Access the room: https://tryhackme.com/room/malware-sandbox-aoc2025-SD1zn4fZQt
This lab focuses on malware analysis using static and dynamic techniques to investigate a suspicious executable, HopHelper.exe. The scenario involves analyzing the file in a sandboxed environment to understand its behavior, identify malicious activities, and determine defensive measures.
Overview
The town of Wareville remains quiet in the middle of the night. While the residents of Wareville are nicely tucked up in bed, blissfully unaware, the SOC team at The Best Festival Company (TBFC) remain alert, poised and ready for whatever may face them.
Monitoring their screens, armed with a freshly poured mug of hot cocoa, the elves of the SOC watch their dashboards diligently.
Suddenly, the elves receive an email in unison from Elf McClause, Head of Elf Affairs, in their inboxes. It reads:

“Why is Elf McClause working at 3AM?” screams a member of the SOC team in the background. They’re right; something is amiss.
Elf McBlue is immediately suspicious. Their years of experience in the SOC have given them the wisdom not to download “out of the blue” executables. Without McSkidy’s wisdom, Elf McBlue takes charge, loading up their malware investigation toolkit — the investigation begins.
Learning Objectives
Today’s room will have you taking the place of Elf McBlue, a highly talented member of The Best Festival Company’s malware investigation squad. You have been tasked with investigating a highly suspicious executable that is being shared within the company. In today’s room, we will be covering the following:
- The principles of malware analysis
- An introduction to sandboxes
- Static vs. dynamic analysis
- Tools of the trade: PeStudio, ProcMon, Regshot
Setup
Start the target machine and connect to the sandbox environment.


Open the "HopHelper" folder on the Desktop and locate the HopHelper.exe file. Do not run the executable until instructed to do so.

Tools we are going to use: PeStudio (static analysis), Regshot and ProcMon (dynamic analysis).

Static Analysis
Using PeStudio
Launch PeStudio and drag and drop the HopHelper.exe file.


Click on the “indicators” tab to view the file properties.

Double-click on file > sha256 and note the SHA256 checksum from the “sha256” property.

Review the “strings” section for readable character sequences.

Look for any flags or suspicious strings (URLs, registry paths, file names).

Dynamic Analysis
Using Regshot
Launch Regshot and set the output directory to the Desktop.

Create the first snapshot before executing HopHelper.exe.

Execute the HopHelper.exe file.


After execution, create a second snapshot in Regshot.

Compare the two snapshots to identify registry changes.


We found the registry value that HopHelper.exe modified to establish persistence.
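Regshot's comparison is a diff of two registry snapshots, reported as added, deleted and modified values. As an added example, not Regshot's code and not the room's answer, the Python below runs that diff over two constructed snapshots and then narrows the result to common autostart locations, which is where a persistence entry shows up. The HKCU Run entry and the `C:\PLACEHOLDER` path in the "after" snapshot are illustrative assumptions; the value HopHelper.exe really sets is what the comparison in the sandbox reveals.

```python
# Constructed Regshot-style snapshots (key path -> {value name: data}).
# The HKCU Run entry and the C:\PLACEHOLDER path are assumed for illustration,
# not the value the room's real comparison reveals.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer": {
        "ShellState": "00 00 00 00",
    },
}

AFTER = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "HopHelper": r"C:\PLACEHOLDER\HopHelper.exe",
    },
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer": {
        "ShellState": "00 00 00 01",
    },
}

# Registry locations commonly used for autostart persistence (case-insensitive
# substring match against the key path).
AUTOSTART_MARKERS = (
    r"\CurrentVersion\Run",  # also covers RunOnce
    r"\CurrentVersion\Policies\Explorer\Run",
    r"\Windows NT\CurrentVersion\Winlogon",
    r"\CurrentControlSet\Services",
)


def diff_snapshots(before: dict, after: dict):
    """Return (added, deleted, modified) like Regshot's compare output.

    added/deleted entries are (key, value_name, data);
    modified entries are (key, value_name, old_data, new_data).
    """
    added, deleted, modified = [], [], []
    for key in set(before) | set(after):
        old = before.get(key, {})
        new = after.get(key, {})
        for name in set(old) | set(new):
            if name not in old:
                added.append((key, name, new[name]))
            elif name not in new:
                deleted.append((key, name, old[name]))
            elif old[name] != new[name]:
                modified.append((key, name, old[name], new[name]))
    return sorted(added), sorted(deleted), sorted(modified)


def persistence_candidates(changes: list) -> list:
    """Keep only changes whose key path sits under a known autostart location."""
    return [
        change for change in changes
        if any(marker.lower() in change[0].lower() for marker in AUTOSTART_MARKERS)
    ]


if __name__ == "__main__":
    added, deleted, modified = diff_snapshots(BEFORE, AFTER)
    print("added:", added)
    print("deleted:", deleted)
    print("modified:", modified)
    print("persistence candidates:", persistence_candidates(added + modified))
```

Regshot itself reports every change, including noise from Explorer and other background activity; filtering by autostart location is the step that separates the persistence entry from that noise.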

Using ProcMon
Open Process Monitor (ProcMon) and start capturing events.

Execute HopHelper.exe while ProcMon is running.

Allow the sample to execute fully, then stop capturing.
Apply filters to focus on HopHelper.exe:

- Filter by Process Name = HopHelper.exe
- Filter by Operation = TCP

We found the network protocol that HopHelper.exe uses to communicate.
Bonus: Identifying the Web Panel
In the bonus task, we review the network activity in ProcMon for any web requests and identify the destination address or web panel that HopHelper.exe communicates with.