
Malware Analysis - Egg-xecutable | Advent of Cyber 2025 - Day 6

This guide contains the answer and steps necessary to get to them for the Malware Analysis - Egg-xecutable room.

Table of contents

Malware Analysis Using Sandboxes

  1. Static analysis: What is the SHA256Sum of the HopHelper.exe?

    After starting the 'pestudio' program, we must load the 'HopHelper.exe' executable. The 'footprints' tab shows the file's SHA256 hash.

    Answer: F29C270068F865EF4A747E2683BFA07667BF64E768B38FBB9A2750A3D879CA33

  2. Static analysis: Within the strings of HopHelper.exe, a flag with the format THM{XXXXX} exists. What is that flag value? Note, this can be found towards the bottom of the strings output.

    This can also be found within 'pestudio', in the 'strings' tab. Since the flag is located near the end of the file, we can simply sort the list by offset (descending) so the last values are shown first. Here we indeed find our first flag.

    Answer: THM{STRINGS_FOUND}

  3. Dynamic analysis: What registry value has the HopHelper.exe modified for persistence? Note: Provide the full path of the key that has been modified

    To find the modified registry key, we will use 'regshot' as provided. Open it, change the output folder to the user's Desktop folder and take the first snapshot of the registry with '1st shot'.


    Since we will be using ProcMon for the next question, I will already start it up now. That way we only have to run the sample once.

    Once the sample runs, we can already see some strange activity. In the meantime, make sure to stop the capture in ProcMon so the log is not flooded with unrelated events.


    Now click the '2nd shot' button in 'Regshot' to capture a second snapshot of the registry. After that is done, click 'Compare'. In the resulting report we can search for the sample's name.


    We can see a value has been added under the current user's Run key, which makes sure the sample is started automatically at the next logon.

    Answer: HKU\S-1-5-21-1966530601-3185510712-10604624-1008\Software\Microsoft\Windows\CurrentVersion\Run\HopHelper

  4. Dynamic analysis: Filter the output of ProcMon for "TCP" operations. What network protocol is HopHelper.exe using to communicate? Make sure to have executed HopHelper.exe while ProcMon was open and capturing events.

    Switching over to ProcMon, we can filter the log to only view the relevant TCP operation events.

    Filter the "Process Name" on "HopHelper.exe" and the "Operation" to contain "TCP".

    Answer: HTTP

  5. Bonus: Can you find the web panel that HopHelper.exe is communicating with?

    We already found this clue in the previous question. In the TCP operation events, multiple paths are listed. These point to a C2 server. We can open this URL (without the port) in a browser to view the panel.

    Answer: http://breachblocker-sandbox/

  6. If you enjoyed today's room, feel free to explore both the Basic Static Analysis and Basic Dynamic Analysis rooms, where you can delve deeper into the techniques and tools discussed today.
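The two static-analysis steps above (hashing the file in pestudio's 'footprints' tab and sorting the 'strings' tab by offset to find a THM{...} flag near the end) can be reproduced without a GUI. The script below is an added example, not part of the room or of pestudio; it runs over a constructed byte blob standing in for an executable, not the real HopHelper.exe, and extracts both ASCII and UTF-16LE strings the way pestudio does.

```python
import hashlib
import re

# Constructed stand-in for an executable (this is NOT HopHelper.exe): a fake
# DOS stub, an import name, a UTF-16LE string, binary noise, and a flag near the end.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00\x00"
    + "HopHelper".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03" * 20
    + b"THM{EXAMPLE_FLAG}\x00" + b"\xff" * 8
)

FLAG_RE = re.compile(r"THM\{[^}]*\}")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file, uppercase hex as pestudio's 'footprints' tab shows it."""
    return hashlib.sha256(data).hexdigest().upper()


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """(offset, text) for every printable ASCII run and UTF-16LE run of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def find_flags(data: bytes) -> list[tuple[int, str]]:
    """Flags of the form THM{...} found in the strings, highest offset first
    (the same view as sorting pestudio's strings tab by offset, descending)."""
    hits = [(off, f) for off, s in extract_strings(data) for f in FLAG_RE.findall(s)]
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    print("SHA256:", sha256_hex(SAMPLE))
    for off, s in extract_strings(SAMPLE):
        print(f"0x{off:08x}  {s}")
    print("flags:", find_flags(SAMPLE))
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to the same three functions.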