Post 80 - Resurgence

24 Dec 2025

Day 6 Malware Analysis Egg-xecutable

For whatever reason I wasn’t totally feeling AoC this year, but now I’m going to do a marathon and see how much I can accomplish before the end. Notes and posts might be blips, random notes, and combined days.

Static Analysis

Gathering information without executing the sample.
| Information | Explanation | Example |
| :---: | :--- | :--- |
| Checksums | Used to track and catalog files and executables. | a93f7e8c4d21b19f2e12f09a5c33e48 |
| Strings | Sequences of readable characters within an executable, e.g. IP addresses, URLs, passwords. | 138.62.51.186 |
| Imports | List of libraries and functions that the application depends on. | CreateFileW: Windows API function (kernel32.dll) used to create or open a file. |
| Resources | Contains data such as the icon for the application. The icon might be used to conceal malware or contain malware. | |

Using PeStudio

The checksum can be read from the root node or the “footprints” section. The flag was in the “strings” section.

Dynamic Analysis

Gathering information by running the sample (in an isolated VM) and observing what it does during and after execution.

Using Regshot

Takes a snapshot of the registry before and another after executing the malware, then compares the two. Malware often adds a value under a Run key (e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or registers a service for persistence, so those locations are the first thing to check in the diff.
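What Regshot's compare step actually does is a key/value diff, and the useful part is filtering that diff down to autostart locations. The block below is an added example, not Regshot's code or anything from the room: it diffs two constructed snapshots (dicts of `{key path: {value name: data}}`, standing in for the parsed before/after) and flags changes under Run/RunOnce, Winlogon and Services. The snapshot contents and the `PERSISTENCE_LOCATIONS` pattern are assumptions for the example.

```python
import re

# Autostart locations worth flagging when they change between snapshots
# (Run/RunOnce keys, Winlogon, services). Assumed list, not Regshot's own.
PERSISTENCE_LOCATIONS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices)\b"
    r"|\\CurrentVersion\\Winlogon\b"
    r"|\\CurrentControlSet\\Services\\",
    re.IGNORECASE,
)

# Constructed snapshots: {key path: {value name: data}}. Regshot's real output
# is a text/HTML report; these dicts stand in for the parsed before/after.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {
        "MRUListEx": "00 00 00 00",
    },
    r"HKCU\Software\Classes\Local Settings\MuiCache": {
        "notepad.exe": "Notepad",
    },
}
AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "WindowsUpdater": r"C:\Users\Public\svchost.exe",   # new Run value
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {
        "MRUListEx": "01 00 00 00",                           # benign noise
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\eggsvc": {      # new service key
        "ImagePath": r"C:\Users\Public\svchost.exe -svc",
        "Start": "2",
    },
    # MuiCache key is gone in the second snapshot (deleted key)
}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: keys added/deleted, values added/modified."""
    report = {"keys_added": [], "keys_deleted": [],
              "values_added": [], "values_modified": []}
    for key in sorted(after.keys() - before.keys()):
        report["keys_added"].append(key)
        for name, data in after[key].items():
            report["values_added"].append((key, name, data))
    for key in sorted(before.keys() - after.keys()):
        report["keys_deleted"].append(key)
    for key in sorted(before.keys() & after.keys()):
        for name, data in after[key].items():
            if name not in before[key]:
                report["values_added"].append((key, name, data))
            elif before[key][name] != data:
                report["values_modified"].append((key, name, before[key][name], data))
    return report


def persistence_changes(report: dict) -> list:
    """Added or modified values that landed under a known autostart location."""
    hits = [(key, name, data) for key, name, data in report["values_added"]
            if PERSISTENCE_LOCATIONS.search(key)]
    hits += [(key, name, new) for key, name, _old, new in report["values_modified"]
             if PERSISTENCE_LOCATIONS.search(key)]
    return hits


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for section, entries in report.items():
        print(f"{section}: {len(entries)}")
    for key, name, data in persistence_changes(report):
        print(f"PERSISTENCE  {key}\\{name} = {data}")
```

The RecentDocs change is the kind of noise a live desktop produces between snapshots; the filter drops it and keeps the new Run value and the new service, which is what you would go and confirm in the Regshot report.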

Using ProcMon

Typical workflow: start capture, execute the sample, pause capture, then filter (usually on the sample's process name first). Operations of interest include:
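The list of operations did not make it into these notes, so the filter below uses an assumed set. It is an added example, not ProcMon's code or anything from the room: it reads a constructed ProcMon CSV export (the default column set, `Time of Day, Process Name, PID, Operation, Path, Result, Detail`, is assumed), follows `Process Create` details to collect the sample's child PIDs, and keeps only successful write-type, process and network events from that process tree. Filtering on PID rather than name matters here because the constructed sample drops a file called svchost.exe; a name filter would mix it up with the real one.

```python
import csv
import io
import re

# Constructed ProcMon CSV export (File > Save... > CSV). Column names are the
# default ones ProcMon writes; every row is made up for this example.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012","Explorer.EXE","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:02:12.1000","egg.exe","4520","WriteFile","C:\Users\Public\svchost.exe","SUCCESS","Offset: 0, Length: 8,192"
"10:02:12.2000","egg.exe","4520","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater","SUCCESS","Type: REG_SZ, Length: 56, Data: C:\Users\Public\svchost.exe"
"10:02:12.3000","egg.exe","4520","Process Create","C:\Users\Public\svchost.exe","SUCCESS","PID: 4611, Command line: C:\Users\Public\svchost.exe"
"10:02:12.4000","egg.exe","4520","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","NAME NOT FOUND","Length: 144"
"10:02:12.5000","egg.exe","4520","TCP Connect","DESKTOP-1:51234 -> 138.62.51.186:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:02:13.0000","svchost.exe","4611","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:02:13.1000","svchost.exe","4611","CreateFile","C:\Users\Public\egg.log","SUCCESS","Desired Access: Generic Write, Disposition: OpenIf"
"10:02:13.2000","svchost.exe","900","CreateFile","C:\Windows\System32\wbem\wmiprvse.exe","SUCCESS","Desired Access: Generic Write"
'''

# Operations worth keeping once the capture is paused. Assumed list.
OPERATIONS_OF_INTEREST = {"Process Create", "WriteFile", "RegSetValue",
                          "RegCreateKey", "TCP Connect", "UDP Send", "Load Image"}
CHILD_PID = re.compile(r"PID:\s*(\d+)")


def process_tree_pids(rows: list, process_name: str) -> set:
    """PIDs of the sample plus every descendant, found by following the
    'PID: n' field in Process Create details until no new PIDs appear."""
    pids = {row["PID"] for row in rows
            if row["Process Name"].lower() == process_name.lower()}
    while True:
        children = set()
        for row in rows:
            if row["PID"] in pids and row["Operation"] == "Process Create":
                m = CHILD_PID.search(row["Detail"])
                if m:
                    children.add(m.group(1))
        if children <= pids:
            return pids
        pids |= children


def interesting_events(csv_text: str, process_name: str) -> list:
    """Successful events of interest from the sample's whole process tree."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pids = process_tree_pids(rows, process_name)
    kept = []
    for row in rows:
        if row["PID"] not in pids or row["Result"] != "SUCCESS":
            continue
        op = row["Operation"]
        # CreateFile is extremely noisy; keep it only when opened for writing.
        if op in OPERATIONS_OF_INTEREST or (op == "CreateFile" and "Write" in row["Detail"]):
            kept.append({"pid": row["PID"], "process": row["Process Name"],
                         "op": op, "path": row["Path"], "detail": row["Detail"]})
    return kept


if __name__ == "__main__":
    for ev in interesting_events(PROCMON_CSV, "egg.exe"):
        print(f"{ev['pid']:>5} {ev['process']:<12} {ev['op']:<15} {ev['path']}")
```

Export the real capture with File > Save as CSV and point `interesting_events` at it; the dropped file, the Run value, the child process and the outbound connection then line up with what Regshot and PeStudio showed.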

The Task

Analyze provided sample using static and dynamic methods to capture info and flags.

Basic Static Analysis and Basic Dynamic Analysis rooms.