TryHackMe || Advent of Cyber 2023 Day 9: She sells C# shells by the C2shore || WalkThrough

TheCyberWarrior
2 min readDec 11, 2023

--

Day 9 Logo

Today’s task involves Malware Analysis. The Malware is to be analyzed into a sandbox tool, named dnSpy. The malware is written in C# and is a .NET binary. This task didn’t have any practical learning but learning how to read the code and find how it works.

Q/A

What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

Answer: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15

What is the HTTP method used to submit the command execution output?

Answer: POST

What key is used by the malware to encrypt or decrypt the C2 data?

Answer: youcanthackthissupersecurec2keys

What is the first HTTP URL used by the malware?

Answer: http://mcgreedysecretc2.thm/reg

How many seconds is the hardcoded value used by the sleep function?

Answer: 15

What is the C2 command the attacker uses to execute commands via cmd.exe?

Answer: shell

What is the domain used by the malware to download another binary?

Answer: stash.mcgreedy.thm

If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/

Happy Learning

--

--