Tracking botnets with Long Term Sandboxing
Sandbox systems have become an efficient way to analyze malware behavior. They can provide information about malware in a quick and automatic manner. However, their analysis time is usually limited to a couple of minutes, which prevents observation of malware behavior in the long run and the detection of interesting changes over time. To resolve these issues, we have created a Long Term Sandboxing system (LTS), which provides the means for prolonged automatic analysis of malware behavior. In our presentation we will show how we use it to track botnets, both their infrastructure and their operations. Our system has been augmented with network traffic and system resource analysis, providing the means to investigate network protocols, including DNS, HTTP(S) and SMTP.