like pseudocode |
| decompile_all | Decompile up to N functions (default: 50), optionally filtering by minimum size |
| find_crypto | Detect cryptographic constants and algorithms (AES, RSA, DES, RC4, SHA, etc.) |
| extract_strings | Context-aware string extraction - shows where strings are referenced in code |
| analyze_imports | List imported functions with optional cross-references and suspicious-only filtering |
| detect_packer | Identify packers/protectors (UPX, Themida, VMProtect, MPRESS, etc.) via entropy and signatures |
| unpack_upx | Attempt UPX unpacking and output the decompressed binary |
| extract_resources | Extract embedded resources (icons, manifests, certificates, data blobs) |
| trace_calls | Trace function call chains from a starting point with configurable depth |
| find_interesting | Heuristic scan for suspicious patterns (anti-debug, injection, persistence, etc.) |
| get_functions | List all functions with size, address, and call count - sortable and filterable |
| generate_iocs | Extract IOCs directly from binary analysis with defanging and confidence filtering |
| get_memory_map | Show memory layout with section entropy and signature detection |
| search_bytes | Search for byte patterns across the binary with context display |
| get_xrefs | Get cross-references to/from a target address or function |
| analyze_control_flow | Generate control flow graphs for functions, showing branches, loops, and conditional paths |
| find_dead_code | Detect unreachable or dead code blocks that may indicate removed functionality or anti-analysis tricks |
| analyze_api_chains | Trace chains of API calls to identify multi-step behaviours (e.g., VirtualAlloc → WriteProcessMemory → CreateRemoteThread) |
| disassemble_at | Disassemble instructions at a specific address with configurable context window |
| read_memory_region | Read raw bytes from a memory region - useful for extracting embedded data or encoded payloads |
| go_binary_info | Extract Go build metadata (Go version, module path, build settings, GOOS/GOARCH) for triaging Go binaries |
| resolve_go_symbols | Parse gopclntab to recover function names from stripped Go binaries |
| filter_go_runtime | Classify functions into Go runtime, stdlib, and user code to focus analysis |
Each script has a default 10-minute timeout (configurable up to 13 minutes for complex analyses) and results are cached by sample SHA256. Ghidra projects persist across messages within the same chat session via sandbox pause/resume, so follow-up queries reuse the already-analysed project.
.NET Analysis
Specialised tools for .NET assemblies using ILSpyCMD and monodis. Available on Pro and Max tiers.
| Operation | What It Does |
|---|---|
| decompile | Full C# decompilation of the assembly |
| decompile_type | Decompile a specific class or type by name |
| disassemble | Raw IL disassembly via monodis |
| list_types | List all types in the assembly with hierarchy |
| list_methods | List all methods with full signatures |
| metadata | Full metadata extraction (version, references, attributes) |
| references | List referenced assemblies |
| strings | Extract user strings and string literals |
| resources | Extract embedded resources |
| entry_point | Locate and decompile the assembly entry point |
| detect_obfuscator | Identify ConfuserEx, Dotfuscator, SmartAssembly, .NET Reactor |
| detect_anti_analysis | Detect anti-debugging and anti-analysis techniques |
| extract_rat_config | Extract configs from known RATs (AsyncRAT, QuasarRAT, AgentTesla, DcRAT) |
| decrypt_strings | Attempt string decryption for common obfuscation patterns |
| triage | Quick overview of the assembly |
Cross References
Map function cross-references across the binary. Shows what calls a function and what it calls, helping trace execution flow and identify key routines.
Call Graph
Generate function call graphs showing the relationships between functions. Useful for understanding program structure and identifying central routines.
Crypto Detection
Identify cryptographic algorithms by searching for known constants (S-boxes, round constants, key schedules). Detects AES, DES, RC4, Blowfish, SHA family, and custom XOR routines.
Python Unpacker
Detect and unpack Python executables built with PyInstaller, py2exe, Nuitka, or cx_Freeze. Uses pyinstxtractor-ng, uncompyle6, and pycdc to recover original Python source code.
Web Search
Real-time threat intelligence enrichment powered by Perplexity’s Search API. The agent can search the web during analysis to look up CVE details, malware family documentation, campaign reports, and known indicators.
Example use cases:
- Identifying a malware family from behavioural patterns
- Looking up CVE details referenced in exploit code
- Finding published threat reports about specific indicators
- Checking if observed TTPs match known campaigns
Web Search is available when the platform’s Perplexity API key is configured. Results are treated as untrusted external input - the agent uses them as context but always cross-references with its own analysis findings.
Analysis Skills
On-demand loading of specialised analysis methodologies. When the agent encounters a specific scenario (e.g., a Go binary, a packed sample, or a request for a STIX export), it can load a detailed skill with step-by-step instructions tailored to that task.
Available skills:
| Category | Skills |
|---|---|
| Analysis | PE deep-dive, Go binary reversing, packed binary unpacking, .NET triage, YARA hunting |
| Techniques | API hashing resolution, C2 configuration extraction, string decryption |
| Reporting | PDF report generation, HTML report generation, STIX 2.1 export |
Skills inject expert-level methodology into the agent’s context, improving the quality and thoroughness of analysis for specialised scenarios.
These tools observe what a sample actually does. The sandbox itself stays network-disabled throughout - no real outbound traffic ever leaves the microVM.
Speakeasy
Emulates Windows PE executables, DLLs, drivers, and shellcode using Mandiant Speakeasy. Because it runs entirely via CPU emulation on Linux, no real process execution is needed. It captures API call traces, network connection attempts (DNS, HTTP, sockets), file operations, registry access, process creation, memory operations, and dropped files.
- mode - `pe` (default) for executables, DLLs, and drivers, or `shellcode` for raw shellcode blobs.
- architecture - `x86` or `amd64`, used when emulating shellcode.
Use Speakeasy for PE files (.exe, .dll, .sys, .scr, .cpl) and shellcode. For ELF binaries or scripts, use strace or runScript instead.
strace
Executes an ELF binary and traces its system calls, returning structured events grouped by category: file, network, process, memory, signal, and IPC operations. This reveals file access, network connection attempts, process spawning, and memory manipulation. Suitable for ELF binaries, Go binaries, and any Linux executable. The sample runs with a timeout and is killed if it exceeds the limit.
runScript
Detonates a script under tracing and auto-detects the runtime from the file extension. Supports Python (.py), PowerShell (.ps1), Bash (.sh), and Java (.jar). The runtime can also be specified explicitly. It captures the system calls made by the script and its interpreter, including file access, network connection attempts, and process spawning.
FakeNet-NG
Captures a sample’s network intent without giving it real network access. FakeNet-NG starts fake DNS, HTTP, SMTP, and IRC listeners (plus raw TCP/UDP), runs the sample, and records every connection attempt. This reveals C2 domains, C2 URLs, user agents, POST data, and custom-protocol callbacks. The sandbox remains network-disabled - FakeNet simulates the services locally and intercepts traffic so nothing reaches the internet.
FakeNet-NG works well alongside the other dynamic tools: pair it with Speakeasy for PE files, strace for ELF binaries, or runScript for script detonation to capture socket-level network intent.
Behaviour & TTP Analysis
capa
Statically maps a binary’s capabilities to MITRE ATT&CK and Malware Behavior Catalog (MBC) technique IDs. capa identifies high-level behaviours - for example “inject into process via CreateRemoteThread” - and labels them with the corresponding technique IDs, giving you a quick read on what a sample is built to do.
Supported file types are native PE, ELF, and Mach-O binaries (including those built from C, C++, Rust, or Go). It does not understand .NET assemblies, scripts, documents, or archive formats - use the .NET analysis tools for managed assemblies.
capa may not be installed in every sandbox template. When it is unavailable, the agent notes the absence and continues with other tools.
OLE Analysis
Analyse legacy Office documents and OLE compound files:
| Operation | What It Does |
|---|---|
| triage | Quick indicators scan via oleid (macros, DDE, suspicious elements) |
| extract_macros | Full VBA macro source code extraction (olevba) |
| analyze_macros | Macro analysis with automatic deobfuscation |
| check_malicious | Heuristic malicious macro detection (mraptor) |
| detect_dde | Find DDE/DDEAUTO formula injection |
| extract_objects | Extract embedded OLE objects |
| extract_rtf_objects | Extract objects from RTF documents (rtfobj) |
PDF Analysis
Inspect PDF structure for malicious content:
| Operation | What It Does |
|---|---|
| triage | Keyword counting for suspicious elements (/JS, /OpenAction, /AA, /EmbeddedFile) |
| search_javascript | Find and extract JavaScript objects |
| search_openaction | Find auto-execution triggers |
| extract_object | Extract a specific PDF object by ID |
| search_embedded | Find embedded files |
JAR/APK Analysis
Analyse Java archives and Android packages:
| Operation | What It Does |
|---|---|
| triage | Contents listing + MANIFEST.MF inspection |
| list_classes | List all .class files |
| decompile_cfr | Full decompilation via CFR |
| decompile_jadx | Decompilation with deobfuscation via JADX |
| decompile_class | Decompile a single class |
| disassemble | Bytecode disassembly via javap |
| verify_signature | Verify JAR/APK cryptographic signatures |
Generate IOCs
Extract Indicators of Compromise from the analysis. See the IOC Categories reference for the full list of supported indicator types.
Export formats: JSON, CSV, STIX 2.1
Generate YARA Rule
Create a YARA detection rule based on the sample’s unique characteristics - strings, byte patterns, import patterns, and structural features.
Save Artifact
Save extracted payloads, unpacked binaries, decoded configs, or other analysis artifacts for download. Available on Pro and Max tiers.
| Tier | Artifacts/Session | Max Size |
|---|---|---|
| Pro | 5 | 1 MB |
| Max | 20 | 5 MB |
Saved artifacts expire 24 hours after they are created. Once expired they can no longer be downloaded (the download request returns HTTP 410), so download anything you need promptly.
Save Report
Generate a structured threat intelligence report from the current analysis session. Reports can be downloaded in 8 formats: PDF, DOCX, HTML, Markdown, JSON, CSV, XML, and MITRE ATT&CK Navigator layers. See the Reports guide for details on report structure and export formats.