TryHackMe: Advent of Cyber 2023 (Day 9) She sells C# shells by the C2shore
“Having retrieved the deleted version of the malware that allows Tracy McGreedy to control elves remotely, Forensic McBlue and his team have started investigating to stop the mind control incident. They are now planning to take revenge by analysing the C2’s back-end infrastructure based on the malware’s source code.”
Looks like I will be combing through some malware! I will try to keep it short and simple today, since my brain hurts from going through the included lesson.
And when I tell you I still have no idea what I’m doing here, I sincerely mean that. I mostly just clicked around until I found the answers.
Q1: What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Q2: What is the HTTP method used to submit the command execution output?
Q3: What key is used by the malware to encrypt or decrypt the C2 data?
Q4: What is the first HTTP URL used by the malware?
For this one, make sure you append the /reg path to the end of the URL.
Q5: How many seconds is the hardcoded value used by the sleep function?
The hardcoded value is in milliseconds, so convert it to seconds for the answer.
Q6: What is the C2 command the attacker uses to execute commands via cmd.exe?
This is the only one that gave me trouble while searching. Eventually I figured out that this section references a bunch of one-word commands that correspond with different aspects of the malware program.
Q7: What is the domain used by the malware to download another binary?
❤