Malware Analysis - Egg-xecutable Tryhackme Walkthrough
Unlock advanced malware analysis with the TryHackMe “Malware Sandbox” room. Dive into hands-on dynamic sandbox setup, behavior monitoring, and safe execution of suspicious files. Perfect for boosting real-world malware detection, reverse-engineering, and threat containment skills.
Jawstar
12/8/2025, 2 min read


Task 2: Malware Analysis Using Sandboxes
Principles of Malware Analysis
Malware analysis is the process of examining a malicious file to understand its functionality, operation, and methods for defence against it. By analysing a malicious file or application, we can see exactly how it operates, and therefore, know how to prevent it. For example, could the malicious file communicate with an attacker's server? We can block that server.
Could the malicious file leave traces on the machine? We can use these to determine if the malware has ever infected another device. Instead of fearing malware, we can take a proactive approach by translating technical findings into practical defensive measures and understanding how the malware fits into an attacker's techniques.
There are two main branches of malware analysis: static and dynamic. Static analysis focuses on inspecting a file without executing it, whereas dynamic analysis involves execution. We will come to these shortly.
Sandboxes
In cyber security, sandboxes are used to execute potentially dangerous code. Think of them as disposable digital play-pens. These sandboxes are safe, isolated environments where potentially malicious applications can perform their actions without risking sensitive data or impacting other systems.
The use of sandboxes is part of the golden rule in malware analysis: never run dangerous applications on devices you care about.
Most of the time, sandboxes present themselves as virtual machines. Virtual machines are a popular choice for sandboxing because you can control how the system operates and benefit from features such as snapshotting, which lets you save the machine's state at various points and restore it to any of them (for example, rolling back to a clean state after a sample has run).
To reiterate, it is imperative to understand that potentially malicious code and applications should only be run in a safe, isolated environment. From now on, this room will refer to malicious code and applications as samples.
Answer the questions below
Static analysis: What is the SHA256Sum of the HopHelper.exe?
F29C270068F865EF4A747E2683BFA07667BF64E768B38FBB9A2750A3D879CA33
Static analysis: Within the strings of HopHelper.exe, a flag with the format THM{XXXXX} exists. What is that flag value?
Note: this can be found towards the bottom of the strings output.
THM{STRINGS_FOUND}
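The two static-analysis questions above come down to `sha256sum` and `strings` over the sample. The following script is an added example (not part of the walkthrough and not code from the room) that reproduces both steps in Python: it hashes the bytes, pulls out printable runs the way `strings -n 4` does, and greps those bytes for the `THM{...}` pattern. The `SAMPLE` bytes are constructed for the demo, so the hash it prints is not the hash of the real HopHelper.exe; point `triage()` at the real file's bytes to get that.

```python
"""Static triage: SHA-256 plus printable-string and flag extraction.

Added example. SAMPLE below is CONSTRUCTED stand-in data (an MZ header,
some non-printable bytes, a filename, a URL and a flag), not the
walkthrough's HopHelper.exe.
"""
import hashlib
import re
import sys

# Same pattern the room asks for: THM{ ... } with no nested braces.
FLAG_RE = re.compile(rb"THM\{[^}]*\}")

# What `strings` treats as printable: tab plus 0x20..0x7E.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA-256 hex digest, matching the format used in the answer above."""
    return hashlib.sha256(data).hexdigest().upper()


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings -n <min_len>`: return runs of printable ASCII bytes."""
    out: list[str] = []
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # flush a run that reaches end-of-file
        out.append(run.decode("ascii"))
    return out


def find_flags(data: bytes) -> list[str]:
    """Search the raw bytes (not just the string list) so a flag split by a
    single non-printable byte on either side is still found."""
    return [m.decode("ascii") for m in FLAG_RE.findall(data)]


def triage(data: bytes) -> dict:
    """One-shot static triage result for a sample's bytes."""
    return {
        "sha256": sha256_hex(data),
        "strings": extract_strings(data),
        "flags": find_flags(data),
    }


# Constructed sample bytes: "MZ" magic, 32 low bytes, then a few strings.
SAMPLE = (
    b"MZ\x90\x00"
    + bytes(range(0, 32))
    + b"HopHelper.exe\x00\x01\x02"
    + b"http://example.invalid/update\x00"
    + b"THM{EXAMPLE_FLAG}\x00"
)

if __name__ == "__main__":
    # Usage: python triage.py <file>   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(data)
    print("SHA256:", result["sha256"])
    for s in result["strings"]:
        print("  ", s)
    print("Flags:", result["flags"])
```

Hashing and string extraction read the file without executing it, which is what makes these steps static; nothing here needs the sandbox VM, but the sample should still only be handled inside it.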
Dynamic analysis: What registry value has the HopHelper.exe modified for persistence?
Note: Provide the full path of the key that has been modified
HKU\S-1-5-21-1966530601-3185510712-10604624-1008\Software\Microsoft\Windows\CurrentVersion\Run\HopHelper
Dynamic analysis: Filter the output of ProcMon for "TCP" operations. What network protocol is HopHelper.exe using to communicate?
Make sure to have executed HopHelper.exe while ProcMon was open and capturing events.
http
