TryHackMe || Advent of Cyber 2023 Day 9: She sells C# shells by the C2shore || WalkThrough
Today’s task involves malware analysis. The malware, a .NET binary written in C#, is analyzed in a sandbox with the tool dnSpy. This task didn’t involve much hands-on practice; the learning was in reading the decompiled code and working out how the malware operates.
Q/A
What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Answer: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
What is the HTTP method used to submit the command execution output?
Answer: POST
What key is used by the malware to encrypt or decrypt the C2 data?
Answer: youcanthackthissupersecurec2keys
What is the first HTTP URL used by the malware?
Answer: http://mcgreedysecretc2.thm/reg
How many seconds is the hardcoded value used by the sleep function?
Answer: 15
What is the C2 command the attacker uses to execute commands via cmd.exe?
Answer: shell
What is the domain used by the malware to download another binary?
Answer: stash.mcgreedy.thm
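The indicators above (hardcoded User-Agent, the /reg registration URL, POST for command output, the 15-second sleep, and the download domain) are what a defender would turn into detections. The following is an added example, not part of the TryHackMe room or this walkthrough: it scans constructed proxy log lines for those static indicators and flags hosts whose C2 traffic recurs at the 15-second beacon interval. The log format, the source IPs and every path other than /reg are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
# Indicators recovered in the walkthrough above (the 15 s value is the hardcoded sleep).
C2_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
C2_HOSTS = {"mcgreedysecretc2.thm", "stash.mcgreedy.thm"}
BEACON_SECONDS = 15
# Assumed proxy log format: <ISO time> <src ip> <method> <url> "<user agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": url.split("/")[2], "url": url, "ua": ua}

def indicator_hits(e):
    """Static indicators matched by one request; empty list means nothing matched."""
    hits = ["c2-user-agent"] if e["ua"] == C2_USER_AGENT else []
    if e["host"] in C2_HOSTS:
        hits.append("c2-host")
        if e["url"].endswith("/reg"):
            hits.append("registration")         # the first URL the implant contacts
        if e["method"] == "POST":
            hits.append("command-output-post")  # output of 'shell' tasks goes back via POST
    return hits

def beaconing_sources(entries, period=BEACON_SECONDS, tolerance=1.0, min_gaps=3):
    """Source IPs whose requests to C2 hosts recur every ~period seconds."""
    by_src = defaultdict(list)
    for e in entries:
        if e["host"] in C2_HOSTS:
            by_src[e["src"]].append(e["ts"])
    def periodic(times):
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        return sum(abs(g - period) <= tolerance for g in gaps) >= min_gaps
    return {src for src, ts in by_src.items() if periodic(sorted(ts))}

# Constructed sample: 10.0.0.5 registers, beacons every 15 s and fetches a second binary;
# 10.0.0.9 is benign. Paths other than /reg are made up for this sample.
SAMPLE_LOG = [
    '2023-12-09T10:00:00 10.0.0.5 GET http://mcgreedysecretc2.thm/reg "%s"' % C2_USER_AGENT,
    '2023-12-09T10:00:15 10.0.0.5 GET http://mcgreedysecretc2.thm/tasks "%s"' % C2_USER_AGENT,
    '2023-12-09T10:00:30 10.0.0.5 POST http://mcgreedysecretc2.thm/tasks "%s"' % C2_USER_AGENT,
    '2023-12-09T10:00:45 10.0.0.5 GET http://mcgreedysecretc2.thm/tasks "%s"' % C2_USER_AGENT,
    '2023-12-09T10:00:46 10.0.0.5 GET http://stash.mcgreedy.thm/stage2.exe "%s"' % C2_USER_AGENT,
    '2023-12-09T10:01:00 10.0.0.9 GET http://example.com/index.html "curl/8.4.0"',
]
```

Running `beaconing_sources` over the parsed sample returns only 10.0.0.5, and the static matches show which request was the registration and which carried command output.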
If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/
Happy Learning