Malware Analysis - Egg-xecutable | Advent of Cyber 2025 - Day 6
This guide contains the answer and steps necessary to get to them for the Malware Analysis - Egg-xecutable room.
Malware Analysis Using Sandboxes
Static analysis: What is the SHA256Sum of the HopHelper.exe?
After starting 'pestudio', load the 'HopHelper.exe' executable. The 'footprints' tab lists the file's hashes, including its SHA256 hash.

Answer: F29C270068F865EF4A747E2683BFA07667BF64E768B38FBB9A2750A3D879CA33
Static analysis: Within the strings of HopHelper.exe, a flag with the format THM{XXXXX} exists. What is that flag value? Note, this can be found towards the bottom of the strings output.
This can also be found in 'pestudio', in the 'strings' tab. Since the flag is located near the end of the file, sort the list by offset in descending order so the last strings appear first. There we find our first flag.

Answer: THM{STRINGS_FOUND}
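The same two static checks without a GUI, as an added example that is not part of the original walkthrough: hash the file and pull printable strings out of it. The stand-in byte blob below is constructed for this example (it is not HopHelper.exe), and the flag value in it is made up. One point pestudio hides from you: Windows binaries often keep strings as UTF-16LE, which a plain ASCII scan misses, so both encodings are scanned here.

```python
import hashlib
import re

# Constructed stand-in for HopHelper.exe: an MZ header, an ASCII string,
# a UTF-16LE string and a flag near the end. Not the real sample.
SAMPLE = (
    b"MZ" + b"\x90" * 40
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x00" * 16
    + "HopHelper".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03" * 10
    + b"THM{EXAMPLE_FLAG}\x00"
)

FLAG_RE = re.compile(r"THM\{[^}]*\}")


def sha256sum(data: bytes) -> str:
    """Uppercase hex SHA256, matching the form pestudio displays."""
    return hashlib.sha256(data).hexdigest().upper()


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs,
    sorted by offset, roughly what pestudio's 'strings' tab lists."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_flags(data: bytes):
    """Filter the string list down to anything shaped like THM{...}."""
    return [(off, enc, s) for off, enc, s in extract_strings(data) if FLAG_RE.search(s)]


if __name__ == "__main__":
    print("SHA256:", sha256sum(SAMPLE))
    # Show the last few strings by offset, like sorting pestudio's list descending.
    for off, enc, s in extract_strings(SAMPLE)[-5:]:
        print(f"0x{off:08x} {enc:9} {s}")
    print("flags:", find_flags(SAMPLE))
```

To run it against the real sample, replace `SAMPLE` with `open("HopHelper.exe", "rb").read()`; the offsets printed then correspond to the file offsets pestudio shows.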
Dynamic analysis: What registry value has the HopHelper.exe modified for persistence? Note: Provide the full path of the key that has been modified
To find the modified registry key, we will use the provided 'Regshot'. Open it, change the output folder to the user's Desktop folder and click '1st shot' to take the first snapshot of the registry, before the sample has run.

Since we will be using ProcMon for the next question, I will already start it up now. That way we only have to run the sample once.
Run HopHelper.exe with ProcMon capturing. We can already see some strange activity. Once the sample has run, stop the capture in ProcMon so the log is not flooded with unrelated events.

Now click '2nd shot' in 'Regshot' to capture a second snapshot of the registry. After that is done, click 'Compare'. In the resulting report, search for the sample's name.

We can see a value has been added under the Run key, which makes sure the sample is started automatically every time this user logs on. Note that HKU\<SID> is the same hive as HKEY_CURRENT_USER for the logged-on user, so the persistence survives a reboot without needing administrator rights.
Answer: HKU\S-1-5-21-1966530601-3185510712-10604624-1008\Software\Microsoft\Windows\CurrentVersion\Run\HopHelper
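Scanning a Regshot compare report for autostart locations, as an added example that is not part of the original walkthrough. The report excerpt below is constructed in the shape of Regshot's plain-text compare output (section headers such as 'Values added: N' between dashed lines, one entry per line); the SID, paths and data are made up and are not the room's real values. The list of persistence locations is a small assumed subset, not an exhaustive one.

```python
import re

# Constructed excerpt in the shape of a Regshot compare report (not the real
# output from the room). Only the section headers and entry lines matter.
REGSHOT_REPORT = """\
----------------------------------
Keys added: 1
----------------------------------
HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\HopHelper

----------------------------------
Values added: 2
----------------------------------
HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HopHelper: "C:\\Users\\analyst\\Desktop\\HopHelper.exe"
HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\HopHelper\\LastRun: 0x00000001

----------------------------------
Values modified: 1
----------------------------------
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Counter: 0x00000002
"""

# Assumed subset of registry locations commonly abused for autostart persistence.
PERSISTENCE_PATTERNS = [
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\",
]

SECTION_RE = re.compile(r"^(Keys|Values) (added|modified|deleted): \d+$")


def parse_regshot(report: str):
    """Return {section name: [entry line, ...]} for each section of the report."""
    sections, current = {}, None
    for line in report.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif current and line and not line.startswith("-"):
            sections[current].append(line)
    return sections


def find_persistence(report: str):
    """Return (section, value path, data) for added or modified values that
    live under one of the known autostart keys."""
    hits = []
    for section, lines in parse_regshot(report).items():
        if not section.startswith("Values"):
            continue
        for line in lines:
            # Regshot writes 'path: data'; a drive letter has no space after the colon.
            path, _, data = line.partition(": ")
            if any(re.search(p, path, re.IGNORECASE) for p in PERSISTENCE_PATTERNS):
                hits.append((section, path, data.strip('"')))
    return hits


if __name__ == "__main__":
    for section, path, data in find_persistence(REGSHOT_REPORT):
        print(f"[{section}] {path} = {data}")
```

The noise entries (the sample's own LastRun counter, a Tcpip counter that changed on its own) are parsed but not reported, which is the point of filtering on known autostart locations rather than reading the whole diff by hand.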
Dynamic analysis: Filter the output of ProcMon for "TCP" operations. What network protocol is HopHelper.exe using to communicate? Make sure to have executed HopHelper.exe while ProcMon was open and capturing events.
Switching over to ProcMon, we can filter the log to show only the relevant TCP operation events.
Add a filter for 'Process Name' is 'HopHelper.exe' and another for 'Operation' contains 'TCP'. The 'Path' column shows each connection as 'local:port -> remote:port'; with address resolution enabled, ProcMon prints well-known ports as service names, so a remote port of 80 appears as 'http', which gives away the protocol.

Answer: HTTP
Bonus: Can you find the web panel that HopHelper.exe is communicating with?
We already found this clue in the previous question. The 'Path' column of the TCP operation events lists the remote endpoint, which is the C2 server. Open that hostname (without the port) in a browser to view the panel. Do this only inside the isolated sandbox: browsing to a live C2 from an analysis host that is not network-isolated tells the operator you are looking.

Answer: http://breachblocker-sandbox/
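Pulling the remote endpoints out of a ProcMon export, as an added example that is not part of the original walkthrough. It assumes the capture was saved as CSV (File > Save..., CSV format), which writes the default columns shown in the header below; the rows themselves are constructed for this example, and the hostname and port values are made up rather than the room's real capture. It covers the last two questions together: which remote host and port the sample talks to, and how to turn that into the panel URL.

```python
import csv
import io
from urllib.parse import urlunsplit

# Constructed ProcMon CSV export with the default column set. Detail fields are
# abbreviated; the hosts, PIDs and ports are invented for this example.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:04:01.1234567","HopHelper.exe","4128","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HopHelper","SUCCESS","Type: REG_SZ, Length: 64, Data: C:\\Users\\analyst\\Desktop\\HopHelper.exe"
"10:04:02.0000001","HopHelper.exe","4128","TCP Connect","DESKTOP-ANALYST:49714 -> breachblocker-sandbox:http","SUCCESS","Length: 0"
"10:04:02.0100000","HopHelper.exe","4128","TCP Send","DESKTOP-ANALYST:49714 -> breachblocker-sandbox:http","SUCCESS","Length: 143"
"10:04:02.0200000","HopHelper.exe","4128","TCP Receive","DESKTOP-ANALYST:49714 -> breachblocker-sandbox:http","SUCCESS","Length: 512"
"10:04:03.0000000","svchost.exe","1200","TCP Send","DESKTOP-ANALYST:50000 -> time.example:ntp","SUCCESS","Length: 48"
"""

# Port names ProcMon substitutes when address resolution is on, mapped to a scheme.
WEB_PORTS = {"http": "http", "80": "http", "https": "https", "443": "https"}


def tcp_endpoints(csv_text: str, process: str):
    """Return {(remote_host, remote_port): event count} for the TCP operations
    of one process. This is the programmatic form of the two ProcMon filters
    'Process Name is <process>' and 'Operation contains TCP'."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != process or "TCP" not in row["Operation"]:
            continue
        # Path is 'local:port -> remote:port'; split on the last colon so a
        # hostname containing no colon is handled (IPv6 literals would need more).
        _, _, remote = row["Path"].partition(" -> ")
        host, _, port = remote.rpartition(":")
        counts[(host, port)] = counts.get((host, port), 0) + 1
    return counts


def panel_url(host: str, port: str) -> str:
    """Turn a remote endpoint into the URL to open in the sandbox browser.
    Well-known web ports are dropped from the netloc, as the walkthrough does."""
    scheme = WEB_PORTS.get(port, "http")
    netloc = host if port in WEB_PORTS else f"{host}:{port}"
    return urlunsplit((scheme, netloc, "/", "", ""))


if __name__ == "__main__":
    for (host, port), n in tcp_endpoints(PROCMON_CSV, "HopHelper.exe").items():
        print(f"{n:3} events -> {host}:{port}  panel: {panel_url(host, port)}")
```

Note that the svchost.exe row and the registry write are filtered out, so the output is only the sample's own network endpoints. The same counts-by-endpoint view is also what you would hand to a network defender as an indicator, together with the registry path from the previous question.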
If you enjoyed today's room, feel free to explore both the Basic Static Analysis and Basic Dynamic Analysis rooms, where you can delve deeper into the techniques and tools discussed today.