Advent of Cyber Day 6 | Malware Analysis
Malware Analysis Using Sandboxes
Day 6 Challenge Recap
Introduction
The town of Wareville sleeps peacefully under the night sky—but inside The Best Festival Company (TBFC), the SOC elves remain wide awake. With glowing monitors and hot cocoa in hand, they vigilantly defend the organisation.
At 3:00 AM, every elf receives an unexpected email from Elf McClause, Head of Elf Affairs. Attached is a suspicious executable named HopHelper.exe.
Sensing danger, Elf McBlue refuses to execute the file blindly. Instead, the team begins a full malware investigation using static and dynamic analysis inside a secure sandbox environment.
This post walks through the complete analysis process and the findings uncovered.
Learning Objectives
By the end of this challenge, you will understand:
- Core principles of malware analysis
- Why sandbox environments are essential
- The difference between static and dynamic analysis
- How to use tools like PeStudio, ProcMon, and Regshot
- How to investigate a suspicious executable safely
Malware Analysis Essentials
What Is Malware Analysis?
Malware analysis is the process of examining a suspicious file to understand:
- How it works
- What damage it can cause
- How to detect and mitigate it
Because malware can be destructive, analysis is always performed in an isolated sandbox, usually a virtual machine.
Types of Malware Analysis
1. Static Analysis
Examining a file without executing it, focusing on:
- Hashes
- Strings
- Imports
- Embedded resources
2. Dynamic Analysis
Executing the file in a controlled environment to observe:
- File system changes
- Registry modifications
- Network activity
Both approaches complement each other and provide a full picture of malware behaviour.
Interactive Static Analysis
Using PeStudio, analysts can quickly extract valuable indicators such as:
- Cryptographic hashes
- Suspicious strings
- Imported libraries
- Embedded URLs or commands
These insights help determine intent before execution.
✔ Static Analysis Findings
Question: What is the SHA-256 hash of HopHelper.exe?
Question: What flag appears in the strings section?
Interactive Dynamic Analysis
Dynamic analysis reveals what the malware actually does when executed.
The following tools were used:
Regshot
- Captures registry snapshots before and after execution
- Commonly used to identify persistence mechanisms
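To show the before/after comparison Regshot performs, here is an added Python example (not code from the original post or from Regshot itself): it diffs two constructed registry snapshots and flags any value added or changed directly under a well-known autostart key, which is how a Run-key persistence entry like the one found in the next section surfaces. The snapshot contents, the OneDrive entry and the HopHelper.exe path are all constructed for the example.

```python
# Well-known autostart locations; a new or changed value here is a classic
# persistence indicator (constructed watch-list for this example).
AUTOSTART_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
_AUTOSTART_LOWER = {k.lower() for k in AUTOSTART_KEYS}

def diff_snapshots(before, after):
    """Regshot-style diff of two {"HIVE\\key\\value_name": data} snapshots."""
    return {
        "added": {p: after[p] for p in after.keys() - before.keys()},
        "removed": {p: before[p] for p in before.keys() - after.keys()},
        "changed": {p: (before[p], after[p])
                    for p in before.keys() & after.keys() if before[p] != after[p]},
    }

def flag_persistence(diff):
    """Return added/changed values that sit directly under an autostart key."""
    hits = []
    for kind in ("added", "changed"):
        for path, data in diff[kind].items():
            key, _, value_name = path.rpartition("\\")   # split off the value name
            if key.lower() in _AUTOSTART_LOWER:           # registry paths are case-insensitive
                hits.append({"kind": kind, "key": key, "value_name": value_name,
                             "data": data[1] if kind == "changed" else data})
    return hits

# Constructed snapshots standing in for Regshot's 1st and 2nd shot.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BEFORE = {
    RUN_KEY + r"\OneDrive": r"C:\Users\elf\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKCU\SOFTWARE\Elf\Notes\LastOpened": "letter.txt",
}
AFTER = {
    RUN_KEY + r"\OneDrive": r"C:\Users\elf\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    RUN_KEY + r"\HopHelper": r"C:\Users\elf\AppData\Roaming\HopHelper.exe",  # constructed path
    r"HKCU\SOFTWARE\Elf\Notes\LastOpened": "wishlist.txt",  # unrelated, benign churn
}

def analyse(before=BEFORE, after=AFTER):
    """Diff the snapshots and return (diff, persistence hits)."""
    diff = diff_snapshots(before, after)
    return diff, flag_persistence(diff)
```

Running `analyse()` on the constructed snapshots reports one added value and one changed value, and only the Run-key addition is flagged; the benign change under HKCU\SOFTWARE\Elf is ignored.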
ProcMon (Process Monitor)
Monitors real-time activity, including:
- Registry access
- File creation and modification
- Network communications
These behaviours expose the malware’s operational intent.
Dynamic Analysis Findings
✔ Registry Persistence
Question: Which registry key is modified for persistence?
This indicates that HopHelper.exe ensures it runs automatically at system startup—a classic persistence technique.
✔ Network Communication
Question: Which network protocol does HopHelper.exe use?
After filtering network events in ProcMon, the malware was observed communicating over:
This suggests potential communication with a Command-and-Control (C2) server.
⭐ Bonus Observation
A web panel used by HopHelper.exe was also identified during analysis.
(No flag required—but it exists.)
Final Thoughts
This challenge demonstrates why malware analysis is a critical cybersecurity skill. Using the right tools in a safe environment allows analysts to uncover:
- File hashes and identifiers
- Embedded strings and indicators
- Persistence mechanisms
- Network communication methods
- Potential attacker infrastructure
For deeper learning, explore:
- Basic Static Analysis
- Basic Dynamic Analysis
Both rooms expand these techniques and prepare you for real-world malware investigations.